Windows Registry Flashcards
What is the Windows Registry?
A central hierarchical database used to store information that is necessary to configure
the system for one or more users, applications and hardware devices.
Name 3 types of Registry Usage.
- Boot process
During the boot process, the boot loader reads configuration data and the list of device drivers to load into memory before
initializing the kernel. The kernel then reads the stored device driver settings as needed.
- User Logon
When a user logs on, user profile settings are restored to provide the user with a consistent user profile experience,
including network drive letter mappings, wallpaper, most recently used (MRU) files, etc.
- Application startup
When applications are accessed, the application settings, data, per-user settings and MRU are obtained from the registry.
Registry Structure
Root keys = set of logical sections (top-level). All begin with HKEY (i.e. Handle to Key).
Organized hierarchically: root keys => subkeys. Backslashes indicate levels of hierarchy.
Windows Registry has KEYS (Folders)
and VALUES (Value Name, Type, Data).
Hives = the logical sections into which the registry is divided.
Keys = similar to folders, and may contain subkeys.
Values = Name / Data pairs stored in the keys.
Value types
What is stored in a key?
string value,
binary value,
DWORD value (32 bit number),
multi string value.
Name the most common Data Types
REG_DWORD,
REG_QWORD,
REG_BINARY,
REG_SZ
What does HKEY_LOCAL_MACHINE (HKLM) contain?
Contains configuration information particular to the computer (for any user). This key is sometimes
abbreviated as “HKLM.”
What does HKEY_USERS (HKU) contain?
Contains all the actively loaded user profiles on the computer. HKEY_CURRENT_USER is a subkey
of HKEY_USERS. HKEY_USERS is sometimes abbreviated as “HKU.”
What does HKEY_CURRENT_USER (HKCU) => linked contain?
Contains the root of the configuration information for the user who is currently logged on. The user’s
folders, screen colors, and Control Panel settings are stored here. This information is associated with
the user’s profile. This key is sometimes abbreviated as “HKCU.”
Linked to the user's profile under HKU, e.g. HKEY_USERS\S-1-5-21-….
HKEY_CLASSES_ROOT (HKCR) => linked
Is a subkey of HKEY_LOCAL_MACHINE\Software.
The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer.
This key is sometimes abbreviated as “HKCR.” Starting with Windows 2000, this information is stored under
both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys.
The HKEY_LOCAL_MACHINE\Software\Classes key contains default settings that can apply to all users
on the local computer.
The HKEY_CURRENT_USER\Software\Classes key contains settings that
override the default settings and apply only to the interactive user.
The HKEY_CLASSES_ROOT key
provides a view of the registry that merges the information from these two sources.
HKEY_CLASSES_ROOT also provides this merged view for programs that are designed for earlier
versions of Windows. To change the settings for the interactive user, changes must be made under
HKEY_CURRENT_USER\Software\Classes instead of under HKEY_CLASSES_ROOT. To change
the default settings, changes must be made under HKEY_LOCAL_MACHINE\Software\Classes. If
you write keys to a key under HKEY_CLASSES_ROOT, the system stores the information under
HKEY_LOCAL_MACHINE\Software\Classes. If you write values to a key under
HKEY_CLASSES_ROOT, and the key already exists under
HKEY_CURRENT_USER\Software\Classes, the system will store the information there instead of
under HKEY_LOCAL_MACHINE\Software\Classes.
Linked to HKLM\Software\Classes
What does HKEY_CURRENT_CONFIG (HKCC) => linked contain?
Contains information about the hardware profile that is used by the local computer at system startup.
Linked to HKLM\System\CurrentControlSet\Hardware Profiles\Current
HKEY_PERFORMANCE_DATA
Allows you to access performance data. Only accessible via Win32 API.