Windows Registry Basics




The Registry is a database used to store settings and options for the 32-bit versions of Microsoft Windows, including Windows 95, 98, ME and NT/2000 (later versions keep the same structure). It contains information and settings for all the hardware, software, users, and preferences of the PC. Whenever a user changes Control Panel settings, file associations, system policies, or installed software, the changes are reflected and stored in the Registry.

A previous article discussed some basic facts about the Registry. In this tutorial, I'll explain how the Registry Editor works and show how to tweak the Registry. Applies to Windows XP/Vista/7/8.x/10. (Vic Laurie)

Many people like to configure Windows their own way, and Windows is a system with numerous possible tweaks. Most of these tweaks are actually edits of the Registry.

The physical files that make up the Registry are stored differently depending on your version of Windows: under Windows 95 and 98 it is contained in two hidden files in your Windows directory, USER.DAT and SYSTEM.DAT; Windows Me adds a CLASSES.DAT file; under Windows NT/2000 (and every later version) the hive files are stored separately in the %SystemRoot%\System32\Config directory, with each user's own settings in an NTUSER.DAT file in that user's profile folder. You cannot edit these files directly while Windows is running (the system holds them open and locked); you must use a tool commonly known as a 'Registry Editor' to make changes (registry editors are discussed later in the article).

The Windows Registry is a database that contains information regarding almost everything in your computer: preferences, applications, users, attached devices, and other important machine-specific settings. The Registry contains two basic elements: keys and values. Registry script (.REG) files, covered later in this article, are similar to batch scripts in that they are used to modify the Windows Registry automatically rather than by hand. (Source for this passage: "How to Create Registry Script (.REG) Files in Windows", last updated March 29, 2017, by VG.)

The Structure of the Registry

The Registry has a hierarchical structure. Although it looks complicated, the structure is similar to the directory structure on your hard disk, with Regedit playing the role of Windows Explorer: keys are the folders and values are the files inside them.

Each main branch (shown with a folder icon in the Registry Editor) is a root key, often loosely called a hive, and each root key contains keys. Each key can contain other keys (referred to as sub-keys) as well as values. The values hold the actual data stored in the Registry. The Windows 95/98 Registry Editor exposes three value types, String, Binary and DWORD; the full set of value types, including the string variants that REGEDT32 and later editors can create, is listed below. Which type a value uses depends on the program that reads it.

There are six main branches (five on Windows NT/2000 and later, which have no HKEY_DYN_DATA), each containing a specific portion of the information stored in the Registry. They are as follows:

  • HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support drag-and-drop, OLE information, Windows shortcuts, and core aspects of the Windows user interface. On Windows 2000 and later it is a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and the current user's HKEY_CURRENT_USER\Software\Classes, with the per-user entries taking precedence, which is why file-type and COM handler registrations written there by an unprivileged user take effect for that user's programs.
  • HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS for the user currently logged on to the PC and contains information such as logon names, desktop settings, and Start menu settings.
  • HKEY_LOCAL_MACHINE - This branch contains computer-specific information about the hardware, software, and other settings of a given PC; this information is used for all users who log on to this computer.
  • HKEY_USERS - This branch contains individual preferences for each user of the computer; each user is represented by a sub-key named after that user's SID, located under the main branch.
  • HKEY_CURRENT_CONFIG - This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
  • HKEY_DYN_DATA - (Windows 95/98/Me only) This branch points to the part of HKEY_LOCAL_MACHINE used by the Plug-and-Play features of Windows; this section is dynamic and changes as devices are added to and removed from the system.

Each registry value is stored as one of five main data types:

  • REG_BINARY - This type stores the value as raw binary data. Most hardware component information is stored as binary data and is displayed in an editor in hexadecimal format.
  • REG_DWORD - This type represents the data as a four-byte (32-bit) number and is commonly used for Boolean values, such as '0' for disabled and '1' for enabled. Many device driver and service parameters are this type; REGEDT32 can display them in binary, hexadecimal and decimal format, REGEDIT in hexadecimal and decimal format.
  • REG_EXPAND_SZ - This type is an expandable string: a string containing an environment variable reference that is substituted when an application reads the value. For example, the string '%SystemRoot%' in such a value is replaced by the actual location of the directory containing the Windows NT system files. The substitution uses the environment of the process doing the reading, so a value that a privileged service expands should not reference variables an ordinary user can set. (On Windows 95/98 this type can only be created with an advanced registry editor such as REGEDT32; the Windows 2000 and later REGEDIT handles it.)
  • REG_MULTI_SZ - This type is a multiple string used to represent values that contain lists; each entry is terminated by a NULL character and the list ends with one extra NULL. (Same editor caveat as REG_EXPAND_SZ.)
  • REG_SZ - This type is a standard string, used to represent human-readable text values. Note that a REG_SZ containing '%SystemRoot%' is not expanded: the text is stored and returned literally.

Other data types, not available through the Windows 9x registry editors, include:

  • REG_DWORD_LITTLE_ENDIAN - A 32-bit number in little-endian format; identical to REG_DWORD, since Windows stores DWORDs little-endian and the two names share one type code.
  • REG_DWORD_BIG_ENDIAN - A 32-bit number in big-endian format.
  • REG_LINK - A Unicode symbolic link. Used internally; applications should not use this type.
  • REG_NONE - No defined value type.
  • REG_QWORD - A 64-bit number (Windows 2000 and later; the current REGEDIT can create these).
  • REG_QWORD_LITTLE_ENDIAN - The same 64-bit type under its explicit little-endian name.
  • REG_RESOURCE_LIST - A device-driver resource list.
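To make the type distinctions above concrete, here is an added PowerShell example (not from the original article) that writes one value of each common type under a scratch key in HKCU, then reads each back together with its registry type. The key name HKCU:\Software\RegistryBasicsDemo and the value names are assumptions chosen so the script needs no administrator rights; it removes the key when done.

```powershell
# Added example: one value of each common type, written and then read back with its kind.
# The key path is an assumption for this demo; it is created here and removed at the end.
$demoKey = 'HKCU:\Software\RegistryBasicsDemo'
New-Item -Path $demoKey -Force | Out-Null

New-ItemProperty -Path $demoKey -Name 'Name'     -PropertyType String       -Value 'plain text'        -Force | Out-Null
New-ItemProperty -Path $demoKey -Name 'LogDir'   -PropertyType ExpandString -Value '%SystemRoot%\Logs' -Force | Out-Null
# Same text stored as REG_SZ: the variable reference is NOT expanded when read.
New-ItemProperty -Path $demoKey -Name 'LogDirSz' -PropertyType String       -Value '%SystemRoot%\Logs' -Force | Out-Null
New-ItemProperty -Path $demoKey -Name 'Servers'  -PropertyType MultiString  -Value @('srv1', 'srv2')   -Force | Out-Null
New-ItemProperty -Path $demoKey -Name 'Enabled'  -PropertyType DWord        -Value 1                   -Force | Out-Null
New-ItemProperty -Path $demoKey -Name 'Blob'     -PropertyType Binary       -Value ([byte[]](0xC5, 0x0B, 0x00, 0x00)) -Force | Out-Null

# Get-ItemProperty flattens everything to .NET objects and hides the registry type;
# the underlying RegistryKey object exposes it through GetValueKind().
$key = Get-Item -Path $demoKey
foreach ($name in $key.GetValueNames()) {
    $kind = $key.GetValueKind($name)
    # Stored form = the bytes in the hive; read form = what a program gets by default.
    # The two differ only for REG_EXPAND_SZ.
    $stored = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
    $read   = $key.GetValue($name)
    switch ("$kind") {
        'Binary'      { $stored = ($stored | ForEach-Object { $_.ToString('x2') }) -join ','; $read = $stored }
        'MultiString' { $stored = $stored -join ' | ';                                        $read = $stored }
    }
    '{0,-9} {1,-13} stored={2,-20} read={3}' -f $name, $kind, $stored, $read
}

Remove-Item -Path $demoKey -Recurse
```

The LogDir and LogDirSz rows are the ones to compare: they hold identical text, but only the REG_EXPAND_SZ one comes back with %SystemRoot% resolved, and it resolves against the environment of whatever process reads it.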

Editing the Registry

The Registry Editor (REGEDIT.EXE) is included with every version of Windows (although you won't find it on the Start Menu). It enables you to view, search and edit the data within the Registry. There are several ways to start it; the simplest is to click the Start button, select Run, type 'regedit' in the Open box and press Enter.

An alternative Registry Editor (REGEDT32.EXE) is available with Windows NT/2000. It includes features not found in the standard version: the ability to view and modify security permissions on keys, and the ability to create and modify the extended string types REG_EXPAND_SZ and REG_MULTI_SZ. From Windows XP onward the two were merged: REGEDIT.EXE gained the Permissions dialog and full type support, and REGEDT32.EXE is just a stub that launches it.

Create a Shortcut to Regedit
This can be done by right-clicking a blank area of your desktop, selecting New, then Shortcut; in the Command line box enter 'regedit.exe' and click Next, enter a friendly name (e.g. 'Registry Editor') and click Finish. You can now double-click the new icon to launch the Registry Editor.

Using Regedit to modify your Registry
Once you have started the Regedit you will notice that on the left side there is a tree with folders, and on the right the contents (values) of the currently selected folder.

As in Windows Explorer, to expand a branch (see the structure of the Registry section above), click the plus sign [+] to the left of any folder, or double-click the folder. To display the contents of a key (folder), click the key and look at the values listed on the right. You can add a new key or value by selecting New from the Edit menu, or by right-clicking. You can rename any value and almost any key the same way you rename files: right-click the object and choose Rename, click it twice (slowly), or press F2. Lastly, you can delete a key or value by selecting it and pressing Delete, or by right-clicking it and choosing Delete.

Note: it is always a good idea to back up your Registry before making any changes to it (exporting the key you are about to edit, as described below, is the quickest way). The editor can be intimidating to a new user, and it is always possible to change or delete a critical setting and end up having to reinstall the whole operating system. It's much better to be safe than sorry!

Importing and Exporting Registry Settings

A great feature of the Registry Editor is its ability to import and export Registry settings to a text file. This text file, identified by the .REG extension, can then be saved or shared with other people to easily modify local Registry settings. You can see the layout of these files by exporting a key and opening it in Notepad: in the Registry Editor select a key, then from the 'Registry' menu ('File' in later versions) choose 'Export Registry File...', choose a filename and save. If you open this file in Notepad you will see something similar to the example below (REGEDIT4 is the header written by Windows 9x and NT 4.0; Windows 2000 and later write 'Windows Registry Editor Version 5.00' and save the file as Unicode text):

REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"SetupType"=dword:00000000
"CmdLine"="setup -newsetup"
"SystemPrefix"=hex:c5,0b,00,00,00,40,36,02

The layout is quite simple: REGEDIT4 indicates the file type and version, [HKEY_LOCAL_MACHINE\SYSTEM\Setup] indicates the key the values belong to, and the remaining lines such as "SetupType"=dword:00000000 are the values themselves. Value names are written in double quotes; the portion after the '=' varies with the type of value: dword: followed by eight hex digits for a DWORD, a double-quoted string for a String (with any backslash or quote inside it escaped by a backslash), and hex: followed by comma-separated bytes for Binary.

So by simply editing this file to make the changes you want, it can then be easily distributed, and all that needs to be done is to double-click it, or choose 'Import' from the Registry menu, for the settings to be added to the system Registry. Treat a .REG file from someone else with the same caution as an executable: importing it applies every change it contains, with no undo.

Deleting keys or values using a REG file
It is also possible to delete keys and values using REG files. To delete a key, start with the same format as the REG file above, but place a '-' symbol in front of the key name you want to delete. For example, to delete the [HKEY_LOCAL_MACHINE\SYSTEM\Setup] key the REG file would look like this:

REGEDIT4
[-HKEY_LOCAL_MACHINE\SYSTEM\Setup]

The format used to delete individual values is similar, but instead of a minus sign in front of the whole key, place it after the equal sign of the value. For example, to delete the value 'SetupType' the file would look like:

REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"SetupType"=-

Use this feature with care, as deleting the wrong key or value could cause major problems within the registry, so remember to always make a backup first.
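The import/export and deletion syntax above is easy to get subtly wrong by hand (unescaped backslashes, a seven-digit dword, a multi-string missing its final NUL). Here is an added PowerShell example, not part of the original article, that generates a .REG file from typed values with the escaping regedit expects, imports it silently with regedit /s, and reads the result back. The key HKEY_CURRENT_USER\Software\RegistryBasicsDemo, the value names and the file name are assumptions chosen so that no administrator rights are needed for the registry write itself.

```powershell
# Added example (not from the original article): build a .reg file with the escaping
# regedit expects, import it silently, and read the result back.
# Key name, value names and file name are assumptions for this demo.

function Format-RegString {
    # Names and REG_SZ data are double-quoted; '\' and '"' inside are escaped with a backslash.
    param([string]$Text)
    '"' + $Text.Replace('\', '\\').Replace('"', '\"') + '"'
}

function Format-RegHexBytes {
    # hex: and hex(N): data is a comma-separated list of two-digit lowercase hex bytes.
    param([byte[]]$Bytes)
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ','
}

function Format-RegValue {
    param([string]$Name, [string]$Kind, $Value)
    $lhs = if ($Name -eq '') { '@' } else { Format-RegString $Name }   # '@' addresses the key's default value
    $rhs = switch ($Kind) {
        'Delete'       { '-' }                                           # "name"=-  removes the value on import
        'String'       { Format-RegString ([string]$Value) }
        'DWord'        { 'dword:{0:x8}' -f [uint32]$Value }              # always eight hex digits
        'Binary'       { 'hex:' + (Format-RegHexBytes $Value) }
        # REG_EXPAND_SZ (type 2) and REG_MULTI_SZ (type 7) travel as UTF-16LE bytes in hex(N): form;
        # every string is NUL-terminated and a multi-string carries one extra NUL at the end.
        'ExpandString' { 'hex(2):' + (Format-RegHexBytes ([Text.Encoding]::Unicode.GetBytes("$Value`0"))) }
        'MultiString'  { 'hex(7):' + (Format-RegHexBytes ([Text.Encoding]::Unicode.GetBytes(((@($Value) -join "`0") + "`0`0")))) }
        default        { throw "unsupported value kind: $Kind" }
    }
    "$lhs=$rhs"
}

$demoKey = 'HKEY_CURRENT_USER\Software\RegistryBasicsDemo'
$lines = @(
    'Windows Registry Editor Version 5.00'   # header for Windows 2000 and later; REGEDIT4 is the older ANSI-only form
    ''
    "[$demoKey]"
    (Format-RegValue 'Caption' 'String'       'Authorised "demo" use only')  # quotes come out as \"
    (Format-RegValue 'Path'    'String'       'C:\Program Files\Demo')       # backslashes come out doubled
    (Format-RegValue 'Enabled' 'DWord'        1)
    (Format-RegValue 'LogDir'  'ExpandString' '%SystemRoot%\Logs')
    (Format-RegValue 'Servers' 'MultiString'  @('srv1', 'srv2'))
    (Format-RegValue 'Blob'    'Binary'       ([byte[]](0xc5, 0x0b, 0x00, 0x00)))
    (Format-RegValue 'Stale'   'Delete')
    ''
    "[-$demoKey\Obsolete]"                   # leading '-' deletes that whole subkey, silently if it is absent
    ''
)

$regFile = Join-Path $env:TEMP 'registry-basics-demo.reg'
# Version 5.00 files are UTF-16LE with a byte-order mark, which -Encoding Unicode produces.
Set-Content -Path $regFile -Value $lines -Encoding Unicode

# /s suppresses the "are you sure" prompt. The same switch is what unattended installers
# and malicious scripts rely on, so regedit.exe /s in process-creation logs deserves a look.
Start-Process -FilePath regedit.exe -ArgumentList '/s', "`"$regFile`"" -Wait

Get-ItemProperty -Path 'HKCU:\Software\RegistryBasicsDemo'
```

Open the generated file in Notepad to compare it with the exported example above; the only real difference is the header line. On an account that can elevate, regedit.exe asks for UAC consent even though this write only touches HKCU.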

Regedit Command Line Options
Regedit has a number of command-line options to help automate its use in batch files or from the command prompt. Listed below are some of the options; note that some are operating-system specific.

regedit.exe [options] [filename] [regpath]

  • [filename] - Import the .reg file into the Registry (a confirmation box is shown).
  • /s [filename] - Silent import: the confirmation box is hidden. Because the user sees nothing, this is also the form unattended installers and malicious scripts use, so regedit.exe /s in process-creation logs is worth a second look.
  • /e [filename] [regpath] - Export the Registry to [filename] starting at [regpath], e.g. regedit /e file.reg HKEY_USERS\.DEFAULT; omit [regpath] to export the whole Registry.
  • /L:system - Specify the location of the SYSTEM.DAT to use (Windows 9x).
  • /R:user - Specify the location of the USER.DAT to use (Windows 9x).
  • /C [filename] - Compress the Registry (Windows 98).
  • /D [regpath] - Delete the specified key (Windows 98).

Maintaining the Registry

On Windows NT you can use either the 'Last Known Good' option at boot or a repair disk made with RDISK to restore the Registry to a stable working configuration. Later versions replaced RDISK with System Restore and Backup, while the Last Known Good Configuration boot option survived through Windows 7.

How can I clean out old data from the Registry?
Although it's possible to go through the Registry by hand and delete unwanted entries, Microsoft once provided a tool to automate the process, RegClean. RegClean analyzed keys stored in a common location in the Registry, found keys containing erroneous values and removed them, after first recording those entries in an Undo.Reg file so the change could be reversed. RegClean was discontinued long ago and is not supported on current Windows; treat any third-party "registry cleaner" with the same caution as any other program that wants to write all over the Registry.

One of the most important components of the Windows operating system is the Registry, yet documentation on it for those who support Windows is sparse. You are expected to know it — and in particular the Regedit.exe tool — for the CompTIA A+ certification exam (220-802) where it falls under two different objectives:

— Given a scenario, use appropriate operating system features and tools.
— Given a scenario, troubleshoot operating system problems with appropriate tools.

In this overview, we’ll look at what it can do and some of the administrative tasks that you can perform with it.

What is the Registry

In older versions of Windows, applications would write values all over the place — in .ini files, in .txt files, and so on. This lack of consistency between configuration files added a lot of ways for problems to occur, including the need for administrators to know the specifics of each application, one program overwriting settings for another, a user accidentally deleting an important file or changing values in it, and so on.

Those problems have all but gone away now that the Windows Registry stores nearly every configuration parameter available. Unfortunately, some problems remain: Its structure is incredibly complex and there’s no “undo” feature or Save button (once you delete something, it’s immediately gone). In other words, be very careful anytime you make any changes to it.

To understand the Registry, think of a giant hierarchical database that can be read from and written to by a plethora of applications. When you want to access it directly, you do so using the Registry Editor (REGEDIT.EXE; on Windows XP and later REGEDT32.EXE is only a stub that launches REGEDIT.EXE).

By default this tool works on the local Registry of the machine you are sitting at, but it can also connect to a remote Registry so that technical support personnel can work on that system's Registry remotely. This relies on the Remote Registry service (service name RemoteRegistry) running on the target machine and being reachable over the network by an account with the right permissions. The service can be quite useful in some situations, but it can also function as a means for an attacker to read or modify your system's Registry. If you don't need it, turn it off.

One of the best ways to understand how to use the tool, as well as what it can do, is to use it. There are four common tasks given as examples next. Following that, we will talk about how to go beyond just local settings.

Task One: Create a Message Before Login

One of the least expensive security tools that can be implemented is a sign. Signs can be placed around secure areas telling those who venture by that only authorized access is allowed, that trespassers will be prosecuted, and so on. There is a story told of a couple of magicians who drove across country while on tour. To prevent anyone from breaking into their car, they put a sign on it identifying the car as a transport vehicle for the Center for Disease Control. As the story goes, the ruse worked and no one ever broke into the vehicle.

Within Microsoft Windows, you have the ability to put signs (in the form of onscreen pop-up banners) that appear before the login telling similar information — authorized access only, violators will be prosecuted, and so forth. Such banners convey warnings or regulatory information to the user that they must “accept” in order to use the machine or network.

In Windows, this "banner" is turned on in the Registry through two values beneath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. You configure legalnoticecaption as the caption (title) of the "sign" that you want to appear and legalnoticetext as the text that shows up and must be dismissed before the user can move on. Both are REG_SZ string values accepting any text. (Windows NT 4.0 read the same two values from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; the Policies\System location is the one Group Policy writes, and a domain policy will overwrite whatever you type there by hand.)

The Steps

  1. Start a command window (CMD).
  2. Start the Registry Editor (REGEDIT).
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows.
  4. Choose CurrentVersion\Policies\System.
  5. Double-click LegalNoticeCaption (if it is not there, create it as a String value).
  6. Change the value to Attention.
  7. Click OK.
  8. Double-click LegalNoticeText (if it is not there, create it as a String value).
  9. Change the value to Do not log in unless you are an authorized user.
  10. Click OK.
  11. Exit the Registry Editor.
  12. Exit the command window.

Task Two: Change the Registered Organization for Windows

When Windows is installed, there are a few values given that keep popping up time and time again. One of those values is the Registered Organization. Each time you go to install new software, it will default to that. When you create some new documents, the default will be that as one of the properties that goes along with it, and so on. When you need to change that value (getting rid of a PC, hostile takeover of the company by another, etc.), you can do so with one simple change:

The Steps

  1. Start a command window (CMD).
  2. Start the Registry Editor (REGEDIT).
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT.
  4. Choose CurrentVersion.
  5. Double-click RegisteredOrganization (RegisteredOwner, next to it, holds the registered user name shown in the same places).
  6. Change the value to Dulaney Enterprises.
  7. Click OK.
  8. Exit the Registry Editor.
  9. Exit the command window.

Task Three: Enable Shutdown Without Login

As a system administrator, you must often reboot a workstation. Needing to log in first before being able to shut it down takes up time that could be better spent on other problems. You can allow a system to be shut down without a user first needing to log in. Be aware of the trade-off: with this enabled, anyone who can reach the keyboard of a locked workstation can shut it down, so on shared, kiosk or server systems leave the value at 0, which is what most hardening baselines recommend.

The Steps

  1. Start a command window (CMD).
  2. Start the Registry Editor (REGEDIT).
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows.
  4. Choose CurrentVersion\Policies\System.
  5. Double-click ShutdownWithoutLogon (if it is not there, create it as a DWORD value).
  6. Set the value to 1.
  7. Click OK.
  8. Exit the Registry Editor.
  9. Exit the command window.

Task Four: Don’t Display the Last User’s Username

In order to gain access to a workstation, a user must provide two values, a username and its associated password. If the username of the previous user is displayed on the logon screen, anyone trying to break in is handed half of that pair and only has to guess the password. For that reason it is never a good idea to show the last user's name to the next person who tries to log in. The following setting keeps the name of the last user who used a system from being displayed.

The Steps

  1. Start a command window (CMD).
  2. Start the Registry Editor (REGEDIT).
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows.
  4. Choose CurrentVersion\Policies\System.
  5. Double-click dontdisplaylastusername (if it is not there, create it as a DWORD value).
  6. Set the value to 1.
  7. Click OK.
  8. Exit the Registry Editor.
  9. Exit the command window.
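Tasks One, Three and Four all land in the same Policies\System key, and the Remote Registry advice earlier in this article is a service check rather than a registry edit. Here is an added PowerShell example, not part of the original article, that audits those values against a desired state and optionally sets them, then reports on the RemoteRegistry service. The desired values, in particular expecting ShutdownWithoutLogon to be 0 rather than the 1 used in Task Three, are assumptions for an interactive workstation, not a Microsoft baseline. Reading works from an ordinary prompt; the -Fix switch needs an elevated one.

```powershell
# Added example (not from the original article): audit the logon-screen values that
# Tasks One, Three and Four set, at the path current Windows versions read them from,
# and check the Remote Registry service. The "desired" values are assumptions.
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$desired = @(
    @{ Path = $policies; Name = 'legalnoticecaption';      Kind = 'String'; Value = 'Attention' }
    @{ Path = $policies; Name = 'legalnoticetext';         Kind = 'String'; Value = 'Do not log in unless you are an authorized user.' }
    @{ Path = $policies; Name = 'dontdisplaylastusername'; Kind = 'DWord';  Value = 1 }
    # Task Three sets this to 1 so anyone can shut the machine down from the logon screen.
    # That is an availability risk on a shared or exposed machine, so this audit expects 0.
    @{ Path = $policies; Name = 'shutdownwithoutlogon';    Kind = 'DWord';  Value = 0 }
)

function Test-RegistryBaseline {
    param([hashtable[]]$Settings, [switch]$Fix)
    foreach ($s in $Settings) {
        # A missing value comes back as $null; an empty string (the default for the legal
        # notice values on current Windows) is non-compliant because it disables the banner.
        $current   = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $compliant = ($null -ne $current) -and ([string]$current -eq [string]$s.Value)
        if (-not $compliant -and $Fix) {
            if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            # -Force creates a missing value and also corrects one stored with the wrong type.
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Kind -Value $s.Value -Force | Out-Null
            $current   = $s.Value
            $compliant = $true
        }
        [pscustomobject]@{ Name = $s.Name; Expected = $s.Value; Current = $current; Compliant = $compliant }
    }
}

Test-RegistryBaseline -Settings $desired | Format-Table -AutoSize
# Test-RegistryBaseline -Settings $desired -Fix        # apply from an elevated prompt

# Remote Registry lets other machines read and write this Registry over the network.
# The article's advice is "if you don't need it, turn it off"; this reports when it is on.
$svc = Get-Service -Name RemoteRegistry
if ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
    Write-Warning "RemoteRegistry is $($svc.Status) with start type $($svc.StartType)"
    # Stop-Service -Name RemoteRegistry; Set-Service -Name RemoteRegistry -StartupType Disabled
}
```

On a domain-joined machine, compare the report with the output of gpresult before fixing anything by hand: a value that Group Policy manages will be written back at the next policy refresh, so the durable fix belongs in the policy, not in Regedit.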

Going Beyond Local Settings

Changes made in the Registry Editor apply only to the machine you are working on (whether local or remote). When you want to change settings on many machines, the best solution is Group Policy. With Group Policy you define the settings once in the domain; each computer applies the machine part at startup and the user part at logon, refreshes them periodically, and receives them as Registry values, providing an efficient way to manage a large number of computers.

The restrictions you set come from choices within template files and can be as simple as not allowing the user to access the game Solitaire, or as complex as removing their ability to access other networks. Security templates are the template files that hold Registry setting choices related to security.

Not every configuration setting needs to come from the domain. Every current Microsoft operating system also includes local policies, settings that apply to the workstation regardless of whether the user has authenticated to a network. Their purpose is to restrict the user locally, just as you would across the network; on a domain-joined machine, domain Group Policy settings override conflicting local ones. To see the local security policies, choose Start > Run and type secpol.msc.

As a security administrator, you should routinely monitor the settings made throughout your network in local and Group Policies and tweak them as needed.

Summing it Up

The Windows Registry holds the configuration settings for the machine and the user. While it is intended to simplify operations, the lack of good documentation for administrators leaves many underprepared to manage it and lacking adequate knowledge of it for some certification exams. The best way to overcome this is through exposure to it and this article walked through four common administrative tasks that can be done through the Registry Editor.