
Part of a registry FAQ, need some input on it.

18 years 9 months ago #12687 by Ozzy_98
I've been writing some computer and networking FAQs in my spare time, and decided to load up one of my older ones on the registry and fix it up some. If anyone notices any mistakes in it, or can recommend new sections to put in, please do so. I've been meaning to add more on using group policy, and how to make administrative templates. I also might cover the reg command some too. And if anyone can think of a better way for me to list the registry keys in that section, let me know. I'm still not happy with it.

The Windows registry is often a topic most people shy away from. They view the registry as some black box that you cannot tamper with, or seem to think that it's written in some language no mortal could ever understand. In truth, the registry is very simple. While it may be hard or impossible to figure out what some keys mean, the registry in itself is very simple. It is not a mess of configurations with no order; most settings are placed in a logical location. If you know how the registry works, you can quickly find what you want.

NOTE: Regedit on XP\2K3 is a merging of both regedit and regedt32 from Windows 2K. If you can, it's recommended you use regedit from one of these two operating systems.

What is the registry?

The registry is nothing more than a central place to store all settings on the computer. While a program doesn't have to store any data in the registry, it's free to if it likes. It's a lot like the configuration files for Linux and Unix, but rather than being stored in folders, it's stored in hives, a folder-like structure.

What are the registry keys?

When opening the registry in RegEdit, you are presented with 5 keys, or hives. The five keys are:

HKey_Classes_Root (HKCR)
HKey_Current_User (HKCU)
HKey_Local_Machine (HKLM)
HKey_Users (HKU)
HKey_Current_Config (HKCC)

Of the five, three are actually subtrees of other keys. HKey_Users and HKey_Local_Machine are the two "full" keys. The other keys are subkeys of these two, or combinations of two or more keys. HKey_Users holds all "per user" settings in the registry. If you make a change to a program that records to the registry, and another user is not affected by it, then it must be in this section. You can also use this key to edit .default, the key that is used to make the default keys for all new users. When a new user is made, .default is copied into the new hive, using their SID to tell them apart.

HKey_Current_User is the HKey_Users key for the user running regedit. It is a shortcut to the current user's settings, so you don't have to find out which one of the HKey_Users subkeys you need to edit.

HKey_Current_Config is the current hardware profile listed in HKey_Local_Machine\System\ControlSet001\Hardware Profiles. HKCC is nothing more than a pointer to this key.

HKey_Classes_Root is a combo of the HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes keys. The data is merged, so if there's no data listed for the current user, then the one for the local machine is used.

What are Keys? Hives? Values?

The registry hives normally refer to the 5 main keys. I have seen hives refer to subkeys, however. The keys are the ones that look like small folders. Values for each of the keys can be binary, string, dword, multi-string and expandable string. In general, when editing you do not need to know what these values mean, since you have to use the type that value needs. You cannot use a string when a dword is called for. Strings are the most common, followed by dwords. On Windows 2K, regedit only supports string, dword and binary. You will have to use regedt32 to edit multi and expandable strings.


Why do I have to reboot for some programs?

Since all these keys fall under HKey_Users and HKey_Local_Machine, HKU should be thought of as the user part of all configuration, while HKLM is the computer part. Many settings that are per computer are looked at when the computer boots, like settings for services, and are then never checked. A reboot forces all programs to check any changes in the machine section of the registry. This is one of the reasons you may need to reboot; some others may be because a file is in use during normal operation, and needs to be changed during boot.

Some programs read the HKCU key on login, and never again. When changed, these programs will generally tell you to reboot, but actually a login is all that's needed.

What is group policy?

Group policy is used to ease the change of many registry settings on a Windows computer. This is generally only done on Windows 2000, XP, and 2003 or newer machines. Administrative Tools should have the group policy editor, listed as local policy editor. If not listed there, from the Run menu, type in mmc, and File -> Add\Remove Snap-in. In the local computer policy, you have two keys, Computer Configuration and User Configuration.

These change settings in HKU and HKLM. There are a fair number of options predefined here, like Computer Configuration -> Windows Settings -> Startup\Shutdown scripts. While called scripts, these can be .bat or .exe files run when the computer starts up\shuts down. This is NOT the same as logon\logoff. Most normal users will want to play with the user configuration; computer configuration is more for higher-level users.

In the user section, you have options for logon\logoff scripts, and administrative templates. The templates are the main thing here that users will want to mess with. Click on Desktop, and there's a listing of options. This is mostly simple stuff, hide icons or show them; nothing in there should really be considered advanced. There are other ways to do the same things. Look in the Active Desktop section.

There are places where you can assign backgrounds, and control them from doing more than a few neat tricks. What options you have depends on the Windows version; 2K has fewer options than 2K3 and XP.

Let's look in System, under Ctrl+Alt+Del. There are options to control what buttons you get in Ctrl+Alt+Del. There are all sorts of options that you never knew you could do, like Network -> Network Connections. A bunch of options in there.

In almost every key, clicking on it will get you a dialog with three options: enable, disable, and not set, plus an Explain tab. Make sure you read the Explain tab to understand what the option does.

Think you understand group policy? You don't. Group policy isn't meant to change settings on A computer. It's meant to change settings on hundreds, or thousands, of computers at once. In a Windows network, you have what's called OUs. They're basically folders; the network administrators can put computers and users into these OUs. For example, maybe you're in the Sales\Users OU. All people in the Sales department are required to have the same desktop settings. The administrator makes a group policy setting, and hooks the group policy onto Sales\Users.

It now affects ALL users in Sales. Get moved to Tech\DesktopAdmins? The administrator simply changes what OU you're in, and the settings for your desktop change based on the new rules. With the group policy templates, plus security settings, and the ability to assign permissions and programs to users and\or computers, group policy is a powerful tool. Any registry changes learned here can be applied via group policy to affect all users in a company with a few clicks of the mouse.

How do I back-up the registry?

Open Regedit, and on the computer icon, right click and hit Export. Make sure you're using the icon for the computer, and not one of the 5 keys, otherwise you won't export all the keys. This creates a .reg file. Simply clicking on it in Explorer will import it back. This will cause it to MERGE with the current registry, so any new keys created after the backup will not be affected. There are other ways, many other ways, to back up the registry, like a system state backup using the built-in Windows backup tool. But exporting can be the simplest.

You can use Export to export any key. Make a neat change to the registry and want to share it? Right click the key, and export just that key. The .reg files are nothing more than text files, and can be edited with ease. If you have any sort of basic programming skills, you can make a program that makes .reg files to change registry settings.


What is the structure of the registry?

HKey_Classes_Root is where file types are stored. It's how the computer knows what to use to open .bmp files, and it's how it knows what items to put on its context menu, the menu you get when you right click the file. Open regedit and open HKCR; the first one you get is *.

This, as you may have guessed, is a wild card. It basically affects all files. Click on the + sign to open the key, and you get openwith, shell, and shellex. Shell might not be there, so don't worry. Shellex keys are ones you don't want to mess with, at least not with a registry editor. They're COM based, and can be very easy to mess up. The shell key is the main one you'll hand edit, and the most fun. If you don't have the shell key, right click the *, and hit New -> Key. It should say New Key #1; rename it to shell.

Now right click shell, and hit New -> Key. Name this one OpenCMD. This doesn't really matter; it can be any name you want. On the right pane, double click (Default) and in Value data, type in Open Command Line Here. Now highlight OpenCMD on the left pane, and hit New -> Key. Name this one command, and it MUST be named command. Then click on command, and double click (Default) again. Set this value to "cmd /k ver & date /t & time /t" without the quotes. Now right click any file, except folders, and you now have the option to open a command window in that folder's directory.

Next, right click the OpenCMD key, and hit Export. Save it on your desktop as whatever you want. Right click the file, and hit Edit. You can now change anything in the key, and import it back in. You can also take this file with you, and add this command to any computer you wish, with ease.

Let's try another one. Find the Folder key. NOT .folder, just Folder. Under shell, make a new key, OpenNewWin. Change its default to Open Folder In New Window. Make a new subkey, command. Change its default to explorer %1. Now when you open a folder up on your desktop, if you want to open a second folder inside the same tree, just right click it. Doesn't seem like much, but I'm sure you'll use it more than you expect.

How does software use the registry?

Think of the registry as a directory structure holding all the .ini files used for programs. If you open a program's .ini file, you may understand some of the settings in it, but without some sort of list of commands you can never figure out anything not listed. When you look at the keys made in the registry by a program, some of the keys you can understand; others you will never figure out without looking them up or trial and error.

Software can store its settings in one of two areas, HKey_Current_User or HKey_Local_Machine. If it's in current user, it's a per-user setting, while local machine stores settings for all users. HKCU\Software and HKLM\Software are the default keys for this information. HKCU settings override conflicting HKLM settings.

Now let's try an example of software settings. Go to HKey_Current_User\Software\Microsoft. Then from there, pick Windows\CurrentVersion.

Inside here there are 5 different run keys: Run, RunEX, RunOnce, RunOnceEX, and RunServices. Depending on the system, not all these keys may be there by default. These keys control programs that start at logon. If you have some program starting up at logon that you want to kill, and it's not in the Start menu, then chances are it's located in the Run key. Like most software settings, the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key is only for the current user, while HKLM\Software\Microsoft\Windows\CurrentVersion\Run is for all users.

Have Windows 2K, and use the command prompt? It has the ability to automatically fill out file and directory names for you, like in XP. If you're in XP, and you type in win while in c:\, pressing Tab will complete win to windows. This can be of great help if you have some really large file\folder names. 2K does not come with this option enabled. (HKCU|HKLM)\Software\Microsoft\Command Processor holds the settings for cmd, the command processor in Windows 2K\XP. Inside there, you will see a completion char key. Double click it, and change the value to the key you want; for example, the TAB key has a hex value of 9, so put in a 9 if you want Tab to complete file names. Quick and simple.

A list of different software keys will be on the bottom of this FAQ.

I see a number like this: {A671EBA0-895B-11D4-98B2-00A0C9EE6FD9} what is it?

This is a GUID, a Globally Unique Identifier. It's used to identify this item from any other item like it in the world. The GUID is generated in part by the MAC address on the current machine, and time, among other items. This helps to make sure that no two GUIDs are the same.

GUIDs are used mostly for COM programming, a special type of object programming. Without getting into too much depth, GUIDs are normally used on complex keys in the registry, and are a good sign to stay away from that item. They're always the same length, with 4 hyphens in them.

This lets you tell them apart from SIDs used to identify user accounts.

In general, items with GUIDs are more complex, and have more than one piece of software that interfaces with them. Stay away from GUIDs unless you know what you're doing.

How can I restrict access to the registry?

There are lots of ways to restrict access to the registry. To disable registry tools, such as regedit and regedt32, try (HKCU|HKLM)\Software\Microsoft\Windows\CurrentVersion\Policies\System and add the key DisableRegistryTools with a REG_DWORD value of 1. On many systems, you will have to create the System subkey. These policies will in general require you to reboot to take effect. Be warned about using this key! You will NOT be able to use registry editing tools to fix this key. You can import a .reg file like normal, however, and most 3rd party registry editing software will work. Only the regedit and regedt32 programs check this bit. This does NOT make the registry secure; it just disables a simple path to it. Users can use 3rd party tools, .reg files, the reg command from the command prompt, or even regedit on another machine connected remotely. This key has the same effect as removing file-level access to regedit.exe and regedt32.exe, just a different error message.

The hives in the registry have DACLs (discretionary access-control lists) just like the NTFS file system in Windows. As long as you're not using Windows XP Home, right clicking any key will give the Permissions... option. From there, it's just like the file system: set up permissions for users or groups, and use Advanced for finer control. Giving a user read-only access to their own HKCU key will break some programs, but will also prevent them from changing any settings.

XP Home CAN edit registry permissions like this; it requires an add-on program for Windows NT to enable the security tab for Explorer. Google can show you this.

How can I access another computers registry?

Remotely accessing a registry is almost the same as any other remote administrative task. Open regedit, then File -> Connect Network Registry.... Like other networking tools, you need rights on the other machine. If on a domain, your domain account needs to be mapped to an administrative group, or if not on a domain, you need to have the same username\password as an account on the target. Otherwise you're asked for a username\password with the permissions.

For massive registry changes over groups of computers, group policy is recommended.

How can I see what programs access what keys in the registry?

Regmon is a free program from Sysinternals that monitors all registry activity. Be ready for a shock at how often the registry is accessed.

You will need to use filters to find any one program\key's access. The program can be found here:

www.sysinternals.com/ntw2k/source/regmon.shtml

What are some good keys to edit?

Disable Desktop Right Click
Key: (HKCU|HKLM)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value Name: NoViewContextMenu
Value Type: DWord
Set To: 1


Show Windows Version On Desktop
Key: HKCU\Control Panel\Desktop
Value Name: PaintDesktopVersion
Value Type: DWord
Set To: 1

Disable Shutdown
Key: (HKCU|HKLM)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value Name: NoClose
Value Type: DWord
Set To: 1

Disallow These Programs From Running:
Key: (HKCU|HKLM)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value Name: DisallowRun
Value Type: DWord
Set To: 1

And then...

Key: (HKCU|HKLM)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Value Name: 1+
Value Type: String
Set To: Application name.

Each program should be placed in the DisallowRun key. The first program's value should be called 1. And if the program was, for example, cmd.exe, then the string value should be cmd.exe. Renaming files will bypass this.

Allow ONLY These Programs To Run:
Key: (HKCU|HKLM)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value Name: RestrictRun
Value Type: DWord
Set To: 1

And then...

Key: (HKCU|HKLM)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
Value Name: 1+
Value Type: String
Set To: Application name.

Be warned, applying restrict run to HKLM will disable registry tools.
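As an added example that is not part of the original post or its FAQ: the FAQ notes that .reg exports are plain text and that a small program can generate them. The Python below parses .reg text in both formats the FAQ mentions (the Windows 2000 REGEDIT4 header and the XP/2K3 "Windows Registry Editor Version 5.00" header), handling string, dword, hex and hex(2)/hex(7) values and the wrapped hex lines regedit writes; audits the parsed keys for the Run/RunOnce autostart entries and the DisableRegistryTools, DisallowRun, RestrictRun and NoClose policy values listed in the FAQ; and writes a DisallowRun .reg file in the numbered-value layout the FAQ describes. The sample export and the "autostart"/"policy" finding labels are constructed for this example, not taken from a real machine or from the FAQ.

```python
"""Parse, audit and generate Windows .reg exports. Added example, not code from the
FAQ; SAMPLE_EXPORT is a constructed export, not a capture from a real machine."""
import re

# The header line identifies the format: v5.00 (XP/2K3) files are UTF-16LE, REGEDIT4 ANSI.
HEADERS = {"Windows Registry Editor Version 5.00": "utf-16-le", "REGEDIT4": "latin-1"}
HEX_TYPES = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}
# Autostart keys and policy values named in the FAQ (matched case-insensitively).
AUTOSTART_KEY_SUFFIXES = tuple(
    "\\software\\microsoft\\windows\\currentversion\\" + k
    for k in ("run", "runonce", "runonceex", "runservices"))
POLICY_VALUES = {"\\policies\\system": ("DisableRegistryTools",),
                 "\\policies\\explorer": ("DisallowRun", "RestrictRun", "NoClose")}


def _unescape(s):          # .reg strings escape \ as \\ and " as \"
    return re.sub(r"\\(.)", r"\1", s)


def _parse_value(raw, enc):
    """Decode the text right of '=' into a (REG_type, value) pair."""
    raw = raw.strip()
    if raw == "-":                                   # "name"=- deletes the value
        return ("delete", None)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return ("REG_SZ", _unescape(raw[1:-1]))
    if raw.lower().startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", raw, re.I)
    if not m:
        raise ValueError("unsupported value syntax: " + raw)
    typ = HEX_TYPES.get(m.group(1), "REG_TYPE_%s" % m.group(1))
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if typ in ("REG_EXPAND_SZ", "REG_MULTI_SZ"):     # strings are hex-encoded in the file encoding
        text = data.decode(enc).rstrip("\0")
        return (typ, text.split("\0") if typ == "REG_MULTI_SZ" else text)
    return (typ, data)


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type, value)}}. The (Default) value
    has name ""; a deleted key ([-KEY]) maps to None. Decode v5.00 files as utf-16 first."""
    # Regedit wraps long hex values with a trailing backslash; rejoin those lines first.
    lines = re.sub(r"\\\r?\n\s*", "", text.lstrip("\ufeff")).splitlines()
    enc = HEADERS.get(lines[0].strip()) if lines else None
    if enc is None:
        raise ValueError("not a .reg export: missing REGEDIT4 / Version 5.00 header")
    keys, current = {}, None
    for s in map(str.strip, lines[1:]):
        if not s or s[0] == ";":
            continue
        if s[0] == "[" and s[-1] == "]":
            path = s[1:-1]
            if path.startswith("-"):
                keys[path[1:]], current = None, None
            else:
                current = keys[path] = keys.get(path) or {}
            continue
        m = re.match(r'(?:@|"((?:[^"\\]|\\.)*)")=(.*)$', s)
        if current is None or not m:
            raise ValueError("malformed or misplaced value line: " + s)
        name = "" if m.group(1) is None else _unescape(m.group(1))
        current[name] = _parse_value(m.group(2), enc)
    return keys


def audit(keys):
    """Flag autostart entries and enabled restriction policies in parsed .reg data."""
    findings = []
    for key, values in keys.items():
        lk = key.lower()
        policy_names = [n for s, ns in POLICY_VALUES.items() if lk.endswith(s) for n in ns]
        for name, (typ, val) in (values or {}).items():
            if lk.endswith(AUTOSTART_KEY_SUFFIXES) and typ != "delete":
                findings.append(("autostart", key, name, val))
            elif name in policy_names and (typ, val) == ("REG_DWORD", 1):
                findings.append(("policy", key, name, val))
    return findings


def disallow_run_reg(programs, hive="HKEY_CURRENT_USER"):
    """Build .reg text that enables DisallowRun for the given executables (values 1..n)."""
    policy = hive + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
    out = ["Windows Registry Editor Version 5.00", "", "[%s]" % policy,
           '"DisallowRun"=dword:00000001', "", "[%s\\DisallowRun]" % policy]
    out += ['"%d"="%s"' % (i, exe.replace("\\", "\\\\").replace('"', '\\"'))
            for i, exe in enumerate(programs, 1)]
    return "\r\n".join(out) + "\r\n"


SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Example\\upd.exe\" /quiet"
"Notes"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,6e,00,2e,00,65,00,78,\
  00,65,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_EXPORT)):
        print("%-9s %s  %s = %r" % finding)
```

Read a real version 5.00 export with open(path, encoding="utf-16") (the file is UTF-16LE with a byte-order mark) and a Windows 2000 REGEDIT4 export as ANSI before passing the text to parse_reg; write the output of disallow_run_reg with encoding="utf-16", newline="" so regedit accepts it. The audit only reports what the exported values say: as the FAQ warns, DisallowRun matches on the file name, so a renamed copy still runs.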