The Registry (part 1) - The Registry Editor & The Structure of the Registry

1. The Registry Editor

Most of the changes to the Registry are performed behind the scenes by the applications that you run, as well as by Windows—settings and other information are read from and written to the Registry constantly. But the primary means of editing Registry keys and values directly is the Registry Editor (open the Start menu, type regedit, and then press Enter), included with all editions of Windows Vista.

Although the Registry is stored in multiple files on your hard disk, it is represented by a single logical hierarchical structure, similar to the folders on your hard disk. When you open the Registry Editor, you'll see a window divided into two panes (as shown in Figure 1). The left side shows a tree with folders, and the right side shows the contents of the currently selected folder. Now, these aren't really folders—this is just a convenient and familiar method of organizing and displaying the information stored in your Registry.

Each folder-like object is called a key. Each key can contain other keys, as well as values. Values contain the actual information stored in the Registry, while keys are used only to organize the values. Keys are shown only in the left pane; values are shown only in the right pane (unlike Windows Explorer, where folders are shown in both panes).

To display the contents of a key (folder), just click the desired key name on the left, and the values contained therein will be listed in alphabetical order on the right side. To expand a certain branch to show its subkeys, click the tiny arrow to the left of any folder (or double-click the folder name).

Editing the Registry generally involves navigating down through branches to a particular key and then modifying an existing value or creating a new key or value. For instance, this following Registry path:

HKEY_CURRENT_USER\Software\Microsoft\Windows

points to the location of the Windows key, which you can get to by expanding the HKEY_CURRENT_USER branch, then Software, then Microsoft, and then finally clicking Windows to show its contents on the right.

You can also rename any key or value just like you'd rename a file in Windows Explorer: click twice slowly, right-click and select Rename, or highlight and press F2. Likewise, you can delete a key or value by highlighting it and pressing the Del key or by right-clicking it and selecting Delete. (Note that deleting a key will also delete all the values and subkeys it contains.)

To add a new key or value, select New from the Edit menu, select what type of object you want to add (Figure 2), type a name, and press Enter.

2. The Structure of the Registry

There are five primary, or "root," branches, each containing a specific portion of the information stored in the Registry. These root keys can't be deleted, renamed, or moved, because they are the basis for the organization of the Registry. They are:

HKEY_CLASSES_ROOT

This branch contains the information that comprises your file type associations and the registered software components (called classes) used by Windows and many of your applications.

This entire branch is a symbolic link,^[1] or "mirror," of HKEY_LOCAL_MACHINE\SOFTWARE\Classes, but is displayed separately here for convenience and, of course, to confuse you.

^{[1] *} A symbolic link is different from a Windows shortcut you'd find on your hard disk. Information in a linked branch appears twice and can be accessed at two different locations, even though it's stored only once. This means that Find may stop in both places if they contain something you're looking for and, as you might expect, changes in one place will be immediately reflected in the mirrored location.

HKEY_CURRENT_USER

This branch simply points to a portion of the HKEY_USERS root key (later in this section) representing the currently logged-in user. This way, any application can read and write settings for the current user without having to know which user is currently logged in.

In each user's branch are the settings for that user, such as Control Panel settings and Explorer preferences. Most applications store user-specific information here as well, such as toolbars, high scores for games, and other personal settings.

The settings for the current user are divided into several categories, such as AppEvents, Control Panel, Identities, Software, and System. The most useful of these branches, Software, contains a branch for almost every application installed on your computer, arranged by manufacturer. Here and in HKEY_LOCAL_MACHINE\SOFTWARE (discussed later) can be found all of your application settings. As though Windows was just another application on your system, you'll find most user-specific Windows settings in HKEY_CURRENT_USER\Software\Microsoft\Windows.

HKEY_LOCAL_MACHINE

This branch contains information about all of the hardware and software installed on your computer that isn't specific to the currently logged-in user. The settings in this branch are the same for all users on your system.

The sub-branch of most interest here is the SOFTWARE branch, which contains all of the information specific to the applications installed on your computer. Both this branch and the aforementioned HKEY_CURRENT_USER\Software branch are used to store application-specific information. Those settings that are specific to each user (even if your computer has only one user), such as toolbar configurations, are stored in the aforementioned HKEY_CURRENT_USER branch; those settings that are not user-dependent, such as installation folders and lists of installed components, are stored in the HKEY_LOCAL_MACHINE branch. You'll want to look in both places if you're trying to find a particular application setting, because most manufacturers (even Microsoft) aren't especially careful about which branch is used for any given setting.

HKEY_USERS

This branch contains a sub-branch for the currently logged-in user, the name of which is a long string of numbers that looks something like this:

S-1-5-21-1727987266-1036259444-725315541-500

This number is the SID (security identifier), a unique ID for each user on your system (yours will be different than this one).

While it may sound like a good idea to edit the contents of this branch, you should instead use the HKEY_CURRENT_USER branch described earlier, which is a symbolic link (mirror) of this branch:

HKEY_USERS\S-1-5-21-1727987266-1036259444-725315541-500

No matter which user is logged in, HKEY_CURRENT_USER will point to the appropriate portion of HKEY_USERS.

Because Windows only loads the profile (this portion of the Registry) of the currently logged-in user, only one user branch will ever be shown here. However, there will be a few other branches here, such as .default (used when nobody is logged in), and a few other branches that are of little interest to most users.

HKEY_CURRENT_CONFIG

This branch typically contains a small amount of information, most of which is simply symbolic links (mirrors) of other keys in the Registry. There's usually little reason to mess with this branch.

You'll eventually find that everything you'll want to do with the Registry can be done in either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE.

2.1. The Meat of the Registry: Values

Values are where Registry data is actually stored (while keys are simply used to organize values). The Registry uses several types of values—eight in all—each appropriate to the type of data it is meant to hold. Each type is known by at least two different names, the common name and the symbolic name (shown in parentheses in Table 1).

Table 1. Value types visible in the Registry Editor

Value type	Icon used in RegEdit	Can be created in RegEdit?
String (REG_SZ)		Yes
Multistring/string array (REG_MULTI_SZ)		Yes
Expandable string (REG_EXPAND_SZ)		Yes
Binary (REG_BINARY)		Yes
DWORD 32-Bit (REG_DWORD)		Yes
DWORD 64-Bit (REG_QWORD)		Yes
DWORD (REG_DWORD_BIGENDIAN)		No
Resource List (REG_RESOURCE_LIST, REG_RESOURCE_REQUIREMENTS_LIST, or FULL_RESOURCE_DESCRIPTOR)		No

Although the Registry Editor allows you to view and edit all eight types of values, it is only capable of creating the six most common (and not surprisingly, most useful) types. In practice, you'll typically only create string, binary, and DWORD values.

String values

String values contain strings of characters, more commonly known as plain text. Most values of interest to you will end up being string values; they're the easiest to edit and are usually in plain English. To edit a string value, just double-click, type a string of text into the text field (Figure 3), and click OK when you're done.

Figure 3. Edit a string value by typing text into this box

In addition to standard strings, there are two far less common string variants, used for special purposes:

• Multistring/string array values contain several strings, concatenated (glued) together and separated by null characters. Although the Registry Editor lets you create multistring values, it's impossible to type null characters (character #0 in the ASCII character set) from the keyboard. The only way to place a null character into a Registry value is either through a programming environment or via cut-and-paste from another application.

• Expandable string values contain special variables, into which Windows substitutes information before delivering to the owning application. For example, an expandable string value intended to point to a sound file may contain %SystemRoot%\Media\doh.wav. When Windows reads this value from the Registry, it substitutes the full Windows path for the variable, %SystemRoot%; the resulting data then becomes (depending on where Windows is installed) c:\Windows\Media\doh.wav. This way, the value data is correct regardless of the location of the Windows folder.

If you were to type data intended for an expandable string value into an ordinary string value, the variables wouldn't necessarily be expanded when read by an application.

Binary values

Similar to string values, binary values hold strings of characters. The difference is the way the data is viewed and edited. Instead of a standard text box, binary data is entered with hexadecimal codes in an interface commonly known as a hex editor. Each individual character is specified by a two-digit number in base-16 (e.g., 6E is 110 in good-ol' base 10), which allows characters not found on the keyboard to be entered. See Figure 4 for an example.

You can type hex codes on the left side or normal ASCII characters on the right, depending on where you click with the mouse.

The purpose of binary values is to hold data that couldn't be easily represented by ordinary string values. As such, binary values are much less likely to contain readable text (despite the example value in Figure 4), but rather simply raw data. Of course, the format and purpose of the data in any given binary value depends entirely on the application that created it.

Figure 4. Binary values are entered differently from the common string values, but the contents are sometimes nearly as readable

DWORD values

Essentially, a DWORD is a number. Often, the contents of a DWORD value are easy to understand, such as 0 for no and 1 for yes, or 161 for the number of seconds it took you to solve your best game of Sudoku. A DWORD value is used where only numerical digits are allowed, whereas a string or binary value can contain anything.

In the DWORD value editor (Figure 5), you can change the base of the number displayed (think back to your grade-school math). For instance, the number 64 in hexadecimal (also known as base 16) is equal to 100 in decimal (base 10).

In most cases, you'll want to select Decimal (even though Microsoft didn't bother to make it the default), since decimal notation is what most humans use for ordinary counting numbers. Note that if there's already a number in the Value data field, switching the Base converts the number in real time, which incidentally is a good way to illustrate the difference between the two settings.

The application that creates each value in the Registry solely determines the particular type and purpose of the value. In other words, no strict rules limit which types are used in which circumstances or how values are named. A programmer may choose to store, say, the high scores for some game in a binary value called High Scores or in a string value called Lard Lad Donuts. All you have to do in your role as Registry hacker is provide the values in the format expected by a given application.

An important thing to notice at this point is the string value named (default) that appears at the top of every key.^[2] The default value cannot be removed or renamed, although its contents can be changed; an empty default value is signified by value not set. The (default) value doesn't necessarily have any special meaning that would differentiate it from any other value, apart from what might have been assigned by the programmer of the particular application that uses the key.

^{[2] *} In the more simplistic Registry found in Windows 3.1 and Windows NT 3.x, each key had only one value. Starting in Windows 95, a key could contain any number of values; the default value simply took the place of the lone value from previous versions, allowing compatibility with older applications that were written before the change took effect. In fact, many things you'll find in the Registry are designed with such "legacy" support in mind.