
Windows Registry

The Registry has to be one of the least understood aspects of the Windows
operating system family. Even seasoned professionals approach it with a degree of
caution, knowing that a wrong entry can potentially wreak havoc on the system.
Description of the registry. Wean defines the registry as:
A central hierarchical database used in Microsoft Windows used to store information
that is necessary to configure the system for one or more users, applications and
hardware devices. The Registry contains information that Windows continually
references during operation, such as profiles for each user, the applications installed
on the computer and the types of documents that each can create, property sheet
settings for folders and application icons, what hardware exists on the system, and
the ports that are being used. The Registry replaces most of the text-based .ini files
that are used in Windows 3.x and MS-DOS configuration files, such as the
Autoexec.bat and Config.sys. Although the Registry is common to several Windows
operating systems, there are some differences among them.

Some History
The Registry was introduced as a way out of the “INI files mess” that plagued early
versions of Windows. Configuration information regarding the operating system,
application files, hardware, and so on was stored in INI files scattered all over the
system. For example, when an application is installed, it needs to know various
parameters regarding the operating system and the available hardware. Much of
this information is common to other applications as well. However, if there was any
change in the hardware or operating system software, updating the application’s INI
files used to be hell. The Registry was conceived as a way out of this madness. It is
a hierarchical database that stores information regarding the hardware, operating
system software, application software, user preferences and system preferences.
The hierarchy separates the machine information, user information and the
software information into logically discrete units that can be manipulated with
greater ease.

Any changes made by users, the operating system, newly installed software, and
hardware are all updated and reflected in the Registry. During system startup,
Windows uses the registry to get configuration data regarding the hardware,
software and other peripherals that have been configured. It also maintains a
backup copy of the registry with which the system had successfully started up last.
Hence, if it encounters a problem with the current startup, it can then use the
configuration information from the backup to attempt to start the system. Some of
the information stored in the registry is specific to the particular startup session
only, and is mostly user-specific.
This flexibility has deeper significance when considering a networked scenario.
Administrators can specify user rights and access to various system and network
components. They can control what users can and cannot do on their machines with
a fair degree of granular control. For example, administrators can specify that users
are not allowed to install new applications on their machines. A Registry entry
disabling the users’ right to install would secure the system. And a Registry entry
can be made to prevent unauthorized access to the Registry itself!

Physically, the Registry information in XP is stored in multiple files in the
\System32\Config folder of the operating system (or root) folder—usually
C:\Windows or C:\WINNT.

These files cannot be edited directly; they have to be accessed through a Registry-
editing program such as Regedit.exe or Regedt32.exe.

Registry Hives
A registry hive is a group of keys, subkeys, and values in the registry that has a set
of supporting files that contain backups of its data. The supporting files for all hives
except HKEY_CURRENT_USER are in the %SystemRoot%\System32\Config folder on
Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows
Vista. The supporting files for HKEY_CURRENT_USER are in the
%SystemRoot%\Profiles\Username folder. The file name extensions of the files in
these folders indicate the type of data that they contain. Also, the lack of an
extension may sometimes indicate the type of data that they contain.

Registry hive                 Supporting files

HKEY_LOCAL_MACHINE\SAM        Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security   Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software   Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System     System, System.alt, System.log, System.sav
HKEY_CURRENT_CONFIG           System, System.alt, System.log, System.sav, Ntuser.dat, Ntuser.dat.log
HKEY_USERS\DEFAULT            Default, Default.log, Default.sav

In Windows 98, the registry files are named User.dat and System.dat. In Windows Millennium Edition,
the registry files are named Classes.dat, User.dat, and System.dat.

The registry contains 6 main keys:


HKEY_CURRENT_USER

Contains the root of the configuration information for the user who is currently
logged on. The user's folders, screen colors, and Control Panel settings are stored
here. This information is associated with the user's profile. This key is sometimes
abbreviated as "HKCU."

HKEY_USERS

Contains all the actively loaded user profiles on the computer.
HKEY_CURRENT_USER is a subkey of HKEY_USERS. HKEY_USERS is sometimes
abbreviated as "HKU."

HKEY_LOCAL_MACHINE

Contains configuration information particular to the computer (for any user). This
key is sometimes abbreviated as "HKLM."

HKEY_CLASSES_ROOT

Is a subkey of HKEY_LOCAL_MACHINE\Software. The information that is stored here
makes sure that the correct program opens when you open a file by using Windows
Explorer. This key is sometimes abbreviated as "HKCR."

HKEY_CURRENT_CONFIG

Contains information about the hardware profile that is used by the local computer
at system startup.

HKEY_DYN_DATA

Contains real-time performance statistics on the computer's hardware.

Structure
The registry is made up of "Keys". Each key is like the branch of a tree. Each key
has one parent key, and zero or more child keys. Each key can contain zero or more
"Values", each of which contains a single piece of data. To make navigating the
registry a bit easier, you can think of the registry's construction like your hard
drives.
Hard drive <-> Registry
Folders <-> Keys
Files <-> Values

The Registry Editor View


REGEDIT

Regedit is a program you can use to access and edit the Registry. It normally ships
with the default Windows installation and can be launched from the Run command
box in the Start Menu by typing in “regedit” or “regedit.exe”. Editing the Registry
should be done with care, and with as much understanding as possible as to why
and where you are making a change. Additionally, it is strongly recommended that
you back up the Registry immediately prior to making a change. You also need to
understand how to restore the Registry in case things go awry. The following
sections deal with how to back up and restore the Registry.

Value Types
As mentioned above, each of these hives contains keys and subkeys, which in turn
can contain further sub-keys or values. These values are of three major types:
DWORD, Binary and String.

REG_DWORD - (a DWORD Value) is usually used for Boolean values and is a
four-byte number. Many device drivers and services use DWORD values to toggle
between options. For example, the UpdateMode setting that controls refresh rates
can have a setting of either 0 (disabled) or 1 (enabled). If the DWORD value is
set to 0, refreshing does not take place. Each setting has a specific default
DWORD value that is used by the system.

REG_BINARY - (a Binary Value) is used to store information as raw binary data, and
is usually used for hardware components. The String Value type, however, has
expansions to accommodate variables and multiple values. The Value types are
denoted as:

REG_SZ - is the standard string used to display human-readable text.


REG_EXPAND_SZ - is an expandable data string that permits storing of variables that
can be replaced by actual values by the application calling the key. For example, an
application may refer to a particular key in a hive to obtain the location of a system
file. The key would contain a setting for that system file, and a string value which is,
say, %systemroot%\filename. The %systemroot% will be replaced by the location of the
XP operating system folder, which on most machines will be C:\Windows or
C:\WINNT.

REG_MULTI_SZ - is used to store lists or multiple values, each entry being
separated by a NULL character. This is analogous to arrays in programming. For
example, a Registry entry could be created to store the IP addresses of multiple
timeservers. An application program would then refer to this Registry entry and
cycle through the list of IP addresses.
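The value types described above, as an added example that is not part of the original page: a decoder for the raw bytes of a value as read from an offline hive or a forensic tool. The function names and sample values are hypothetical, and the code assumes string data is stored as UTF-16LE, as on NT-family systems.

```python
import re
import struct

# Type codes from the Windows SDK headers (winnt.h).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7


def _text(raw):
    """Decode UTF-16LE string data, tolerating a stray trailing byte."""
    return raw[: len(raw) & ~1].decode("utf-16-le", errors="replace")


def expand(text, env):
    """Replace %NAME% references case-insensitively; unknown names are kept."""
    lookup = {name.lower(): value for name, value in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), text)


def decode_value(reg_type, raw, env=None):
    """Decode the raw bytes of one registry value according to its type."""
    if reg_type == REG_DWORD:
        if len(raw) != 4:
            raise ValueError("REG_DWORD data must be exactly four bytes")
        return struct.unpack("<I", raw)[0]       # little-endian, unsigned
    if reg_type == REG_BINARY:
        return bytes(raw)
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        # The terminating NUL is not guaranteed to be stored, so cut at the
        # first NUL if there is one instead of assuming it is present.
        text = _text(raw).split("\0", 1)[0]
        return expand(text, env or {}) if reg_type == REG_EXPAND_SZ else text
    if reg_type == REG_MULTI_SZ:
        items = []
        for item in _text(raw).split("\0"):
            if item == "":                       # an empty string ends the list
                break
            items.append(item)
        return items
    raise ValueError(f"unsupported registry type {reg_type}")


# Constructed sample data (not taken from a real system).
SAMPLES = [
    ("UpdateMode", REG_DWORD, b"\x01\x00\x00\x00"),
    ("SystemFile", REG_EXPAND_SZ, "%systemroot%\\filename\x00".encode("utf-16-le")),
    ("TimeServers", REG_MULTI_SZ,
     "192.0.2.10\x00192.0.2.11\x00\x00".encode("utf-16-le")),
    ("NoTerminator", REG_SZ, "plain text".encode("utf-16-le")),
]


def decode_samples(env):
    """Decode every constructed sample and return {value name: decoded data}."""
    return {name: decode_value(kind, raw, env) for name, kind, raw in SAMPLES}


if __name__ == "__main__":
    for name, value in decode_samples({"SystemRoot": r"C:\Windows"}).items():
        print(f"{name}: {value!r}")
```
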

Backup And Restore

There are two things you can do in terms of backing up the Registry: either back up
the entire Registry, or export the specific key you are going to edit. To export a
Registry key, open Regedit using the Run command box. Find the key or sub-key you
want to edit and select it by clicking on it. Choose File > Export. In the dialog
box, select the location where you want to save the key,
select to save it as a .reg file, and select the “Selected Branch” option. Give a name
for the file and click Save. It will be saved as a .reg file. If you want to back up the
entire Registry, use the backup utility provided with XP.

Open the backup software from All Programs > Accessories > System Tools > Backup.
Select the checkbox that says “System State Data”. This will back up the registry,
boot files, and the COM+ class registration database. At any later point, you can
either restore the individual key you exported using the method above, or the
entire system state. Restoring the individual key is a simple double-click on the
.reg file you saved.

To restore the system state, open the Backup utility, click Advanced Mode and
select the Restore and Manage Media tab. Select the backed up system state file
you want to restore. Check the System State box. In the “Restore Files to” box,
select Original Location. In the Tools menu, select Options, and click on “Always
replace the file on my computer”, then on OK. (If you don’t do this, you will be
asked for a confirmation for each and every file during the restore process.) Click
“Start Restore”. You will get a warning that says: “Restoring System State will
always overwrite current System State unless restoring to an alternative location”;
click OK to overwrite. Click OK in the Confirm Restore dialog box. The
restore operation will start showing you the progress of the restore. When it
completes, click Close and accept the prompt to restart the computer.

Searching the Registry


You can search the Registry by choosing "Find" from the Edit menu, or pressing
Ctrl+F.

It is quite easy to search the Registry for items that might apply to a particular
aspect of Windows or your installed software that you want to change. However, it
can also be time-consuming - especially if you have an older, slow computer. It can
be misleading as well, since you may not be sure what the references you find in
the Registry actually do, so be cautious.

In the "Find What" field, type in what you're looking for and, in the "Look At" section,
check off whether you want to search the Keys, Value Names, or Value Data, or any
combination of these. If it finds an instance, you may want to check to see if there
are any further references. Under the File menu, select Find Next, or just hit the F3
key.

Editing the Registry


Modifying the registry can potentially make Windows unbootable. Be careful!
Always make a backup of the registry before making changes.

To edit a registry value, first navigate the tree until the value is displayed. For
example, we have navigated to the registry value that controls the delay before a
menu pops up.
To edit a value, double click on its name. If you are following this example, go
ahead and change the MenuShowDelay value from 100 to 0. After making this
change, like most changes made in the registry, you will need to reboot. After
rebooting, all menus should pop up noticeably faster.

Removing Entries

• Navigate to the key or value that you wish to delete.
• Make sure the key or value is selected.
• Right-click on the name of the key or value, then select Delete. Or, press the
Delete key.

Adding to the Registry


• Navigate to the parent key where you wish to add a value.
• Right click on the key name, and open the "New" submenu. Choose the type
of data you wish to add.
• Enter the name of the value.
• Edit the value by double clicking on its name.
• It may be necessary to reboot to make the change take effect.

How to recover from a corrupted registry that prevents Windows XP from starting
When you try to start or restart your Windows XP-based computer, you may receive
one of the following error messages:

Windows XP could not start because the following file is missing or corrupt:
\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Windows XP could not start because the following file is missing or corrupt:
\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

Stop: c0000218 {Registry File Failure} The registry cannot load the hive (file):
\SystemRoot\System32\Config\SOFTWARE or its log or alternate

System error: Lsass.exe
When trying to update a password the return status indicates that the value
provided as the current password is not correct.

Part one
In part one, you start the Recovery Console, create a temporary folder, back up the
existing registry files to a new location, delete the registry files at their existing
location, and then copy the registry files from the repair folder to the
System32\Config folder. When you have finished this procedure, a registry is
created that you can use to start Windows XP. This registry was created and saved
during the initial setup of Windows XP. Therefore any changes and settings that
occurred after the Setup program was finished are lost.

To complete part one, follow these steps:

1. Insert the Windows XP startup disk into the floppy disk drive, or insert the
Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
Click to select any options that are required to start the computer from the
CD-ROM drive if you are prompted to do so.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery
Console.
3. If you have a dual-boot or multiple-boot computer, select the installation that
you want to access from the Recovery Console.
4. When you are prompted to do so, type the Administrator password. If the
administrator password is blank, just press ENTER.
5. At the Recovery Console command prompt, type the following lines, pressing
ENTER after you type each line:

md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak

delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default

6. Type exit to quit Recovery Console. Your computer will restart.

Note This procedure assumes that Windows XP is installed to the C:\Windows folder.
Make sure to change C:\Windows to the appropriate windows_folder if it is a
different location.

If you have access to another computer, to save time, you can copy the text in step
five, and then create a text file called "Regcopy1.txt" (for example). To use this file,
run the following command when you start in Recovery Console:

batch regcopy1.txt

With the batch command in Recovery Console, you can process all the commands in
a text file sequentially. When you use the batch command, you do not have to
manually type as many commands.

Part two
To complete the procedure described in this section, you must be logged on as an
administrator, or an administrative user (a user who has an account in the
Administrators group). If you are using Windows XP Home Edition, you can log on as
an administrative user. If you log on as an administrator, you must first start
Windows XP Home Edition in Safe mode. To start the Windows XP Home Edition
computer in Safe mode, follow these steps.
Note Print these instructions before you continue. You cannot view these
instructions after you restart the computer in Safe Mode. If you use the NTFS file
system, also print the instructions from Knowledge Base article KB309531. Step 7
contains a reference to the article.

1. Click Start, click Shut Down (or click Turn Off Computer), click Restart, and
then click OK (or click Restart).
2. Press the F8 key.
On a computer that is configured to start to multiple operating systems, you
can press F8 when you see the Startup menu.
3. Use the arrow keys to select the appropriate Safe mode option, and then
press ENTER.
4. If you have a dual-boot or multiple-boot system, use the arrow keys to select
the installation that you want to access, and then press ENTER.

In part two, you copy the registry files from their backed up location by using
System Restore. This folder is not available in Recovery Console and is generally not
visible during typical usage. Before you start this procedure, you must change
several settings to make the folder visible:

1. Start Windows Explorer.
2. On the Tools menu, click Folder options.
3. Click the View tab.
4. Under Hidden files and folders, click to select Show hidden files and folders,
and then click to clear the Hide protected operating system files
(Recommended) check box.
5. Click Yes when the dialog box that confirms that you want to display these
files appears.
6. Double-click the drive where you installed Windows XP to display a list of the
folders. It is important to click the correct drive.
7. Open the System Volume Information folder. This folder is unavailable and
appears dimmed because it is set as a super-hidden folder.

Note This folder contains one or more _restore {GUID} folders such as
"_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}".

8. Open a folder that was not created at the current time. You may have to click
Details on the View menu to see when these folders were created. There may
be one or more folders starting with "RPx" under this folder. These are restore
points.
9. Open one of these folders to locate a Snapshot subfolder. The following path
is an example of a folder path to the Snapshot folder:

C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot

10. From the Snapshot folder, copy the following files to the C:\Windows\Tmp
folder:
o _REGISTRY_USER_.DEFAULT
o _REGISTRY_MACHINE_SECURITY
o _REGISTRY_MACHINE_SOFTWARE
o _REGISTRY_MACHINE_SYSTEM
o _REGISTRY_MACHINE_SAM
11. Rename the files in the C:\Windows\Tmp folder as follows:
o Rename _REGISTRY_USER_.DEFAULT to DEFAULT
o Rename _REGISTRY_MACHINE_SECURITY to SECURITY
o Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
o Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
o Rename _REGISTRY_MACHINE_SAM to SAM

These files are the backed up registry files from System Restore. Because you used
the registry file that the Setup program created, this registry does not know that
these restore points exist and are available. A new folder is created with a new GUID
under System Volume Information and a restore point is created that includes a
copy of the registry files that were copied during part one. Therefore, it is important
not to use the most current folder, especially if the time stamp on the folder is the
same as the current time.

The current system configuration is not aware of the previous restore points. You
must have a previous copy of the registry from a previous restore point to make the
previous restore points available again.

The registry files that were copied to the Tmp folder in the C:\Windows folder are
moved to make sure that the files are available under Recovery Console. You must
use these files to replace the registry files currently in the
C:\Windows\System32\Config folder. By default, Recovery Console has limited folder
access and cannot copy files from the System Volume folder.
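A sanity check that can be run on the renamed files in C:\Windows\Tmp before they replace the live hives in part three, given as an added example that is not part of the original page or of Microsoft's procedure. The function names are hypothetical, and the base-block layout used (the "regf" signature, two sequence numbers, an XOR checksum at offset 508, "hbin" at offset 4096) is an assumption taken from public descriptions of the hive file format, not from this page; the sample hive is constructed.

```python
import struct
import sys

BASE_BLOCK = 4096      # size of the header block at the start of a hive file
CHECKSUM_OFFSET = 508  # 32-bit checksum over the 508 bytes that precede it


def header_checksum(data):
    """XOR the first 127 little-endian 32-bit words of the base block."""
    value = 0
    for (word,) in struct.iter_unpack("<I", data[:CHECKSUM_OFFSET]):
        value ^= word
    # Two results are reserved and remapped by the format.
    if value == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return value or 1


def check_hive(data):
    """Return a list of problems found in a hive image (empty list = passes)."""
    if len(data) < BASE_BLOCK:
        return ["file is shorter than the 4096-byte base block"]
    problems = []
    if data[:4] != b"regf":
        problems.append("missing 'regf' signature")
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    if seq1 != seq2:
        problems.append("sequence numbers differ: the last write did not complete")
    (stored,) = struct.unpack_from("<I", data, CHECKSUM_OFFSET)
    if stored != header_checksum(data):
        problems.append("base block checksum mismatch")
    (bins_size,) = struct.unpack_from("<I", data, 0x28)
    if BASE_BLOCK + bins_size > len(data):
        problems.append("file is truncated: hive bins extend past end of file")
    elif data[BASE_BLOCK:BASE_BLOCK + 4] != b"hbin":
        problems.append("first hive bin lacks the 'hbin' signature")
    return problems


def make_sample_hive():
    """Build a minimal, constructed hive image for demonstration only."""
    image = bytearray(BASE_BLOCK * 2)
    image[0:4] = b"regf"
    struct.pack_into("<II", image, 4, 7, 7)                 # matching sequence numbers
    struct.pack_into("<II", image, 0x14, 1, 3)              # format version 1.3
    struct.pack_into("<II", image, 0x24, 0x20, BASE_BLOCK)  # root cell offset, bins size
    image[BASE_BLOCK:BASE_BLOCK + 4] = b"hbin"
    struct.pack_into("<I", image, CHECKSUM_OFFSET, header_checksum(image))
    return bytes(image)


if __name__ == "__main__":
    # Usage: python check_hive.py C:\Windows\Tmp\SYSTEM C:\Windows\Tmp\SOFTWARE ...
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            found = check_hive(handle.read())
        print(path, "OK" if not found else "; ".join(found))
```

A file that fails these checks is not a usable replacement; pick the same file from a different restore point folder instead.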

Part Three
In part three, you delete the existing registry files, and then copy the System
Restore Registry files to the C:\Windows\System32\Config folder:

1. Start Recovery Console.
2. At the command prompt, type the following lines, pressing ENTER after you
type each line:

del c:\windows\system32\config\sam
del c:\windows\system32\config\security
del c:\windows\system32\config\software
del c:\windows\system32\config\default
del c:\windows\system32\config\system

copy c:\windows\tmp\software c:\windows\system32\config\software
copy c:\windows\tmp\system c:\windows\system32\config\system
copy c:\windows\tmp\sam c:\windows\system32\config\sam
copy c:\windows\tmp\security c:\windows\system32\config\security
copy c:\windows\tmp\default c:\windows\system32\config\default

Note Some of these command lines may be wrapped for readability.

3. Type exit to quit Recovery Console. Your computer restarts.

Note This procedure assumes that Windows XP is installed to the C:\Windows folder.
Make sure to change C:\Windows to the appropriate windows_folder if it is a
different location.

If you have access to another computer, to save time, you can copy the text in step
two, and then create a text file called "Regcopy2.txt" (for example). To use this file,
run the following command when you start in Recovery Console:
batch regcopy2.txt

Part Four

1. Click Start, and then click All Programs.
2. Click Accessories, and then click System Tools.
3. Click System Restore, and then click Restore to a previous RestorePoint.

How to gain access to the System Volume Information folder

To gain access to the System Volume Information folder, use the steps in the
appropriate section.

Microsoft Windows XP Professional or Windows XP Home Edition Using the FAT32 File
System

1. Click Start, and then click My Computer.
2. On the Tools menu, click Folder Options.
3. On the View tab, click Show hidden files and folders.
4. Clear the Hide protected operating system files (Recommended) check box.
Click Yes when you are prompted to confirm the change.
5. Click OK.
6. Double-click the System Volume Information folder in the root folder to open
it.

Windows XP Professional using the NTFS File System on a Workgroup or Standalone
Computer

1. Click Start, and then click My Computer.
2. On the Tools menu, click Folder Options.
3. On the View tab, click Show hidden files and folders.
4. Clear the Hide protected operating system files (Recommended) check box.
Click Yes when you are prompted to confirm the change.
5. Clear the Use simple file sharing (Recommended) check box.
6. Click OK.
7. Right-click the System Volume Information folder in the root folder, and then
click Properties.
8. Click the Security tab.
9. Click Add, and then type the name of the user to whom you want to give
access to the folder. Typically, this is the account with which you are logged
on. Click OK, and then click OK again.

Double-click the System Volume Information folder in the root folder to open it.

Using CACLS with Windows XP Home Edition Using the NTFS File System
In Windows XP Home Edition with the NTFS file system, you can also use the Cacls
tool, which is a command-line tool, to display or modify file or folder access control
lists (ACLs). For more information about the Cacls tool, including usage and
switches, search the Help and Support Center for "cacls."

1. Click Start, click Run, type cmd, and then click OK.
2. Make sure that you are in the root folder of the partition for which you want
to gain access to the System Volume Information folder. For example, to gain
access to the C:\System Volume Information folder, make sure that you are in
the root folder of drive C (at a "C:\" prompt).
3. Type the following line, and then press ENTER:

cacls "driveletter:\System Volume Information" /E /G username:F

Make sure to type the quotation marks as indicated. This command adds the
specified user to the folder with Full Control permissions.

4. Double-click the System Volume Information folder in the root folder to open
it.
5. If you need to remove the permissions after troubleshooting, type the
following line at a command prompt:
cacls "driveletter:\System Volume Information" /E /R username

This command removes all permissions for the specified user.

The following steps also work if you restart the computer to Safe mode because
simple file sharing is automatically turned off when you run the computer in Safe
mode.

1. Open My Computer, right-click the System Volume Information folder, and
then click Properties.
2. Click the Security tab.
3. Click Add, and then type the name of the user to whom you want to give
access to the folder. Typically, this is the account with which you are logged
on.
4. Click OK, and then click OK again.
5. Double-click the System Volume Information folder to open it.
