Windows Registry
Last updated
Last updated
The registry is a hierarchical database that contains data that is critical for the operation of Windows and the applications and services that run on Windows. The data is structured in a tree format. Each node in the tree is called a key. Each key can contain both subkeys and data entries called values. Sometimes, the presence of a key is all the data that an application requires; other times, an application opens a key and uses the values associated with the key. A key can have any number of values, and the values can be in any form. For more information, see Registry Value Types and Registry Element Size Limits.
Each key has a name consisting of one or more printable characters. Key names are not case sensitive. Key names cannot include the backslash character (\), but any other printable character can be used. Value names and data can include the backslash character.
The name of each subkey is unique with respect to the key that is immediately above it in the hierarchy. Key names are not localized into other languages, although values may be.
It's not necessary for all Windows applications to use the Windows Registry. Some programs store their configurations in XML or other types of files instead of the registry, and others are entirely portable and store their data in an executable file.
The following illustration is an example registry key structure as displayed by the Registry Editor.
Each of the trees under My Computer is a key. The HKEY_LOCAL_MACHINE key has the following subkeys: HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM. Each of these keys in turn has subkeys. For example, the HARDWARE key has the subkeys DESCRIPTION, DEVICEMAP, and RESOURCEMAP; the DEVICEMAP key has several subkeys including VIDEO
Each value consists of a value name and its associated data, if any. MaxObjectNumber and VgaCompatible are values that contain data under the VIDEO subkey.
Much of the registry consists of nested containers known as subtrees, keys, and subkeys, which are like folders. The actual data is stored in the registry entries, the lowest level element in the registry. The entries are like files. The series of nested containers make up a path to each entry. Because entry names are unique only within a path, entries are referenced by their full registry path and name.
Subtrees are the root, or primary divisions, of the registry. The Windows Server 2003 registry is divided into five subtrees. Subtrees themselves do not contain configuration data; they contain the keys, subkeys, and entries in which the data is stored. Click the name of a subtree to see its description:
HKEY_USERS
Keys are the next level down from subtree, which contain at least one subkey (for example, Hardware Key). Some subtrees do not have keys.
Subkeys are the next level down from keys or subtrees (if the subtree has no keys). Subkeys store entries and other subkeys.
Entries are the lowest-level element in the registry. They appear in the right pane of the registry editor window. Each entry consists of the entry name, its Data Types in the Registry (which defines the length and format of data that the entry can store), and a field known as the value of the registry entry. Data is stored in the value. Entries are referenced by their registry path and name.
Entries store the actual configuration data for the operating system and the programs that run on the system. As such, they are different from subtrees, keys, and subkeys, which are merely containers.
The permanent parts of the registry are stored as a set of files called the hive files. You can find a list of locations for these files in the hivelist subkey in HKLM\SYSTEM\CurrentControlSet\Control. These files are saved in systemroot\System32\Config and updated with each login. They consist of the following files, which store four of the five keys in HKEY_LOCAL_MACHINE and one key in HKEY_USERS:
SAM Contains information stored in the key HKLM\SAM about the Security Accounts Manager (SAM) service.
SECURITY Contains the security information stored in the key HKLM\SECURITY.
SOFTWARE Contains information stored in the key HKLM\SOFTWARE about the computer's software configuration.
SYSTEM Contains information stored in the HKLM\SYSTEM about the computer's system configuration.
DEFAULT Contains the default system information that is stored in the key HKEY_USERS\.DEFAULT.
Here is a list of common Types and what they represent:
REG_BINARY – The value will be in Binary format. Usually used for hardware component entries.
REG_DWORD – These values are commonly a “0” for a disabled option or a “1” for an enabled option.
REG_SZ – These values are stored in a human readable format.
The valid access rights for registry keys include the DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Registry keys do not support the SYNCHRONIZE standard access right.
The following table lists the specific access rights for registry key objects.
Value | Meaning |
---|---|
KEY_ALL_ACCESS (0xF003F) | Combines the STANDARD_RIGHTS_REQUIRED, KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, and KEY_CREATE_LINK access rights. |
KEY_CREATE_LINK (0x0020) | Reserved for system use. |
KEY_CREATE_SUB_KEY (0x0004) | Required to create a subkey of a registry key. |
KEY_ENUMERATE_SUB_KEYS (0x0008) | Required to enumerate the subkeys of a registry key. |
KEY_EXECUTE (0x20019) | Equivalent to KEY_READ. |
KEY_NOTIFY (0x0010) | Required to request change notifications for a registry key or for subkeys of a registry key. |
KEY_QUERY_VALUE (0x0001) | Required to query the values of a registry key. |
KEY_READ (0x20019) | Combines the STANDARD_RIGHTS_READ, KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS, and KEY_NOTIFY values. |
KEY_SET_VALUE (0x0002) | Required to create, delete, or set a registry value. |
KEY_WOW64_32KEY (0x0200) | Indicates that an application on 64-bit Windows should operate on the 32-bit registry view. This flag is ignored by 32-bit Windows. For more information, see Accessing an Alternate Registry View. This flag must be combined using the OR operator with the other flags in this table that either query or access registry values. Windows 2000: This flag is not supported. |
KEY_WOW64_64KEY (0x0100) | Indicates that an application on 64-bit Windows should operate on the 64-bit registry view. This flag is ignored by 32-bit Windows. For more information, see Accessing an Alternate Registry View. This flag must be combined using the OR operator with the other flags in this table that either query or access registry values. Windows 2000: This flag is not supported. |
KEY_WRITE (0x20006) | Combines the STANDARD_RIGHTS_WRITE, KEY_SET_VALUE, and KEY_CREATE_SUB_KEY access rights. |
To run reg.exe, you first need to start Command Prompt as an administrator with the following steps:
Open Start.
Search for Command Prompt.
Right-click the result and select Run as administrator.
To run the tool, type the following command and press Enter:
This command will display all the operation types you can use, including:
You'll get the return codes: 0 meaning that the operation completed successfully, and 1 indicating that the operation failed. However, you won't get any return codes using the Compare switch.
If you’re only interested in looking up a key, you will not need the name of a value. When you look up a key, you basically look up what values and keys exist under it.
example:
The output of this command can be rather long since a key can have lots of sub-keys. This command will only return a list of keys under the one you’ve specified.
If you’d like to look up both the keys and the values under a specific key, and also include all the values under the sub-keys, add the /s switch. Be prepared for an even larger output.
Look up value
KeyName: Defines the path to the subkey or entry. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC. If you're trying to edit the registry on a remote computer, you can only use these shortcuts: HKLM and HKU.
/v ValueName: Specifies the name for the registry key to be added or deleted.
/ve: Defines if you're adding or deleting an entry that has a null value.
/t Type: Specifies the type of registry entries. Here's the list of valid types:
REG_SZ
REG_MULTI_SZ
REG_DWORD_BIG_ENDIAN
REG_DWORD
REG_BINARY
REG_DWORD_LITTLE_ENDIAN
REG_LINK
REG_FULL_RESOURCE_DESCRIPTOR
REG_EXPAND_SZ
/f: Adds or deletes registry content without prompting for confirmation.
/s Separator: Defines the character you use to separate multiple instances of data when the REG_MULTI_SZ data type is specified and you need to add more than one entry. The default separator is \0 if it is not specified.
/d Data: Specifies the data for the new entry in the registry.
example:
To add a subkey named MySubkey under HKEY_LOCAL_MACHINE\Software, use the following example:
To add a new DWORD (32-bit) value entry named AppInfo with the value of 1, use the following example:
To add a new DWORD (32-bit) value entry named AppInfo with value of 1 on a remote computer, use the following example:
To add a new Binary Value entry named Data with data of fe340ead, use the following example:
To add a registry entry with multiple values to MySubkey with a value name of MRU of type REG_MULTI_SZ and data of fax\0mail\2\1, use the following example:
To add an expanded registry entry to MySubkey with a value name of Path of type REG_EXPAND_SZ and data of %systemroot%, use the following example:
To delete the subkey named MySubkey, use the following example:
KeyName1: Defines the path to the subkey you want to copy. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC. If you're trying to copy the registry on a remote computer, you can only use these shortcuts: HKLM and HKU.
KeyName2: Defines the path to the subkey destination. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC. If you're trying to copy the registry on a remote computer, you can only use these shortcuts: HKLM and HKU.
/s: Copies all subkeys and entries of a particular subkey.
/f: Executes the copy command without prompting for confirmation.
example:
To copy all values under the subkey MySubkey1 from a remote computer to the subkey MySubkey2 on the a new computer, use the following example:
KeyName: Defines the path to the subkey or entry. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC.
FileName: Specifies the name and path of the .reg file to be exported or imported.
/y: Overwrites the registry content without prompting for confirmation.
To export all the content within the subkey MySubkey, use the following example:
To export and overwrite any existing file, use the following example:
To import all the content, including subkeys, entries, and values within the subkey named MySubkey, use the following example:
KeyName: Defines the path to the subkey or entry. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC. If you're trying to edit the registry on a remote computer, you can only use these shortcuts: HKLM and HKU.
FileName: Specifies the name and path of the .hiv file to be saved or restored.
/y: Overwrites the registry content without prompting for confirmation.
To save a copy of subkeys, entries, and values within the subkey named MySubkey, use the following example:
To restore all the content, including subkeys, entries, and values within the subkey named MySubkey, use the following example: