Getting to Know the Registry’s Root Keys
The
root keys are your Registry starting points, so you need to become
familiar with what kinds of data each key holds. The next few sections
summarize the contents of each key.
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT—usually abbreviated as HKCR—contains
data related to file extensions and their associated programs, the
objects that exist in the Windows 7 system, as well as applications and
their automation information. There are also keys related to shortcuts
and other interface features.
The top part of this key contains subkeys for various file extensions. You see .bmp for bitmap (Paint) files, .txt for text (Notepad) files, and so on. In each of these subkeys, the Default
setting tells you the name of the registered file type associated with
the extension. For example, the .txt extension is associated with the txtfile file type.
These registered file types appear as subkeys later in the HKEY_CLASSES_ROOT
branch, and the Registry keeps track of various settings for each
registered file type. In particular, the shell subkey tells you the
actions associated with this file type. For example, in the shell\open\command subkey, the Default setting shows the path for the executable file that opens. Figure 2 shows this subkey for the txtfile file type.
HKEY_CLASSES_ROOT is actually a copy (or an alias, as these copied keys are called) of the following HKEY_LOCAL_MACHINE key:
HKEY_LOCAL_MACHINE\Software\Classes
The Registry creates an alias for HKEY_CLASSES_ROOT to make these keys easier for applications to access and to improve compatibility with legacy programs.
HKEY_CURRENT_USER
HKEY_CURRENT_USER—usually abbreviated as HKCU—contains
data that applies to the user that’s currently logged on. It contains
user-specific settings for Control Panel options, network connections,
applications, and more. Note that if a user has group policies set on
his account, his settings are stored in the HKEY_USERS\sid subkey (where sid is the user’s security ID). When that user logs on, these settings are copied to HKEY_CURRENT_USER. For all other users, HKEY_CURRENT_USER is built from the user’s profile file, ntuser.dat (located in %UserProfile%).
Tip
How do you find out each user’s SID? First, open the following Registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
Here you’ll find a list of SIDs. The ones that begin S-1-5-21 are the user SIDs. Highlight one of these SIDs and then examine the ProfileImagePath setting, which will be of the form %SystemDrive%\Users\
user, where user is the username associated with the SID.
Here’s a summary of the most important HKEY_CURRENT_USER subkeys:
AppEvents | Contains sound files that play when particular system events occur (such as maximizing of a window) |
Control Panel | Contains settings related to certain Control Panel icons |
Keyboard Layout | Contains the keyboard layout as selected via Control Panel’s Keyboard icon |
Network | Contains settings related to mapped network drives |
Software | Contains user-specific settings related to installed applications and Windows |
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE (HKLM)
contains non-user-specific configuration data for your system’s
hardware and applications. You’ll use the following three subkeys most
often:
Hardware | Contains subkeys related to serial ports and modems, as well as the floating-point processor. |
Software | Contains computer-specific settings related to installed applications. The Classes subkey is aliased by HKEY_CLASSES_ROOT. The Microsoft subkey contains settings related to Windows (as well as any other Microsoft products you have installed on your computer). |
System | Contains subkeys and settings related to Windows startup. |
HKEY_USERS
HKEY_USERS (HKU) contains settings that are similar to those in HKEY_CURRENT_USER. HKEY_USERS is used to store the settings for users with group policies defined, as well as the default settings (in the .DEFAULT subkey) which get mapped to a new user’s profile.
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG (HKCC) contains settings for the current hardware profile. If your machine uses only one hardware profile, HKEY_CURRENT_CONFIG is an alias for HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001. If your machine uses multiple hardware profiles, HKEY_CURRENT_CONFIG is an alias for HKEY_LOCAL_MACHINE\SYSTEM\ControlSet
nnn, where nnn is the numeric identifier of the current hardware profile. This identifier is given by the CurrentConfig setting in the following key:
HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB
Understanding Hives and Registry Files
The Registry database actually consists of a number of files that contain a subset of the Registry called a hive.
A hive consists of one or more Registry keys, subkeys, and settings.
Each hive is supported by several files that use the extensions listed
in Table 1.
Table 1. Extensions Used by Hive Supporting Files
Extension | Descriptions |
---|
None | A complete copy of the hive data. |
.log1 | A log of the changes made to the hive data. |
.log, .log2 | These files are created during the Windows 7 setup, but remain unchanged as you work with the system. |
Note
To
see all of these files, you must display hidden files on your system.
In Windows Explorer, select Organize, Folder and Search Options, select
the View tab, and then activate the Show Hidden Files, Folder, and
Drives option. While you’re here, you can also deactivate the Hide
Extensions for Known File Types check box. Click OK.
Table 2 shows the supporting files for each hive. (Note that not all of these files might appear on your system.)
Table 2. Supporting Files Used by Each Hive
Hive | Files |
---|
HKLM\BCD00000000 | %SystemRoot%\System32\config\BCD-Template%SystemRoot%\System32\config\BCD-Template.LOG
|
HKLM\COMPONENTS | %SystemRoot%\System32\config\COMPONENTS
%SystemRoot%\System32\config\COMPONENTS.LOG
%SystemRoot%\System32\config\COMPONENTS.LOG1
%SystemRoot%\System32\config\COMPONENTS.LOG2 |
HKLM\SAM | %SystemRoot%\System32\config\SAM
%SystemRoot%\System32\config\SAM.LOG
%SystemRoot%\System32\config\SAM.LOG1
%SystemRoot%\System32\config\SAM.LOG2 |
HKLM\SECURITY | %SystemRoot%\System32\config\SECURITY
%SystemRoot%\System32\config\SECURITY.LOG
%SystemRoot%\System32\config\SECURITY.LOG1
%SystemRoot%\System32\config\SECURITY.LOG2 |
HKLM\SOFTWARE | %SystemRoot%\System32\config\SOFTWARE
%SystemRoot%\System32\config\SOFTWARE.LOG
%SystemRoot%\System32\config\SOFTWARE.LOG1
%SystemRoot%\System32\config\SOFTWARE.LOG2 |
HKLM\SYSTEM | %SystemRoot%\System32\config\SYSTEM
%SystemRoot%\System32\config\SYSTEM.LOG
%SystemRoot%\System32\config\SYSTEM.LOG1
%SystemRoot%\System32\config\SYSTEM.LOG2 |
HKU\.DEFAULT | %SystemRoot%\System32\config\DEFAULT
%SystemRoot%\System32\config\DEFAULT.LOG
%SystemRoot%\System32\config\DEFAULT.LOG1
%SystemRoot%\System32\config\DEFAULT.LOG2 |
Also, each user has his or her own hive, which maps to HKEY_CURRENT_USER during logon. The supporting files for each user hive are stored in \Users\user, where user is the username. In each case, the ntuser.dat file contains the hive data, and the ntuser.dat.log1 file tracks the hive changes. (If a user has group policies set on her account, the user data is stored in an HKEY_USERS subkey.)