Windows注册表(Registry)是 Windows 应用程序以及 Windows 操作系统的配置、值和属性的集合,它以分层方式组织和存储在单一存储库中。
每当在Windows系统中安装新程序时,都会在(Windows)Windows 注册表(Windows Registry)中创建一个条目,其中包含其大小、版本、存储位置等属性。
因为,此信息已存储在数据库中,不仅操作系统知道所使用的资源,其他应用程序也可以从此信息中受益,因为它们知道如果某些资源或文件要共同使用可能出现的任何冲突存在。
什么是Windows 注册表(Windows Registry)及其工作原理(How)?
Windows 注册表(Windows Registry)确实是Windows工作方式的核心。它是唯一使用这种中央注册表方法的操作系统。如果我们想象一下,操作系统的每个部分都必须与Windows 注册表(Windows Registry)交互,从引导顺序到重命名文件名这样简单的事情。
简单地(Simply)说,它只是一个类似于图书馆卡片目录的数据库,其中注册表中的条目就像存储在卡片目录中的一叠卡片。注册表项将是一张卡片,而注册表值将是写在该卡片上的重要信息。Windows操作系统使用注册表来存储大量用于控制和管理我们的系统和软件的信息。这可以是从 PC 硬件信息到用户首选项和文件类型的任何内容。我们对Windows系统所做的(Windows)几乎(Almost)任何形式的配置都涉及编辑注册表。
Windows 注册表的历史
在Windows的初始版本中,应用程序开发人员必须在单独的 .ini 文件扩展名中包含可执行文件。此 .ini 文件包含给定可执行程序正常运行所需的所有设置、属性和配置。然而,由于某些信息的冗余,这被证明是非常低效的,并且它也对可执行程序构成了安全威胁。因此,标准化、集中化和安全技术的新实施显然是必要的。
随着Windows 3.1的出现,这种需求的一个基本版本通过一个称为Windows 注册表(Windows Registry)的所有应用程序和系统通用的中央数据库来满足。
然而,这个工具非常有限,因为应用程序只能存储可执行文件的某些配置信息。多年来,Windows 95 和Windows NT在此基础上进一步发展,在较新版本的Windows Registry中引入了集中化作为核心功能。
也就是说,将信息存储在Windows 注册表(Windows Registry)中是软件开发人员的一种选择。因此,如果软件应用程序开发人员要创建可移植应用程序,他不需要向注册表添加信息,可以创建并成功交付具有配置、属性和值的本地存储。
Windows 注册表(Windows Registry)与其他操作系统的相关性
Windows是唯一使用这种中央注册表方法的操作系统。如果我们想象一下,操作系统的每个部分都必须与Windows 注册表(Windows Registry)交互,从引导顺序到重命名文件名。
所有其他操作系统(如 iOS、Mac OS、Android和Linux )继续使用文本文件作为配置操作系统和修改操作系统行为的一种方式。
在大多数Linux变体中,配置文件以.txt格式保存,当我们必须使用文本文件时,这会成为一个问题,因为所有.txt文件都被视为关键系统文件。因此,如果我们尝试在这些操作系统中打开文本文件,我们将无法查看它。这些操作系统试图隐藏它作为一种安全措施,因为所有系统文件,如网卡、防火墙、操作系统、图形用户界面、视频卡接口等的配置都以ASCII 格式保存。(ASCII format.)
为了规避这个问题,macOS 和 iOS 都通过实现.plist 扩展名(.plist extension)部署了一种完全不同的文本文件扩展名方法,其中包含所有系统和应用程序配置信息,但仍然具有单一注册表的好处。胜过文件扩展名的简单更改。
Windows 注册表(Windows Registry)有什么好处?
因为操作系统的每个部分都在不断地与(Every)Windows 注册表(Windows Registry)通信,所以它必须存储在非常快的存储空间中。因此(Hence),该数据库专为极快的读取和写入以及高效的存储而设计。
如果我们要打开并检查注册表数据库的大小,它通常会徘徊在 15 到 20 兆字节之间,这使得它足够小,可以始终加载到RAM(随机存取存储器(Random Access Memory))中,顺便说一下,这是可用的最快存储空间操作系统。
由于注册表需要始终加载到内存中,如果注册表的大小很大,则不会为所有其他应用程序顺利运行或根本运行留下足够的空间。这将不利于操作系统的性能,因此Windows 注册表(Windows Registry)的设计核心目标是高效。
如果有多个用户与同一设备交互,并且他们使用的应用程序很多,那么重新安装相同的应用程序两次或多次将浪费相当昂贵的存储空间。Windows注册表在应用程序配置在不同用户之间共享的这些场景中表现出色。
这不仅减少了使用的总存储空间,而且还允许其用户从一个交互端口更改应用程序的配置。这也节省了时间,因为用户不必手动访问每个本地存储.ini文件。
多用户(Multi-User)场景在企业设置中非常常见,这里非常需要用户权限访问。由于并非所有信息或资源都可以与所有人共享,因此通过集中式 Windows 注册表轻松实现了基于隐私的用户访问需求。在此,网络管理员保留根据所承担的工作拒绝或允许的权利。这使得单一数据库具有通用性,也使其变得强大,因为可以在远程访问网络中多个设备的所有注册表的同时进行更新。
Windows 注册表如何工作?
在开始动手之前,让我们先了解一下Windows 注册表(Windows Registry)的基本元素。
Windows 注册表(Windows Registry)由两个称为注册表(Registry Key)项的基本元素组成,它是一个容器对象,或者简单地说,它们就像一个文件夹,其中存储了各种类型的文件,而注册表值(Registry Values)是非容器对象,类似于文件可以是任何格式。
您还应该知道:(You should also know:) 如何完全控制或拥有 Windows 注册表项(How to Take Full Control or Ownership of Windows Registry Keys)
如何访问 Windows 注册表?
我们可以使用注册表编辑器(Registry Editor)工具访问和配置Windows 注册表, (Windows Registry)Microsoft包括一个免费的注册表编辑实用程序及其Windows 操作系统(Windows Operating System)的每个版本。
可以通过在命令提示符中键入“Regedit”或在“(Command Prompt)开始(Start)”菜单的搜索或运行框中键入“Regedit”来访问此注册表编辑器。(Registry Editor)这个编辑器是访问Windows注册表的门户,它可以帮助我们探索和更改注册表。注册表是位于Windows(Windows)安装目录中的各种数据库文件使用的总称。
编辑注册表编辑器是否安全?(Is it Safe to edit Registry Editor?)
如果您不知道自己在做什么,那么在注册表(Registry)配置中玩耍是很危险的。每当您编辑注册表(Registry)时,请确保您遵循正确的说明,并且只更改您被指示更改的内容。
如果您有意或无意地删除了Windows 注册表(Windows Registry)中的某些内容,那么它可能会改变您的系统配置,从而导致蓝屏(Blue Screen)死机(Death)或Windows无法启动。
因此,通常建议在对其进行任何更改之前备份 Windows 注册表。(backup Windows Registry)您还可以创建一个系统还原点(create a system restore point)(自动备份注册表(Registry)),如果您需要将注册表(Registry)设置恢复正常,可以使用该还原点。但是,如果您只按照您被告知的内容进行操作,那应该没有任何问题。如果您需要知道如何恢复 Windows 注册表,那么本教程(restore Windows Registry then this tutorial)将解释如何轻松完成此操作。
让我们探索一下Windows 注册表的结构(Windows Registry)
在一个无法访问的存储位置中存在一个用户,该位置仅用于操作系统的访问。
这些密钥(Keys)在系统引导阶段加载到RAM中,并在特定时间间隔内或发生特定系统级事件时不断进行通信。
这些注册表项的一部分存储在硬盘中。这些存储在硬盘中的密钥称为配置单元。注册表的这一部分包含注册表项、注册表子项和注册表值。根据授予用户的权限级别,他将访问这些密钥的某些部分。
注册表中以HKEY开头的处于层次结构顶峰的键被视为配置单元。
在Editor中,当查看所有键而不展开时,配置单元位于屏幕左侧。这些是显示为文件夹的注册表项。
让我们探索一下 Windows 注册表项及其子项的结构:
键名示例 – “HKEY_LOCAL_MACHINESYSTEMInputBreakloc_0804”
这里的“loc_0804”指的是子键“Break”指的是子键“Input”,它指的是HKEY_LOCAL_MACHINE根键的子键“SYSTEM”。
Windows 注册表中的通用根键(Common Root Keys in Windows Registry)
以下每个键都是其自己的单独配置单元,其中包含顶级键中的更多键。
一世。HKEY_CLASSES_ROOT
这是Windows 注册表(Windows Registry)的注册表配置单元,由文件扩展名关联信息、程序标识符(programmatic identifier)( ProgID )、接口 ID(Interface ID) ( IID ) 数据和类 ID (CLSID)(Class ID (CLSID))组成。
此注册表配置单元 HKEY_CLASSES_ROOT是在(HKEY_CLASSES_ROOT)Windows操作系统中发生的任何操作或事件的网关。假设(Suppose)我们要访问Downloads文件夹中的一些 mp3 文件。操作系统通过它运行它的查询以采取所需的操作。
在您访问HKEY_CLASSES_ROOT(HKEY_CLASSES_ROOT)配置单元的那一刻,看到如此庞大的扩展文件列表真的很容易不知所措。但是,这些正是使 Windows 流畅运行的注册表项
以下是HKEY_CLASSES_ROOT配置单元注册表项的一些示例,
HKEY_CLASSES_ROOT\.otf
HKEY_CLASSES_ROOT\.htc
HKEY_CLASSES_ROOT\.img
HKEY_CLASSES_ROOT\.mhtml
HKEY_CLASSES_ROOT\.png
HKEY_CLASSES_ROOT\.dll
每当我们双击并打开一个文件,比如说一张照片,系统就会通过HKEY_CLASSES_ROOT发送查询,其中清楚地给出了请求此类文件时要做什么的说明。所以系统最终会打开一个显示请求图像的照片查看器。
在上面的示例中,注册表调用了存储在HKEY_CLASSES_ROOT\.jpg键中的键。HKEY_CLASSES_ROOT配置单元是在(HKEY_CLASSES_ROOT)HKEY_LOCAL_MACHINE配置单元 ( HKEY_LOCAL_MACHINE\Software\Classes ) 和 HKEY_CURRENT_USER配置单元 ( HKEY_CURRENT_USER\Software\Classes ) 中找到的集合数据。因此,当注册表项存在于两个位置时,它会产生冲突。因此在HKEY_CURRENT_USER\Software\Classes中找到的数据用于HKEY_CLASSES_ROOT。可以通过打开屏幕左侧的HKEY_CLASSES键来访问它。(HKEY_CLASSES)
ii. HKEY_LOCAL_MACHINE
这是存储特定于本地计算机的所有设置的几个注册表配置单元之一。这是一个全局密钥,其中存储的信息不能被任何用户或程序编辑。由于(Due)这个子键的全局性,存储在这个存储中的所有信息都是以虚拟容器的形式在RAM上连续运行的。HKEY_LOCAL_MACHINE中已经安装了软件用户的大部分配置信息,而Windows操作系统本身则被占用。当前检测到的所有硬件都存储在HKEY_LOCAL_MACHINE配置单元中。
还知道如何:(Also know how to:) 通过注册表搜索时修复 Regedit.exe 崩溃(Fix Regedit.exe Crashes when searching through Registry)
此注册表项进一步分为 7 个子项:(This registry key is further divided into 7 sub-keys:)
1. SAM(安全帐户管理器(Security Accounts Manager))——它是一个注册表项文件,以安全格式(LM 哈希和NTLM哈希)存储用户的密码。哈希函数是一种用于保护用户帐户信息的加密形式。
它是一个锁定的文件,位于系统中的 C:WINDOWSsystem32config,在操作系统运行时无法移动或复制。
Windows使用Security Accounts Manager注册表项文件在用户登录Windows帐户时对其进行身份验证。每当用户登录时,Windows都会使用一系列哈希算法来计算已输入密码的哈希值。如果输入的密码哈希值等于SAM 注册表文件(SAM registry file)中的密码哈希值,则允许用户访问他们的帐户。这也是大多数黑客在执行攻击时所针对的文件。
2. 安全(2. Security)性(只有管理员才能访问)——此注册表项对于登录到当前系统的管理用户的帐户是本地的。如果系统由任何组织管理,则用户无法访问此文件,除非已明确授予用户管理访问权限。如果我们在没有管理权限的情况下打开这个文件,它将是空白的。现在,如果我们的系统连接到管理网络,则此密钥将默认为由组织建立并积极管理的本地系统安全配置文件。此密钥与SAM相关联,因此在成功验证后,根据用户的权限级别,将应用各种本地和组策略(group policies)。
3. 系统(3. System)(关键启动过程和其他内核功能)——这个子键包含与整个系统相关的重要信息,例如计算机名称、当前安装的硬件设备、文件系统以及在某个事件中可以采取什么样的自动化操作,比如那里是由于CPU过热而导致(CPU)蓝屏死机(Blue screen of death),计算机将自动开始处理此类事件的逻辑程序。此文件只能由具有足够管理权限的用户访问。当系统启动时,这是所有日志动态保存和读取的地方。各种系统参数,例如称为控制集的替代配置。
4. 软件(4. Software )所有第三方(Third-party)软件配置,如即插即用驱动程序都存储在这里。此子项包含链接到预先存在的硬件配置文件的软件和Windows设置,可以由各种应用程序和系统安装程序更改。软件(Software)开发人员可以限制或允许用户在使用他们的软件时访问哪些信息,这可以使用“策略”子键进行设置,该子键对应用程序和系统服务执行一般使用策略,包括使用的系统证书验证、授权或禁止某些系统或服务。
5.硬件(5. Hardware)是系统启动过程中动态创建的子项
6. 组件(6. Components )系统范围的设备特定组件配置信息可以在这里找到
7. BCD.dat(在系统分区的oot文件夹中)这是一个关键文件,系统在系统启动过程中通过将注册表加载到RAM中读取并开始执行。
iii. HKEY_CURRENT_CONFIG
存在此子项的主要原因是存储视频以及网络设置。这可能是与视频卡有关的所有信息,例如分辨率、刷新率、纵横比等以及网络
它也是一个注册表配置单元,是Windows 注册表(Windows Registry)的一部分,用于存储有关当前正在使用的硬件配置文件的信息。HKEY_CURRENT_CONFIG实际上是指向HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfiles\Currentregistry注册表项的指针,这只是指向 HKEY_LOCAL_MACHINESYSTEMCurrentControlSetHardwareProfiles 项下列出的当前活动硬件配置文件的HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfiles。
因此HKEY_CURRENT_CONFIG帮助我们查看和修改当前用户的硬件配置文件的配置,我们可以作为管理员在上面列出的三个位置中的任何一个位置进行操作,因为它们都是相同的。
iv. HKEY_CURRENT_USER
注册表配置单元的一部分,其中包含特定于当前登录用户的Windows和软件的存储设置以及配置信息。例如,注册表项中的各种注册表值位于HKEY_CURRENT_USER配置单元控制用户级设置,例如键盘布局、安装的打印机、桌面壁纸、显示设置、映射的网络驱动器等。
您在控制面板(Control Panel)的各种小程序中配置的许多设置都存储在 HKEY_CURRENT_USER注册表配置单元中。因为HKEY_CURRENT_USER配置单元是特定于用户的,所以在同一台计算机上,其中包含的键和值将因用户而异。这与大多数其他全局注册表配置单元不同,这意味着它们在Windows中的所有用户之间保留相同的信息。
单击注册表编辑器屏幕的左侧将使我们能够访问HKEY_CURRENT_USER。作为一种安全措施,存储在HKEY_CURRENT_USER上的信息只是指向位于HKEY_USERS配置单元下的密钥的指针,作为我们的安全标识符。对任一区域所做的更改将立即生效。
v. HKEY_USERS
这包含与每个用户配置文件的HKEY_CURRENT_USER键对应的子键。这也是我们在Windows 注册表(Windows Registry)中拥有的众多注册表配置单元之一。
所有用户特定的配置数据都记录在这里,对于积极使用设备的每个人来说,类型信息都存储在HKEY_USERS下。存储在系统上与特定用户对应的所有用户特定信息都存储在HKEY_USERS配置单元下,我们可以使用安全标识符或记录用户所做的所有配置更改的 SID来唯一标识用户。(security identifier or the SID)
所有这些在HKEY_USERS(HKEY_USERS)配置单元中存在帐户的活动用户,根据系统管理员授予的权限,将能够访问共享资源,例如打印机、本地网络、本地存储驱动器、桌面背景等。他们的帐户具有一定的注册表存储在当前用户的SID下的键和相应的注册表值。
在取证信息方面,每个SID都会存储有关每个用户的大量数据,因为它会记录在用户帐户下进行的每个事件和操作。这包括用户名(Name)、用户登录计算机的次数、上次登录的日期和时间、上次更改密码的日期和时间、登录失败的次数等等。此外,它还包含有关Windows何时加载并位于登录提示符处的注册表信息。
推荐:(Recommended:) 修复注册表编辑器已停止工作(Fix The Registry editor has stopped working)
默认用户的注册表项存储在配置文件中的文件 ntuser.dat 中,我们必须使用 regedit 将其加载为配置单元以添加默认用户的设置。
我们可以在 Windows 注册表中找到的数据类型(Types of data we can expect to find in the Windows Registry)
上面讨论的所有键和子键都将具有保存在以下任何数据类型中的配置、值和属性,通常,它是构成我们整个 Windows 注册表的以下数据类型的组合。
- 字符串值,例如Unicode,它(Unicode which)是一种计算行业标准,用于对世界上大多数书写系统中表达的文本进行一致的编码、表示和处理。
- 二进制数据
- 无符号整数
- 符号链接
- 多字符串值
- 资源(Resource)列表(即插即用(Plug)硬件(Play))
- 资源(Resource)描述符(即插即用(Plug)硬件(Play))
- 64 位整数
结论(Conclusion)
Windows 注册表(Windows Registry)不亚于一场革命,它不仅最大限度地减少了使用文本文件作为文件扩展名来保存系统和应用程序配置所带来的安全风险,而且还减少了应用程序开发人员的配置或 .ini 文件的数量必须与他们的软件产品一起发布。拥有一个集中存储库来存储系统以及系统上运行的软件经常访问的数据的好处是非常明显的。
易用性以及在一个中心位置访问各种自定义和设置也使 windows 成为各种软件开发人员桌面应用程序的首选平台。如果您将 Windows 的可用桌面软件应用程序的数量与 Apple 的 macOS 进行比较,这一点非常明显。总而言之,我们讨论了Windows 注册表(Windows Registry)的工作原理及其文件结构以及各种注册表项配置的意义以及如何使用注册表编辑器来实现完整的效果。
What is the Windows Registry & How it Works?
Windows Registry is a collеction of confіgurаtіons, values, and properties of windows applications as well as the windows operating sуstem which is organіzed аnd stored in a hierarchical manner іn a singulаr repository.
Whenever a new program gets installed in the Windows system, an entry is made in the Windows Registry with its attributes such as size, version, location in the storage, etc.
Because, this information has been stored in the database, not only the operating system is aware of the resources utilized, other applications can also benefit from this information since they are aware of any conflicts that may arise if certain resources or files were to co-exist.
What is the Windows Registry & How it Works?
The Windows Registry is really the heart of the way Windows works. It is the only operating system that uses this approach of a central registry. If we were to visualize, every part of the operating system has to interact with the Windows Registry right from the booting sequence to something as simple as renaming the file’s name.
Simply put, it is just a database similar to that of a library card catalog, where the entries in the registry are like a stack of cards stored in the card catalog. A registry key would be a card and a registry value would be the important information written on that card. The Windows operating system uses the registry to store a bunch of information that’s used to control and manage our system and software. This can be anything from PC hardware information to user preferences and file types. Almost any form of configuration that we do to a Windows system involves editing the registry.
History of Windows Registry
In the initial versions of Windows, application developers had to include in a separate .ini file extension along with the executable file. This .ini file contained all the settings, properties and configuration required for the given executable program to function properly. However, this proved very inefficient due to the redundancy of certain information and it also posed a security threat to the executable program. As a result, a new implementation of standardized, centralized as well as secure technology was an apparent necessity.
With the advent of Windows 3.1, a bare-bones version of this demand was met with a central database common to all the applications and system called the Windows Registry.
This tool, however, was very limited, since the applications could only store certain configuration information of an executable. Over the years, Windows 95 and Windows NT further developed on this foundation, introduced centralization as the core feature in the newer version of Windows Registry.
That said, storing information in Windows Registry is an option for software developers. So, if a software application developer were to create a portable application, he is not required to add information to the registry, local storage with the configuration, properties, and values can be created and successfully shipped.
The relevance of Windows Registry with respect to other operating systems
Windows is the only operating system that uses this approach of a central registry. If we were to visualize, every part of the operating system has to interact with the Windows Registry right from the booting sequence to the renaming of a file name.
All other operating systems such as iOS, Mac OS, Android, and Linux continue to use text files as a way of configuring the operating system and modifying the operating system behavior.
In most of the Linux variants, the configuration files are saved in the .txt format, this becomes an issue when we have to work with the text files since all the .txt files are considered as critical system files. So if we try to open the text files in these operating systems, we wouldn’t be able to view it. These operating systems try to hide it as a security measure since all the system files such as configurations of the network card, firewall, operating system, graphical user interface, video cards interface, etc. are saved in the ASCII format.
To circumvent this issue both macOS, as well as iOS, deployed a completely different approach to the text file extension by implementing .plist extension, which contains all of the system as well as application configuration information but still the benefits of having a singular registry far outweigh the simple change of file extension.
What are the benefits of the Windows Registry?
Because Every part of the operating system continuously communicates with the Windows Registry, it must be stored in very fast storage. Hence, this database was designed for extremely fast reads and writes as well as efficient storage.
If we were to open and check the size of the registry database, it would typically hover between 15 – 20 megabytes which make it small enough to be always loaded into the RAM (Random Access Memory) that co-incidentally is the fastest storage available for the operating system.
Since the registry needs to be loaded in memory at all times, if the size of the registry is large it won’t leave enough room for all other applications to run smoothly or run at all. This would be detrimental to the performance of the operating system, hence the Windows Registry is designed with a core objective of being highly efficient.
If there are multiple users interacting with the same device and there are a number of applications that they use are common, the reinstallation of the same applications twice or multiple times would be a waste of rather expensive storage. Windows registry excels in these scenarios where the application configuration is shared among various users.
This not only reduces the total storage used but also gives its users access to make changes to the application’s configuration from one single interaction port. This also saves time since the user doesn’t have to manually go to every local storage .ini file.
Multi-User scenarios are very common in enterprise setups, here, there is a strong need for user privilege access. Since not all the information or resources can be shared with everyone, the need for privacy-based user access was easily implemented through the centralized windows registry. Here the network administrator reserves the right to withhold or allow based on the work undertaken. This made the singular database versatile as well made it robust since the updates can be undertaken simultaneously with remote access to all of the registries of multiple devices in the network.
How does Windows Registry Works?
Let’s explore the basics elements of the Windows Registry before we start getting our hands dirty.
The Windows Registry is made up of two basic elements called the Registry Key which is a container object or simply put they are like a folder that has various types of files stored in them and Registry Values which are non-container objects that are like files that could be of any format.
You should also know: How to Take Full Control or Ownership of Windows Registry Keys
How to access the Windows Registry?
We can access and configure the Windows Registry using a Registry Editor tool, Microsoft includes a free registry editing utility along with every version of its Windows Operating System.
This Registry Editor can be accessed by typing “Regedit” in the Command Prompt or by simply typing “Regedit” in the search or run box from the Start menu. This editor is the portal to access the Windows registry, and it helps us to explore and make changes to the registry. The registry is the umbrella term used by various database files located within the directory of the Windows installation.
Is it Safe to edit Registry Editor?
If you don’t know what you’re doing then it is dangerous to play around Registry configuration. Whenever you edit the Registry, make sure you follow the correct instructions and only change what you’re instructed to change.
If you knowingly or accidentally delete something in the Windows Registry then it could alter your system’s configuration which could either lead to Blue Screen of Death or Windows won’t boot.
So it is generally recommended to backup Windows Registry before making any changes to it. You can also create a system restore point (which automatically backup the Registry) that can be used if you ever need to alter the Registry settings back to normal. But if you only what you’re told then it shouldn’t be any problem. In case you need to know how to restore Windows Registry then this tutorial explains how to do so easily.
Let’s explore the structure of the Windows Registry
There is a user in an inaccessible storage location that exists for only the operating system’s access.
These Keys are loaded on to the RAM during the system boot stage and are constantly being communicated within a certain interval of time or when a certain system-level event or events take place.
A certain portion of these registry keys gets stored in the hard disk. These keys that are stored in the hard disk are called hives. This section of the registry contains registry keys, registry subkeys, and registry values. Depending on the level of the privilege a user has been granted, he would be to access certain parts of these keys.
The keys that are at the peak of the hierarchy in the registry that begins with HKEY are considered to be hives.
In the Editor, the hives are located on the left side of the screen when all the keys are viewed without expanding. These are the registry keys that appear as folders.
Let’s explore the structure of the windows registry key and its subkeys:
Example of a key name – “HKEY_LOCAL_MACHINE\SYSTEM\Input\Break\loc_0804”
Here the “loc_0804” refers to the subkey “Break” refers to the subkey “Input” which refers to the subkey “SYSTEM” of the HKEY_LOCAL_MACHINE root key.
Common Root Keys in Windows Registry
Each of the following keys is its own individual hive, which comprises more keys within the top-level key.
i. HKEY_CLASSES_ROOT
This is the registry hive of the Windows Registry which consists of file extension association information, programmatic identifier (ProgID), Interface ID (IID) data, and Class ID (CLSID).
This registry hive HKEY_CLASSES_ROOT is the gateway for any action or event to take place in the Windows operating system. Suppose we want to access some mp3 files in the Downloads folder. The operating system runs its query through this to take the required actions.
The moment you access the HKEY_CLASSES_ROOT hive, it is really easy to get overwhelmed looking at such a massive list of extension files. However, these are the very registry keys that make windows function fluidly
Following are some of the examples of HKEY_CLASSES_ROOT hive registry keys,
HKEY_CLASSES_ROOT\.otf
HKEY_CLASSES_ROOT\.htc
HKEY_CLASSES_ROOT\.img
HKEY_CLASSES_ROOT\.mhtml
HKEY_CLASSES_ROOT\.png
HKEY_CLASSES_ROOT\.dll
Whenever we double-click and open a file lets say a photo, the system sends the query through the HKEY_CLASSES_ROOT where the instructions on what to do when such a file is requested are clearly given. So the system ends up opening a photo viewer displaying the requested image.
In the above example, the registry makes a call to the keys stored in the HKEY_CLASSES_ROOT\.jpg key. The HKEY_CLASSES_ROOT hive is a collective data found in both the HKEY_LOCAL_MACHINE hive (HKEY_LOCAL_MACHINE\Software\Classes) as well as the HKEY_CURRENT_USER hive (HKEY_CURRENT_USER\Software\Classes). So when the registry key exists in two locations it creates conflicts. So the data found in HKEY_CURRENT_USER\Software\Classes is used in HKEY_ CLASSES_ ROOT. It can be accessed by opening the HKEY_CLASSES key on the left side of the screen.
ii. HKEY_LOCAL_MACHINE
This is one of the several registry hives that stores all the settings that are specific to the local computer. This is a global key where the information stored cannot be edited by any user or program. Due to the global nature of this subkey, all the information stored in this storage is in the form of a virtual container running on the RAM continuously. The majority of the configuration information for the software users have installed and the Windows operating system itself is occupied in HKEY_LOCAL_MACHINE. All of the currently detected hardware is stored in the HKEY_LOCAL_MACHINE hive.
Also know how to: Fix Regedit.exe Crashes when searching through Registry
This registry key is further divided into 7 sub-keys:
1. SAM (Security Accounts Manager) – It is a registry key file that stores users’ passwords in a secured format (in LM hash and NTLM hash). A hash function is a form of encryption used to protect the users’ account information.
It is a locked file that is located in the system at C:\WINDOWS\system32\config, which cannot be moved or copied when the operating system is running.
Windows uses the Security Accounts Manager registry key file to authenticate users while they log into their Windows accounts. Whenever a user logs in, Windows uses a series of hash algorithms to calculate a hash for the password that has been entered. If the entered password’s hash is equal to the password hash inside the SAM registry file, users will be allowed to access their account. This also a file that most of the hackers target while performing an attack.
2. Security (not accessible except by administrator) – This registry key is local to the account of the administrative user who is logged in to the current system. If the system is managed by any organization the users cannot access this file unless administrative access has been explicitly given to a user. If we were to open this file without administrative privilege it would be blank. Now, if our system is connected to an administrative network, this key will default to the local system security profile established and actively managed by the organization. This key is linked to the SAM, so upon successful authentication, depending on the privilege level of the user, a variety of local and group policies are applied.
3. System (critical boot process and other kernel functions) – This subkey contains important information related to the entire system such as computer name, currently mounted hardware devices, filesystem and what kind of automated actions can be taken in a certain event, say there is Blue screen of death due to CPU overheating, there is a logical procedure that the computer will automatically start taking in such an event. This file is only accessible by users with sufficient administrative privileges. When the system boots this is where all the logs get dynamically get saved and read upon. Various system parameters such as alternative configurations which are known as control sets.
4. Software All the Third-party software configurations such as plug and play drivers are stored here. This subkey contains software and Windows settings linked to the preexisting hardware profile that can be changed by various applications and system installers. Software developers get to limit or allow what information gets accessed by the users when their software is being used, this can be set using the “Policies” subkey that enforces the general usage policies on applications and system services that include the system certificates that is used to authenticate, authorize or disallow certain systems or services.
5. Hardware which is a subkey that is created dynamically during the system boot
6. Components system-wide device-specific component configuration information can be found here
7. BCD.dat (in the \boot folder in the system partition) which is a critical file that the system reads and starts executing during the system boot sequence by loading the registry to the RAM.
iii. HKEY_CURRENT_CONFIG
The main reason for the existence of this subkey is to store video as well as network settings. That could be all the information pertaining to the video card such as the resolution, refresh rate, aspect ratio, etc. as well as the network
It is also a registry hive, part of the Windows Registry, and which stores information about the hardware profile currently being used. HKEY_CURRENT_CONFIG is actually a pointer to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfiles\Currentregistry key, This is simply a pointer to the currently active hardware profile listed under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfiles key.
So HKEY_ CURRENT_CONFIG helps us to view and modify the configuration of the current user’s hardware profile, which we can do as an administrator in any of the three locations as listed above since they are all the same.
iv. HKEY_CURRENT_USER
Part of the registry hives that contains store settings as well as configuration information for Windows and software that are specific to the currently logged-in user. For example, a variety of registry values in the registry keys are located in the HKEY_CURRENT_USER hive control user-level settings such as the keyboard layout, printers installed, desktop wallpaper, display settings, mapped network drives, and more.
Many of the settings you configure within various applets in the Control Panel are stored in the HKEY_CURRENT_USER registry hive. Because the HKEY_CURRENT_USER hive is user-specific, on the same computer, the keys and values contained in it will differ from user to user. This is unlike most other registry hives that are global, meaning they retain the same information across all users in Windows.
Clicking on the left side of the screen on the registry editor will give us access to HKEY_CURRENT_USER. As a security measure, the information stored on HKEY_CURRENT_USER is just a pointer to key positioned under the HKEY_USERS hive as our security identifier. Changes made to either of the areas will take effect immediately.
v. HKEY_USERS
This contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user profile. This is also one of many registry hives that we have in the Windows Registry.
All the user-specific configuration data is logged here, for everyone who is actively using the device that kind information is stored under HKEY_USERS. All the user-specific information stored on the system that corresponds to a particular user is stored under the HKEY_USERS hive, we can uniquely identify the users utilizing the security identifier or the SID that logs all the configuration changes made by the user.
All of these active users whose account exist in the HKEY_USERS hive depending on the privilege granted by the system administrator would be able to access the shared resources such as printers, local network, local storage drives, desktop background, etc. Their account has certain registry keys and corresponding registry values stored under the current user’s SID.
In terms of forensic information each SID stores a huge amount of data on every user as it makes a log of every event and action get undertaken under the user’s account. This includes the User’s Name, the number of times the user logged onto the computer, the date and time of the last login, the date and time the last password was changed, number of failed logins, and so on. Additionally, it also contains the registry information for when Windows loads and sits at the login prompt.
Recommended: Fix The Registry editor has stopped working
The registry keys for the default user are stored in the file ntuser.dat within the profile, that we would have to load this as a hive using regedit to add settings for the default user.
Types of data we can expect to find in the Windows Registry
All of the above-discussed keys and subkeys will have the configurations, values, and properties saved in any of the following data types, usually, it is a combination of the following data types that makes up our entire windows registry.
- String values such as Unicode which is a computing industry standard for the consistent encoding, representation, and handling of text expressed in most of the world’s writing systems.
- Binary data
- Unsigned integers
- Symbolic links
- Multi-string values
- Resource list (Plug and Play hardware)
- Resource descriptor (Plug and Play hardware)
- 64-bit integers
Conclusion
Windows Registry has been nothing less of a revolution, which not only minimized the security risk that came by using text files as a file extension to save the system and application configuration but it also reduced the number of configuration or .ini files that the application developers had to ship with their software product. The benefits of having a centralized repository to store frequently accessed data by both the system as well as the software that runs on the system are very evident.
The ease of use as well as the access to various customizations and settings in one central place has also made windows the preferred platform for desktop applications by various software developers. This is very evident if you compare the sheer volume of available desktop software applications of windows to Apple’s macOS. To summarize, we discussed how the Windows Registry works and its file structure and the significance of various registry key configurations as well as to use the registry editor to the complete effect.
