This is intended to be part of a larger series on the registry.  I have always loved the registry because there is just so much potential there.  Group policy has really made that evident and now more than ever with group policy preferences.  However, there is a lot that is misunderstood in the registry – and much of it by me.  So, this will be an exercise in my own education as much as an exposition.

Let’s start with the staples of the registry.  The five keys that we see when we open the Registry Editor are often referred to as hives.  However, these keys are not registry hives.  Many of them are part of a registry hive, or contain parts that are registry hives, but the keys themselves are not hives.  Rather, these five registry keys are actually known as Predefined Keys.  They are not the only predefined keys – there are others related to performance data and non-roaming data for roaming profiles (new to Vista) – but these are the five with which we are most familiar.

A key in the registry is very much the equivalent of a folder in the file system.  These keys, from the predefined keys down through the subkeys, make up the hierarchical representation of the registry database.  When you connect to the registry of a remote machine, it appears that only two of these predefined keys exist:

  • HKEY_LOCAL_MACHINE
  • HKEY_USERS

However, the other common predefined keys are available through other paths beneath these two predefined keys.

HKEY_CLASSES_ROOT is a subkey of HKLM|Software.  Interestingly, the data here may exist in two locations, HKCU and HKLM.  Data in HKLM is global information that applies by default to all users of the machine.  Data stored in HKCU overrides the default configuration stored in HKLM.  When data is written to HKCR, if the subkey already exists in HKCU|Software|Classes, then the data is written to the user registry path.  If no key exists, the data is written to HKLM|Software|Classes.

HKEY_CURRENT_USER is available remotely via the HKEY_USERS predefined key under the subkey for that user’s security identifier.  This is also where the Classes subkey for the user portion of HKEY_CLASSES_ROOT can be found when accessed remotely.

HKEY_CURRENT_CONFIG, which is the hardware profile that was used at system startup, can be found under HKLM|System|CurrentControlSet|Hardware Profiles|Current.

We often hear the term ‘key’ used for the leaf objects which reside in keys and subkeys.  The proper term for these leaf objects is actually ‘values’, and they come in a variety of types.  The type which is selected depends on the data that will make up that value.  For instance, a value of type REG_DWORD may have alphanumeric data which can be as simple as a ‘1’ or a ‘0’ representing that a behavior is ‘on’ or ‘off’.

In the registry there is no ability to disable a value, so be cautious of setting values with no data which are intended to be placeholders for future use.  Setting a value with no data will very often result in a disabling configuration.  Setting unintended or unused values often occurs when importing REG files which were exported from other machines.  Take care to ensure that only those values and subkeys which are required are present in the REG file.
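One way to check a REG file before importing it, as an added example that is not part of the original post: the script parses the text of an export and reports values that carry no data and values that are not on a list of required settings.  The sample export, the `ExampleVendor` key and the `REQUIRED` allowlist are constructed for illustration.

```python
import re

# Constructed sample export; real exports are UTF-16, decode them first.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\App]
"EnableFeature"=dword:00000001
"ServerList"=""
"Reserved"=hex:
"Blob"=hex:01,02,\
  03,04

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\App\Cache]
@="C:\\Temp"
'''

# Hypothetical allowlist: the only (key, value) pair we mean to import.
REQUIRED = {(r"hkey_local_machine\software\examplevendor\app", "enablefeature")}
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each value set by the REG text."""
    # Hex data may wrap with a trailing backslash; join those lines first.
    text = re.sub(r'\\\r?\n[ \t]*', '', text)
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = None if m.group(1) else m.group(2)  # "[-key]" deletes a key
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            yield key, name, m.group(2)

def audit_reg(text, required):
    """Return findings for values with no data or outside the allowlist."""
    findings = []
    for key, name, data in parse_reg(text):
        if data == '""' or re.fullmatch(r'hex(\([0-9a-f]+\))?:', data):
            findings.append(("empty-data", key, name))
        if (key.lower(), name.lower()) not in required:  # names are case-insensitive
            findings.append(("not-required", key, name))
    return findings

if __name__ == "__main__":
    print(*audit_reg(SAMPLE_REG, REQUIRED), sep="\n")
```

Each finding names the subkey and value to remove from the REG file before it is imported on another machine.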