Managing Windows Server 2012 Systems : Managing the Registry (part 2) - Registry root keys

12/17/2014 3:25:02 AM

Registry root keys

The registry is organized into a hierarchy of keys, subkeys, and value entries. The root keys are at the top of the hierarchy and form the primary branches, or subtrees, of registry information. There are two physical root keys: HKEY_LOCAL_MACHINE and HKEY_USERS. These physical root keys are associated with actual files stored on the disk and are divided into additional logical groupings of registry information. As shown in Table 1, the logical groupings are simply subsets of information gathered from HKEY_LOCAL_MACHINE and HKEY_USERS.

Table 1. Registry subtrees

| Subtree | Description |
| --- | --- |
| Physical Subtree | |
| HKEY_LOCAL_MACHINE (HKLM) | Stores all the settings that pertain to the hardware currently installed on the machine. |
| HKEY_USERS (HKU) | Stores user profile data for each user who has previously logged on to the computer locally as well as a default user profile. |
| Logical Subtree | |
| HKEY_CLASSES_ROOT (HKCR) | Stores all file associations and object linking and embedding (OLE) class identifiers. This subtree is built from HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes. |
| HKEY_CURRENT_CONFIG (HKCC) | Stores information about the hardware configuration with which you started the system. This subtree is built from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current, which in turn is a pointer to a numbered subkey that has the current hardware profile. |
| HKEY_CURRENT_USER (HKCU) | Stores information about the user currently logged on. This key has a pointer to HKEY_USERS\UserSID, where UserSID is the security identifier for the current user as well as for the default profile discussed previously. |

INSIDE OUT: The registry on 64-bit Windows systems

The registry on 64-bit Windows systems is divided into 32-bit and 64-bit keys. Many keys are created in both 32-bit and 64-bit versions, and although the keys belong to different branches of the registry, they have the same name. On these systems, Registry Editor (Regedit.exe) is designed to work with both 32-bit and 64-bit keys.

Registry keys are either shared or redirected for use under WOW64. With shared keys, a physical copy of each key is mapped into each logical view of the registry and applications make calls into these logical views. With redirected keys, the registry redirector intercepts calls to the redirected keys and maps them to the actual physical location in the registry.
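To see the two views side by side, the following added example (not part of the original article) opens the same HKLM subkey through the 64-bit and the 32-bit view and reports which values differ. The function names are hypothetical; the subkey used in the usage line is one the article mentions later.

```powershell
# Added example: compare the 64-bit and 32-bit registry views of one HKLM subkey.
# Run on 64-bit Windows. Function names are illustrative, not a Windows API.
function Get-RegistryViewValues {
    param(
        [Parameter(Mandatory)] [string] $SubKey,
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryView] $View
    )
    # OpenBaseKey selects the view explicitly, regardless of whether the
    # calling PowerShell process is itself 32-bit or 64-bit.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)      # read-only open
        if ($null -eq $key) { return }        # key does not exist in this view
        try {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Name = $name
                    Data = [string]$key.GetValue($name, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                }
            }
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

function Compare-RegistryViews {
    param([Parameter(Mandatory)] [string] $SubKey)
    $v64 = @{}; $v32 = @{}
    Get-RegistryViewValues -SubKey $SubKey -View Registry64 |
        ForEach-Object { $v64[$_.Name] = $_.Data }
    Get-RegistryViewValues -SubKey $SubKey -View Registry32 |
        ForEach-Object { $v32[$_.Name] = $_.Data }

    foreach ($name in (@($v64.Keys) + @($v32.Keys) | Sort-Object -Unique)) {
        if (-not $v32.ContainsKey($name))      { $status = 'Only64' }
        elseif (-not $v64.ContainsKey($name))  { $status = 'Only32' }
        elseif ($v64[$name] -ceq $v32[$name])  { $status = 'Same' }
        else                                   { $status = 'Differs' }
        [pscustomobject]@{
            Name = $name; Status = $status
            Data64 = $v64[$name]; Data32 = $v32[$name]
        }
    }
}

# Usage: values that exist under the same name but are not identical in both views.
Compare-RegistryViews -SubKey 'SOFTWARE\Microsoft\Windows\CurrentVersion' |
    Where-Object Status -ne 'Same' | Format-Table -AutoSize
```

A key that reports every value as Same is consistent with a shared key; Differs, Only64 or Only32 rows indicate a redirected key, which an audit that reads only one view would miss.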

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE, abbreviated as HKLM, contains all the settings that pertain to the hardware currently installed on a system. It includes settings for memory, device drivers, installed hardware, and startup. Applications are supposed to store settings in HKLM only if the related data pertains to everyone who uses the computer.

As Figure 2 shows, HKLM contains the following major subkeys:

  • BCD00000000

  • HARDWARE

  • SAM

  • SECURITY

  • SOFTWARE

  • SYSTEM

These subkeys are discussed in the sections that follow.

Figure 2. Accessing HKEY_LOCAL_MACHINE in the registry.

HKLM\BCD00000000

The HKLM\BCD00000000 key stores information regarding the configuration and state of the computer’s Boot Configuration Data (BCD). BCD provides a firmware-independent approach for managing the boot environment for Windows systems.

The BCD architecture has three main components: stores, objects, and elements. A store is a top-level component that establishes the namespace and acts as a container for BCD objects and elements. There are three general types of BCD objects:

  • Application objects: Describe boot environment objects, such as Windows Boot Manager or Windows Boot Loader.

  • Inheritable objects: Act as containers for elements that are shared across multiple object instances.

  • Device objects: Act as containers for elements that describe complex devices, such as a RAM disk that was created from a Windows Imaging file.

Application objects have an image type and an application type associated with them. The image type specifies how the executable for the application is loaded, such as through the firmware or by a boot application. The application type specifies what the application does and the standard application types are listed in Table 2.

Table 2. BCD application types

| Application type | Description |
| --- | --- |
| Boot sector | A 16-bit real-mode application for BIOS-based systems, which can be used to restart the boot process and load a non-Windows operating system. |
| Firmware boot manager | Manages the firmware boot for EFI systems. |
| Ntldr | Loads versions of Windows earlier than Windows Vista on BIOS-based systems. |
| Windows boot loader | Loads a particular version or configuration of Windows. |
| Windows boot manager | Controls boot of the system. In a multi-boot system, displays a boot selection menu to the user. |
| Windows memory tester | An application for performing memory diagnostics. |
| Windows resume application | Restores Windows to its running state when a computer resumes from hibernation. |

Each BCD object has a globally unique identifier or GUID. For example, the GUID of the Windows resume application is 5824ba7d-acee-11e1-ba52-cfa3fef36259. In the registry, the GUID sets the key path and each object has a description entry and associated elements entries.
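The following added example (not from the original article) lists the BCD objects stored in the registry and classifies each one using the object types and application types described above. It assumes an elevated session, an Objects subkey with Description\Type and Elements\12000004\Element entries, and a Type bit layout (bits 28-31 object kind, bits 0-19 application type) that the article does not state; the function names are hypothetical.

```powershell
# Added example: read-only inventory of BCD objects under HKLM\BCD00000000.
# ASSUMPTION (not stated in the article): Description\Type is a DWORD whose
# top 4 bits give the object kind and whose low 20 bits give the application type.
$BcdObjectKind = @{ 1 = 'Application'; 2 = 'Inheritable'; 3 = 'Device' }
$BcdAppType = @{
    1 = 'Firmware boot manager'
    2 = 'Windows boot manager'
    3 = 'Windows boot loader'
    4 = 'Windows resume application'
    5 = 'Windows memory tester'
    6 = 'Ntldr'
    8 = 'Boot sector'
}

function ConvertFrom-BcdObjectType {
    param([Parameter(Mandatory)] [int] $Type)
    $kind = ($Type -shr 28) -band 0xF
    $app  = $Type -band 0xFFFFF
    [pscustomobject]@{
        Kind            = $BcdObjectKind[$kind]
        # Application types only apply to application objects.
        ApplicationType = if ($kind -eq 1) { $BcdAppType[$app] }
    }
}

function Get-BcdRegistryObject {
    # Each subkey of Objects is named after the object's GUID.
    Get-ChildItem -LiteralPath 'HKLM:\BCD00000000\Objects' -ErrorAction Stop |
        ForEach-Object {
            $desc = $_.OpenSubKey('Description')
            # ASSUMPTION: element 12000004 holds the human-readable description.
            $text = $_.OpenSubKey('Elements\12000004')
            $type = if ($desc) { $desc.GetValue('Type') }
            $decoded = if ($null -ne $type) { ConvertFrom-BcdObjectType -Type $type }
            [pscustomobject]@{
                Guid            = $_.PSChildName
                Type            = if ($null -ne $type) { '0x{0:X8}' -f $type }
                Kind            = $decoded.Kind
                ApplicationType = $decoded.ApplicationType
                Description     = if ($text) { $text.GetValue('Element') }
            }
        }
}

# Usage: a baseline of boot objects that can be diffed against a later run.
Get-BcdRegistryObject | Sort-Object Kind, ApplicationType | Format-Table -AutoSize
```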

HKLM\HARDWARE

HKLM\HARDWARE stores information about the hardware configuration for the computer. This key is re-created by the operating system each time you start Windows Server 2012, and it exists only in memory, not on disk. To build this key, the operating system enumerates every device it can find by scanning the system buses and by searching for specific classes of devices, such as serial ports, keyboards, and pointer devices.

Under HKLM\HARDWARE, you’ll find four standard subkeys that are dynamically created at startup and contain the information gathered by the operating system. These subkeys are as follows:

  • ACPI: Contains information about the Advanced Configuration and Power Interface (ACPI), which is a part of system BIOS that supports Plug and Play and advanced power management. This subkey doesn’t exist on non-ACPI-compliant computers.

  • DESCRIPTION: Contains hardware descriptions, including those for the system’s central processor, floating-point processor, and multifunction adapters. For portable computers, one of the multifunction devices lists information about the docking state. For any computer with multipurpose chip sets, one of the multifunction devices lists information about the controllers for disks, keyboards, parallel ports, serial ports, and pointer devices. There’s also a catchall category for other controllers, such as when a computer has a PC Card controller.

  • DEVICEMAP: Contains information that maps devices to device drivers. You’ll find device mappings for keyboards, pointer devices, parallel ports, Small Computer System Interface (SCSI) ports, serial ports, and video devices. Of particular note is that within the VIDEO subkey is a value entry for the VGA-compatible video device installed on the computer. This device is used when the computer must start in VGA display mode.

  • RESOURCEMAP: Contains mappings for the hardware abstraction layer (HAL), for the Plug and Play Manager, and for available system resources. Of particular note is the Plug and Play Manager. It uses this subkey to record information about devices it knows how to handle.

Additional nonstandard subkeys can exist under HKLM\HARDWARE. The subkeys are specific to the hardware used by the computer.

HKLM\SAM

HKLM\SAM stores the Security Accounts Manager (SAM) database. When you create local users and groups on member servers and workstations, the accounts are stored in HKLM\SAM. This key is also used to store information about built-in user and group accounts, as well as group membership and aliases for accounts.

By default, the information stored in HKLM\SAM is inaccessible through Registry Editor. This is a security feature designed to help protect the security and integrity of the system.

HKLM\SECURITY

HKLM\SECURITY stores security information for the local machine. It contains information about cached logon credentials, policy settings, service-related security settings, and default security values. It also has a copy of the HKLM\SAM. As with the HKLM\SAM subkey, this subkey is inaccessible through Registry Editor. This is a security feature designed to help protect the security and integrity of the system.

HKLM\SOFTWARE

HKLM\SOFTWARE stores machine-wide settings for every application and system component installed on the system. This includes setup information, executable paths, default configuration settings, and registration information. Because this subkey resides under HKLM, the information here is applied globally. This is different from the HKCU\SOFTWARE configuration settings, which are applied on a per-user basis.

As Figure 3 shows, you’ll find many important subkeys within HKLM\SOFTWARE, including the following:

  • Classes: Contains all file associations and OLE class identifiers. This is also the key from which HKEY_CLASSES_ROOT is built.

  • Clients: Stores information about protocols and shells used by every client application installed on the system. This includes the calendar, contacts, mail, media, and news clients.

  • Microsoft: Contains information about every Microsoft application and component installed on the system. This includes their complete configuration settings, defaults, registration information, and much more. You’ll find most of the graphical user interface (GUI) preferences in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion. You’ll find the configuration settings for most system components, language packs, hot fixes, and more under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

  • ODBC: Contains information about the Open Database Connectivity (ODBC) configuration on the system. It includes information about all ODBC drivers and ODBC file Data Source Names (DSNs).

  • Policies: Contains information about local policies for applications and components installed on the system.

Figure 3. Accessing HKEY_LOCAL_MACHINE\SOFTWARE in the registry.

HKLM\SYSTEM

HKLM\SYSTEM stores information about device drivers, services, startup parameters, and other machine-wide settings. You’ll find several important subkeys within HKLM\SYSTEM. One of the most important is HKLM\SYSTEM\CurrentControlSet, as shown in Figure 4.

Figure 4. Accessing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet in the registry.

CurrentControlSet contains information about the set of controls and services used for the last successful boot of the system. This subkey always contains information on the set of controls actually in use and represents the most recent successful boot. The operating system writes the control set as the final part of the boot process so that it updates the registry as appropriate to reflect which set of controls and services was last used for a successful boot. This is, in fact, how you can boot a system to the Last Known Good Configuration after it crashes or experiences a Stop error.

HKLM\SYSTEM also contains previously created control sets. These are saved under the subkeys named ControlSet001, ControlSet002, and so forth. Within the control sets, you’ll find four important subkeys:

  • Control: Contains control information about key operating system settings, tools, and subcomponents, including the HAL, keyboard layouts, system devices, interfaces, and device classes. Under BackupRestore, you’ll find the saved settings for Backup, which include lists of Automated System Recovery (ASR) keys, files, and registry settings not to restore. Under the SafeBoot subkey, you’ll find the control sets used for minimal and network-only boots of the system.

  • Enum: Contains the complete enumeration of devices found on the computer when the operating system scans the system buses and searches for specific classes of devices. This represents the complete list of devices present during startup of the operating system.

  • Hardware Profiles: Contains a subkey for each hardware profile available on the system. The first hardware profile, 0000, is an empty profile. The other numbered profiles, beginning with 0001, represent profiles that are available for use on the system. The profile named Current always points to the profile being used currently by the operating system.

  • Services: Contains a subkey for each service installed on the system. These subkeys store the necessary configuration information for their related services, which can include startup parameters as well as security and performance settings.
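The following added example (not from the original article) resolves which numbered control set CurrentControlSet refers to and reports services whose startup type or image path differs between two control sets. It relies on the HKLM\SYSTEM\Select key and on the Start and ImagePath values of each service subkey, none of which the article covers; the function names are hypothetical.

```powershell
# Added example: map control-set roles to ControlSetNNN and diff their Services.
# HKLM\SYSTEM\Select (values Current, Default, Failed, LastKnownGood) is not
# described in the article; it records the number of each control set.
function Get-ControlSetMap {
    $select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    foreach ($role in 'Current', 'Default', 'Failed', 'LastKnownGood') {
        $n = $select.$role
        [pscustomobject]@{
            Role       = $role
            # A value of 0 (typical for Failed) means no control set is assigned.
            ControlSet = if ($n) { 'ControlSet{0:D3}' -f $n }
        }
    }
}

function Get-ControlSetService {
    param([string] $ControlSet = 'CurrentControlSet')
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    Get-ChildItem -Path "HKLM:\SYSTEM\$ControlSet\Services" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $start = $_.GetValue('Start')
            if ($null -ne $start) {            # skip subkeys that are not services
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    Start     = $startNames[[int]$start]
                    ImagePath = $_.GetValue('ImagePath', $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                }
            }
        }
}

function Compare-ControlSetService {
    param(
        [Parameter(Mandatory)] [string] $Reference,
        [Parameter(Mandatory)] [string] $Difference
    )
    $ref = @{}
    Get-ControlSetService -ControlSet $Reference | ForEach-Object { $ref[$_.Service] = $_ }
    foreach ($svc in Get-ControlSetService -ControlSet $Difference) {
        $old = $ref[$svc.Service]
        if ($null -eq $old) {
            $svc | Select-Object @{ n = 'Change'; e = { 'Added' } }, Service, Start, ImagePath
        } elseif ($old.Start -ne $svc.Start -or $old.ImagePath -ne $svc.ImagePath) {
            $svc | Select-Object @{ n = 'Change'; e = { 'Changed' } }, Service, Start, ImagePath
        }
    }
}

# Usage: diff the last-known-good set against the current one when they differ.
$map = Get-ControlSetMap
$cur = ($map | Where-Object Role -eq 'Current').ControlSet
$lkg = ($map | Where-Object Role -eq 'LastKnownGood').ControlSet
if ($lkg -and $lkg -ne $cur) { Compare-ControlSetService -Reference $lkg -Difference $cur }
```

On systems where Current and LastKnownGood point to the same numbered set, the comparison is skipped because there is nothing to diff.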

Another interesting subkey is HKLM\SYSTEM\MountedDevices. The operating system creates this key and uses it to store the list of mounted and available disk devices. Disk devices are listed according to logical volume configuration and drive-letter designator.

HKEY_USERS

HKEY_USERS, abbreviated as HKU, contains user-profile data for every user who has previously logged on to the computer locally, as well as a default user profile. Each user’s profile is owned by that user unless you change permissions or move profiles. Profile settings include the user’s desktop configuration, environment variables, folder options, menu options, printers, and network connections.

User profiles are saved in subkeys of HKEY_USERS according to their security identifiers (SIDs). There is also a SecurityID_Classes subkey that represents file associations that are specific to a particular user. For example, if a user sets Adobe Photoshop as the default program for .jpeg and .jpg files and this is different from the system default, there are entries within this subkey that show this association.

The policy settings are applied to the individual user profiles stored in this key. The default profile specifies how the machine behaves when no one is logged on and is also used as the base profile for new users who log on to the computer. For example, if you want to ensure that the computer uses a password-protected screen saver when no one is logged on, you modify the default profile accordingly. The subkey for the default user profile is easy to pick out because it is named HKEY_USERS\.DEFAULT.

Note

The profile information stored in HKU is loaded from the profile data stored on disk. The default location for profiles is %SystemDrive%\Users\UserName, where UserName is the user’s pre–Windows 2000 logon name.

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT, abbreviated as HKCR, stores all file associations that tell the computer which document file types are associated with which applications, as well as which action to take for various tasks—such as open, edit, close, or play—based on a specified document type. For example, if you double-tap or double-click a .doc file, the document typically is opened for editing in Microsoft Word. This file association is added to HKCR when you install Microsoft Office or Microsoft Word. If Microsoft Office or Microsoft Word isn’t installed, a .doc file is opened instead in WordPad because of a default file association created when the operating system is installed.

HKCR is built from HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes. The former provides computer-specific class registration, and the latter provides user-specific class registration. Because the user-specific class registrations have precedence, this allows for different class registrations for each user of the machine. This is different from previous versions of the Windows operating system for which the same class registration information was provided for all users of a particular machine.
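The following added example (not from the original article) covers both the HKEY_USERS layout and the HKCR merge described above: it maps each loaded HKEY_USERS subkey to an account name, then lists class registrations where the current user's entry takes precedence over a different machine-wide entry. Function names are hypothetical, and only the default value of each class key is compared.

```powershell
# Added example: inventory loaded user hives and per-user class overrides.
function Get-LoadedUserHive {
    Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
        $name    = $_.PSChildName
        $sidText = $name -replace '_Classes$', ''   # SID_Classes -> SID
        $account = $null
        if ($sidText -match '^S-1-') {              # .DEFAULT is not a SID
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '(unresolved)'           # e.g. deleted or unreachable account
            }
        }
        [pscustomobject]@{
            SubKey        = $name
            Account       = $account
            IsClassesHive = ($name -like '*_Classes')
        }
    }
}

function Get-ClassRegistrationSource {
    param([Parameter(Mandatory)] [string] $Class)    # for example '.jpg'
    # -LiteralPath is required: class names such as '*' are wildcard characters.
    $user    = Get-Item -LiteralPath "HKCU:\Software\Classes\$Class" -ErrorAction SilentlyContinue
    $machine = Get-Item -LiteralPath "HKLM:\SOFTWARE\Classes\$Class" -ErrorAction SilentlyContinue
    $merged  = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$Class" -ErrorAction SilentlyContinue
    $u = if ($user)    { $user.GetValue('') }        # '' reads the key's default value
    $m = if ($machine) { $machine.GetValue('') }
    [pscustomobject]@{
        Class          = $Class
        UserDefault    = $u
        MachineDefault = $m
        MergedDefault  = if ($merged) { $merged.GetValue('') }
        # True when both registrations exist and their default values differ.
        ShadowsMachine = ($null -ne $user -and $null -ne $machine -and $u -ne $m)
    }
}

function Get-UserClassOverride {
    Get-ChildItem -Path 'HKCU:\Software\Classes' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ClassRegistrationSource -Class $_.PSChildName } |
        Where-Object { $_.ShadowsMachine }
}

# Usage
Get-LoadedUserHive | Format-Table -AutoSize
Get-UserClassOverride | Format-Table -AutoSize
```

Comparing MergedDefault with UserDefault and MachineDefault in the output shows which registration the merged HKCR view actually returns for each class.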

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG, abbreviated as HKCC, contains information about the hardware configuration with which you started the system, which is also referred to as the machine’s boot configuration. This key contains information about the current device assignments, device drivers, and system services that were present at boot time.

HKCC is built from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current, which in turn is a pointer to a numbered subkey that contains the current hardware profile. If a system has multiple hardware profiles, the key points to a different hardware profile, depending on the boot state or the hardware profile selection made at startup.

HKEY_CURRENT_USER

HKEY_CURRENT_USER, abbreviated as HKCU, contains information about the user currently logged on. This key has a pointer to HKEY_USERS\UserSID, where UserSID is the security identifier for the current user as well as for the default profile discussed previously. Microsoft requires that applications store user-specific preferences under this key. For example, Microsoft Office settings for individual users are stored under this key. Additionally, as discussed previously, HKEY_CURRENT_USER\SOFTWARE\Classes stores the user-specific settings for file associations.

Tip

If you don’t want users to be able to set their own file associations, you could change the permissions on HKLM\SOFTWARE\Classes so that users can’t alter the global settings you want them to have.
