Sunday, October 19, 2008

WINDOWS REGISTRY

Microsoft does not provide white papers that help users unlock the registry's secrets.


WHAT IS THE WINDOWS REGISTRY?

The registry is a hierarchical database, which you can describe as a central repository for configuration data (Microsoft's terminology) or as a configuration database (my terminology). A hierarchical database has characteristics that make it ideally suited to storing configuration data.


With every click, Windows XP consults the registry. Every time you launch a program, the operating system consults the registry. Every application you use looks for its settings in the registry. The registry is certainly the center of attention.


>> Right-click different types of files and you see different shortcut menus. Settings in the registry make this type of context-sensitive user interface possible.


>> Even Plug and Play depends on the registry.


MICROSOFT'S GAME:
Microsoft doesn't say much about it. You don't find the registry's editor on the Start menu. You find very little information about the registry in Help. Microsoft doesn't provide white papers that help users unlock its secrets.
And why should they? Do you really want the average user mucking around in the registry?




Security Identifiers (SID)


Globally Unique Identifiers (GUID)


All GUIDs have the same format. They're 16-byte numbers written in hexadecimal as groups of 8, 4, 4, 4, and 12 digits (0 through 9 and A through F). A dash divides each group of digits, and curly brackets enclose the whole number. An example of a real GUID is {645FF040-5081-101B-9F08-00AA002F954E}, which represents the Recycle Bin object that you see on the desktop. The GUID {127A89AD-C4E3-D411-BDC8-001083FDCE08} belongs to one of the computers in my lab. Programmers often use the tool Guidgen.exe to create GUIDs, but Windows XP generates them, too.
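As an added example (not code from the original post or from Microsoft), the following Python checks a string against the {8-4-4-4-12} format described above and converts it to the 16 bytes of the GUID structure Windows uses in memory. Windows declares a GUID as a 32-bit field, two 16-bit fields and eight bytes; the three integer fields are stored least-significant byte first on Intel hardware (see the Little-Endian section below), while the last eight bytes are stored as written. The Recycle Bin GUID quoted above is the sample input; everything else is assumed for illustration.

```python
"""Validate the textual GUID format and lay it out as the 16-byte GUID
structure Windows keeps in memory (added example, not the post's own code)."""
import re
import struct

# 8-4-4-4-12 hex digits, dash separated, enclosed in curly brackets.
GUID_RE = re.compile(
    r"^\{([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}$"
)


def is_valid_guid(text: str) -> bool:
    """True if text is a GUID in the registry's {8-4-4-4-12} text form."""
    return GUID_RE.match(text) is not None


def guid_to_bytes(text: str) -> bytes:
    """Convert the textual GUID to the 16 bytes of the Windows GUID structure.

    Data1 (32-bit), Data2 (16-bit) and Data3 (16-bit) are integers and so end
    up little-endian in memory on Intel; Data4 is an 8-byte array stored in
    the order written, which is why only the first three groups get swapped.
    """
    m = GUID_RE.match(text)
    if m is None:
        raise ValueError(f"not a GUID: {text!r}")
    g1, g2, g3, g4, g5 = m.groups()
    data4 = bytes.fromhex(g4 + g5)
    return struct.pack("<IHH8s", int(g1, 16), int(g2, 16), int(g3, 16), data4)


def bytes_to_guid(raw: bytes) -> str:
    """Inverse of guid_to_bytes: 16 raw bytes back to the upper-case text form."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    d1, d2, d3, d4 = struct.unpack("<IHH8s", raw)
    return "{%08X-%04X-%04X-%s-%s}" % (
        d1, d2, d3, d4[:2].hex().upper(), d4[2:].hex().upper())


# The Recycle Bin GUID quoted in the text.
RECYCLE_BIN = "{645FF040-5081-101B-9F08-00AA002F954E}"

if __name__ == "__main__":
    raw = guid_to_bytes(RECYCLE_BIN)
    print(RECYCLE_BIN)
    print(raw.hex(" ").upper())       # 40 F0 5F 64 81 50 1B 10 9F 08 00 AA 00 2F 95 4E
    print(bytes_to_guid(raw) == RECYCLE_BIN)
```

Note how the first four bytes in memory read 40 F0 5F 64, not 64 5F F0 40: a GUID copied out of a hex dump of a REG_BINARY value has to be byte-swapped group by group before it matches what Registry Editor shows as text.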




Hexadecimal digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
A = 10, B = 11, C = 12, D = 13, E = 14, F = 15




WHY 0x?


Is 12 a decimal number or a hexadecimal number? You don't have enough information to know for sure. The solution is to always use the prefix 0x at the beginning of hexadecimal numbers. 0x12 is then a hexadecimal number (18 in decimal), whereas 12 is a decimal number. This is the standard format for hexadecimal numbers, and it's the format that Microsoft uses in its documentation and in the tools covered here; Registry Editor, for instance, shows a DWORD as 0x00000012 (18).




Use Windows Calculator (calc) in Scientific mode to convert between decimal and hexadecimal.




Bits and Bit Masks




Little-Endian and Big-Endian




In a hexadecimal number such as 0x0102, the 0x01 is the most significant byte and the 0x02 is the least significant. The left-most bytes are more significant because you multiply these digits by a higher power of 16. The right-most digits are less significant, and the digits become more significant as you move from right to left.




Programs store numbers in memory in two ways: big-endian or little-endian. When a program
stores a number using big-endian (big end first) storage, it stores the most significant bytes in
memory first, followed by the less significant bytes. When stored in memory using big-endian
storage, the number 0x01020304 is 0x01 0x02 0x03 0x04. Makes sense, doesn't it? The problem is
that Intel-based processors don't store numbers in memory this way. Intel-based processors use
the little-endian (little end first) architecture, which means they store the least significant bytes first,
followed by the more significant bytes. Thus, the number 0x01020304 is 0x04 0x03 0x02 0x01 in
memory.
Although most of the tools you'll use display all n
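The following Python is an added example (not from the original post) that ties the "WHY 0x?" section and the endianness discussion together on a registry value: it writes 0x01020304 both ways, and then decodes four bytes copied from Registry Editor's binary view according to the value's type. The type codes REG_DWORD (4, little-endian, the normal DWORD) and REG_DWORD_BIG_ENDIAN (5) are the Windows SDK's; the hex dump line is constructed for the example.

```python
"""Little-endian versus big-endian storage of a 32-bit registry value
(added example, not the post's own code)."""
import struct

# Registry value type codes from the Windows SDK (winnt.h).
REG_DWORD = 4               # same as REG_DWORD_LITTLE_ENDIAN
REG_DWORD_BIG_ENDIAN = 5


def to_big_endian(value: int) -> bytes:
    """Most significant byte first: 0x01020304 -> 01 02 03 04."""
    return struct.pack(">I", value)


def to_little_endian(value: int) -> bytes:
    """Least significant byte first, as Intel stores it: 0x01020304 -> 04 03 02 01."""
    return struct.pack("<I", value)


def parse_hex_dump(dump: str) -> bytes:
    """Turn a 'FF 00 ..' byte listing, as Registry Editor's binary view shows it,
    back into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def decode_dword(raw: bytes, value_type: int = REG_DWORD) -> int:
    """Interpret four raw bytes according to the registry value type.

    Reading a REG_DWORD's bytes in the order they appear in the dump (as if
    big-endian) gives the wrong number; the value type decides the byte order.
    """
    if len(raw) != 4:
        raise ValueError("a DWORD is exactly 4 bytes")
    if value_type == REG_DWORD:
        return struct.unpack("<I", raw)[0]
    if value_type == REG_DWORD_BIG_ENDIAN:
        return struct.unpack(">I", raw)[0]
    raise ValueError(f"type {value_type} is not a DWORD type")


def hexify(value: int) -> str:
    """Format with the 0x prefix so the base is unambiguous (0x12, not 12)."""
    return f"0x{value:08X}"


if __name__ == "__main__":
    n = 0x01020304
    print("big-endian   :", to_big_endian(n).hex(" "))
    print("little-endian:", to_little_endian(n).hex(" "))
    # Constructed sample: four bytes copied from Registry Editor's binary view.
    raw = parse_hex_dump("04 03 02 01")
    print("as REG_DWORD            :", hexify(decode_dword(raw, REG_DWORD)))
    print("as REG_DWORD_BIG_ENDIAN :", hexify(decode_dword(raw, REG_DWORD_BIG_ENDIAN)))
```

The same four bytes give 0x01020304 as a REG_DWORD and 0x04030201 if misread as big-endian, which is the mistake to avoid when you work from raw hive bytes or a hex dump rather than from Registry Editor's decoded display.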






HKEY_USERS
HKU contains at least three subkeys:
· .DEFAULT contains the per-user settings that Windows XP uses to display the desktop before any user logs on to the computer. This isn't the same thing as a default user profile, which Windows XP uses to create settings for users the first time they log on to the computer.
· SID, where SID is the security identifier of the console user (the console user is the user sitting at the keyboard), contains per-user settings. HKCU is linked to this key. This key contains settings such as the user's desktop preferences and Control Panel settings.
· SID_Classes, where SID is the security identifier of the console user, contains per-user class registrations and file associations. Windows XP merges the contents of the keys HKLM\SOFTWARE\Classes and HKU\SID_Classes into HKCR.

You'll usually see other SIDs in HKU, including the following (see Table 1-1 for a refresher):
· S-1-5-18 is the well-known SID for the LocalSystem account. Windows XP loads this account's profile when a program or service runs in the LocalSystem account.
· S-1-5-19 is the well-known SID for the LocalService account. Service Control Manager uses this account to run local services that don't need to run as the LocalSystem account.
· S-1-5-20 is the well-known SID for the NetworkService account. Service Control Manager uses this account to run network services that don't need to run as the LocalSystem account.
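Added example (not code from the original post): the SIDs above are shown in text form, but Windows stores them as binary in REG_BINARY values, and you will meet both when reading the registry. The Python below converts between the two using the documented binary layout (revision byte, sub-authority count, 6-byte identifier authority in big-endian order, then 32-bit little-endian sub-authorities) and labels HKU subkey names following the scheme described above. The well-known SIDs are the three from the text; the user SID is constructed, and the S-1-5-21 prefix test relies on the general shape of account SIDs rather than on anything in the post.

```python
"""Security identifiers: text form <-> binary form, and what an HKU subkey
name tells you (added example, not the post's own code)."""
import struct

# The well-known SIDs named in the text and the accounts they stand for.
WELL_KNOWN = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}


def sid_to_bytes(sid: str) -> bytes:
    """Text SID -> binary SID.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then each sub-authority as a 32-bit
    little-endian integer. The mixed byte orders make hand decoding error prone.
    """
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("authority or sub-authority count out of range")
    out = struct.pack("BB", revision, len(subs))
    out += authority.to_bytes(6, "big")
    out += b"".join(struct.pack("<I", s) for s in subs)
    return out


def bytes_to_sid(raw: bytes) -> str:
    """Binary SID -> text SID (inverse of sid_to_bytes)."""
    if len(raw) < 8:
        raise ValueError("a binary SID is at least 8 bytes")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:]) if count else ()
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def describe_hku_subkey(name: str) -> str:
    """Say what a subkey of HKU holds, following the scheme described above."""
    if name == ".DEFAULT":
        return "pre-logon desktop settings"
    if name.endswith("_Classes"):
        return f"per-user class registrations for {name[:-len('_Classes')]}"
    if name in WELL_KNOWN:
        return f"profile of the {WELL_KNOWN[name]} account"
    if name.startswith("S-1-5-21-"):   # assumption: account SIDs from a local or domain authority
        return "profile of a local or domain user account"
    return "unknown"


if __name__ == "__main__":
    # Constructed SID for a local user; real ones carry machine-specific sub-authorities.
    user = "S-1-5-21-1004336348-1177238915-682003330-1001"
    raw = sid_to_bytes(user)
    print(raw.hex(" "))
    print(bytes_to_sid(raw))
    for key in (".DEFAULT", "S-1-5-18", user, user + "_Classes"):
        print(key, "->", describe_hku_subkey(key))
```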


HKEY_LOCAL_MACHINE
HKLM contains per-computer settings, which means the settings in this branch apply to the computer's configuration and affect every user who logs on to it. Settings run the gamut from device driver configurations to Windows XP settings. HKLM contains the following subkeys (notice that these subkeys are capitalized):
· HARDWARE. Stores data describing the hardware that Windows XP detects as it starts. The operating system creates this key each time it starts, and it includes information about devices and the device drivers and resources associated with them. This key contains information that IT professionals find useful during a network inventory, as you learn in Chapter 15, "Working Around IT Problems."
· SAM. Contains Windows XP's local security database, the Security Accounts Manager (SAM). Windows XP stores local users and groups in SAM. This key's access control list (ACL) prevents even administrators from viewing it by default; the same data is also reachable as HKLM\SECURITY\SAM, which is linked to it. Note that the protection is only an ACL: an administrator can take ownership of the key, and code running as LocalSystem (S-1-5-18, above) reads it directly.
· SECURITY. Contains Windows XP's local security database in the subkey SAM, as well as other security settings. This key's ACL prevents even administrators from viewing it, unless they take ownership of it.
· SOFTWARE. Contains per-computer application settings. Windows XP stores settings in this key, too. Microsoft standardized this key's organization so that programs store settings in HKLM\SOFTWARE\Vendor\Program\Version\. Vendor is the name of the program's publisher, Program is the name of the program, and Version is the program's version number. Often, as is the case with Windows XP, Version is CurrentVersion. HKCR is derived from the key HKLM\SOFTWARE\Classes (merged with the per-user classes, as described under HKEY_CLASSES_ROOT).
· SYSTEM. Contains control sets, one of which is current. The remaining sets are available for use by Windows XP. Each subkey is a control set named ControlSetnnn, where nnn is an incremental number beginning with 001. The operating system maintains at least two control sets to ensure that it can always start properly. These sets contain device driver and service configurations. HKLM\SYSTEM\CurrentControlSet is a link to one ControlSetnnn, and the Current value of the key HKLM\SYSTEM\Select indicates which ControlSetnnn is in use.


HKEY_CLASSES_ROOT
HKCR contains two types of settings. The first is file associations that associate different types of files with the programs that can open, print, and edit them. The second is class registrations for Component Object Model (COM) objects. This root key is one of the most interesting in the registry to customize, because it enables you to change a lot of the operating system's behavior. This root key is also the largest in the registry, accounting for the vast majority of the space that the registry consumes.

Before Windows 2000, HKCR was a link to the key HKLM\SOFTWARE\Classes, but this root key is more complicated now. To derive HKCR, the operating system merges two keys: HKLM\SOFTWARE\Classes, which contains default file associations and class registrations; and HKCU\Software\Classes, which contains per-user file associations and class registrations. HKCU\Software\Classes is really a link to HKU\SID_Classes, which you learned about in the "HKEY_USERS" section. If the same value appears in both branches, the value in HKCU\Software\Classes has higher precedence and wins over the value in HKLM\SOFTWARE\Classes. This merge algorithm has several benefits:
· Programs can register per-computer and per-user program file associations and program classes. (One user can have file associations that other users who share the computer don't have.) This is probably the biggest benefit of the merge.
· Users who share a single computer can use two different programs to edit the same type of file without affecting each other.
· Because per-user file associations and class registrations are in the users' profiles, they follow users from computer to computer when using roaming user profiles.
· IT professionals can limit access to HKLM\SOFTWARE\Classes without preventing users from changing HKCU\Software\Classes, allowing for greater security in the registry without crippling users' ability to change associations.

The precedence cuts both ways, though: a per-user class registration replaces the machine-wide one for that user without any write to HKLM, so HKCU\Software\Classes deserves the same scrutiny as HKLM\SOFTWARE\Classes when you check what a user's file types and COM classes actually launch.

Create a new key in the root of HKCR, and Windows XP actually creates it in HKLM\SOFTWARE\Classes. Windows XP doesn't provide a user interface other than Registry Editor to add class registrations to HKCU\Software\Classes, because the intention is to allow programs to register per-user program classes. When you edit an existing program class, the change is reflected in HKLM or HKCU, depending on where the program class already exists. If the program class exists in both places, Windows XP updates only the version in HKCU.
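To make the merge and write rules concrete, here is an added Python model (not code from the original post, and not how Windows implements it internally). Two dictionaries stand in for HKLM\SOFTWARE\Classes and HKCU\Software\Classes, with constructed sample entries; merged_hkcr() builds the HKCR view with HKCU winning, write_hkcr() applies the "where does an edit land" rules stated above, and shadowed_paths() is the check a practitioner wants: every path registered in both branches, where the per-user value silently overrides the machine-wide one.

```python
r"""Model of how HKCR is derived from HKLM\SOFTWARE\Classes and
HKCU\Software\Classes, with a check for per-user entries that shadow
machine-wide ones (added example, not the post's own code)."""
from typing import Dict, Tuple

# Constructed data standing in for the two branches. Keys are subkey paths
# under ...\Classes; values are the (Default) value of that key.
HKLM_CLASSES: Dict[str, str] = {
    r".txt": "txtfile",
    r"txtfile\shell\open\command": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    r"CLSID\{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
}
HKCU_CLASSES: Dict[str, str] = {
    # Per-user override: this user opens text files with a different editor.
    r"txtfile\shell\open\command": r"C:\Tools\editor.exe %1",
}


def merged_hkcr(hklm: Dict[str, str], hkcu: Dict[str, str]) -> Dict[str, str]:
    r"""HKCR view: start from HKLM\SOFTWARE\Classes, then let HKCU\Software\Classes win."""
    view = dict(hklm)
    view.update(hkcu)        # same path in both branches -> HKCU value wins
    return view


def shadowed_paths(hklm: Dict[str, str], hkcu: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Paths registered in both branches, as {path: (machine value, per-user value)}.

    These are the entries to review: the per-user value changes what runs for
    that user while HKLM still shows the expected machine-wide setting.
    """
    return {p: (hklm[p], hkcu[p]) for p in hkcu if p in hklm}


def write_hkcr(path: str, value: str, hklm: Dict[str, str], hkcu: Dict[str, str]) -> str:
    """Apply a write made through HKCR, following the rules described in the text.

    Returns the name of the branch the write landed in.
    """
    if path in hkcu:         # exists per-user (alone or in both): only HKCU is updated
        hkcu[path] = value
        return "HKCU"
    if path in hklm:         # exists only machine-wide: HKLM is updated
        hklm[path] = value
        return "HKLM"
    hklm[path] = value       # exists nowhere yet (e.g. a new key in HKCR's root): created in HKLM
    return "HKLM"


if __name__ == "__main__":
    hklm, hkcu = dict(HKLM_CLASSES), dict(HKCU_CLASSES)
    view = merged_hkcr(hklm, hkcu)
    print("effective open command:", view[r"txtfile\shell\open\command"])
    for p, (machine, user) in shadowed_paths(hklm, hkcu).items():
        print(f"SHADOWED {p}: HKLM={machine!r} HKCU={user!r}")
    print("new .log key lands in", write_hkcr(r".log", "txtfile", hklm, hkcu))
```

Run against real data, the same shadowed_paths() logic over exported HKLM\SOFTWARE\Classes and HKCU\Software\Classes trees is a quick way to spot a user profile whose file associations or CLSIDs no longer resolve to what the machine-wide registration says.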
Note HKCR is significant enough that it gets its own appendix. Appendix A, "File Associations,"
describes this root key in detail. You learn how it associates file extensions with file types,
how Windows XP registers COM objects, and which subkeys are the most interesting to
customize.


HKEY_CURRENT_CONFIG
HKCC is a link to configuration data for the current hardware profile, the key HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current. In turn, Current is a link to the key HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\nnnn, where nnnn is an incremental number beginning with 0000.

3 comments:

Priyanka Tadipatri said...

Ah! Cool info. Though I hardly ever need to alter registry values and all, it was good to know what it is meant to do.

Unknown said...

Well done, Lipak... great job done by you...

There is a mistake in "I am an(a) student of NIT Jsr".

Happy Diwali... Lipu

LIPAK.....Don't learn to HACK - HACK to learn said...

Thanks for your comments...