New Ways to Mine the Registry

Editing the Registry using nontraditional tools such as batch files, the command prompt, and your Web browser can help prevent a system crash.

Eric Pearce

November 30, 1997


Using nontraditional methods that improve safety and efficiency

Mining for fixes and workarounds in Windows NT can be a hazardous pursuit, especially when you are exploring the depths of the NT Registry. Microsoft is quick to point out the dangers of accessing the Registry. The company precedes many of the instructions that accompany NT with scary-sounding warnings about how dangerous entering the realm of the Registry can be. But despite these warning signs, you can use some nontraditional methods to enter and explore the Registry in an efficient and relatively safe manner. These methods bypass the usual interactive mode of Registry editing and instead edit the Registry from the command prompt, batch files, and Web browsers. They reduce the risk of damaging the Registry because they automate the process of making changes within it.

For the most part, the applets in the Control Panel and the Administrative Tools in NT are front ends to the Registry. These tools organize system settings that have a similar context, such as user administration. However, under the surface the tools only add, delete, or modify values within the Registry. If you want to change a particular Registry setting that does not have a corresponding Control Panel applet or Administrative Tool to manipulate it, you have to use a Registry editor to reach the setting. You can also use NT's Registry editors to circumvent the Control Panel applets and Administrative Tools in the interest of speed and efficiency.

Accessing the Registry
Before you begin to explore the Registry, you need to know that you can easily trash your system by fooling around with Registry settings. Make sure you back up the Registry before you go further. If you are new to diving into the Registry, I also suggest that you run a practice drill and go through all the steps for recovering from a damaged Registry before you actually need to.

NT 4.0 includes two traditional tools for editing the Registry: Regedt32.exe, which has the old NT 3.x interface, and Regedit.exe, which looks similar to the Windows 95 Registry editor. You might assume you would only want to use Regedit with its newer interface, but you need both editors because each has features lacking in the other.

For example, Regedt32 is the better of the two editors for loading, editing, and unloading Registry hives (hives are disk files that contain sections of the Registry), while keeping the hive in a separate disk space from other sections of the Registry. Hives contain a top-level key and its subkeys or a subkey of a top-level key and all its subkeys.

Regedt32 creates a separate window for each top-level Registry key (HKEY_), whereas Regedit organizes all the top-level keys in one window under My Computer. Regedt32 has a read-only mode (click Options, Read Only Mode) that lets you browse the Registry without fear of accidentally changing something.

Regedt32 can display Registry changes in real time (click Options, Auto Refresh), so you can watch the Registry change while another Registry editor or program accesses it. You have to select the location of the Registry being changed to observe the changes.

You use Regedt32 to administer the access control lists (ACLs) in NT's Registry. Registry ACLs are analogous to the ACLs on directories in the NT file system (think of keys as directories and subkeys as subdirectories). You can use both Registry editors to edit the Registry remotely. Therefore, keep in mind that the ACL for a particular Registry key determines which users (local and remote) can access that key and how.

Regedit is better for searching for values, data, and key names. For example, if you want to find every place in the Registry where NT stores the computer name, Regedit is the best tool.

You can read in and write out Registry data files when you run Regedit from the command prompt. This feature makes Registry editing available from within batch files, Telnet sessions, and scripting languages.

If you use both Registry editors often, you will want to add shortcuts within the Administrative Tools menu to both editors. Table 1 presents a comparative list of each editor's features.

Registry Changes
Most edits you make to the Registry are one-time changes. You typically change a Registry entry once and reboot. For example, you may designate a specific NT server as a domain master browser by setting the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster to TRUE, and setting this value to FALSE on other NT servers.

However, other times you may want to toggle a Registry value to observe the effects. On these occasions, you want to use a systematic approach to editing the Registry that helps ensure safety and efficiency. A good example of this concept is turning on and off Point-to-Point Protocol (PPP) logging (for information on PPP logging, see Microsoft Knowledge Base article Q115929). If you are having trouble starting a Remote Access Service (RAS) session with a remote computer using PPP, you can log the entire PPP transaction to a file for analysis. The Microsoft Knowledge Base article describes how to change the Logging value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP key. The log file contains a record of each PPP packet sent or received during the RAS session. For example:

>PPP packet received at 05/15/1997 08:53:36:145

>Protocol = LCP, Type = Identification, Length = 0x33, Id = 0x1, Port = 1

>C0 21 0C 01 00 31 12 BE 11 A0 53 68 69 76 61 20 |.!...1....Shiva |

>4C 61 6E 52 6F 76 65 72 2F 38 45 2C 20 56 65 72 |LanRover/8E, Ver|

>73 69 6F 6E 20 34 2E 35 2E 34 20 39 37 2F 30 32 |sion 4.5.4 97/02 |

>2F 32 38 |/28 |

I frequently experiment with different PPP servers, and I use this feature a lot. I want PPP logging turned on only when I'm trying to resolve a PPP-related problem, and shut off at all other times. I quickly grew tired of starting a Registry editor, finding the right key, and changing the Logging value every time I wanted to turn logging on or off.

To automate this process, I use Regedit's import and export features. When you use the import feature, Regedit can read in data from a Registry data file (usually with a .reg extension) that you specify from the command prompt. Regedit can write out a selected Registry section to a Registry data file. When reading the Registry data file, Regedit replaces any existing keys or values with those from the data file and adds any keys or values that do not match an existing Registry entry. If your goal is to edit an existing key or value, the structure (i.e., the Registry's tree-like hierarchy, which includes keys, subkeys, and values for the configuration settings) of the Registry data within the file will have to exactly match the current Registry. Otherwise, NT will simply append and ignore the new entries. To ensure that the Registry data file is always in the correct format, use the export feature to generate the file. You can export the entire Registry or any selected subkey.

For the PPP logging example, NT turns logging on when you set the Logging value to 1 and turns logging off when you set this value to 0 (the default). Use the following steps to create two Registry data files, each with a different setting for the Logging value:

  1. Start Regedit.

  2. Select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP key.

  3. Select Export Registry File from the Registry menu. This command writes out the selected key to a disk file. Choose a meaningful file name, such as Ppplogof.reg for PPP Logging Off.

  4. Use the Edit menu to change the Logging value from 0 to 1.

  5. Select Export Registry File from the Registry menu. This command writes out the new setting to a disk file. Choose another meaningful file name, such as Ppplogon.reg, for PPP Logging On.

The Ppplogon.reg file will contain a subset of the Registry. An excerpt from this file is as follows:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP]
"MaxConfigure"=dword:0000000a
"MaxTerminate"=dword:00000002
"MaxFailure"=dword:0000000a
"MaxReject"=dword:00000005
"NegotiateTime"=dword:00000096
"Logging"=dword:00000001
"RestartTimer"=dword:00000003
"ForceEncryptedPassword"=dword:00000002
"ForceEncryptedData"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\CBCP]
"Path"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,59,53,54,45,4d,33,32,\
  5c,52,41,53,43,42,43,50,2e,44,4c,4c,00

...

The only difference between this file and the Ppplogof.reg file is the setting (1 or 0) for the Logging value. If you don't know what the differences are, you can type FC at the command prompt to compare the files. You can use the /L switch with the FC command to compare the files in ASCII mode and use the /N switch to number each line during the comparison.

Now you have two Registry files that you can safely import into the Registry to toggle PPP logging on and off. You don't have to manually search for the right Registry key or worry about making typing mistakes in the Registry.

To turn logging on, use the Import Registry File option from the Registry menu on Ppplogon.reg. To turn logging off, use this same option on Ppplogof.reg.

An easier way to import changes into the Registry is to use NT Explorer to browse a directory for the .reg files, and double-click the files. As long as you have associated the .reg file type with Regedit.exe (i.e., so that Regedit opens when you double-click a file with a .reg extension), NT will import the file automatically. However, this approach can lead to a serious security concern. For example, someone can put data in a .reg file that would compromise your system or ruin data. You usually want to associate the .reg extension with a safer application, such as Notepad.

A better solution is to use NT's import and export features from the command prompt. You can toggle PPP logging from the command prompt using the Registry data files you have created. To turn PPP logging on, go to the command prompt and type

regedit /s ppplogon.reg

To turn PPP logging off, go to the command prompt and type

regedit /s ppplogof.reg

The /s switch suppresses the pop-up message saying that the information in the file has been successfully entered into the Registry. You can even import the same .reg file multiple times without having to worry about damage, because you're overwriting only one value.

To confirm that the Registry files are doing the right thing, you can use Regedt32's Auto Refresh feature to watch the Registry changes take place in real time.

  1. Start Regedt32.

  2. Make sure you select the Auto Refresh feature under the Options menu.

  3. Select the key you want to observe (e.g., HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP).

  4. Start a new command window.

  5. In the command window, run Regedit /s ppplogon.reg.

  6. Run Regedit /s ppplogof.reg.

As you run Regedit from the command prompt, Regedt32 will display the Logging value changing from 0 to 0x1 and back.

To further simplify the process, you can put the commands in batch files. For example, create a Ppplogon.bat file that contains regedit /s ppplogon.reg and a Ppplogof.bat file that contains regedit /s ppplogof.reg. Now all you have to do is type ppplogon or ppplogof at the command prompt.

Editing the Registry on Multiple Computers
To make Registry changes to several computers across the network, you can use the System Policy Editor (SPE) to create policies that download to each computer as it logs on to the network. (For information on SPE, see Related Articles in Windows NT Magazine.) You can also use Regedit's import feature as a low-tech alternative to the SPE. For example, if you want to change a specific Registry setting on multiple computers, you can create a Registry data file with the new setting and import it on each computer you want to modify. In Clayton Johnson's "Installing Applications Across the Network," April 1997, the author suggests that you use a share that anybody on the network can connect to and install optional software from. This approach requires that you visit each workstation and add a new value (AppInstallPath) to the Registry before the user can take advantage of the share. You can create a .reg file with the new value and place it on the share. The first time a workstation connects to the share, the user imports the Registry file, which enables the network installation feature on the user's computer.

For the example in Clayton Johnson's article, you need to add the AppInstallPath value to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion key. Following the instructions in the article, edit the Registry, add the value, and give it the path of the Apps.inf file. Then use Regedit to export the Registry key to a file. The file will look similar to the following:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"DevicePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,69,6e,66,00
"MediaPathUnexpanded"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,4d,65,64,\
  69,61,00
"ProgramFilesDir"="D:\\Program Files"
"CommonFilesDir"="D:\\Program Files\\Common Files"
"MediaPath"="D:\\WINNT\\Media"
"AppInstallPath"="\\\\server1\\winnt\\inf\\apps.inf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths]

...

Using a text editor, remove everything from the file except REGEDIT4, the first key, and the AppInstallPath items. This step will leave you with just the following:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"AppInstallPath"="\\\\server1\\winnt\\inf\\apps.inf"

The file now contains only the new entry, so NT won't overwrite any existing entries when you import the file. The [HKEY...] line simply identifies the right location for the new entry.
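As an added example (not from the article or from Microsoft's tools), the following Python script does mechanically two of the checks described above: it reports which values differ between two exported .reg files, as the FC comparison does for Ppplogon.reg and Ppplogof.reg, and it confirms that a trimmed file such as Appinst.reg would write only the key and value you intend before you import it. The sample files are constructed excerpts of the PPP export, and the function names are my own.

```python
import re

def parse_reg(text):
    """Parse REGEDIT4 text into {key: {value_name: raw_data}} (data kept as written)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    keys, current, pending = {}, None, None
    for line in lines[1:]:
        s = line.strip()
        if pending:                          # continuation line of a hex(...) value
            name, data = pending[0], pending[1] + s.rstrip("\\")
            pending = (name, data) if s.endswith("\\") else None
            if pending is None:
                keys[current][name] = data
        elif s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            keys.setdefault(current, {})
        elif s and not s.startswith(";"):
            m = re.match(r'^(@|"[^"]*")=(.*)$', s)
            if not m or current is None:
                raise ValueError("malformed line: " + line)
            name, data = m.group(1).strip('"'), m.group(2)
            if data.endswith("\\"):          # hex data continues on the next line
                pending = (name, data[:-1])
            else:
                keys[current][name] = data
    return keys

def diff_reg(a, b):
    """List (key, name, data_in_a, data_in_b) for every value that differs."""
    out = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key, {}), b.get(key, {})
        for name in sorted(set(va) | set(vb)):
            if va.get(name) != vb.get(name):
                out.append((key, name, va.get(name), vb.get(name)))
    return out

def touches_only(parsed, allowed):
    """True if every (key, value name) the file would write is in the allowed set."""
    return all((k, n) in allowed for k, vals in parsed.items() for n in vals)

# Constructed excerpts of the Ppplogon.reg / Ppplogof.reg exports (not real files).
PPP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP"
PPPLOGON = ("REGEDIT4\n\n[%s]\n\"Logging\"=dword:00000001\n\"RestartTimer\"=dword:00000003\n\n"
            "[%s\\CBCP]\n\"Path\"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,59,53,54,45,"
            "4d,33,32,\\\n  5c,52,41,53,43,42,43,50,2e,44,4c,4c,00\n") % (PPP, PPP)
PPPLOGOF = PPPLOGON.replace("dword:00000001", "dword:00000000")
ONEVALUE = "REGEDIT4\n\n[%s]\n\"Logging\"=dword:00000001\n" % PPP   # trimmed, one value only
```

diff_reg(parse_reg(PPPLOGON), parse_reg(PPPLOGOF)) returns a single entry for the Logging value, and touches_only(parse_reg(ONEVALUE), {(PPP, "Logging")}) returns True while the full export fails the same check.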

Name this file something intuitive, such as Appinst.reg, and place it on the share you are using for software distribution. Create a batch file that runs Regedit on the .reg file. For example, Appinst.bat could contain regedit /s appinst.reg. Now when users want to enable their workstation for the network software installation, all they have to do is go to the network share and run Appinst. This approach is a vast improvement over visiting each workstation and editing the Registry by hand.

Registry Editing Over the Web
You can also use a Web browser to edit the Registry, but this practice can be risky. If someone maliciously or accidentally causes your Web browser to import a Registry file, that user can corrupt or compromise your system. Listing 1, page 178, shows HTML that uses links to the Registry scripts I created earlier.

After I created the HTML, I selected the Programs tab from Options under the View menu in Internet Explorer (IE) to designate Regedit as a viewer for .reg files. I set the action to be Open with the application command line set to C:\Winnt\Regedit.exe /s "%1". When you view the HTML file and double-click the link, the Web server downloads the .reg file to the Web browser, which runs Regedit on the file (%1). Screen 1 shows the HTML page in IE. Obviously, this example is not the most sophisticated HTML front end to the Registry, but it demonstrates some powerful features.

Never leave your Web browser configured this way when you're browsing the Internet, but this method has possibilities for intranet use. For example, you can create a Web page that lets your remote NT users make Registry edits on their machines simply by going to your Web site, reading the instructions, and clicking a few buttons.

If you are administering NT computers in a complex production environment, you'll want to develop some tools for making Registry changes in a safe and efficient manner. You have several choices for mining the NT Registry.
