The Registry
CHAPTER 18
Part V ✦ Availability Management

The registry is the core repository of configuration information in Windows 2000, storing information about the operating system, applications, and user environment on standalone workstations and member servers (non-domain controllers).

In This Chapter
✦ The Purpose of the Registry
✦ The Registry’s Structure
✦ The Registry Editors
✦ Securing the Registry

The Purpose of the Registry
Early versions of the Windows operating system family, such as Windows 3.x, stored most of their configuration information in initialization, or .ini files. These files were text files containing various sections that stored settings for a variety of properties such as device drivers, application and document associations, user environment settings, and so on. Windows applications used .ini files as well to store their configuration settings. Even today in Windows 2000 and applications, .ini files are still a widely used mechanism for storing user, application, and operating system settings. A quick search of your hard drive for .ini files will illustrate that fact.

Although they provide a simple means of storing and retrieving settings, .ini files offer some disadvantages, particularly for storing important OS settings such as device drivers, configuration data, user environment settings, and so on. First, Windows 2000 needs a fault tolerant system for maintaining its settings to avoid the problem of an unbootable system due to a corrupt or missing .ini file. This information also needs to be secure, something .ini files can’t really provide. Finally, managing all the settings needed to keep a Windows 2000 system up and running, plus applications and user-related settings, would be overwhelming if .ini files were the only solution. The registry comes to the rescue.

In Windows 2000, like Windows NT before it, the registry stores configuration information about the system’s hardware and software, both operating system- and application-related. The registry also stores information about users, including security settings and rights, working environment (desktop properties, folders, and so on), and much more. However, unlike Windows NT, it no longer stores domain user and computer accounts or information related to “network” objects; this job now belongs to the Active Directory, as explained in Chapter 2 and the chapters in Part III.

Caution: When you promote a member server to a domain controller, all registry settings that also apply to a domain controller server, such as the desktop settings, are absorbed into Active Directory. But when you demote the server, the original registry settings are not restored, and you are returned to a clean registry. (The demotion wizard even asks you for a new Administrator password because the original account is lost.) Keep this in mind when you demote a domain controller, because Active Directory can easily outgrow the host machine it was originally installed on.

The following list explains some of the ways certain components make use of the registry:
✦ Setup: When you install Windows 2000, Setup builds the registry based on your selections (or automated selections) during installation. Setup also modifies the registry when you add or remove hardware from the system.
✦ Application setup: The Setup program for an application typically will modify the registry to store the application’s settings at installation. It also will typically read the registry to determine which components, if any, are already installed.
✦ Applications: Most applications that store their settings in the registry modify those settings during program startup, shutdown, or general operation to store changes made to application settings both by the application or the user.
✦ Ntdetect: The Ntdetect.com program executes at system startup to detect hardware and attached peripherals, and it stores information in the registry about those items for use in subsequent boot steps to initialize device drivers for identified devices.
✦ The kernel: The Windows 2000 kernel reads the registry at startup to determine which device drivers to load and in which order, along with other driver initialization parameters.
✦ Device drivers: Most device drivers store their configuration and operating settings in the registry, reading the registry at initialization to determine how to load and function.
✦ System: The Windows 2000 operating system as a whole uses the registry to store information about services, installed applications, document and OLE (Object Linking and Embedding) associations, networking, user settings, and other properties.
✦ Administrative tools: One of the main functions of utilities such as the Control Panel, the various MMC consoles, and standalone administration utilities is typically to modify the registry. In this context, these utilities provide a user interface for registry modification.
✦ The Registry Editors: Windows 2000 provides two utilities, regedit.exe and regedt32.exe, that enable you to view and modify the registry directly. While you’ll want to perform most modification tasks using other utilities, the Registry Editors make possible tasks such as direct modification, selected registry backup, and others.

The registry is in many ways the “brain” of the Windows 2000 OS. Nearly everything the OS does is affected by or affects the registry. For that reason, it’s important to not only understand the registry’s function and how to modify it, but also how to protect it from catastrophe or unauthorized access. The following sections explain the structure of the registry and how to manage it.

The Registry Structure
The registry forms a hierarchical (tree) database with five primary branches called subtrees. A subtree can contain keys, which function as containers within the subtree for subkeys and values. Subkeys are sub-branches within a key. Values are the individual settings within a key or subkey. Perhaps the best way to understand the registry structure is to view it through one of the Registry Editors, as shown in Figure 18-1. (You’ll find detailed information about the Registry Editors later in this chapter.)

Figure 18-1: The Registry Editors show the structure of the registry — a hierarchical tree, with each subtree serving as a primary branch.

There are two physical subtrees in the Windows 2000 registry: HKEY_LOCAL_MACHINE and HKEY_USERS, the former containing system- and hardware-related settings and the latter containing user-related settings. These two physical subtrees are divided into the five logical subtrees you see in the Registry Editors. Organizing the registry into five logical subtrees makes it easier to navigate and understand the logical structure of the registry. The five logical subtrees are as follows:
✦ HKEY_LOCAL_MACHINE: This subtree, often abbreviated as HKLM, stores settings that apply to the local machine, defining hardware and operating system settings that are the same regardless of which user is logged on. The settings in HKLM, for example, define device drivers, memory, installed hardware, and startup properties.
✦ HKEY_CLASSES_ROOT: Abbreviated HKCR, this subtree contains file association data, such as associating a document file type with its parent application and defining the actions taken on a given document type for various tasks (open, play, edit, and so on). This subtree is built from HKLM\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes, with the value in HKCU taking precedence. HKCR provides user- and computer-specific class registration, providing different class registrations for each user. This per-user class registration is different from previous versions of Windows that provided the same registration data for all users.
✦ HKEY_CURRENT_USER: This subtree (HKCU) stores the user profile for the user who is currently logged on to the system locally. Settings include desktop configuration and folders, network and printer connections, environment variables, Start menu and applications, and other settings that define the user operating environment and UI. This subtree is actually an alias of HKEY_USERS\SID, where SID is the security ID of the current user.
✦ HKEY_USERS: This subtree (HKU) stores user profile data for users who log on to the computer locally, as well as the default user profile for the local computer.
✦ HKEY_CURRENT_CONFIG: This subtree (HKCC) stores hardware configuration data about the local computer identified at startup and includes settings relating to device assignments, device drivers, and so on. This subtree is an alias of HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

Each of the subtrees listed previously represents a hive. Microsoft defines a hive as describing a body of keys, subkeys, and values rooted at the top of the registry hierarchy. An individual hive comprises three files:
✦ A registry file, in most cases stored in systemroot\System32\Config. This file contains the registry structure and settings for the given hive.
✦ A log file, stored in systemroot\System32\Config. This file serves as a transaction log for modifications to the hive registry file.
✦ A repair (backup) file, located in systemroot\System32\Repair. This is a backup copy of the registry file.

Table 18-1 lists the registry hives and their corresponding file names.

Table 18-1: Registry Hive Files

Hive                            Files
HKEY_LOCAL_MACHINE\SAM          Sam and Sam.log
HKEY_LOCAL_MACHINE\SECURITY     Security and Security.log
HKEY_LOCAL_MACHINE\SOFTWARE     Software and Software.log
HKEY_LOCAL_MACHINE\SYSTEM       System and System.alt
HKEY_CURRENT_CONFIG             System and System.log
HKEY_CURRENT_USER               Ntuser.dat and Ntuser.dat.log
HKEY_USERS\DEFAULT              Default and Default.log

With the exception of Ntuser.dat and Ntuser.dat.log, the hive files are stored in systemroot\System32\Config. The Ntuser.dat and Ntuser.dat.log files are stored in \Documents and Settings\user for systems with clean Windows 2000 installations or upgrades from Windows 9x. Systems upgraded from Windows NT store the Ntuser.dat and Ntuser.dat.log files in systemroot\Profiles\user.

Windows 2000 uses a process known as flushing to ensure a reliable, working copy of the registry at all times, guarding against attempted registry changes not being completed. Attempted changes to the registry are flushed, or saved to disk, when a given number of seconds has passed or when the modifying application explicitly requests it. The following explains how flushing occurs for all but the SYSTEM hive (HKLM\SYSTEM):
1. Modified data is written to the hive log file so that the data can be reconstructed if the system halts or fails before the data is written to the registry file.
2. The log file is flushed upon completion of a successful update to the log file.
3. Windows 2000 marks the first sector of the registry file to indicate that it is in the process of being modified (dirty).
4. The changes are written to the registry file.
5. Upon successful completion of the write operation, the first sector is modified to indicate successful completion (clean).

When Windows 2000 reads the hive files to construct the registry, it checks the status of each file. If the system failed during a previous registry update operation, the registry file will still be marked as dirty. In that situation, Windows 2000 attempts to recover the registry file using the log file. The changes identified in the log file are applied to the registry file, and if successful, the file is marked as clean.
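
A small model of the five flushing steps and the dirty-file recovery, added here as an illustration and not taken from the book or from Windows. The status byte, the JSON payload and the crash_at switch are assumptions that stand in for the first-sector marker, the hive data and a system failure; real hive files use a binary format.

```python
import json
import os
import tempfile

DIRTY, CLEAN = b"D", b"C"  # stand-in for the marker in the registry file's first sector


class ModelHive:
    """Toy hive: <path> = status byte + JSON values, <path>.log = pending changes."""

    def __init__(self, path):
        self.path, self.log = path, path + ".log"
        if not os.path.exists(path):
            self._write(CLEAN, {})

    def _write(self, status, values):
        with open(self.path, "wb") as f:
            f.write(status + json.dumps(values).encode())
            f.flush()
            os.fsync(f.fileno())

    def read_raw(self):
        with open(self.path, "rb") as f:
            raw = f.read()
        return raw[:1], json.loads(raw[1:])

    def flush(self, changes, crash_at=None):
        _, values = self.read_raw()
        with open(self.log, "w") as f:        # steps 1-2: log the changes, flush the log
            json.dump(changes, f)
            f.flush()
            os.fsync(f.fileno())
        if crash_at == "logged":              # simulated failure before step 3
            return
        self._write(DIRTY, values)            # step 3: mark the registry file dirty
        if crash_at == "partial":             # simulated failure inside step 4:
            values.update(list(changes.items())[:1])  # only the first change lands
            self._write(DIRTY, values)
            return
        values.update(changes)
        self._write(DIRTY, values)            # step 4: write the changes
        self._write(CLEAN, values)            # step 5: mark the file clean

    def load(self):
        """Boot-time read: replay the log if the file is still marked dirty."""
        status, values = self.read_raw()
        if status == DIRTY:
            with open(self.log) as f:
                values.update(json.load(f))
            self._write(CLEAN, values)
        return values


def demo():
    hive = ModelHive(os.path.join(tempfile.mkdtemp(), "Software"))
    hive.flush({"A": 1})
    hive.flush({"A": 2, "B": 3}, crash_at="partial")
    on_disk = hive.read_raw()                 # what the simulated failure left behind
    recovered = ModelHive(hive.path).load()   # next start: dirty file, so the log is replayed
    return on_disk, recovered, hive.read_raw()[0]


if __name__ == "__main__":
    print(demo())
```

In this model a failure after the log is written but before the file is marked dirty leaves the file clean, so the next load returns the old values and the logged change is not applied.
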

The SYSTEM hive behaves a little differently from the others in terms of fault tolerance. The systemroot\System32\Config folder includes a file named System.alt, which is a clean copy of the current System registry file. After a successful modification of the System file, it is copied to System.alt for use as a backup. If a problem occurs with the System hive file during boot, Windows 2000 switches to System.alt.

Having a backup of the registry is critical to being able to recover a failed system. Although Windows 2000 provides fault-tolerant management of the registry hive files, you should employ some additional procedures to ensure a valid, working copy of the registry. See the section “Backing Up and Securing the Registry” later in this chapter for detailed information. You’ll also find coverage of backup procedures in Chapter 17.

Registry Hive Files

As we mentioned earlier, the registry is divided into five logical hives. This section looks at each hive in a bit more detail.

HKEY_LOCAL_MACHINE
As explained earlier, the HKEY_LOCAL_MACHINE (HKLM) root key contains hardware and operating system settings for the local computer. HKLM contains the following subkeys:
✦ HARDWARE: This key stores the physical hardware configuration for the computer. Windows 2000 recreates this key each time the system boots successfully, ensuring up-to-date hardware detection/configuration.
✦ SAM: The Security Account Manager key contains security data for users and groups for the local machine.
✦ SECURITY: This key contains data that defines the local security policy.
✦ SOFTWARE: This key stores data about installed software.
✦ SYSTEM: This key stores data about startup parameters, device drivers, services, and other system-wide properties.

When corresponding settings are found in the HKCU key, those settings override settings in HKLM for the current user for certain data. If no corresponding settings exist, those in HKLM are used. For certain items such as device drivers, the data in HKLM is always used regardless of whether the data also resides in HKCU.

HKEY_USERS
The HKEY_USERS (HKU) key stores user profile data for users who log on to the computer locally, as well as the default user profile for the local computer. It contains a subkey for each user whose profile is stored on the computer, in addition to a key for the default user (.DEFAULT). It’s virtually impossible to identify a given user from the SID, but you wouldn’t want to try to modify settings in this key anyway except through the administrative tools that modify the registry. If you do need to modify settings directly, use the HKCU key instead.

HKEY_CURRENT_USER
As explained previously, the HKCU key is an alias for the HKU\SID key, where SID is the SID for the current local user. In other words, HKCU points to the registry key in HKU where the currently logged-on user’s registry data is stored. It contains the following subkeys:
✦ AppEvents: This key contains data about application and event associations such as sounds associated with specific events. Use the Sounds and Multimedia object in the Control Panel to modify settings in this key.
✦ Console: This key contains data that defines the appearance and behavior of the Windows 2000 command console (command prompt) and character-mode applications. Use the application or command console’s Control menu to define settings in this key.
✦ Control Panel: This key contains data normally set through the Control Panel applets.
✦ Environment: This key contains environment variable assignments for the current user.
✦ Identities: This key contains user-specific identity information such as last user ID, last user name, and software-related identity settings for Outlook Express, the address book, and so on.
✦ Keyboard Layout: This key stores information about the user’s keyboard layout and key mapping for international settings. Use the Regional Options object in the Control Panel to modify these settings.
✦ Network: This key stores data about the user’s network connections.
✦ Printers: This key stores data about the user’s printer connections.
✦ RemoteAccess: This key stores data about the user’s Internet profile and dial-up connection settings.
✦ Software: This key stores data about the user’s installed applications.
✦ UNICODE Program Groups: This key stores data about the user’s UNICODE Program Groups and is usually empty unless the system has migrated to Windows 2000 from an original Windows 3.1 installation (unlikely in most cases).
✦ Volatile Environment: This key stores volatile operating environment data such as the user’s application directory (usually \Documents and Settings\user\Application Data) and logon server.

HKEY_CLASSES_ROOT
The HKCR key stores data about file associations and is built from HKLM\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes, with the value in HKCU taking precedence. It contains numerous keys, one for each file/document type. Use the File Types tab of the Folder Options object in the Control Panel to modify file associations. See Chapter 5 for more information about the Control Panel applets.
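
The precedence rule above, as an added example that is not from the book: hkcr_view builds the merged view from two maps of class name to open command and reports where a per-user registration overrides, or exists only beside, the machine-wide one. The sample maps are constructed, and read_open_commands is a hypothetical helper that reads live data through Python's winreg module on a Windows system.

```python
def read_open_commands(root_name):
    """Windows only (hypothetical helper): map each class under
    <root>\\Software\\Classes to the default value of its shell\\open\\command key."""
    import winreg  # imported lazily so hkcr_view() also runs off-Windows
    found = {}
    with winreg.OpenKey(getattr(winreg, root_name), r"Software\Classes") as classes:
        for i in range(winreg.QueryInfoKey(classes)[0]):
            name = winreg.EnumKey(classes, i)
            try:
                with winreg.OpenKey(classes, name + r"\shell\open\command") as cmd:
                    found[name] = winreg.QueryValueEx(cmd, "")[0]
            except OSError:
                continue  # class has no open command, or the key is not readable
    return found


def hkcr_view(hklm, hkcu):
    """Merge {class: command} maps as HKCR does, with the HKCU value taking precedence.

    Returns (effective, overridden, user_only). Key names are compared
    case-insensitively, as registry key names are.
    """
    machine = {k.lower(): v for k, v in hklm.items()}
    user = {k.lower(): v for k, v in hkcu.items()}
    effective = {**machine, **user}
    overridden = {k: (machine[k], user[k])
                  for k in user if k in machine and machine[k] != user[k]}
    user_only = sorted(k for k in user if k not in machine)
    return effective, overridden, user_only


# Constructed sample data, not taken from a real system.
SAMPLE_HKLM = {
    "txtfile": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    "regfile": r'regedit.exe "%1"',
}
SAMPLE_HKCU = {
    "TxtFile": r"C:\Tools\editor.exe %1",
    "logfile": r"C:\Tools\viewer.exe %1",
}

if __name__ == "__main__":
    # On Windows, swap in read_open_commands("HKEY_LOCAL_MACHINE") and
    # read_open_commands("HKEY_CURRENT_USER") for the samples.
    effective, overridden, user_only = hkcr_view(SAMPLE_HKLM, SAMPLE_HKCU)
    for name, (machine_cmd, user_cmd) in overridden.items():
        print(f"{name}: HKCU {user_cmd!r} overrides HKLM {machine_cmd!r}")
    print("per-user only:", user_only)
```
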
HKEY_CURRENT_CONFIG
The HKCC key is an alias of HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current, and it stores hardware configuration data about the local computer relating to device assignments, device drivers, and so on. It contains two keys: Software and System. The Software key stores settings for system fonts and a handful of application settings. The System key stores a partial copy of the CurrentControlSet key in HKLM\SYSTEM\CurrentControlSet.

Keys and Values
As you’ve read up to this point, keys serve as containers in the registry. Keys can contain other keys (subkeys). Keys can also contain value entries, or simply, values. These are the “substance” of the registry. Values comprise three parts: the name, data type, and value. The name identifies the setting. The data type describes the item’s data format. The value is the actual data. The following list summarizes data types currently defined and used by the system:
✦ REG_BINARY: This data type stores the data in raw binary format, one value per entry. The Registry Editors display this data type using hexadecimal format.
✦ REG_DWORD: This data type stores data as a four-byte number, one value per entry. The Registry Editors can display this data type in binary, hexadecimal, or decimal formats.
✦ REG_EXPAND_SZ: This is a variable-length string that includes variables expanded when the data is read by a program, service, and so on. The variables are represented by % signs, and an example is the use of the %systemroot% variable to identify the root location of the Windows 2000 folder, such as a path entry to a file stored in systemroot\System32. One value is allowed per entry.
✦ REG_MULTI_SZ: This data type stores multiple string values in a single entry. String values within an item are separated by spaces, commas, or other such delimiters.