Working with the Windows Registry Computer Club of the Sandhills November 12, 2012

Registry Definition The registry was developed to overcome the restrictions of the INI and REG.DAT files. The registry was developed to overcome the restrictions of the INI and REG.DAT files. The registry is composed of two pieces of information: The registry is composed of two pieces of information: System-Wide Information – This is data about software and hardware settings. This information tends to be apply to all users of the computer. System-Wide Information – This is data about software and hardware settings. This information tends to be apply to all users of the computer. User Specific Information – This is data about an individual configuration. This information is specific to a users profile. User Specific Information – This is data about an individual configuration. This information is specific to a users profile.

Registry Definition The Microsoft Computer Dictionary defines the registry as: The Microsoft Computer Dictionary defines the registry as: A central hierarchical database used in the Microsoft Windows family of Operating Systems to store information necessary to configure the system for one or more users, applications and hardware devices. A central hierarchical database used in the Microsoft Windows family of Operating Systems to store information necessary to configure the system for one or more users, applications and hardware devices. The registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can crate, property sheet settings for folders and application icons, what hardware exists on the system and the ports that are being used. The registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can crate, property sheet settings for folders and application icons, what hardware exists on the system and the ports that are being used.

Details The registry is a database that is used by all windows operating systems that followed Win95. The registry is a database that is used by all windows operating systems that followed Win95. The registry is used by the Windows OS to store hardware and software configuration information, user preferences and setup information. The registry is used by the Windows OS to store hardware and software configuration information, user preferences and setup information. A healthy registry is essential for proper windows performance and function, this is why the registry is usually attacked by viruses and other malicious software. A healthy registry is essential for proper windows performance and function, this is why the registry is usually attacked by viruses and other malicious software.

Registry vs. File System The registry is analogous to a file system. The registry is analogous to a file system. File system: Folders Folders Files FilesRegistry: Keys Keys Keys have inside them either other keys or name/value pairs which correspond to object name and content. Keys have inside them either other keys or name/value pairs which correspond to object name and content.

Registry Content The registry holds critical information about the system, the users of the system, and installed applications: The registry holds critical information about the system, the users of the system, and installed applications: Operating System version number, build number, and registered user. Operating System version number, build number, and registered user. Information for every properly installed application, Information for every properly installed application, Information about the computers processor type and system memory. Information about the computers processor type and system memory. User-specific information (home directory, app. preferences) User-specific information (home directory, app. preferences) Security information such as user account names. Security information such as user account names. Installed services Installed services Mapping from file names to programs/executables. Mapping from file names to programs/executables. Mapping network addressees to host machine names. Mapping network addressees to host machine names.

Registry contents: Security Information the registry includes: System Configuration System Configuration Devices on the System Devices on the System User Names User Names Personal Settings and Browser Preferences Personal Settings and Browser Preferences Web Browsing Activity Web Browsing Activity Files Opened Files Opened Programs Executed Programs Executed Passwords Passwords

Windows 9x Registry FilenameLocationContent system.datC:\Windows Protected storage area for all users All installed programs and their settings System settings user.dat If there are multiple user profiles, each user has an individual user.dat file in windows\profiles\user account C:\Windows Most Recently Used (MRU) files User preference settings

Modern Windows Registry FilenameLocationContent ntuser.dat If there are multiple user profiles, each user has an individual user.dat file in windows\profiles\user account \Documents and Settings\user account Protected storage area for user Most Recently Used (MRU) files User preference settings Default\Windows\system32\config System settings SAM\Windows\system32\config User account management and security settings Security\Windows\system32\config Security settings Software\Windows\system32\config All installed programs and their settings System\Windows\system32\config System settings

Windows Security and Relative ID The Windows Registry utilizes a alphanumeric combination to uniquely identify a security principal or security group. The Windows Registry utilizes a alphanumeric combination to uniquely identify a security principal or security group. The Security ID (SID) is used to identify the computer system. The Security ID (SID) is used to identify the computer system. The Relative ID (RID) is used to identity the specific user on the computer system. The Relative ID (RID) is used to identity the specific user on the computer system. The SID appears as: The SID appears as: S S

Registry Structure

Registry has five top level branches or Hives: Registry has five top level branches or Hives: HKEY_CLASSES_ROOT HKEY_CLASSES_ROOT COM server info, file associations, shortcuts COM server info, file associations, shortcuts HKEY_CURRENT-USER HKEY_CURRENT-USER Logged in user name, desktop, start menu Logged in user name, desktop, start menu HKEY_LOCAL_MACHINE HKEY_LOCAL_MACHINE Hardware, software, preferences for all users Hardware, software, preferences for all users HKEY_USERS HKEY_USERS Individual preferences for each user, represented by Security ID (SID) Individual preferences for each user, represented by Security ID (SID) HKEY_CURRENT_CONFIG HKEY_CURRENT_CONFIG Links to part of HKEY_LOCAL_MACHINE for current hardware Links to part of HKEY_LOCAL_MACHINE for current hardware HKEY_DYN_DATA HKEY_DYN_DATA Links to part of HKEY_LOCAL_MACHINE for PlugAndPlay Links to part of HKEY_LOCAL_MACHINE for PlugAndPlay

Registry Value Types REG_BINARY REG_BINARY Raw binary data Raw binary data REG_DWORD REG_DWORD 32 bit integers – often representing bools 32 bit integers – often representing bools REG_SZ REG_SZ string string REG_EXPAND_SZ REG_EXPAND_SZ Expandable string Expandable string REG_MULTI_SZ REG_MULTI_SZ Container for null separated strings Container for null separated strings

Exporting and Importing In RegEdit select a key In RegEdit select a key File Export File Export Provide filespec info in resulting save dialog Provide filespec info in resulting save dialog

Using Regedit

Using CCleaner