Microsoft Windows Registry Guide, Second Edition

Registry Hive Files

In Registry Editor, you see the registry's logical structure. This is how Windows presents the registry to you and to the programs that use it, regardless of how the operating system actually organizes it on disk, which is much more complicated.

Physically, Windows organizes the registry in hives (registry branches stored in unique files), each of which is in a binary file called a hive file. For each hive file, Windows creates additional supporting files that contain backup copies of each hive's data. These backups allow the operating system to repair the hive during the installation and boot processes if something goes terribly wrong. You find hives in only two root keys: HKLM and HKU. (All other root keys are links to keys within those two.) The hive and supporting files for all hives other than those in HKU are in %SystemRoot%\System32\config. Hive files for HKU are in users' profile folders. Hive files don't have a file name extension, but their supporting files do, as described in Table 1-5.

Table 1-5 Hive File Name Extensions

| Extension | Description |
| --- | --- |
| None | Hive file. |
| .alt | Not used in Windows XP or Windows Server 2003. In Windows 2000, System.alt is a backup copy of the System hive file. |
| .log | Transaction log of changes to a hive. |
| .sav | Copy of a hive file made at the end of the text-mode phase of the Windows setup program. |

NOTE

The Windows setup program has two phases: text-mode and graphics-mode. The setup program copies each hive file to a SAV (.sav) file at the end of the text-mode phase so that it can recover the Windows setup process if the graphics-mode phase fails. If the graphics-mode phase does fail, the setup program repeats that phase after restoring the hive file from the SAV file.

Hives in HKLM

Table 1-6 shows the relationship between each registry hive and its hive file. Notice that the name of each hive is capitalized in the registry, which is sometimes a useful reminder while you're editing. Notice in this table that each hive in the first column comes from the files in the second column. Thus, Windows loads the hive HKLM\SOFTWARE from the hive file Software, which is in %SystemRoot%\System32\config. It loads the hive HKLM\SYSTEM from the hive file System, which is in the same location. To see the hive files that Windows has loaded, see HKLM\SYSTEM\CurrentControlSet\Control\hivelist\.

Table 1-6 Hive Files

| Hive | Hive, Supporting Files |
| --- | --- |
| HKLM\SAM | SAM, SAM.LOG |
| HKLM\SECURITY | SECURITY, SECURITY.LOG |
| HKLM\SOFTWARE | Software, Software.log, Software.sav |
| HKLM\SYSTEM | System, System.log, System.sav |

Did you notice that you don't find a hive file for HKLM\HARDWARE in Table 1-6? That's because this hive is dynamic. Windows builds it each time the operating system boots, and it doesn't save the hive as a hive file when it shuts down.
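The following PowerShell is an added example, not code from the book. It reads the hivelist key named above to show which file backs each loaded hive (an empty path marks a hive with no file, which is how HKLM\HARDWARE is expected to appear) and classifies the files beside each hive by the extensions in Table 1-5. The function names are hypothetical, and the script assumes an elevated prompt so that %SystemRoot%\System32\config can be listed.

```powershell
# Added example (not from the book): map loaded hives to their files.
# Run from an elevated prompt so that System32\config can be listed.

function Get-LoadedHive {
    # Each value name under hivelist is a hive's registry path; its data is
    # the NT device path of the hive file (empty when no file backs the hive).
    $key = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }          # skip the unnamed default value
        $file = [string]$key.GetValue($name)
        [pscustomobject]@{
            Hive    = $name
            File    = $file
            Dynamic = [string]::IsNullOrEmpty($file)
        }
    }
}

function Get-HiveSupportFile {
    # Classify the files that sit beside each hive by the extensions in Table 1-5.
    param([string[]]$Hive = @('SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM', 'DEFAULT'))
    $meaning = @{
        ''     = 'Hive file'
        '.alt' = 'Backup copy (Windows 2000 System hive only)'
        '.log' = 'Transaction log'
        '.sav' = 'Copy made at end of text-mode setup'
    }
    $configDir = Join-Path $env:SystemRoot 'System32\config'
    Get-ChildItem -LiteralPath $configDir -Force |
        Where-Object { -not $_.PSIsContainer -and $Hive -contains $_.BaseName } |
        ForEach-Object {
            $role = $meaning[$_.Extension]
            if (-not $role) { $role = 'Not listed in Table 1-5' }
            [pscustomobject]@{ File = $_.Name; Role = $role; Bytes = $_.Length }
        }
}

Get-LoadedHive | Sort-Object Hive | Format-Table -AutoSize
Get-HiveSupportFile | Sort-Object File | Format-Table -AutoSize
```

A file that shares a hive's base name but carries an extension outside Table 1-5 is reported as such rather than guessed at, which makes unexpected copies of SAM or SECURITY easy to spot during a review.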

NOTE

Other files in %SystemRoot%\System32\config seem conspicuously out of place. AppEvent.Evt, SecEvent.Evt, and SysEvent.Evt are the Windows event logs—Application, Security, and System, respectively. You can see in the registry where Windows stores each event log by looking at the subkeys of HKLM\SYSTEM\CurrentControlSet\Services\Eventlog. Userdiff is a file that Windows uses to convert user profiles from earlier versions of Windows (notably versions of Microsoft Windows NT) so that Windows can use them. Finally, the file Netlogon.ftl contains the names of available domains in the drop-down list box in the Welcome to Windows dialog box.

Hives in HKU

Each subkey in HKU is also a hive. For example, HKU\.DEFAULT is a hive, and its hive file is %SystemRoot%\System32\config\default. The remaining subkeys come from two different sources, though. The hive HKU\SID is in the hive file %UserProfile%\NTUSER.DAT, while the hive HKU\SID_Classes is in the hive file %UserProfile%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.

Each time a new user logs on to Windows, the operating system uses the default user profile to create a new profile for that user. The profile contains a new NTUSER.DAT hive file, which is the user profile hive. You learn much more about user profiles and how to deploy them in Chapter 12, “Deploying User Profiles.”

To see which profiles Windows has loaded and the hive file that corresponds to each hive, see the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. This key contains one subkey for each profile that the operating system has ever loaded, past and present. The subkey's name is the name of the hive in HKU, and the value ProfileImagePath contains the path to the hive file, which is always NTUSER.DAT. ProfileList does not mention the SID_Classes hives, however; it contains only user profile hives.
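The following PowerShell is an added example, not code from the book. It walks ProfileList as described above and reports, for each profile, whether its NTUSER.DAT exists on disk and whether the matching HKU\SID and HKU\SID_Classes hives are currently loaded. The function name is hypothetical, and the script assumes that ProfileImagePath holds the profile folder, so it appends NTUSER.DAT to that path. Run it from an elevated prompt so that other users' profile folders can be read.

```powershell
# Added example (not from the book): check each ProfileList entry against
# the hive file on disk and the hives currently loaded under HKU.

function Get-ProfileHiveReport {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $profileList | ForEach-Object {
        $sid    = $_.PSChildName                    # subkey name = hive name in HKU
        $folder = $_.GetValue('ProfileImagePath')   # REG_EXPAND_SZ, expanded on read
        # Assumption: the value holds the profile folder; NTUSER.DAT sits inside it.
        $hiveFile = if ($folder) { Join-Path $folder 'NTUSER.DAT' } else { $null }
        [pscustomobject]@{
            SID           = $sid
            HiveFile      = $hiveFile
            FileExists    = [bool]($hiveFile -and (Test-Path -LiteralPath $hiveFile))
            Loaded        = Test-Path -LiteralPath "Registry::HKEY_USERS\$sid"
            ClassesLoaded = Test-Path -LiteralPath "Registry::HKEY_USERS\${sid}_Classes"
        }
    }
}

$report = Get-ProfileHiveReport
$report | Format-Table -AutoSize

# ProfileList keeps past profiles as well as present ones, so entries with
# no hive file on disk are worth a closer look.
$report | Where-Object { -not $_.FileExists } | Select-Object SID, HiveFile
```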

NOTE

Windows 2000 limited the size of the registry, but Windows XP and Windows Server 2003 do not. This means that the operating system no longer limits the amount of space that the registry hives consume in memory or on the hard disk. Microsoft made an architectural change to the way Windows maps the registry into memory, eliminating the need for the size limit you might have struggled with in Windows 2000.
