Microsoft Windows Registry Guide, Second Edition
SOFTWARE
The key HKLM\SOFTWARE is second in interest only to HKCU\Software. It contains per-computer software settings, including many Windows settings. Because Windows and most applications store settings as per-user settings, this branch is a bit slimmer than HKCU\Software, but it still contains numerous settings that are useful for customization. The types of settings you find in HKLM\SOFTWARE are typically those that an administrator defines. Because HKLM\SOFTWARE contains per-computer settings, any changes you make here affect all users who log on to the computer. Also, restricted users don't have permission to change settings in HKLM.
The key HKLM\SOFTWARE is organized similarly to the way HKCU\Software is organized. Applications store settings in HKLM\SOFTWARE\Vendor\Program\Version\. Vendor is the name of the program's publisher, Program is the name of the program, and Version is the program's version number. Often, Version is CurrentVersion. This branch also contains a handful of subkeys that don't follow this organization. For example, HKLM\SOFTWARE\Policies contains per-computer policies. The sections following this one describe the most interesting and useful parts of HKLM\SOFTWARE.
Classes
The key HKLM\CLASSES contains per-computer file associations. This key contains the vast majority of file associations, as opposed to HKCU\Classes, which contains per-user file associations. Windows merges both subkeys to form HKCR. Appendix A, “File Associations,” describes HKCR in detail.
Clients
The key HKLM\SOFTWARE\Clients defines the client programs that Internet Explorer associates with different Internet services. You configure these clients on the Programs tab of the Internet Properties dialog box, shown in Figure D-2. For example, you can choose the mail client that Internet Explorer uses when you click a mailto link, or you can choose the news client to use when you click a news link. These choices also determine the programs that Internet Explorer launches when you choose one of the tools on the Tools menu.
Figure D-2 You associate client programs with Internet services by using the Programs tab.
The Clients key contains six subkeys by default: Contacts, Internet Call, Mail, Media, News, and StartMenuInternet. The default value of each subkey specifies the name of the application that is the default tool for that category. For example, if the default value of HKLM\SOFTWARE\Clients\Mail is Outlook Express, then Outlook Express is the default mail client that Internet Explorer starts when you click a mailto link.
Drill down a bit further and you find one subkey for each client program. For example, Clients\Mail contains the Hotmail, MSN Explorer, and Outlook Express subkeys. The organization of these subkeys is almost the same as the organization of the subkeys in HKCR. Typically, you find the subkeys Protocols and shell under each client program's subkey. The subkey Protocols defines the protocols associated with the application. For example, the key HKLM\SOFTWARE\Clients\Mail\Outlook Express\Protocols describes the command to run when users click a mailto link on a Web page. The subkey shell defines the command to run when users choose an option on Internet Explorer's Tools menu. The subkey HKLM\SOFTWARE\Clients\Mail\Outlook Express\shell describes the command to run when users click Tools, Mail And News, Read Mail in Internet Explorer.
Microsoft\Active Setup
A variety of Windows components, notably Internet Explorer components, still use Active Setup. The key HKLM\SOFTWARE\Microsoft\Active Setup contains these components' registrations. The subkey FeatureComponentID is sometimes useful for mapping a GUID to a component. Look for the GUID in this subkey; then look at the REG_SZ value to determine the component's name.
The key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components holds each component's registration. Each subkey is a component. For example, the subkey {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} is for NetShow. Within each subkey, you see several values, some more interesting than others. First, the REG_BINARY value IsInstalled indicates whether the component is installed or not. The value is 0x0001 if the component is installed; if not, the value is 0x0000. The REG_SZ value Version contains the component's version.
The most interesting value is the REG_EXPAND_SZ value StubPath. If this value exists, Windows executes the command it contains after the operating system creates a new user profile. If you don't see this value, nothing happens. To keep Windows from running the command, remove the value StubPath from that component's subkey in Installed Components.
Microsoft\Command Processor
The command-prompt window supports file and folder name completion, as well as a few other features. You can configure these features using Tweak UI, as described in Chapter 5, “Mapping Tweak UI,” or you can hack them directly in the registry. This key is similar to HKCU\Software\Microsoft\Command Processor. The difference is that this key applies to all users, whereas the key in HKCU applies only to the current console user. The following list describes the settings in the subkey Command Processor, which configure the command-prompt window:
- AutoRun.
This REG_SZ value, which has no default, contains a list of commands that run automatically when you start a command-prompt window.
- CompletionChar.
This is a REG_DWORD value. It specifies the ASCII character code of the key to use for file name completion. You can set this value to 0x00, 0x01 through 0x1F, 0x20, or 0x40. The Tab key is 0x09 and is the default.
- DefaultColor.
This REG_DWORD value defaults to 0. Valid values range from 0x00 through 0xFE. It specifies the default background and foreground color of a command-prompt window. The first hexadecimal digit specifies the background color, and the second digit specifies the foreground color. The digits correspond to the colors shown in Table D-1.
- DelayedExpansion.
This is a REG_DWORD value with a default of 0x00. It specifies whether the command prompt delays environment variable expansion. If the value is 0x01, the command prompt interprets the exclamation point (!) as an environment variable that expands only when used.
- EnableExtensions.
This REG_DWORD value has a default value of 0x01. It determines whether command-processor extensions are enabled or not. Setting this value to 0x00 disables extensions. You need to disable extensions only when they interfere with a script language with which they aren't compatible.
- PathCompletionChar.
This is a REG_DWORD value that specifies the ASCII character code of the key to use for path completion. Set this value to 0x00, 0x01 through 0x1F, 0x20, or 0x40. The Tab key is 0x09. You can use the same key that you use for file name completion, which expands both.
Value | Color |
0 | Black |
1 | Blue |
2 | Green |
3 | Aqua |
4 | Red |
5 | Purple |
6 | Yellow |
7 | White |
8 | Gray |
9 | Light Blue |
A | Light Green |
B | Light Aqua |
C | Light Red |
D | Light Purple |
E | Light Yellow |
F | Bright White |
Microsoft\Driver Signing
The key HKLM\SOFTWARE\Microsoft\Driver Signing contains values that configure the Windows driver-signing feature. Microsoft digitally signs driver files so that Windows can verify that Microsoft tested the driver file and that the file hasn't changed since Microsoft tested it. This key's only value, Policy, controls how Windows handles driver files that aren't signed. Here are the possible values:
- 0x00.
Windows installs unsigned device drivers (Ignore).
- 0x01.
Windows warns the user that the device driver is unsigned and enables the user to choose whether or not to install it (Warn).
- 0x02.
Windows does not install unsigned device drivers (Block).
This setting comes from the Driver Signing Options dialog box, shown in Figure D-3. It applies to all users, unless you clear the Make This Action The System Default check box. The figure shows the values associated with each option.
Figure D-3 In an enterprise environment, blocking unsigned device drivers is the safest option.
Microsoft\DrWatson
The DrWatson subkey stores configuration settings for Dr. Watson for Windows (Drwtsn32.exe), the application error debugger. These entries specify how Dr. Watson for Windows notifies the user of an application error, and how its log file and crash dump file are configured. Dr. Watson adds these entries the first time it starts:
- AppendToLogFile.
Specifies whether Dr. Watson for Windows overwrites the existing log file with new data or appends new data to the end of the existing log file. By default, the log file is named Drwtsn32.log and is stored in the system root directory. If this REG_DWORD value is 0x00, Dr. Watson overwrites the file; if it's 0x01, it appends the new error information to the file.
- CrashDumpFile.
Specifies the location of the crash dump file for Dr. Watson for Windows. The crash dump file is a binary file that is created when a program stops abnormally. The crash dump file can be interpreted by the Windows Debugger. All users must have permission to read and write to the crash dump file. By default, the crash dump file is named user.dmp and resides in the root of the system directory. Set this REG_SZ value to the path and file name of the crash dump file.
- CreateCrashDump.
Specifies whether Dr. Watson for Windows creates a binary crash dump file when a program stops abnormally. The crash dump file can be interpreted by the Windows Debugger. If the value of this REG_DWORD value is 0x01, the location of the crash dump file must appear in the value of the CrashDumpFile entry. By default, the crash dump file is named user.dmp and is in the system root directory.
- DumpAllThreads.
Specifies which application threads are included in the log file that Dr. Watson for Windows creates when an application error occurs. By default, the log file is named Drwtsn32.log and is in the system root directory. If this REG_DWORD value is 0x01, Dr. Watson includes all threads.
- DumpSymbols.
Specifies whether Dr. Watson for Windows includes the symbol table for each application module in its log file. The symbol table consists of the name and memory address of each symbol. By default, because it can be very large, the symbol table is not included in the log file. If this REG_DWORD value is 0x01, Dr. Watson includes the debug symbols.
- Instructions.
This REG_DWORD value specifies how many instructions preceding and following the faulty instruction are included in the instruction disassembly portion of Drwtsn32.log, the log file for Dr. Watson for Windows. The default value is 10.
- LogFilePath.
This REG_SZ value specifies the location of Drwtsn32.log, the log file for Dr. Watson for Windows. The log file contains diagnostic data about application errors that occur. All users must have permission to read and write to the log file.
- MaximumCrashes.
This REG_DWORD value specifies how many errors Dr. Watson for Windows maintains at any given time in its application error viewer and in the Event Viewer application log. When the number of recorded errors reaches the value of this entry, Dr. Watson operates normally and adds new errors to its log and crash dump file, but it does not add any new errors to its application log viewer or to the Event Viewer application log until it is reset. The user is not notified that the number of crashes has reached the maximum. To reset Dr. Watson for Windows, run Drwtsn32.exe. You can either click Clear or increase the value in the Number Of Errors To Save box. When you click Clear, you delete all errors from the application error viewer in Dr. Watson for Windows, and you delete all events from the Event Viewer application log, even those not generated by Dr. Watson for Windows. However, records of the application errors remain in the Drwtsn32.log and in the crash dump file, user.dmp, if one has been selected. The default value is 10.
- NumberOfCrashes.
This REG_DWORD value counts the number of application errors Dr. Watson for Windows is maintaining in its application error viewer and in the Event Viewer application log. When this value reaches the value of MaximumCrashes, Dr. Watson for Windows operates normally and adds new errors to its log and crash dump file, but it does not add any new errors to its application log viewer or to the Event Viewer application log until it is reset. The user is not notified that the number of crashes has reached the maximum. To reset Dr. Watson for Windows, run Drwtsn32.exe. You can either click Clear or increase the value in the Number Of Errors To Save box. When you click Clear, you delete all errors from the application error viewer in Dr. Watson for Windows, and you delete all events from the Event Viewer application log, even those not generated by Dr. Watson for Windows. However, records of the application errors remain in the Drwtsn32.log and in the crash dump file, user.dmp, if one has been selected.
- SoundNotification.
This REG_DWORD value specifies whether Dr. Watson for Windows generates a sound when it detects an application error. If the value of this entry is 0x01, you can enter the name of a wave file (.wav) in the value of the WaveFile entry. Otherwise, Dr. Watson generates two standard beeps.
- VisualNotification.
This REG_DWORD value specifies whether Dr. Watson for Windows displays a message box when it detects an application error. While the message box is displayed, no new messages or windows can be displayed, but background processes are not affected. If the buttons on the message box are not clicked within five minutes, the message box is removed.
- WaveFile.
This REG_SZ value specifies the file containing the sound that Dr. Watson for Windows plays when it detects an application error. This entry is used only when the computer has a sound card and the value of the SoundNotification entry is 0x01.
Microsoft\Internet Explorer
The key HKLM\SOFTWARE\Microsoft\Internet Explorer contains Internet Explorer settings that apply to every user who logs on to the computer. For example, the subkey AboutURLs contains the URLs of Web pages that Internet Explorer displays in special scenarios. The subkey AdvancedOptions defines templates for the options on the Internet Options dialog box's Advanced tab.
Microsoft\Sysprep
You won't see HKLM\SOFTWARE\Microsoft\Sysprep on your computer unless you installed Windows from a disk image that you prepared with Sysprep. Chapter 15, “Cloning Disks with Sysprep,” describes how to use this tool. The values in this subkey are useful for understanding what Sysprep has done:
- CriticalDevicesInstalled.
This value is 0x01 if Sysprep installed the critical devices. See Chapter 15 for more information.
- SidsGenerated.
This value is 0x01 if Sysprep regenerated the computer's SID.
Microsoft\Windows NT\CurrentVersion
The key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion contains useful subkeys for learning more about Windows but not customizing it. The values in this subkey describe the current version of Windows, the registered owner, and the path in which you installed the operating system. For IT professionals, the three most useful subkeys are in the following list:
- HotFix.
This key contains one subkey for each hotfix installed on the computer. The value Installed is 0x01 if the hotfix is installed; it's 0x00 otherwise. The HotFix key fills up quickly when you use Windows Update or Automatic Updates to download and install hotfixes. IT professionals can inventory the hotfixes installed on different computers by writing scripts that extract the contents of this key and dump them to text files on the network.
- ProfileList.
This key contains one subkey for each user profile you see in the User Profiles dialog box.
- Winlogon.
This key contains values that define the logon process, as well as the last user who logged on to the computer. There are two interesting customizations in this key, both of which you learn in Chapter 18, “Fixing Common IT Problems.” The first is that you can display a legal notice when users log on to the operating system. The second is that you can use this key to automatically log on to the computer using a specific account. You can do that a specific number of times. For example, you can configure this key to automatically log on as Administrator, install an application, and then log off of the operating system. See Chapter 18 for more information about this useful IT trick.
Microsoft\Windows NT\CurrentVersion\Winlogon
The Winlogon subkey stores configuration data for the Winlogon service. Winlogon provides support for interactive logon to Windows. This subkey stores data that applies to all users of the computer. The Winlogon subkey in HKCU stores data that applies to a specific user. The following list describes settings in the Winlogon key:
- AutoRestartShell.
Specifies whether the Windows user interface (typically, Explorer.exe) restarts automatically if it stops unexpectedly. Set this REG_DWORD value to 0x01 (the default value) to restart the user interface.
- DCacheMinInterval.
This REG_SZ value specifies how often the list of domains in the Unlock Workstation dialog box is updated. The list of domains is updated before it is displayed to the user if its age exceeds the value of this entry. A memory cache on the local computer stores the domain list. When the value of this entry is set to the default of two minutes and a user unlocks a workstation or server, the system retrieves domain data and updates the list. The short update interval ensures that the domain list is current. However, refreshing the list can cause a noticeable delay. You can use this entry to increase the time between domain list updates, eliminating some of the delay. However, if the domain list changes between updates, users still will not see the most current list of domains. This value doesn't exist in the registry by default. Add it if required.
- DCacheUpdate.
This REG_BINARY value stores domain names in binary form for internal Winlogon programming code to use.
- DefaultDomainName.
This REG_SZ value stores the name of the domain to which the user most recently logged on successfully. The value of this entry appears in the Log On To Windows dialog box the next time the dialog box is displayed.
- DefaultUserName.
This REG_SZ value stores the last user name entered in the Log On To Windows dialog box. The value of this entry appears in the Log On To Windows dialog box the next time the dialog box is displayed. It is also used in automated logons and unattended setup.
- DontDisplayLastUserName.
This REG_DWORD value specifies whether a user name appears in the Log On To Windows dialog box. By default, Windows displays the user name of the last user who logged on successfully (as stored in the value of DefaultUserName) in the Log On To Windows dialog box. If the value of this entry is 0x01, the User Name box in the Log On To Windows dialog box is blank.
- KeepRasConnection.
This REG_DWORD value specifies whether Windows closes all open dial-up (Routing and Remote Access) connections when a user logs off.
- LogonPrompt.
This REG_SZ value specifies a message for the Log On To Windows dialog box. By default, there is no logon prompt message. This value doesn't exist by default. Add it if required.
- ProfileDlgTimeOut.
This REG_DWORD value defines the starting time for the User Environment Countdown Timer. (The default is 30 seconds.) This timer determines how long the system waits for a user response before it uses a default value. The value of this entry is used when either of the following events occurs:
The system detects a slow link between the client and the server that stores the client's profile.
The system cannot access or update a server-based profile when the user logs on or off.
- RasForce.
This REG_SZ value specifies whether the Log On Using Dial-Up Connection check box is selected by default when the system starts. This check box appears on the Log On To Windows dialog box that is displayed when the user logs on to Windows. The system uses the value of this entry only when you have created a dial-up connection by using Network and Dial-up Connections and the computer is a member of a domain.
- RemoteBootOk.
This REG_SZ value specifies whether Winlogon declares startup to be successful. If you change the value of this entry to 0, you must use another program (such as Bootok.exe or Bootvrfy.exe) to declare the startup successful.
- RemoteControllerMissing.
Stores the computer setting for the domain controller message. (The user setting is stored in the value of the ReportDC entry.) This entry determines, in part, whether the system displays the following message when it cannot contact the domain controller that stores a user's roaming user profile:
“A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes made to your profile since you last logged on might not be available.”
When the value of this entry is equal to TRUE, the system displays the message. When the value is any other string and when this value is absent from the registry, the system does not display the message. Two entries manage the display of the domain controller message: ReportDC and ReportControllerMissing. The system displays this message only when both entries are set to the display setting–that is, when ReportDC is either set to 1 or does not appear in the registry, and when ReportDomainController appears in the registry with a value of TRUE. By default, the message does not display.
- RunLogonScriptSync.
This REG_DWORD value specifies whether the system waits for the logon script to finish running before it starts Windows Explorer and creates the desktop. If this value is 0x01, Windows Explorer does not start until the logon script is finished.
- ScreenSaverGracePeriod.
This REG_DWORD value specifies when password protection of a screen saver becomes effective. This entry specifies the delay between the appearance of a password-protected screen saver and the enforcement of the password requirement. Password protection of a screen saver is not effective immediately. By default, a brief period elapses within which the user can use the mouse or the keyboard to stop the screen saver without entering the password. This delay is designed to minimize the disruption that results when the screen saver starts while the user is working. You can add this entry to the registry to adjust the length of the delay. To make password protection effective immediately, set the value of this entry to 0x0. The default value is 0x05.
- SFCDllCacheDir.
This REG_EXPAND_SZ value specifies an alternate location for the Windows File Protection cache.
- SfcScan.
Specifies when Windows File Protection scans protected files for changes. By default, it scans protected files only during setup. The possible settings are as follows:
0. Windows File Protection scans files only during setup.
1. Windows File Protection scans files at setup and each time you start Windows. This setting delays each startup.
2. Windows File Protection scans files the next time you start the system.
- SfcShowProgress.
This REG_DWORD value hides the file scan progress window. This window provides status information that might be helpful to advanced users, but it might confuse novices. If this value is 0x01, users see the file scan progress window.
- Shell.
This REG_SZ value specifies the programs that provide the user interface to the operating system. By default, Winlogon starts the programs specified in the value of Userinit, including Userinit.exe. Userinit.exe starts the user interface program. However, if Winlogon cannot start the programs specified in the value of Userinit, Winlogon directly runs the programs specified in the value of this entry.
- ShowLogonOptions.
This REG_DWORD value specifies whether logon options are displayed in the Log On To Windows dialog box when the dialog box opens. The Log On To Windows dialog box has an Options button that alternately hides and displays the Domain box and the Log On Using Dial-Up Connection options. If this value is 0x01, the options are displayed; otherwise, they are hidden.
- SlowLinkProfileDefault.
This REG_DWORD value directs the system to wait for the remote copy of the roaming user profile to load, even if the profile is loading slowly. Also, the system waits for the remote copy when the user is notified about a slow connection but does not respond in the time allowed.
- SlowLinkTimeOut.
Defines which connections Winlogon considers to be slow. If the server storing a user's profile does not respond before the time specified in the value of this entry, Winlogon considers the link to the server to be slow, and it offers the user the option of using a profile stored on the local computer instead of waiting for the server. This entry is used only when the value of SlowLinkDetectEnabled is 1. You can increase the value of SlowLinkTimeOut to favor the server-based profile. This is particularly useful for clients using addresses assigned by Dynamic Host Configuration Protocol (DHCP), or for computers accessing server-based profiles over slow wide area network (WAN) connections, such as dial-up connections.
- Welcome.
This REG_SZ value specifies the text that appears in the caption bar beside the title of the Log On To Windows, Windows Security, Computer Locked, and Unlock Computer dialog boxes. This value doesn't exist by default. Add it to customize the caption of the previous dialog boxes.
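Three of the values described in this appendix run commands on their own: StubPath under Active Setup\Installed Components, AutoRun under Command Processor, and Shell under Winlogon. The following script is an added example, not code from the book: it parses a Registry Editor "Version 5.00" export, including the hex(2) encoding that regedit uses for REG_EXPAND_SZ values such as StubPath, and lists those three values for review. The sample export, its GUID, and its paths are constructed, and treating Explorer.exe as the expected Shell is an assumption.

```python
import re

# Key suffixes (lower-cased) for the command-running values this appendix describes.
ACTIVE_SETUP = r"\microsoft\active setup\installed components" + "\\"
CMD_PROC = r"\microsoft\command processor"
WINLOGON = r"\microsoft\windows nt\currentversion\winlogon"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    # Undo .reg string escaping of backslash and double quote.
    return re.sub(r"\\(.)", r"\1", s)

def _decode(raw):
    """Turn the right-hand side of a value line into str, int or bytes."""
    if raw.startswith('"'):
        return _unescape(raw[1:-1])                      # REG_SZ
    if raw.startswith("dword:"):
        return int(raw[6:], 16)                          # REG_DWORD
    kind, _, hexdata = raw.partition(":")
    data = bytes(int(b, 16) for b in hexdata.split(",") if b.strip())
    if kind in ("hex(1)", "hex(2)"):                     # REG_SZ / REG_EXPAND_SZ, UTF-16LE
        return data.decode("utf-16-le").rstrip("\x00")
    return data                                          # REG_BINARY and other types

def parse_reg(text):
    """Parse a 'Version 5.00' .reg export into {key_path: {value_name_lower: data}}."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):                          # hex data continues on next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            current[name.lower()] = _decode(m.group(2))
    return keys

def _nonzero(v):
    # IsInstalled may be exported as dword: or as little-endian hex: bytes.
    return int.from_bytes(v, "little") != 0 if isinstance(v, bytes) else bool(v)

def audit_autostart(keys):
    """Return (check, key_path, detail) tuples for values that run commands."""
    findings = []
    for path, v in keys.items():
        low = path.lower()
        if ACTIVE_SETUP in low and v.get("stubpath"):
            state = "installed" if _nonzero(v.get("isinstalled", 0)) else "not installed"
            findings.append(("ActiveSetup StubPath", path, f"{v['stubpath']} ({state})"))
        elif low.endswith(CMD_PROC) and v.get("autorun"):
            findings.append(("Command Processor AutoRun", path, v["autorun"]))
        elif low.endswith(WINLOGON):
            shell = str(v.get("shell", "explorer.exe")).strip().lower()
            if shell != "explorer.exe":                  # assumed baseline, adjust per site
                findings.append(("Winlogon Shell", path, v["shell"]))
    return findings

def _as_hex2(s):
    """Encode a string the way regedit exports REG_EXPAND_SZ (sample construction only)."""
    b = [f"{x:02x}" for x in (s + "\0").encode("utf-16-le")]
    return "hex(2):" + ",".join(b[:20]) + ",\\\n  " + ",".join(b[20:])

# Constructed sample export; every key, GUID and path below is illustrative.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
@="Constructed Component"
"IsInstalled"=hex:01,00,00,00
"StubPath"=STUBPATH

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"AutoRun"="C:\\Tools\\prompt-setup.cmd"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
""".replace("STUBPATH", _as_hex2(r"%SystemRoot%\system32\example-setup.exe /user"))

if __name__ == "__main__":
    for finding in audit_autostart(parse_reg(SAMPLE)):
        print(" | ".join(finding))
```

To run it against a real computer, export the three keys with Registry Editor, decode the file as UTF-16 (the encoding Version 5.00 exports use), and pass the text to parse_reg.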
Policies
Windows stores per-computer policies in the key HKLM\SOFTWARE\Policies, the preferred branch for registry-based policies. Restricted users don't have permission to change the Policies subkey, which prevents them from circumventing policies by editing the registry. Windows supports hundreds of policies that enable IT professionals to control the computer's configuration. Chapter 7, “Using Registry-Based Policy,” shows you how to customize policies by building custom administrative templates.
Very often, using policies is the best and most interesting way to customize Windows. For example, many of the customizations you learn about in Chapter 4, “Hacking the Registry,” rely on policy settings in the registry to change behaviors. Some policies enable you to change behavior that annoys you. In this regard, the per-user policies in HKCU\Software\Policies offer more customization possibilities than the policies that you find in HKLM\SOFTWARE\Policies.
Although editing the registry directly is certainly one way to customize policies, there are better ways. The first is to use Group Policy Editor to edit the local Group Policy Object (GPO). This provides a user interface for the policies, limiting your settings to valid choices. Chapter 7, “Using Registry-Based Policy,” describes how to edit the local GPO. In short, type gpedit.msc in the Run dialog box, and then edit the policies under Computer Configuration and User Configuration in Administrative Templates. The second way is to write scripts that change policies. I use scripts when I need to repeat the same setting many times, such as when I'm configuring multiple computers or when I reinstall Windows on computers often. Chapter 11, “Scripting Registry Changes,” shows you how to write scripts to edit the registry.