
Understanding the Windows 2003 Registry

Introduction
Introduced with Windows 95, the Registry is a central repository for unique user and
machine configuration data. In basic terms, it is a big database that holds all of the
Windows 2003 configuration information – settings relative to user accounts, machine
hardware and applications. Everything from user preferences (such as the background
colour, screensaver, etc.) to encrypted local account passwords is in there.

The registry was brought about to replace the old .INI files (that stored configuration
settings in editable text files). INI files were good because they were short and easy to
edit. They did, however, have some restrictions, such as size limitations and no support
for multiple users. In came the registry to rid us of these restrictions and make it easier
to recover settings after a crash, control access to settings and track system changes. The
Registry is fault tolerant, in that, if you are installing an application that is writing a
new bunch of keys to the registry and there is a power failure, everything remains intact
and you can start afresh when the system is back up and running again.

Note:
Some applications still use INI files to store custom user settings or languages for the
GUI. For example, at the time of writing this article, I opened language.ini which I found
in a directory of one of my installed applications and changed some of the strings. When I
then opened my application, the GUI showed my text on it, instead of the default text.

The majority of the information in the Registry is placed there automatically by Windows
when you install the OS. The rest comes from utilities and applications via their
installation routines. It’s also possible to edit Registry data manually, allowing you to
tweak, enable or fix certain settings.

WARNING!
Any changes you make to the registry using Registry Editor are permanent; there is no
“undo” button, so be very careful what you do. Only mess around with the registry if you
know what you are doing; the consequences of your mistakes could be disastrous (at
worst, you will have to re-install Windows from scratch). I am not responsible for any
loss or damage as a result of your tampering with the registry. Edit at your own risk, and
as a rule of thumb always make a backup (discussed later on in this article).

Below is a screenshot showing the structure of the registry, which is made up of five
subtrees (discussed in the next section of this article). You can browse to a key from the
left and its values will be displayed in the window on the right. To open the Registry
Editor, click Start > Run… and type “regedit.exe”.

Figure 1: Regedit.exe showing the structure of the registry

Setting Permissions
You can set permissions on specific subtrees or keys so that users or applications will be
allowed or not allowed access. By default, users are allowed read access while
administrators are allowed read/write access on most keys.

While testing a .NET application recently, I found that the installation routine was not
correctly assigning permissions to a specific key, so a part of the application was failing.
Once I set the correct permissions, everything worked smoothly again. In this case, it was
the application vendor’s fault and luckily I was able to implement a temporary fix using
regedit.exe.

To set permissions, open regedit.exe, right click a key and select “Permissions…”. This
will bring up the ACL list for that key and allow you to edit permissions as you would
normally do on an NTFS file or folder.

Figure 2: The ACL list for setting permissions on the SOFTWARE key

It goes without saying, but be careful who/what you allow and deny permissions to.

The Five SubTrees of the Registry


The following five sections of the registry contain a logical grouping of registry
information called SubTrees. These are the five main sections of the registry and they
each hold a set of sub keys. When making changes, you will most likely do most of the
work in the _MACHINE and _USER subtrees.

SUBTREE               DESCRIPTION

HKEY_CLASSES_ROOT     The HKEY_CLASSES_ROOT subtree contains data that
                      associates file types with applications and
                      configuration for COM objects.

HKEY_LOCAL_USER       Also known to have the common abbreviation HKCU, the
                      HKEY_LOCAL_USER subtree contains settings and
                      preferences for the user currently logged on to the
                      system. These settings are dynamic and unique to each
                      user.

HKEY_LOCAL_MACHINE    Also known to have the common abbreviation HKLM, the
                      HKEY_LOCAL_MACHINE subtree contains information about
                      the hardware currently installed, and the settings for
                      systems running on the machine. These are normally
                      static for all users until a change is made.

HKEY_USERS            This subtree simply contains a pointer to
                      HKEY_LOCAL_USER and the DEFAULT user profile (a
                      template used when assigning a profile to new users).

HKEY_CURRENT_CONFIG   This subtree stores configuration data for the current
                      hardware profile and points to
                      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles

Data Types defined by the Registry


On the right hand side of the Registry Editor, you will notice various data types and their
values.

DATA TYPE        DESCRIPTION

REG_SZ           A simple string value. Would usually contain a URL, path, or
                 port number, for example.

REG_BINARY       Raw binary data represented in hexadecimal format.

REG_DWORD        Another type of REG_BINARY but this one is 4 bytes long.

REG_MULTI_SZ     A character string of variable size that allows you to enter
                 a number of parameters in this single value entry.

REG_EXPAND_SZ    This is a character string of variable size that can contain
                 dynamic information which will change at startup (such as
                 %username%, which is of a different size for every name).

Remote Registry Configuration


Regedit.exe allows you to remotely configure another machine’s registry quickly and
easily. All you need is the right permissions (Administrator permissions) to do so.

TIP:
Make sure that a group policy isn’t in place that disallows remote registry connections.

Open regedit.exe and from the File menu select “Connect Network Registry…”. Type the
computer name, or press [Advanced…] and search for one, and press OK. After entering
the correct credentials, the registry of the remote machine is loaded into the console, as if
it was that of the local machine.

Once you’re done making changes, simply select “Disconnect Network Registry…” from
the File menu and regedit.exe will break the connection.

Once again, remember that any changes you make will be reflected on the remote
machine immediately, or in some cases after the next restart.

Figure 3: Screenshot showing a remote registry connection

When you connect to a registry remotely, you will only be able to edit the
HKEY_LOCAL_MACHINE and HKEY_USERS keys.

In this example I have, from a local machine, connected to another server called
ZTABONA and am able to make the necessary changes to the above mentioned keys.

Backing up and Restoring the Registry


There are three methods of backing up the registry – or portions of it – in Windows 2003.
You can back up and restore the entire Registry using the Windows Backup utility,
import/export certain subtrees or keys from regedit.exe, or use a little tool called reg.exe
from the command line. These are explained in more detail below.

Backup and Restore Utility (or Wizard)


From the Start menu, navigate to Programs > Accessories > System Tools and open
Backup – this will start the Backup and Restore Wizard or go straight to the Backup and
Restore utility (depending on your previously chosen settings).

Figure 4: The Backup and Restore utility

From the Backup tab, expand My Computer and select the System State check box.

Note:
On a domain controller, backing up the System State will also back up Active Directory,
Boot Files, Certificate Server (if installed), COM object class registries, and SYSVOL,
apart from the full Registry.

Browse for a location to which the backup file should be placed (ideally removable
storage or another partition) and click Start Backup. A new dialog box will appear
showing the status of the backup procedure. When backup is complete, press OK and
close.

To restore a backup file, go to the Restore and Manage Media tab and select Tools >
Catalog a backup file. Browse to the location of the backup file and select it. Choose
what you want to restore (in this case it is the entire System State) and press the Start
Restore button.

Importing/Exporting Registry Files


When you export a section of the registry, it is saved as a .reg file which, when executed,
will add its values back to the registry. This is commonly used when a software vendor
needs a client to enable “debug mode”, for example.

To export a registry file, select the desired key from the left pane in regedit.exe, right
click and choose Export. Select where you want the .reg file to be saved, and press Save.
Once the file has been exported, you can edit it using Notepad.exe or any text editor.

An example of a .reg file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Accessibility\MouseKeys]
"Flags"="62"
"MaximumSpeed"="80"
"TimeToMaximumSpeed"="3000"

To import a reg file, simply double click it to bring up the dialog and press Yes. The
information will then be added to the registry.

Figure 5: The registry editor confirmation message box

Only import information to the registry if you know exactly what the key contains.
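
One way to see exactly what a .reg file would change before importing it, as an added example that is not part of the original article: the parser below reads the version 5.00 text format shown above, decodes the data types listed earlier on the page, and reports value and key deletions. It assumes the file text has already been decoded, and the ExampleApp key and its values are constructed for illustration.

```python
import re

# Constructed sample: the MouseKeys value is from the article; ExampleApp is hypothetical.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Control Panel\Accessibility\MouseKeys]
"Flags"="62"
[HKEY_CURRENT_USER\Software\ExampleApp]
"Debug"=dword:00000001
"LogDir"=hex(2):25,00,54,00,45,00,4d,00,50,00,\
  25,00,00,00
"Servers"=hex(7):61,00,00,00,62,00,00,00,00,00
"OldSetting"=-
[-HKEY_CURRENT_USER\Software\ExampleApp\Cache]'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(-|".*"|dword:[0-9a-fA-F]{1,8}'
                      r'|hex(?:\([0-9a-f]+\))?:[0-9a-fA-F,\s]*)$')
HEX_TYPES = {"hex": "REG_BINARY", "hex(2)": "REG_EXPAND_SZ", "hex(7)": "REG_MULTI_SZ"}
UNESC = re.compile(r"\\(.)")  # .reg strings escape \ and " with a backslash

def decode_data(raw):  # right-hand side of a value line -> (type, value)
    if raw == "-":
        return ("DELETE_VALUE", None)
    if raw.startswith('"'):
        return ("REG_SZ", UNESC.sub(r"\1", raw[1:-1]))
    tag, _, body = raw.partition(":")
    if tag == "dword":
        return ("REG_DWORD", int(body, 16))
    data = bytes(int(b, 16) for b in body.split(",") if b.strip())
    kind = HEX_TYPES.get(tag, tag)  # unknown hex(n) types stay as raw bytes
    if kind in ("REG_EXPAND_SZ", "REG_MULTI_SZ"):  # stored as UTF-16LE text
        parts = [p for p in data.decode("utf-16-le").split("\0") if p]
        return (kind, parts if kind == "REG_MULTI_SZ" else "".join(parts))
    return (kind, data)

def parse_reg(text):  # -> [(key, name, type, value), ...], one per change
    changes, key = [], None
    text = text.lstrip("\ufeff").replace("\r\n", "\n").replace("\\\n", "")
    for line in map(str.strip, text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-")
            if line.startswith("[-"):  # [-KEY] removes the key and its subkeys
                changes.append((key, None, "DELETE_KEY", None))
        elif m and key:
            name = "(Default)" if m.group(1) == "@" else UNESC.sub(r"\1", m.group(1)[1:-1])
            changes.append((key, name) + decode_data(m.group(2)))
        elif line and not line.startswith((";", "Windows Registry Editor Version 5.00")):
            raise ValueError("unparseable line: %r" % line)
    return changes
```

Files exported by regedit.exe in this format are UTF-16 encoded, so read them with open(path, encoding="utf-16") before passing the text to parse_reg.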

Note:
You can also import/export a registry file using the command line tool reg.exe.

Using the Command Line


Using reg.exe you can back up and restore portions of the registry with a few simple
commands. This tool will allow you to back up one subtree at a time – while the system
is running.

For the purpose of this explanation I will demonstrate the uses of REG SAVE and REG
RESTORE.

REG save
Use the REG save command to save root keys for future restoration. The syntax for this
command is:

reg save <root_subtree> <save_location>

In my example, using the above syntax I have saved the HKEY_CLASSES_ROOT,
HKEY_CLASSES_CONFIG and HKEY_CLASSES_USER subtrees, as seen below.

Figure 6: Using the command line tool reg.exe to save registry keys

The registry files will be saved to the specified directory, as shown in the screenshot
below.

Figure 7: A folder for storing saved registry keys

REG restore
Using the reg restore command you can restore keys you previously saved using the reg
save command. Using my example, if I wanted to restore HKEY_CLASSES_ROOT I
would run the following command at the command prompt:

Reg restore hkcr c:\regbackup\hkcr

And so on and so forth for the other keys.

Conclusion
Knowing how the registry is laid out and how to back up and restore it will prove to be
valuable knowledge for everyone. As a network administrator you will find that editing
the registry is sometimes the only answer to many problems. As much as nobody likes to
mess around with the Registry, one is sometimes left with no other choice. Don’t be
scared to make changes, just be careful and know exactly what you are about to do. The
risks are obvious – one false move and the game is over. I cannot stress it enough!
