Microsoft Windows Registry Guide, Second Edition
SYSTEM
The subkeys in HKLM\SYSTEM are ControlSetN, where N is a number beginning with 001. These are control sets, and they describe the computer's configuration. Of all the configuration data stored in the registry, this is by far the most important. Windows maintains at least two control sets to make sure that the operating system can always start. If the first fails, you can start with the second by choosing Last Known Good Configuration from the boot options menu.
The subkey CurrentControlSet is a link to the current control set ControlSetN. Windows identifies the current control set using the key HKLM\SYSTEM\Select. The REG_DWORD value Current contains the number of the current control set. The REG_DWORD value LastKnownGood contains the number of the last control set that worked properly. This is the control set that Windows loads when users choose Last Known Good Configuration.
All the control sets have a similar organization and similar contents. The sections following this one describe the contents of CurrentControlSet, which is a link to one of the numbered control sets.
NOTE
The following sections provide an overview of the contents of control sets. The Windows Resource Kit Registry Reference, available at http://go.microsoft.com/fwlink/?linkid=4543, provides detailed descriptions of the many settings contained in them.
CurrentControlSet\Control
The subkey CurrentControlSet\Control contains values that control how Windows starts. It defines the components to load and their configurations. The following list describes many of the interesting subkeys of Control:
- BackupRestore.
This subkey contains subkeys that specify the files and registry keys that Windows won't back up or restore. You learn about this subkey in Chapter 3, “Backing Up the Registry.”
- Class.
This subkey stores configuration data for classes of hardware devices.
- CrashControl.
This subkey contains values that specify what happens when Windows locks, fails, or terminates abnormally.
- CriticalDeviceDatabase.
This subkey contains the critical device database, which you learn about in Chapter 15, “Cloning Disks with Sysprep.” It contains configuration data for new devices that Windows must install and start before the components that the operating system normally installs are started.
- FileSystem.
This subkey contains file system configurations.
- GraphicsDrivers.
This subkey contains DirectX and graphics drivers settings.
- GroupOrderList.
This subkey contains the order in which Windows loads services in a service group when the operating system starts.
- hivelist.
This subkey defines the locations of hive files that are loaded in the registry. You learned about this subkey in Chapter 1, “Learning the Basics.”
- IDConfigDB.
This subkey contains settings that identify the current hardware configuration for Windows.
- Lsa.
This subkey contains configuration data for the Local Security Authority (LSA).
- Network.
This subkey contains network settings.
- NetworkProvider.
This subkey contains network provider settings.
- Print.
This subkey contains printer settings that apply to all users.
- PriorityControl.
This subkey specifies the relative priority of foreground applications to background applications.
- SafeBoot.
This subkey contains data about the computer's safe-mode settings. See Chapter 3, “Backing Up the Registry,” to learn about boot options.
- SecurePipeServers.
This subkey contains the winreg subkey, which controls remote access to the registry. See Chapter 8, “Configuring Windows Security,” to learn how to use this subkey to secure remote access to the registry.
- ServiceGroupOrder.
This subkey contains a list of all service groups in the order in which Windows loaded them.
- ServiceProvider.
This subkey contains data about the installed service providers.
- Session Manager.
This subkey contains Session Manager data.
- Update.
This subkey contains configuration data for System Policy. Chapter 7, “Using Registry-Based Policy,” describes how to use this subkey.
- VirtualDeviceDrivers.
This subkey contains data for virtual device drivers.
- Windows.
This subkey contains data for the Win32 subsystem.
- WOW.
This subkey contains settings that control MS-DOS-based applications and applications created for 16-bit versions of Windows.
CurrentControlSet\Enum
The subkey CurrentControlSet\Enum is a database of all the computer's devices that Windows recognized. This database stores configuration data for hardware devices separately from the device drivers they use. This database is an important part of Plug and Play in Windows.
TIP
The most common reason to hack CurrentControlSet\Enum is to remove devices that don't appear in Device Manager. Windows provides a better, safer alternative. In Device Manager, click View, Show Hidden Devices, and then remove the devices you want to remove from the Enum subkey.
CurrentControlSet\Hardware Profiles
The subkey CurrentControlSet\Hardware Profiles stores hardware profiles, which are usually created for laptop computers that have configurations for their docked and undocked states. A hardware profile contains changes to the original hardware profile configured in HKLM\SOFTWARE and HKLM\SYSTEM keys. Windows doesn't change the original value, so it can change hardware profiles easily. You use the Hardware Profiles dialog box to create and choose hardware profiles. Also, Windows automatically creates hardware profiles when it finds scenarios that require them.
Each hardware profile is in the subkey Hardware Profiles\N, where N is an incremental number beginning with 0000. These subkeys look like stripped-down versions of HKLM\SOFTWARE and HKLM\SYSTEM keys. They contain only those values that the hardware profile changes, though. In other words, when Windows uses a hardware profile, the settings in the profile overwrite the settings in SOFTWARE and SYSTEM. They represent a powerful way to customize the operating system for different hardware scenarios, which is particularly important to laptop users.
The subkey HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current is a link to the current hardware profile. HKCC is also a link to the current hardware profile (which explains why you don't find a separate section for HKCC in this appendix). Changing a value in any of these three locations changes the same value in the remaining two locations.
Windows maintains information about all its hardware profiles in the key HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB. This key contains the REG_DWORD value CurrentConfig, which indicates the number of the current hardware profile. The subkey Hardware Profiles in IDConfigDB defines each hardware profile in further detail. For example, each subkey in Hardware Profiles defines the friendly name of the hardware profile.
CurrentControlSet\Services
The subkey CurrentControlSet\Services defines services, such as device drivers, file system drivers, and Win32 services. The settings differ for each service. Each subkey in the Services key has the name of the service that uses it. This is frequently the name of the file from which Windows loads the service. Some of the subkeys in Services represent devices and services that are actually installed and running on the computer. Others aren't installed or aren't enabled. While different services might have unique values and subkeys, they all have the following values and subkeys in common:
- DependOnGroup.
This REG_MULTI_SZ value specifies the service groups that Windows must load before loading this service. This value ensures that all of a service's prerequisites are met.
- DependOnService.
This REG_MULTI_SZ value specifies the services that Windows must load before loading this service. This value ensures that all of a service's prerequisites are met.
- Enum.
You see this subkey in services that store values for device drivers and other services that control devices. It stores information about the hardware associated with this service.
- ErrorControl.
This REG_DWORD value specifies how to continue if the device driver fails to load or initialize properly. The following values are possible:
0x00 (Ignore). Ignore the error and continue starting Windows.
0x01 (Normal). Display a warning and continue starting Windows.
0x02 (Severe). Restart using the last known good configuration, and if that fails, continue starting Windows.
0x03 (Critical). Restart using the last known good configuration, and if that fails, do not continue starting Windows.
- Group.
This REG_DWORD value specifies the service group to which the service belongs. If this value doesn't exist, the service doesn't belong to a group, and the service loads after all service groups load.
- ImagePath.
This REG_EXPAND_SZ value specifies the path and name of the service's executable file. Network adapters don't use this value.
- Linkage.
This subkey contains data for binding network components. They associate network services with protocols and devices that support them.
- NetworkProvider.
This subkey contains the name of the device, the provider, and the provider order for a network service.
- ObjectName.
This REG_SZ value specifies the name of a driver object that the I/O Manager uses to load the device driver. This value exists in services that are kernel-mode or file system drivers.
- Parameters.
This subkey contains entries specific to each service.
- Performance.
This subkey contains data for the service's performance counter.
- Security.
This subkey contains information about a driver's or service's permissions.
- Start.
This REG_DWORD value specifies how Windows loads or starts the service. The following values are possible:
0x00 (Boot). The kernel loader loads the driver when Windows boots.
0x01 (System). The I/O Subsystem loads the driver during kernel initialization.
0x02 (Automatic). The Session Control Manager starts the service automatically.
0x03 (Manual). The service must be started manually.
0x04 (Disabled). The service is never started.
- Tag.
This REG_DWORD value specifies the service's tag number, which is a unique number within the service group.
- Type.
This REG_DWORD value indicates the service's type. The following values are possible:
0x01. Kernel-mode device drivers
0x02. File system drivers
0x04. Arguments for an adapter
0x08. File system driver services
0x10. Win32 programs that run their own processes
0x20. Win32 programs that share processes
0x110. Win32 programs that run in processes by themselves
0x120. Win32 programs that share processes and interact with users
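The following added example (not code from the book) ties together the HKLM\SYSTEM\Select values and the Services values described above: it reads the text of a .reg-style export, uses Current or LastKnownGood to pick the numbered control set, and decodes each service's Start, Type, and ErrorControl values with the tables from this section. The sample input and the service names ExampleDrv and ExampleSvc are constructed, the input is assumed to be already decoded to a string, and only REG_DWORD lines are parsed.

```python
import re

# Value tables copied from the lists in this section (TYPE is a subset).
START = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
ERROR_CONTROL = {0: "Ignore", 1: "Normal", 2: "Severe", 3: "Critical"}
TYPE = {0x01: "Kernel-mode device driver", 0x02: "File system driver",
        0x10: "Win32 program, own process", 0x20: "Win32 program, shared process"}

# Constructed .reg-style input; service names are hypothetical.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"LastKnownGood"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleDrv]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc]
"Type"=dword:00000020
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ExampleSvc]
"Type"=dword:00000020
"Start"=dword:00000004
"""

def parse_dwords(text):
    """Return {key path: {value name: int}} for the REG_DWORD lines in the text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def services(keys, which="Current"):
    """Decode the services of the control set that Select's `which` value names."""
    root = "HKEY_LOCAL_MACHINE\\SYSTEM\\"
    prefix = f"{root}ControlSet{keys[root + 'Select'][which]:03d}\\Services\\"
    out = {}
    for path, vals in keys.items():
        name = path[len(prefix):]
        if path.startswith(prefix) and name and "\\" not in name:
            out[name] = (START.get(vals.get("Start"), "unknown"),
                         TYPE.get(vals.get("Type"), "unknown"),
                         ERROR_CONTROL.get(vals.get("ErrorControl"), "unset"))
    return out
```

Calling services(parse_dwords(SAMPLE), "LastKnownGood") decodes the control set that Last Known Good Configuration would load, which makes it easy to compare a service's start mode between the two sets.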