Registry hives


hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.
Each time a new user logs on to a computer, a new hive is created for that user with a separate file for the user profile. This is called the user profile hive. A user's hive contains specific registry information pertaining to the user's application settings, desktop, environment, network connections, and printers. User profile hives are located under the HKEY_USERS key.
Registry files have the following two formats: standard and latest. The standard format is the only format supported by Windows 2000. It is also supported by later versions of Windows for backward compatibility. The latest format is supported starting with Windows XP. On versions of Windows that support the latest format, the following hives still use the standard format: HKEY_CURRENT_USERHKEY_LOCAL_MACHINE\SAM,HKEY_LOCAL_MACHINE\Security, and HKEY_USERS\.DEFAULT; all other hives use the latest format.
Most of the supporting files for the hives are in the %SystemRoot%\System32\Config directory. These files are updated each time a user logs on. The file name extensions of the files in these directories, or in some cases a lack of an extension, indicate the type of data they contain. The following table lists these extensions along with a description of the data in the file.
ExtensionDescription
none
A complete copy of the hive data.
.alt
A backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file.
.log
A transaction log of changes to the keys and value entries in the hive.
.sav
A backup copy of a hive.
Windows Server 2003 and Windows XP/2000:  Copies of the hive files as they looked at the end of the text-mode stage in Setup. Setup has two stages: text mode and graphics mode. The hive is copied to a .sav file after the text-mode stage of setup to protect it from errors that might occur if the graphics-mode stage of setup fails. If setup fails during the graphics-mode stage, only the graphics-mode stage is repeated when the computer is restarted; the .sav file is used to restore the hive data.

The following table lists the standard hives and their supporting files.
Registry hiveSupporting files
HKEY_CURRENT_CONFIGSystem, System.alt, System.log, System.sav
HKEY_CURRENT_USERNtuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAMSam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\SecuritySecurity, Security.log, Security.sav
HKEY_LOCAL_MACHINE\SoftwareSoftware, Software.log, Software.sav
HKEY_LOCAL_MACHINE\SystemSystem, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULTDefault, Default.log, Default.sav
The Microsoft Computer Dictionary, Fifth Edition, defines the registry as:
A central hierarchical database used in Microsoft Windows 98, Windows CE, Windows NT, and Windows 2000 used to store information that is necessary to configure the system for one or more users, applications and hardware devices.

The Registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system, and the ports that are being used.

The Registry replaces most of the text-based .ini files that are used in Windows 3.x and MS-DOS configuration files, such as the Autoexec.bat and Config.sys. Although the Registry is common to several Windows operating systems, there are some differences among them.
A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files that contain backups of its data. The supporting files for all hives except HKEY_CURRENT_USER are in the %SystemRoot%\System32\Config folder on Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The supporting files for HKEY_CURRENT_USER are in the %SystemRoot%\Profiles\Username folder. The file name extensions of the files in these folders indicate the type of data that they contain. Also, the lack of an extension may sometimes indicate the type of data that they contain.
Registry hiveSupporting files
HKEY_LOCAL_MACHINE\SAMSam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\SecuritySecurity, Security.log, Security.sav
HKEY_LOCAL_MACHINE\SoftwareSoftware, Software.log, Software.sav
HKEY_LOCAL_MACHINE\SystemSystem, System.alt, System.log, System.sav
HKEY_CURRENT_CONFIGSystem, System.alt, System.log, System.sav, Ntuser.dat, Ntuser.dat.log
HKEY_USERS\DEFAULTDefault, Default.log, Default.sav


In Windows 98, the registry files are named User.dat and System.dat. In Windows Millennium Edition, the registry files are named Classes.dat, User.dat, and System.dat.

Note Security features in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista let an administrator control access to registry keys.

The following table lists the predefined keys that are used by the system. The maximum size of a key name is 255 characters.
Folder/predefined keyDescription
HKEY_CURRENT_USERContains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored here. This information is associated with the user's profile. This key is sometimes abbreviated as "HKCU."
HKEY_USERSContains all the actively loaded user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS. HKEY_USERS is sometimes abbreviated as "HKU."
HKEY_LOCAL_MACHINEContains configuration information particular to the computer (for any user). This key is sometimes abbreviated as "HKLM."
HKEY_CLASSES_ROOTIs a subkey of HKEY_LOCAL_MACHINE\Software. The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer. This key is sometimes abbreviated as "HKCR." Starting with Windows 2000, this information is stored under both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys. The HKEY_LOCAL_MACHINE\Software\Classes key contains default settings that can apply to all users on the local computer. The HKEY_CURRENT_USER\Software\Classes key contains settings that override the default settings and apply only to the interactive user. The HKEY_CLASSES_ROOT key provides a view of the registry that merges the information from these two sources. HKEY_CLASSES_ROOT also provides this merged view for programs that are designed for earlier versions of Windows. To change the settings for the interactive user, changes must be made under HKEY_CURRENT_USER\Software\Classes instead of under HKEY_CLASSES_ROOT. To change the default settings, changes must be made under HKEY_LOCAL_MACHINE\Software\Classes. If you write keys to a key under HKEY_CLASSES_ROOT, the system stores the information under HKEY_LOCAL_MACHINE\Software\Classes. If you write values to a key under HKEY_CLASSES_ROOT, and the key already exists under HKEY_CURRENT_USER\Software\Classes, the system will store the information there instead of under HKEY_LOCAL_MACHINE\Software\Classes.
HKEY_CURRENT_CONFIGContains information about the hardware profile that is used by the local computer at system startup.
Note The registry in 64-bit versions of Windows XP, Windows Server 2003, and Windows Vista is divided into 32-bit and 64-bit keys. Many of the 32-bit keys have the same names as their 64-bit counterparts, and vice versa. The default 64-bit version of Registry Editor that is included with 64-bit versions of Windows XP, Windows Server 2003, and Windows Vista displays the 32-bit keys under the following node:
HKEY_LOCAL_MACHINE\Software\WOW6432Node
For more information about how to view the registry on 64-Bit versions of Windows, click the following article number to view the article in the Microsoft Knowledge Base:
305097  How to view the system registry by using 64-bit versions of Windows

The following table lists the data types that are currently defined and that are used by Windows. The maximum size of a value name is as follows:
  • Windows Server 2003, Windows XP, and Windows Vista: 16,383 characters
  • Windows 2000: 260 ANSI characters or 16,383 Unicode characters
  • Windows Millennium Edition/Windows 98/Windows 95: 255 characters
Long values (more than 2,048 bytes) must be stored as files with the file names stored in the registry. This helps the registry perform efficiently. The maximum size of a value is as follows:
  • Windows NT 4.0/Windows 2000/Windows XP/Windows Server 2003/Windows Vista: Available memory
  • Windows Millennium Edition/Windows 98/Windows 95: 16,300 bytes
Note There is a 64K limit for the total size of all values of a key.
NameData typeDescription
Binary ValueREG_BINARYRaw binary data. Most hardware component information is stored as binary data and is displayed in Registry Editor in hexadecimal format.
DWORD ValueREG_DWORDData represented by a number that is 4 bytes long (a 32-bit integer). Many parameters for device drivers and services are this type and are displayed in Registry Editor in binary, hexadecimal, or decimal format. Related values are DWORD_LITTLE_ENDIAN (least significant byte is at the lowest address) and REG_DWORD_BIG_ENDIAN (least significant byte is at the highest address).
Expandable String ValueREG_EXPAND_SZA variable-length data string. This data type includes variables that are resolved when a program or service uses the data.
Multi-String ValueREG_MULTI_SZA multiple string. Values that contain lists or multiple values in a form that people can read are generally this type. Entries are separated by spaces, commas, or other marks.
String ValueREG_SZA fixed-length text string.
Binary ValueREG_RESOURCE_LISTA series of nested arrays that is designed to store a resource list that is used by a hardware device driver or one of the physical devices it controls. This data is detected and written in the \ResourceMap tree by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.
Binary ValueREG_RESOURCE_REQUIREMENTS_LISTA series of nested arrays that is designed to store a device driver's list of possible hardware resources the driver or one of the physical devices it controls can use. The system writes a subset of this list in the \ResourceMap tree. This data is detected by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.
Binary ValueREG_FULL_RESOURCE_DESCRIPTORA series of nested arrays that is designed to store a resource list that is used by a physical hardware device. This data is detected and written in the \HardwareDescription tree by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.
NoneREG_NONEData without any particular type. This data is written to the registry by the system or applications and is displayed in Registry Editor in hexadecimal format as a Binary Value
LinkREG_LINKA Unicode string naming a symbolic link.
QWORD ValueREG_QWORDData represented by a number that is a 64-bit integer. This data is displayed in Registry Editor as a Binary Value and was introduced in Windows 2000.


Comments

Popular posts from this blog

Boot configuration Data Store --BCDEdit /set

ADSI Edit

How to analyze SFC /scannow logs