Microsoft Windows Registry Guide, Second Edition
Registry Structure
The structure of the Windows registry is very similar to the structure of the Windows file system. Figure 1-4 compares Registry Editor, the tool you use to edit the registry, and Windows Explorer. (You learn how to use Registry Editor in Chapter 2, “Using Registry Editor.”) In the editor's left pane, which is called the key pane, you see the registry's hierarchy, just as in Windows Explorer you see the file system's hierarchy in the left pane. Each folder in the key pane is a registry key. In the editor's right pane, which is called the value pane, you see a key's values, just as in Windows Explorer's right pane you see a folder's contents.
Take a look at Figure 1-4. In Windows Explorer, you see each of the computer's disks under My Computer. Likewise, in Registry Editor, you see each of the registry's root keys under My Computer. Although you see the full name of each root key in Registry Editor, the standard abbreviations that you see in Table 1-3 are easier to type and read.
Name | Abbreviation |
HKEY_CLASSES_ROOT | HKCR |
HKEY_CURRENT_USER | HKCU |
HKEY_LOCAL_MACHINE | HKLM |
HKEY_USERS | HKU |
HKEY_CURRENT_CONFIG | HKCC |
Figure 1-4 If you're familiar with Windows Explorer, you probably won't have any trouble understanding the registry's structure, which is similar to that of the file system.
Keys
Keys are so similar to folders that they have the same naming rules. (Registry Editor even uses the same icon for keys that Windows Explorer uses for folders.) You can nest one or more keys within another key as long as the names are unique within each key. A key's name is limited to 512 ANSI or 256 Unicode characters, and you can use any ASCII character in the name other than a backslash (\), asterisk (*), and question mark (?). In addition, Windows reserves all names that begin with a period for its own use.
The similarities between the registry and file system continue with paths. The path C:\Windows\System32\Sol.exe refers to a file called Sol.exe on drive C in a subfolder of \Windows called System32. The path HKCU\Control Panel\Desktop\Wallpaper refers to a value called Wallpaper in the root key HKCU in a subkey of Control Panel called Desktop. This notation is a fully qualified path. I often refer to a key and all its subkeys as a branch.
NOTE
I usually use the term key, but occasionally I use subkey to indicate a parent-child relationship between one key and another. Thus, when you see, for example, text that describes the key Software and its subkey Microsoft, it indicates that Microsoft is a child key under Software.
The last thing to discuss in this section is the concept of linked keys. Windows stores hardware profiles in HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\. Each hardware profile is a subkey nnnn, where nnnn is an incremental number beginning with 0000. The subkey Current is a link to whichever key is the current hardware profile, and root key HKCC is a link to Current. It all sounds terribly convoluted until you see the relationship illustrated in Figure 1-5. To continue the file system analogy, think of links as aliases or shortcuts.
Figure 1-5 When one key is linked to another, as in this example, the same subkeys and values appear in both places.
Values
Each key contains one or more values. In my analogy with Windows Explorer, values are similar to files. A value's name is similar to a file's name. A value's type is similar to a file's extension, which indicates its type. A value's data is similar to the file's actual contents. Click a key in Registry Editor's key pane, and the program shows the key's values in the value pane. In the value pane, you see three columns, which correspond to the three parts of a value:
- Name.
Every value has a name. The same rules for naming keys apply to values: up to 512 ANSI or 256 Unicode characters except for the backslash (\), asterisk (*), and question mark (?), with Windows reserving all names that begin with a period. Within each key, value names must be unique, but different keys can have values with the same name.
- Type.
Each value's type determines the type of data that it contains. For example, a REG_DWORD value contains a double-word number, and a REG_SZ value contains a string. The section “Types,” later in this chapter, describes the different types of data that Windows supports in the registry.
- Data.
Each value can be empty, or null, or it can contain data. A value's data can be a maximum of 32,767 bytes, but the practical limit is 2 kilobytes (KB). The data usually corresponds to the type, except that binary values can contain strings, double-words, or anything else.
Every key contains at least one value, and that's the default value. When you look at the registry through Registry Editor, you see the default value as (Default). The default value is almost always a string, but some programs can change it to other types. In most cases, the default value is null, and Registry Editor displays its data as (value not set). When instructions require that you change a key's default value, they usually say so explicitly: “Set the key's default value.”
NOTE
When looking at a key's fully qualified path, you have to figure out whether the path includes a value or not. Usually, the text is clear about whether the path is to a key or includes a value, but sometimes it isn't. For example, does HKCR\txtfile\EditFlags refer to a key or a value? In this case, it refers to a value, and I prefer to use explicit language, such as “the value HKCR\txtfile\EditFlags,” to make the reference clear. Sometimes, paths that don't include a value name end with a backslash (\). If there is no backslash, pay particular attention to the context to make sure you know whether the path is just a key or includes a value. Sometimes a bit of common sense is all you need.
Types
Windows supports the following types of data in the registry. As you look through this list, realize that REG_BINARY, REG_DWORD, and REG_SZ account for the vast majority of all the settings in the registry.
- REG_BINARY.
Binary data. Registry Editor displays binary data in hexadecimal notation, and you enter binary data using hexadecimal notation. An example of a REG_BINARY value is 0x02 0xFE 0xA9 0x38 0x92 0x38 0xAB 0xD9.
- REG_DWORD.
Double-word values (32 bits). Many values are REG_DWORD values used as Boolean flags (0 or 1, true or false, yes or no). You also see time stored in REG_DWORD values in milliseconds (1000 is 1 second). 32-bit unsigned numbers range from 0 to 4,294,967,295, and 32-bit signed numbers range from -2,147,483,648 to 2,147,483,647. You can view and edit these values in decimal or hexadecimal notation. Examples of REG_DWORD values are 0xFE020001 and 0x10010001.
- REG_DWORD_BIG_ENDIAN.
Double-word values with the most significant bytes stored first in memory. The order of the bytes is the opposite of the order in which REG_DWORD stores them. For example, the number 0x01020304 is stored in memory as 0x01 0x02 0x03 0x04. You don't see this data type much on Intel-based architectures.
- REG_DWORD_LITTLE_ENDIAN.
Double-word values with the least significant bytes stored first in memory (reverse-byte order). This type is the same as REG_DWORD, and because Intel-based architectures store numbers in memory in this format, it is the most common number format in Windows. For example, the number 0x01020304 is stored in memory as 0x04 0x03 0x02 0x01. Registry Editor doesn't offer the ability to create REG_DWORD_LITTLE_ENDIAN values, because this value type is identical to REG_DWORD in the registry.
- REG_EXPAND_SZ.
Variable-length text. A value of this type can include environment variables, and the program using the value expands those variables before using it. For example, a REG_EXPAND_SZ value that contains %USERPROFILE%\Favorites might be expanded to C:\Documents and Settings\Jerry\Favorites before the program uses it. The registry application programming interface (API) relies on the calling program to expand the environment variables in REG_EXPAND_SZ strings, so the registry value is useless if the program doesn't expand them. See Chapter 12, “Deploying User Profiles,” to learn how to use this type of value to fix some interesting problems.
- REG_FULL_RESOURCE_DESCRIPTOR.
Resource lists for a device or device driver. This data type is important to Plug and Play, but it doesn't figure much in your work with the registry. Registry Editor doesn't provide a way to create this type of value, but it does allow you to display it. See HKLM\HARDWARE\DESCRIPTION\Description for examples of this data type.
- REG_LINK.
A link. You can't create REG_LINK values.
- REG_MULTI_SZ.
Binary values that contain lists of strings. Registry Editor displays one string on each line and allows you to edit these lists. In the registry, a null character (0x00) separates each string, and two null characters end the list.
- REG_NONE.
Values with no defined type.
- REG_QWORD.
Quadruple-word values (64 bits). This type is similar to REG_DWORD but contains 64 bits instead of 32 bits. The only version of Windows XP that supports this type of value is Windows XP Professional x64 Edition. You can view and edit these values in decimal or hexadecimal notation. An example of a REG_QWORD value is 0xFE02000110010001.
- REG_QWORD_BIG_ENDIAN.
Quadruple-word values with the most significant bytes stored first in memory. The order of the bytes is the opposite of the order in which REG_QWORD stores them. See REG_DWORD_BIG_ENDIAN for more information about this value type.
- REG_QWORD_LITTLE_ENDIAN.
Quadruple-word values with the least significant bytes stored first in memory (reverse-byte order). This type is the same as REG_QWORD. See REG_DWORD_LITTLE_ENDIAN for more information. Registry Editor doesn't offer the ability to create REG_QWORD_LITTLE_ENDIAN values, because this value type is identical to REG_QWORD in the registry.
- REG_RESOURCE_LIST.
List of REG_FULL_RESOURCE_DESCRIPTOR values. Registry Editor allows you to view, but not edit, this type of value.
- REG_RESOURCE_REQUIREMENTS_LIST.
List of resources that a device requires. Registry Editor allows you to view but not edit this type of value.
- REG_SZ.
Fixed-length text. Other than REG_DWORD values, REG_SZ values are the most common types of data in the registry. An example of a REG_SZ value is Microsoft Windows XP or Jerry Honeycutt. Each string ends with a null character. Programs don't expand environment variables in REG_SZ values.
Data in Binary Values
Of all the values in the registry, binary values are the least straightforward. When an application reads a binary value from the registry, deciphering its meaning is up to that program. This means that applications can store data in binary values using their own data structures, and those data structures mean nothing to you or any other program. Also, applications often store REG_DWORD and REG_SZ data in REG_BINARY values, which makes finding and deciphering them difficult, as you learn in Chapter 10, “Finding Registry Settings.” In fact, some programs use REG_DWORD and 4-byte REG_BINARY values interchangeably; thus, keeping in mind that Intel-based computers use little-endian architecture, the binary value 0x01 0x02 0x03 0x04 and the REG_DWORD value 0x04030201 mean exactly the same thing.
Now it gets more complicated. The registry actually stores all values as binary values. The registry API identifies each type of value by a number, which programmers refer to as a constant, and which I tend to think of as the type number. You'll notice this type number mostly when you export keys to REG files—something you learn how to do in Chapter 2. For example, when you export a REG_MULTI_SZ value to a REG file, Registry Editor writes a binary value with the type number 7. Normally, the type number associated with each value type doesn't matter because you refer to the values by their names, but there are times when the information in Table 1-4 will be useful.
Number | Type |
0 | REG_NONE |
1 | REG_SZ |
2 | REG_EXPAND_SZ |
3 | REG_BINARY |
4 | REG_DWORD |
4 | REG_DWORD_LITTLE_ENDIAN |
5 | REG_DWORD_BIG_ENDIAN |
6 | REG_LINK |
7 | REG_MULTI_SZ |
8 | REG_RESOURCE_LIST |
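An added example (not from the book) that decodes the data portion of an exported REG-file value by type number, using the numbers in Table 1-4, and shows why a 4-byte REG_BINARY and a REG_DWORD can hold the same bytes. It assumes a Version 5.00 export, in which string data inside hex(N) values is UTF-16LE; the function names and sample lines are constructed for illustration.

```python
import re
import struct

# Type numbers from Table 1-4 (only the ones this example decodes).
REG_SZ, REG_EXPAND_SZ, REG_BINARY = 1, 2, 3
REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_MULTI_SZ = 4, 5, 7

# Data part of a REG-file line: dword:..., hex:..., or hex(N):...
_DATA = re.compile(r"^(dword|hex)(?:\(([0-9a-fA-F]+)\))?:(.*)$", re.S)

def parse_reg_data(text):
    """Return (type_number, raw_bytes) for the text after '=' in a REG file."""
    m = _DATA.match(text.strip())
    if not m:
        raise ValueError("not a dword/hex value")
    kind, num, body = m.groups()
    if kind == "dword":
        # dword: is written as a readable number; pack it in little-endian
        # order, the byte order the page describes for REG_DWORD.
        return REG_DWORD, struct.pack("<I", int(body, 16))
    body = re.sub(r"[\\\s]", "", body)  # drop line continuations, whitespace
    raw = bytes(int(b, 16) for b in body.split(",") if b)
    # Plain hex: means REG_BINARY; hex(N): carries the type number in hex.
    return (int(num, 16) if num else REG_BINARY), raw

def decode(type_number, raw):
    """Interpret raw bytes according to the type number."""
    if type_number in (REG_DWORD, REG_DWORD_BIG_ENDIAN):
        if len(raw) != 4:
            raise ValueError("double-word data must be exactly 4 bytes")
        fmt = "<I" if type_number == REG_DWORD else ">I"
        return struct.unpack(fmt, raw)[0]
    if type_number in (REG_SZ, REG_EXPAND_SZ):
        # Not expanded here: expanding REG_EXPAND_SZ is the caller's job.
        return raw.decode("utf-16-le").rstrip("\x00")
    if type_number == REG_MULTI_SZ:
        # A null separates strings; dropping empties removes the terminator.
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return raw  # REG_BINARY and others: the meaning is up to the application

# Constructed sample lines (not taken from a real export).
SAMPLE_MULTI = ("hex(7):41,00,6c,00,70,00,68,00,61,00,00,00,42,00,65,00,74,00,\\\n"
                "  61,00,00,00,00,00")
SAMPLE_DWORD = "dword:04030201"
SAMPLE_BINARY = "hex:01,02,03,04"
```

`parse_reg_data(SAMPLE_DWORD)` and `parse_reg_data(SAMPLE_BINARY)` return different type numbers but identical bytes, which is the interchangeability the section describes.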