Inside the Windows NT Registry

Tour the Registry and find out how it organizes data, and check out a few handy Registry settings.

Mark Russinovich

March 31, 1997


Uncover its usefulness

One of the most mysterious parts of Windows NT is the Registry. Often, even experienced NT users and administrators have only a vague notion of what it stores and how it organizes data. That users must view the Registry's contents through the Registry editors supplied with NT (Regedt32 and Regedit) does not make the Registry any less mysterious. The Registry is large, and its organization often seems to verge on the haphazard.

Knowing where the Registry displays different types of information makes the Registry less intimidating. Let's start with an overview of its structure and then look at the specific values each of its major data branches contains. (I won't talk about just documented or undocumented keys, or describe only data that you can't access from system administration utilities, because such restrictions lead to notions that the Registry is somehow more mysterious than it really is.) I'll conclude with a brief section that provides some useful Registry settings. For information about NT's Registry editors and how to back up the Registry, see Christa Anderson, "Care and Feeding of the Registry," December 1996.

The Registry's Structure
This section introduces the Registry, so if you're already familiar with the Registry, skip ahead to the next section. Because the Registry is a database, its structure is much like that of a logical disk volume. The Registry contains keys, which are similar to a disk's directories, and values, which compare to files on a disk. A key is a container that can consist of other keys (subkeys) or values. Values, on the other hand, store data. Top-level keys are root keys. Throughout the article, I'll use subkey and key interchangeably (only the root keys are not subkeys).

Both keys and values borrow their naming convention from the file system. Thus, you can uniquely identify a value with the name mark, which is stored in a key called trade, with the name trade\mark. One exception to this naming scheme is each key's unnamed value. Regedit displays the unnamed value as Default; Regedt32 uses .

Values store different kinds of data and can be one of the 11 types listed in Table 1. The majority of Registry values are either REG_DWORD, REG_BINARY, or REG_SZ. Values of type REG_DWORD can store numbers or Booleans (on/off values); REG_BINARY values can store numbers larger than 32 bits, or raw data such as encrypted passwords; REG_SZ values store strings (Unicode, of course) that can represent names, filenames, paths, and types.

The REG_LINK type is particularly interesting because it lets a value transparently point at another key or value. When you traverse the Registry through a link, the path searching continues at the target of the link. For example, if Root1\Link has a REG_LINK value of Root2\RegKey and RegKey contains the value RegValue, two paths identify RegValue: Root1\Link\RegValue and Root2\RegKey\RegValue. NT prominently uses Registry links: Three of the six Registry root keys, listed in Table 2, are links to subkeys within the three non-link root keys.

Registry Root Keys
You can chart the organization of the Registry via the data stored within it. The six root keys divide the Registry data into categories. (You cannot add new root keys or delete existing ones.) Data associated with the currently logged-on user (HKEY_CURRENT_USER), information about all the accounts on the machine (HKEY_USERS), file association and Object Linking and Embedding (OLE) registration information (HKEY_CLASSES_ROOT), system-related information (HKEY_LOCAL_MACHINE), performance data (HKEY_DYN_DATA), and some information about the current hardware profile (HKEY_CURRENT_CONFIG) comprise the six data categories.

Why do root key names begin with an H? The root key names represent Win32 handles (H) to keys (KEY). Throughout the rest of the article, I'll abbreviate the root key names. For example, HKLM represents HKEY_LOCAL_MACHINE. Table 3 lists the root key names and corresponding abbreviations.

HKEY_CURRENT_USER
The HKCU root key contains data regarding the preferences and software configuration of the locally logged-on user. Within HKCU, you find the 10 subkeys shown in Table 4. Whenever a user logs on, HKCU is created as a link to the user's key under HKEY_USERS.

HKCU\AppEvents contains two subkeys: EventLabels, where you find event names (e.g., mail arrival, window minimize), and Schemes, where you find sound and event associations. Under Schemes\Apps you find groups of event keys whose values can point at wave files. You can easily change these settings via the Control Panel Sounds applet.

HKCU\Console contains a subkey for each Command Prompt shortcut in the user's account. Under these subkeys, you find all the properties (e.g., foreground and background text colors, window size, edit mode) for the command window that's created when you execute a particular shortcut. You can access all these values through the Properties menu item on the individual command prompt windows.

HKCU\Control Panel contains GUI settings such as desktop and screen-saver parameters, cursor file associations, and window attributes such as colors and geometry settings. As the key's name suggests, you can edit most of these values through Control Panel applets; however, you must edit some values via a Registry editor. For example, to make the window focus follow the mouse, you must set the value of HKCU\Control Panel\Mouse\ActiveWindowTracking to 1 (and reboot for the change to take effect). To tell Windows how long (in milliseconds) to pause before it displays the cascading menus of the Start menu, you must edit HKCU\Control Panel\Desktop\MenuShowDelay.

You find environment variable definitions in HKCU\Environment. You can change these definitions with the Control Panel System applet under the Environment tab.

HKCU\Network and HKCU\Printers contain network drive-letter mapping information and printer connection data, respectively. You can set these values through Explorer, File Manager, and the Control Panel Printers applet.

The heftiest subkey under HKCU is Software. Most applications create subkeys under HKCU\Software that consist of the vendor's name (e.g., Microsoft) and contain subkeys for the vendor's applications (e.g., Windows NT). Subkeys and values within the application keys are where programs locate user-dependent information, such as most recently used (MRU) menu items, appearance characteristics, and usage preferences.

The HKCU\UNICODE Program Groups and HKCU\Windows 3.1 Migration Status subkeys contain upgrade information if you've upgraded the system from a previous version of NT or from Windows 3.x. NT 4.0 does not use the UNICODE Program Groups subkey, and the subkey doesn't contain any information if you've never installed a previous version of NT. Upgraded machines may display obsolete program group data under this subkey. The Windows 3.1 Migration Status subkey contains information about whether Windows 3.x .grp and .ini files have been converted to NT 4.0 format.

HKEY_USERS
HKU contains a subkey for each user who has a local account on the system, as I alluded to in the description of HKCU. The .DEFAULT subkey contains the HKCU settings that the system account uses. They are in effect when the logon box appears. The other user subkeys are named with the Security Identifier (SID) of the user's account that they serve.

HKEY_CLASSES_ROOT
The HKCR root key first appeared in the Windows 3.1 Registry; Microsoft migrated HKCR to the NT 4.0 Registry for compatibility purposes. HKCR consists of two types of information: file extension associations and OLE class registrations. A key exists for every registered filename extension. Most keys contain a REG_SZ value that points at another key in HKCR containing the association information for the class of files that extension represents. For example, if you install Microsoft Word, the .doc subkey has an unnamed value, "Word.Document.6". If you look at the Word.Document.6 subkey, you find an unnamed value that describes the file type (which Explorer's file-association window uses) and keys that associate that type of files to icons (DefaultIcon); other keys specify dynamic data exchange (DDE) commands created whenever you open, create, or print Word.Document.6 files. Keys without defined unnamed values have DDE command information stored in subkeys.

HKCR keys such as Word.Document.6 also contain OLE registration information. That way, OLE client applications can look up and establish communication with OLE server applications to support functionality such as inserting an Excel spreadsheet into a Word document. CLSID subkeys store registration numbers as very long representations of OLE registration identifiers.

HKEY_LOCAL_MACHINE
HKLM is the most interesting but often least understood root key of the Registry--HKLM contains an incredible amount of unrelated information grouped under five subkeys: HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM.

The HKLM\HARDWARE subkey maintains descriptions of the system's hardware and all hardware device-to-driver mappings. NTDETECT on x86 machines, or ARC firmware on RISC machines, collects information on the system's hardware characteristics as the machine boots. NTDETECT or ARC passes this information on to NT once NT's image has been started. NT then stores this information in the HKLM\HARDWARE\DESCRIPTION subkey. As device drivers start up and claim devices, they inform NT so that it can associate devices with the drivers that control them. NT places this mapping data in the HKLM\HARDWARE\DEVICEMAP subkey. Serving a similar purpose, HKLM\HARDWARE\OWNERMAP associates the system's buses (e.g., PCI and ISA) to drivers that control them. Finally, device drivers inform NT of system resources that they claim for their devices. Such resources include port addresses, physical memory ranges, and interrupt numbers. NT keeps track of this information in the HKLM\HARDWARE\RESOURCEMAP subkey to prevent conflicts. Windows NT Diagnostics (Winmsdp.exe) lets you view Registry hardware information that it obtains by simply reading values out of the HARDWARE key.

HKLM\SAM holds local and domain account information, such as user passwords, group definitions, and domain associations. By default, this key is unreadable by even the system administrator account. Looking inside HKLM\SAM is not very revealing because the data is undocumented and the passwords are encrypted with a one-way mapping (i.e., you cannot determine a password from its encrypted form).

HKLM\SECURITY stores user and group policies. Examples of policies include whether a particular user is allowed to reboot the machine, load device drivers, back up files, or access the system remotely. SECURITY's information is also encrypted. HKLM\SAM is linked into the SECURITY subkey under HKLM\SECURITY\SAM.

Like HKCU\Software, applications use HKLM\SOFTWARE to store private settings. HKLM\SOFTWARE uses the same naming convention I described for HKCU\Software, but the type of data stored is usually different. Because the HKLM root key is the same for all users who log on, it serves as a repository for system-wide program settings. The information usually includes paths to application files and directories, and licensing and expiration date information.

One particularly interesting subkey is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion. Here you can find the NT build number, whether the version is uniprocessor or multiprocessor, and the system root directory path. If you installed a service pack, its name appears in CSDVersion. CurrentVersion has a useful subkey: Winlogon. By modifying entries in Winlogon (I'll describe how to modify entries at the end of the article), you can set up the system to automatically log on a user whenever the system boots.

Another HKLM\SOFTWARE subkey is Windows\CurrentVersion. This key is a Windows 95-compatibility key that contains system software parameters. For example, the Explorer key includes information about desktop name-space extensions such as Network Neighborhood and My Computer. Applications put pointers to their uninstall programs in the Uninstall key. And AppPaths is where NT stores the paths of applications it knows about. Executing an AppPaths program from the Start menu's Run dialog box launches the program by looking at its hard-wired location.

NT's command central is under HKLM\SYSTEM. NT Setup creates the HKLM\SYSTEM\Setup subkey, which points subsequent invocations of Setup at the System's root partition. NT uses the Setup\SystemSetupInProgress value to determine whether to be in Setup or regular operation mode.

Another subkey under HKLM\SYSTEM is DISK. It is present on only systems that have run NT's Disk Administrator program. HKLM\SYSTEM\DISK is where Disk Administrator stores information about drive letter mappings, volume sets, mirrored volumes, and striped sets.

HKLM\SYSTEM also contains two or more subkeys with the prefix ControlSet and another subkey called CurrentControlSet. NT links CurrentControlSet to the ControlSet subkey that corresponds to the profile the system used in the boot of the current session. The other ControlSet subkeys represent configurations such as Last Known Good Configuration, a copy of the last profile the system successfully booted with. You can look at the value Current under HKLM\SYSTEM\Select to find out which ControlSet subkey CurrentControlSet maps to. Other values under Select point at control sets associated with Last Known Good Configuration, and the control set that last resulted in a failed boot attempt.
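The link behaviour described here and in the earlier REG_LINK paragraph, modelled as an added example (not code from the article or from NT): a toy in-memory tree whose resolver follows links the way path traversal is described, including HKCC chaining through CurrentControlSet. The SID, the stored data, the Select value names other than Current, and all function names are assumptions made for the illustration.

```python
class Link(str):
    """Stands in for a REG_LINK value; the string is the target key's full path."""

# Constructed toy Registry: dicts are keys, Link objects are links, other leaves
# are values. The SID and all data are invented; names are case-sensitive here,
# unlike the real Registry.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
REGISTRY = {
    "HKLM": {"SYSTEM": {
        "Select": {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2},
        "ControlSet001": {
            "Control": {"CrashControl": {"AutoReboot": 1}},
            "Hardware Profiles": {"Current": {"Name": "Docked"}},
        },
        "ControlSet002": {
            "Control": {"CrashControl": {"AutoReboot": 0}},
            "Hardware Profiles": {"Current": {"Name": "Original"}},
        },
    }},
    "HKU": {SID: {"Environment": {"TEMP": "C:\\TEMP"}}},
}

def control_set_name(select, which="Current"):
    """Map a value under Select (e.g. Current = 1) to its ControlSetNNN key name."""
    return "ControlSet%03d" % select[which]

def add_links(reg, logged_on_sid):
    """Create the links the article describes: CurrentControlSet, HKCU and HKCC."""
    system = reg["HKLM"]["SYSTEM"]
    system["CurrentControlSet"] = Link(
        "HKLM\\SYSTEM\\" + control_set_name(system["Select"]))
    reg["HKCU"] = Link("HKU\\" + logged_on_sid)
    reg["HKCC"] = Link("HKLM\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current")
    return reg

def resolve(reg, path, max_hops=8):
    """Return (link-free path, node) for a backslash-separated path."""
    parts, node, walked = path.split("\\"), reg, []
    while parts:
        name = parts.pop(0)
        node = node[name]            # KeyError if the key or value does not exist
        walked.append(name)
        if isinstance(node, Link):   # the search continues at the link's target
            if max_hops == 0:
                raise RuntimeError("link loop at " + "\\".join(walked))
            max_hops -= 1
            parts = node.split("\\") + parts
            node, walked = reg, []
    return "\\".join(walked), node

REG = add_links(REGISTRY, SID)

if __name__ == "__main__":
    for p in ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl\\AutoReboot",
              "HKCU\\Environment\\TEMP", "HKCC\\Name"):
        print(p, "->", resolve(REG, p))
```

The same lookup matters when a SYSTEM hive file is examined offline: the CurrentControlSet link exists only on a running system, so the active control set has to be derived from Select\Current first.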

Within HKLM\SYSTEM\CurrentControlSet are the four subkeys listed in Table 5. NT keeps its static configuration information in the Control subkey, which contains about 30 different subkeys of its own. One of Control's noteworthy subkeys is ComputerName, which displays the system's name under ActiveComputerName. Control\CrashControl is a handy subkey for device driver developers and systems administrators. It contains values that give NT directions for what to do when the machine goes down, including whether to produce a crash dump and whether to immediately reboot.

Control\hivelist contains the paths to files where NT stores Registry information. Control\hivelist values point at the files for HKLM\SAM, HKLM\SECURITY, HKLM\SOFTWARE, HKLM\SYSTEM, HKU\.DEFAULT, and individual user accounts.

Control\ProductOptions deserves mention: It's the subkey that contains the ProductType value, which identifies whether the system is a workstation ("WinNT") or a server ("ServerNT"). Microsoft applications check the ProductType value and adjust their behavior according to its setting (for more information about this Registry value, see "Inside the Difference Between Windows NT Workstation and Windows NT Server," November 1996).

Control\Session Manager contains a variety of interesting parameters. Values for this key include BootExecute, which can point at a program that will automatically execute early in the system boot, and LicensedProcessors, which is the number of processors that the system's license supports (two for NT Workstation and four for NT Server). NT uses only the number of licensed processors, even if the system has more.

The Control\Session Manager\Environment subkey contains system-level environment variables. The Control\Session Manager\SubSystems subkey keeps pointers to the files that the NT environment subsystems (Win32, WOW, OS/2, and Posix) use.

Control\Session Manager's Executive and Memory Management subkeys contain values for advanced system tuning. For instance, Executive holds values that can direct NT to create additional operating system worker threads. Another value stored there, PriorityQuantumMatrix, has an enticing name that implies the ability to fine-tune NT's scheduling algorithm, but the value actually stores encrypted NT beta and release candidate expiration dates. Memory Management holds memory subsystem tuning parameters. One setting, PagingFiles, directs the system to the location of the paging files; you can use other settings to override internal defaults that specify the amounts of memory set aside for various internal operations.

The final key I'll mention under HKLM\SYSTEM\CurrentControlSet\Control is WOW. It contains entries related to the execution of command windows, including the path to the command window executable, ntvdm.exe, in the cmdline value.

HKLM\SYSTEM\CurrentControlSet\Services is the control center for NT OS's dynamically added parts: Win32 services and kernel-mode device drivers. Every service and device driver that NT ships with support for and any service or driver that you install later has a key under Services. A Services subkey typically contains several values from the list shown in Table 6. A few Services subkeys allow a driver or service to control when it will be loaded in the NT boot sequence. The required Start value is the primary order controller. NT loads services and drivers in three phases, each of which corresponds to a particular Start definition. The first phase, Boot, occurs just after NTOSKRNL starts. At this time, the system loads only those drivers essential to NT's boot. The second phase, System, is when the system loads the majority of device drivers. The system is still in its text mode (blue screen) during this phase. The system initiates the third phase, Auto, about the time the Win32 subsystem starts. You can identify approximately when the Win32 services start by the appearance of the system logon dialog box.

Developers use other Services subkey values (Group, Tag, DependOnService, DependOnGroup) to fine-tune the start location of a driver or service within a boot phase. They need these values when dependencies exist between drivers or services.
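To make the Start phases and DependOnService concrete, here is an added example (not from the article or from NT) that inventories a set of Services subkeys by phase, derives one start order for the Auto phase that puts dependencies first, and reports dependencies that can never start. The service entries are constructed, ExampleAgent and NoSuchSvc are hypothetical names, and the numeric Start values 0 to 4 are the standard ones rather than values quoted on this page.

```python
# Standard meanings of the Start value in a Services subkey.
START_PHASES = {0: "Boot", 1: "System", 2: "Auto", 3: "Manual", 4: "Disabled"}

# Constructed sample of Services subkeys (only the values this example needs).
SERVICES = {
    "Atdisk":            {"Start": 0, "Group": "Primary disk"},
    "Busmouse":          {"Start": 1, "Group": "Pointer Port"},
    "LanmanWorkstation": {"Start": 2},
    "LanmanServer":      {"Start": 2},
    "Browser":           {"Start": 2,
                          "DependOnService": ["LanmanWorkstation", "LanmanServer"]},
    "NetDDE":            {"Start": 3},
    "ClipBook":          {"Start": 3, "DependOnService": ["NetDDE"]},
    "Messenger":         {"Start": 4},
    "ExampleAgent":      {"Start": 2,          # hypothetical third-party service
                          "DependOnService": ["Messenger", "NoSuchSvc"]},
}

def by_phase(services):
    """Group service names by the phase their Start value selects."""
    phases = {label: [] for label in START_PHASES.values()}
    for name in sorted(services):
        phases[START_PHASES[services[name]["Start"]]].append(name)
    return phases

def start_order(services, start=2):
    """One order for services with this Start value that honours DependOnService.

    This models the constraint only; it is not the system's own algorithm.
    """
    order, seen = [], set()

    def visit(name, trail=()):
        if name in trail:
            raise ValueError("dependency cycle: " + " -> ".join(trail + (name,)))
        if name in seen or services.get(name, {}).get("Start") != start:
            return
        seen.add(name)
        for dep in sorted(services[name].get("DependOnService", [])):
            visit(dep, trail + (name,))
        order.append(name)           # appended only after all its dependencies

    for name in sorted(services):
        visit(name)
    return order

def dependency_problems(services):
    """List (service, dependency, reason) where a dependency cannot be started."""
    problems = []
    for name in sorted(services):
        if services[name]["Start"] == 4:
            continue                 # a disabled service never starts anyway
        for dep in sorted(services[name].get("DependOnService", [])):
            if dep not in services:
                problems.append((name, dep, "missing"))
            elif services[dep]["Start"] == 4:
                problems.append((name, dep, "disabled"))
    return problems

if __name__ == "__main__":
    print(by_phase(SERVICES))
    print(start_order(SERVICES))
    print(dependency_problems(SERVICES))
```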

Drivers and services often have a Parameters subkey that contains private settings. For example, the Browser service's Parameters subkey contains a value that denotes whether the browser is the domain master browser. The Parameters subkey of the Busmouse driver stores the number of buttons and its sample rate.

HKEY_DYN_DATA
HKDD is a fake key--it doesn't really exist. It serves as a convenient doorway to device driver, Win32 application, and native NT performance counters via the Registry API. When a Win32 program queries a value or key in HKDD, the request gets routed as an I/O request to the appropriate driver or Win32 program, which returns information that looks like the result of an authentic Registry access. The Performance Monitor (Perfmon) program accesses this root key to provide the intricate performance information it displays.

HKEY_CURRENT_CONFIG

HKCC, a new root key in NT 4.0, is a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current, which contains the configuration data for the hardware profile in use on the system. Microsoft added HKCC to NT to let applications that access this key run on both Windows 95 and NT. To create, configure, and change hardware profiles, you can use Control Panel's System, Services, and Device applets.

Registry Gems
Now that you understand the basic structure of the Registry, let's look at a few handy settings for data stored in the Registry. As always, before you try any of the following suggestions, back up your Registry. Editing Registry entries incorrectly can cause systemwide problems that may require you to reinstall NT to correct them.

Auto-logon. If you have a private NT system (e.g., a machine you use at home), you can configure NT to automatically log you on when you boot NT. To enable auto-logon, you must modify four values in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. First, set the AutoAdminLogon value to 1. Then specify appropriate strings for DefaultDomainName, DefaultPassword, and DefaultUserName. The next time you reboot, you'll automatically be logged on.
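Because DefaultPassword is an ordinary string value, anyone who can read the Winlogon key can read it, so these four values are worth checking on any machine that is not private. The following added example (not from the article) parses a Registry export in REGEDIT4 text form and reports auto-logon state, including a password left behind after auto-logon was switched off; the sample export is constructed and the function names are assumptions.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export in REGEDIT4 text format; not from a real machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultDomainName"="LAB"
"DefaultUserName"="mark"
"DefaultPassword"="example-only"
"Shell"="Explorer.exe"
'''

# "name"="string"  or  "name"=dword:0000002a  (other value types are skipped)
VALUE = re.compile(
    r'^"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))$')

def unescape(text):
    """Undo the backslash escaping that .reg files apply inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", text)

def parse_reg(text):
    """Parse an export into {KEY PATH (upper case): {value name (lower case): data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
            continue
        match = VALUE.match(line)
        if current is None or match is None:
            continue
        name = unescape(match.group(1)).lower()
        if match.group(3) is not None:
            current[name] = int(match.group(3), 16)
        else:
            current[name] = unescape(match.group(2))
    return keys

def audit_autologon(keys):
    """Return findings for the four Winlogon auto-logon values (never the password)."""
    values = keys.get(WINLOGON.upper(), {})
    enabled = str(values.get("autoadminlogon", "0")).strip() == "1"
    account = "\\".join(part for part in (values.get("defaultdomainname"),
                                          values.get("defaultusername")) if part)
    findings = []
    if enabled:
        findings.append("auto-logon enabled for " + (account or "<no account set>"))
    if values.get("defaultpassword"):
        state = "in use" if enabled else "stale: auto-logon is off"
        findings.append("DefaultPassword stored as a readable string (%s)" % state)
    return findings

if __name__ == "__main__":
    for finding in audit_autologon(parse_reg(SAMPLE_EXPORT)):
        print(finding)
```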

Tuning a workstation for server-like workloads. NT Workstation and NT Server have vastly different performance characteristics because of the internal tuning NT performs. You cannot access most tuning parameters, but you can find a few in the Registry. If you run NT Server and double-click the Server entry of the Services tab in Control Panel's Network applet, you get a dialog box that lets you determine what type of applications you want to tune the machine for. You can choose among Minimize Memory Used, Balance, Maximize Throughput for File Sharing, and Maximize Throughput for Network Applications. Systems running NT Workstation do not present this dialog box. The options change two Registry values: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache and HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\Size. Table 7 lists the value data you need to enter in the Registry of a system running NT Workstation to achieve the same tuning options the NT Server dialog box offers.

Previewing bitmaps in their icons. How many times have you wished you could get a quick look at what's in a bitmap file without opening it? You can, with a simple Registry setting. Just change the value of HKCR\Paint.Picture\DefaultIcon to "%1". Reboot for the change to take effect.

After the Tour
These few tips conclude a whirlwind tour of the Registry. If you want to learn more about the Registry, get Microsoft Windows NT Workstation Resource Kit or Microsoft Windows NT Server Resource Kit, which include extensive online documentation about the Registry. If your interest lies in programming the Registry API, refer to the Win32 software development kit (SDK).
