End-User Support:Operating Systems
Editing the registry is not as hard as you might think, but you need to understand
what you’re doing, and it’s essential to make a backup before you make any
changes so that you can back them out if necessary.
By Mike Lewis
P ut simply, the Windows registry
is a central repository of infor-
mation about all aspects of the
computer - in particular, its hardware,
The registry has several advantages
over INI files. Because the information
is centralised, it is easier for applica-
tions to access it. It is more hierarchical
registry is spread over a series of files,
sometimes called hives.
SYSTEM.DAT and USER.DAT are
usually held in the Windows directory.
operating system, applications and us- than INI files, and so better suited for However, it is also possible to place
ers. It can be accessed and updated storing large amounts of structured USER.DAT in the user’s login direc-
under software control and also di- data. It is also free of the size limita- tory on a network, thus allowing the
rectly by users. tions which affect INI files (although user to log in at other workstations. In
The registry first appeared in Win- there is still a maximum total registry NT, the hive files are located in the
dows 3.1. In that system it was a single size limit). SYSTEM32\CONFIG directory, which
file, called REG.DAT, and was mainly is off the Windows directory.
used to store information about OLE Storage
objects. Most other configuration data Architecture
was held in various INI files, of which Although the registry is usually
WIN.INI and SYSTEM.INI were the considered to be a single entity, its con- When you view the registry in the
most important. tents are in fact stored in more than one Microsoft Registry Editor its hierarchi-
The modern registry, as found in physical file. In Windows 9x, there are cal nature becomes obvious. (To
Windows 9x and NT, brings together two such files: SYSTEM.DAT and launch the editor, run REGEDIT.EXE
all the information that was previously USER.DAT. These hold computer-spe- from the Start/Run menu. I’ll describe
held in REG.DAT and the separate INI cific and user-specific information re- it in more detail later in the article.) The
files. spectively. In Windows NT, the editor presents an Explorer-like view
of the registry, with a tree in the left
pane and data in the right (see Figure
The registry tree is divided into six
broad sections (five in NT). These sec-
tions, which all have names beginning
with HKEY_, are called root keys or
top-level keys (see Figure 2). Each root
key contains sub-keys, which might in
turn contain further sub-keys and so
on. The lowest level keys along a given
branch are called values.
Taking a hard disk as an analogy,
keys are like directories and values are
like files. Keys and values both hold
data, which can either be binary values
or ASCII strings.
Each item of data has an associated
name. As a minimum, each key and
value holds a single data item, named
Figure 1 - The Microsoft Registry Editor shows the registry’s Default. The data and names are dis-
hierarchical structure. played in the right pane of the editor,
Update 127 (May 1999) Page 5
PC Support Advisor File: E1209.1
End-User Support:Operating Systems
along with an icon which shows alias for HKEY_LOCAL_MACH- cludes REGEDIT.EXE, although this
whether the data is binary or string. INE\Software\Classes. might not be the same as the one found
Continuing with the hard disk anal- An alias is not a copy. Rather, it is in Windows 9x. If you upgraded from
ogy, you can identify any key or value another view of the same information. Windows 3.1 to Windows NT, you will
by specifying the path along its branch, If you edit the data in the alias, the have the original 3.1 version of RE-
using the familiar backslash notation. change is immediately reflected in the GEDIT.EXE.
For example, information about in- part of the tree to which the alias refers, As far as the Windows 9x version is
stalled dial-up networking connec- and vice versa. Only one edit actually concerned, its operation is completely
tions is held in HKEY_CUR- takes place, but you are seeing it from straightforward, with all its functions
RENT_USER\RemoteAccess\Addre- two different viewpoints. Figure 3 lists being easily accessible from the regis-
sses. If you drill down through this the aliases in the Windows 9x registry. try and Edit menus. You can also right-
path in the left pane, you will see the One of the root keys, click on an item to edit, delete or
relevant data in the right pane. In this HKEY_DYN_DATA, works slightly rename it, or to create new keys or
example, each data item corresponds differently. This key is essentially a values.
to one DUN connection. RAM-resident copy of certain parts of When you edit a data item in the
the registry which Windows needs to editor, the change is written to the reg-
Aliases get at quickly. It is created at boot time istry almost immediately - you do not
and discarded at shut-down; it never explicitly save the file. If you make a
I said earlier that the registry is di- gets written back to disk. mistake, the only recourse (apart from
vided into six broad sections, one for Because aliases only exist while restoring from a backup) is to edit the
each root key. This is certainly how the Windows is running, they will not get same item again.
registry is usually regarded, but it is backed up if you create your backup Conversely, if another process
not strictly true. The reason is that all copies from DOS. This is not a problem changes a registry item while the edi-
but two of the root keys are in fact as the information in the aliases is all tor is open, the editor will pick up the
aliases for other parts of the tree. available elsewhere in the registry. new setting straight away - although
To see an example of this, drill Windows always re-creates the aliases you might need to refresh the display
down from HKEY_CLASSES_ROOT. during startup. in order to see it (to do so, select View,
You will see that this root key contains Refresh, or press F5).
a large number - perhaps many hun- Registry Editors
dreds - of sub-keys at the first level Remote Registries
down. The first group of these sub- The main tool for viewing and edit-
keys have names which look like file ing the registry is the Microsoft Regis- As well as letting you view and edit
extensions, while the names of the re- try Editor, REGEDIT.EXE. Although the registry on your local machine, the
mainder resemble those of applica- third-party editors exist, you will Microsoft Registry Editor can also ac-
tions. probably want to stick with the official cess registries on other computers on
Now locate HKEY_LOCAL_MA- Microsoft product, given the critical the network. If your machine and the
CHINE\Software\Classes. As you nature of the registry editing process. remote computer are both running NT
can see, this contains exactly the same (That’s not to say that REGEDIT.EXE 4.0, this operation is completely
sub-keys, values and data as is itself completely reliable; the Mi- straightforward. But if either or both
HKEY_CLASSES_ROOT. That’s be- crosoft Knowledge Base notes several machines have Windows 9x, you must
cause HKEY_CLASSES_ROOT is an bugs in the Windows 95 version, but first install the Remote Registry serv-
these are unlikely to cause problems in ice, which in turn depends on having
day-to-day operations.) user-level security enabled and Re-
HKEY_CLASSES_ROOT Windows NT 4.0 comes with a sec- mote Administration services in-
HKEY_CURRENT_USER ond editor: REGEDT32.EXE. This sup- stalled. For step-by-step instructions
HKEY_LOCAL_MACHINE ports certain NT-specific features on setting this up, see Article Q141460
which REGEDIT.EXE does not know in the Microsoft Knowledge Base.
HKEY_DYN_DATA about, such as the ability to maintain Once you have installed the neces-
security settings. However, it lacks the sary components, you can access the
very useful search function found in other computer’s registry by selecting
Figure 2 - The six root keys. the standard version. NT 4.0 also in- Connect Network Registry from the
Root key Alias for
HKEY_CURRENT_USER User’s branch within HKEY_USERS
HKEY_CURRENT_CONFIG Hardware profile within HKEY_LOCAL_MACHINE\Config
Figure 3 - Aliases on the Windows 9x registry.
PC Support Advisor Update 127 (May 1999) Page 6
End-User Support:Operating Systems
registry menu within the editor. Hav- this number can be varied by editing In the case of NT, if the system is
ing done so, you will be able to view SCANREG.INI. configured for dual-booting you
and edit the remote registry in the Windows NT does not include a should boot to DOS or Windows 9x
same way as the local registry. When specific registry backup tool. How- before copying the registry files. Alter-
you have finished, go back to the reg- ever, the standard NT backup utility, natively, boot to DOS from a startup
istry menu and select Disconnect Net- NTBACKUP.EXE, is able to back up floppy. The files which you should
work Registry. the registry, but only to supported tape copy are those stored in the SYS-
drives. TEM32\CONFIG directory, which is
Registry Backup off the Windows directory. Note that
Manual Backups you cannot use this method if the Win-
Backing up the Windows registry Another way of backing up the reg- dows directory is on an NTFS parti-
presents a specific problem: you can- istry is simply to copy the relevant tion, as the booted operating system
not directly copy the relevant files files. You cannot do this while Win- will not be able to access it.
while they are open, and they are al- dows is running but, in the case of Whatever the operating system,
ways open while Windows is running. Windows 9x, you can work round this you can restore the registry by revers-
However, there are a couple of tech- either by booting to DOS (hold down ing the above process.
niques you can use to work round this. F8 during startup, then select Com-
mand Prompt Only) or by exiting to Exporting The Registry
Backup Utilities DOS from the Shut Down dialog. Another approach to backing up
For Windows 95 users, the easiest The two registry files, SYS- the registry is to export it. Exporting
approach is to use the Configuration TEM.DAT and USER.DAT, are the registry is not the same as copying
Backup utility (Figure 4). This copies flagged as hidden, system and read- it. Instead, the process creates a text file
the registry to a compressed backup only. Before copying them, you will which contains the registry data in a
file, the name of which is REG- need to use the ATTRIB command to format similar to that of an INI file (see
BACKn.RBK, where n is a sequence switch off these flags. Once that’s done, Figure 5). If you need to restore the
number. Up to nine generations of you can copy the two files from the registry, you can do so by re-importing
backup can be made. You are Windows directory to another suitable the text file.
prompted to enter a description for the location. Finally, use ATTRIB again to An advantage of this approach is
backup to help you subsequently iden- restore the flags. that you do not have to export the en-
tify it. The backup is always created in
the Windows directory, but you are
free to move it elsewhere.
The same utility can be used to re-
store and delete backups. It can only
restore from the Windows directory
so, if you have moved the file to an-
other directory, you must move it back
before running the utility.
The Configuration Backup utility is
not installed by default. You will find
it on the Windows CD-ROM, in the
tory. You can copy the two files
(CFGBACK.EXE and a help file) from
this directory to your hard disk, or you
can run the executable directly from
In Windows 98, the best way of
backing up the registry is to use the
Registry Checker (SCANREGW.EXE).
This creates a backup automatically
each time the computer starts, but it
can also be run on demand. The
backup is held in a CAB file, named
RBn.CAB (where n is a sequence
number), in the SYSBCKUP directory
(this is a hidden directory off the Win-
dows directory). By default, five gen- Figure 4 - The Configuration Backup tool provides the simplest way of
erations of backup are maintained, but backing up and restoring the registry in Windows 95.
Update 127 (May 1999) Page 7
PC Support Advisor File: E1209.3
End-User Support:Operating Systems
tire registry. If you want to try out Automatic Backups ple of extra benefits. As its name sug-
changes which only affect one branch, If the worst happens and you find gests, it performs a check, albeit a rudi-
you can limit the export to that branch. yourself with a damaged registry and mentary one, on the integrity of the
Another benefit is that you can per- no recent backup, there is an escape registry. It does this at boot time. If it
form both the export and import op- route. As soon as Windows has suc- detects a problem, it will automatically
erations from within Windows. cessfully booted, it automatically cre- restore the most recent backup. It will
To start the export process, launch ates a backup, which you can then use also defragment the registry if it de-
the Microsoft Registry Editor, select to restore the registry if the need arises. tects more than half a megabyte of
the branch that you wish to copy, This is not always an ideal solution, as empty space.
choose Export Registry File from the you can only restore the registry as it In the case of Windows 95, only one
Registry menu, and specify the name was at the start of the session, but it generation of automatic backup is
and location of the export file. Note should be enough to get you out of maintained. This consists of two files,
that the Save dialog includes a choice trouble. named SYSTEM.DA0 and USER.DA0.
between exporting the selected branch In Windows 98, these automatic They are hidden, system read-only
and exporting “all”, that is, the whole backups are held in the CAB files cre- files in the Windows directory. If you
registry. ated by the Registry Checker. If you need to restore from them, boot to
The resulting file has the extension need to restore from them, boot to DOS, change the attributes (on the
REG. You can view its contents by DOS, then type SCANREG /RE- backup and the existing registry files),
opening it in a text editor. When work- STORE to launch the command-line and copy the backups over the existing
ing with this file, take care not to dou- version of the utility. You will see a list files. This will only work if you have
ble-click on it, as this will re-import it. of the available backups, from which not booted to Windows since the reg-
You can also import the REG file by you can select the one you wish to istry became corrupted.
selecting Import Registry File from the restore.
Registry menu. The Registry Checker offers a cou- Registry Contents
For the remainder of the article, I
will describe the most important keys
and values in the registry of a typical
PC. As you read this, you might want
to follow along by having your own
registry open in the editor. For conven-
ience, I’ll deal with the root keys in the
order in which they appear in the edi-
This branch is an alias for
re\Classes (see below), and is a direct
descendant of the REG.DAT file found
in Windows 3.1. It is mainly used to
keep track of file extensions and their
associated applications, documents
and OLE objects. It is a particularly
large branch, with a very large number
of sub-keys at the first level down (I
counted over a thousand on my own
The first group of these first-level
sub-keys have names that look like file
extensions: .JPG, .XLS and the like.
There is one of these for each “regis-
tered” document type, that is, for each
type of file listed in the File Types tab
in the Options dialog in Windows Ex-
plorer. As a minimum, the sub-key’s
data contains a reference to the class
definition associated with the docu-
Figure 5 - You can export the registry to a text file, in INI format. ment.
PC Support Advisor Update 127 (May 1999) Page 8
End-User Support:Operating Systems
The class definitions themselves are certain installation routines to create a tion and state of every toolbar and win-
held in the remaining first-level sub- history list for the control which dow, a recently-used file list, the recent
keys. These contain a descriptive name prompts the user for the location of the locations for opening and saving each
for the document type (as it appears in source files. of the file types, and quite a lot more.
the Type column in folder windows), This is followed by Keyboard Lay- This is an unusually large example -
a pointer to the default icon and, where out, which contains settings from the most applications don’t store as much
relevant, information about how the Language tab in Keyboard Properties. as this.
application handles the documents as It includes a key named Preload, which Although HKEY_CURRENT_-
OLE objects and how the documents in turn holds a key for each installed USER\Software is mainly intended for
are manipulated from the Windows keyboard layout. These keys act as third-party vendors, Microsoft also
shell - for example, the actions avail- pointers to keys within HKEY_LO- has a presence there. The key includes
able from the menu which appears CAL_MACHINE\System\Curren sub-keys for each installed Microsoft
when you right-click on the file. t-ControlSet\Control\Keyboard Lay- application (for example, HKEY_-
Although HKEY_CLASSES_ROOT outs, which in turn contain references CURRENT_USER\Software\Micro-
is updated automatically as applica- to the keyboard drivers. soft\Office\8.0\PowerPoint) and also
tions are installed and uninstalled, The next first-level sub-key is Net- for Windows itself (HKEY_CUR-
there might be times when you need to works. It in turn contains two keys: RENT_USER\Software\Microsoft-
edit it yourself. For example, you Persistent lists the mapped drives \Windows\CurrentVersion) . The lat-
might want to restore a file association which are configured for reconnection ter holds user-specific settings for the
which a new application has taken at logon; Recent holds a key for each Windows applets, Internet Explorer,
over from an existing one. However, share on a connected computer which Task Manager and other components.
rather than editing the registry di- has been accessed from this computer. In Windows NT, there are some ad-
rectly, it is easier and safer to make this In each case, this shows the connection ditional first-level keys below
type of change from the File Types tab type and provider name. HKEY_CURRENT_USER. They in-
in the Options dialog. Next, the RemoteAccess sub-key clude Console (settings for the Com-
contains details of the user’s Dial-Up mand Prompt window), Environment
HKEY_CURRENT_USER Networking connections. The key it- (environment variables read at logon)
This root key contains information self contains settings common to all and Unicode (references to applica-
specific to the user, and is an alias for connections, such as the area code and tions that support Unicode).
the user’s branch within HKEY_US- the number of redial attempts. Below
ERS (described below). If user profiles this, the Addresses and Profile keys HKEY_LOCAL_MACHINE
are enabled, it relates to the user who contains settings for specific connec- This is another large root key. It is
is currently logged on. The key con- tions. the home of all the computer-specific
tains seven first-level sub-keys. The last of the first-level sub-keys in information, including details of the
The first of the first-level sub-keys HKEY_CURRENT_USER is easily the hardware configuration and any ma-
is named AppEvents, and contains de- largest. It is named Software, and it is chine-specific settings for the installed
tails of the sounds which the user has one of the two parts of the registry applications. Whereas each user who
associated with system or application specifically intended for use by appli- logs onto the PC sees different settings
events. It is organised into two subsidi- cations (the other is also named Soft- in HKEY_CURRENT_USER, they all
ary keys: EventLabels contains the ware, and is in HKEY_LOCAL- see the same information in
names of the events, and Schemes con- _MACHINE). HKEY_LOCAL_MACHINE. It con-
tains references to the corresponding Immediately below HKEY_CUR- tains seven first-level sub-keys.
sound files. Schemes is itself organised RENT_USER\Software, there is a key The first of the first-level sub-keys,
by application, and for each event for each vendor which has applica- named Config, contains all the hard-
within the application there is a cur- tions installed on the computer. This in ware profiles which have been set up
rent and a default setting. turn contains a key for each of the ven- for the machine (do not confuse these
The second of the first-level sub- dor’s installed applications and, in with user profiles, which are in
keys is named Control Panel. This con- some cases, a further sub-key for each HKEY_USERS). Each hardware pro-
tains the settings that used to be made installed version of the application. Be- file has its own key, one level down
from Control Panel in Windows 3.1: yond that, the content of each key is for from HKEY_LOCAL_MACHINE\-
colour schemes, screen savers, wallpa- the vendor to decide. Typically, they Config; these are named 0001, 0002,
per, keyboard repeat rate, mouse contain user preferences, histories and etc. Each profile contains configura-
speed and so on. These settings are the like. tion details for the monitor, printers
spread over a number of subsidiary As an example, my own registry and other devices present in the pro-
keys, each of which roughly corre- includes a key named HKEY_CUR- file, as well as certain Internet-related
sponds to one of the old Control Panel RENT_USER\Software\JASC\Paint- settings.
modules. Shop Pro 5, which in turn contains 43 The second of the first-level sub-
The next first-level sub-key is called sub-keys. As well as my preferences keys is Enum. This holds information
InstalledLocationsMRU. It is used by for PaintShop Pro, these store the posi- about all the devices and peripherals
Update 127 (May 1999) Page 9
PC Support Advisor File: E1209.5
End-User Support:Operating Systems
installed in the computer, including HKEY_LOCAL_MACHINE is named identical to HKEY_LOCAL_MA-
such details as the device type, drive System. It contains a single key (in CHINE\Config\nnnn, where nnnn is
letter, hardware ID and manufacturer. Windows 9x), named CurrentControl- the profile number.
It might also include devices that are Set, which in turn contains two keys: In Windows NT, hardware profiles
not currently available. For example, if Control and Services. The former are stored in HKEY_LOCAL_MA-
you have changed your monitor, both stores certain information needed at CHINE\System\CurrentControlSet-
monitors might have an entry (in boot time, including the computer \Hardware Profiles, and HKEY_CUR-
HKEY_LOCAL_MACHINE\Enum\- name, file system settings, multimedia RENT_CONFIG is an alias for
Monitor), with a further entry, named resources, descriptions of network HKEY_LOCAL_MACHINE\System-
Default_Monitor, used to point to the providers and information about na- \CurrentControlSet\Hardware Pro-
one currently installed. tional language support. The Services files\Current.
Enum contains a key for each class key lists the device drivers which Win-
of hardware. These vary according to dows must load during booting. HKEY_DYN_DATA
the installed devices, but will typically In Windows NT, HKEY_LO- This final root key (which is not
include: BIOS (devices used with a CAL_MACHINE does not have Con- present in NT) is a memory-resident
plug-and-play BIOS), ESDI (installed fig, Enum or Network sub-keys; some copy of certain other registry items. It
ESDI drives), Flop (floppy disk drives), of their settings can be found under the contains information which Windows
LptEnum (plug-and-play printers), System key instead. The Hardware key needs to retrieve particularly quickly.
MF (multi-function boards), Monitor contains more extensive information The root key contains two sub-keys.
(monitors), Network (network proto- about hardware devices and their cur- The first, named Config Manager,
cols and bindings), PCI (PCI devices), rent status (roughly corresponding to holds details of the current hardware
Root (certain legacy devices), SCSI the details shown in the Windows NT configuration as seen by the Plug-and-
(SCSI devices) and SerEnum (serial Diagnostics applet). The Security key Play Configuration Manager. Win-
plug-and-play devices). is also more extensive; it contains the dows builds this information (which is
The next first-level sub-key, named settings which are configured from sometimes referred to as the hardware
Hardware, contains a few details about User Manager. And there is one addi- tree) by examining the hardware dur-
the CPU, floating-point processor and tional first-level key in NT: the SAM ing booting; the information is then
serial ports. This is followed by Net- key holds user and group account in- updated dynamically as plug-and-
work, which stores information about formation. play devices are installed and re-
the current network logon (if any), in- moved.
cluding the user name and the name of HKEY_USERS The other sub-key is named
the primary network provider. Next, This root key contains a sub-key for PerfStats. This contains performance
the Security sub-key contains details of each user profile. There is a further information about network compo-
any security provider. sub-key, named .Default, which pro- nents.
The largest of the first-level sub- vides default values for new user pro-
keys comes next. It is named Software, files. If user profiles are not enabled,
and it closely parallels the Software .Default stores the settings for the ac- New Report: "The 16
key in HKEY_CURRENT_USER. tual user. Best-ever Freeware Utilities"
However, while HKEY_CUR- When a user logs on, Windows cre-
RENT_USER\Software contains user- ates the HKEY_CURRENT_USER Click here to get it for free
related settings for the installed alias from the corresponding profile.
applications, the HKEY_LOCAL_MA- The contents of the profile key within
CHINE version contains computer- HKEY_USER are therefore identical to
specific settings. For example, that of HKEY_CURRENT_USER (de-
HKEY_CURRENT_USER\Software\- scribed above).
cludes the current user’s preferences HKEY_CURRENT_CONFIG
for PowerPoint; the corresponding As mentioned earlier, HKEY_LO-
branch in HKEY_LOCAL_MACHINE CAL_MACHINE\Config contains de-
contains the application’s directories, tails of the installed hardware profiles
details of the installed filters and so on. (this applies only to Windows 9x).
In addition, HKEY_LOCAL_MA- Each profile has its own key within
CHINE\Software includes a key Config - named 0001, 0002 etc - which The Author
named Classes, which holds informa- holds configuration details for the pro- Mike Lewis is a freelance technical
tion about registered file types and file. There is always at least one profile journalist and a regular contribu-
their associated applications. This key key. tor to PCSA. You can contact him
is aliased by HKEY_CLASSES_ROOT, The HKEY_CURRENT_CONFIG by email at mike.lewis@itp-jour-
which is described above. root key is an alias for the current hard- nals.com.
The last of the first-level sub-keys in ware profile. Its content is therefore
PC Support Advisor Update 127 (May 1999) Page 10
New Reviews from Tech Support Alert
Anti-Trojan Software Reviews
A detailed review of six of the best anti trojan software programs. Two products
were impressive with a clear gap between these and other contenders in their
ability to detect and remove dangerous modern trojans.
Inkjet Printer Cartridge Suppliers
Everyone gets inundated by hundreds of ads for inkjet printer cartridges, all
claiming to be the cheapest or best. But which vendor do you believe? Our
editors decided to put them to the test by anonymously buying printer cartridges
and testing them in our office inkjet printers. Many suppliers disappointed but we
came up with several web sites that offer good quality cheap inkjet cartridges
with impressive customer service.
Windows Backup Software
In this review we looked at 18 different backup software products for home or
SOHO use. In the end we could only recommend six though only two were good
enough to get our “Editor’s Choice” award
The 46 Best Freeware Programs
There are many free utilities that perform as well or better than expensive
commercial products. Our Editor Ian Richards picks out his selection of the very
best freeware programs and he comes up with some real gems.
Tech Support Alert