From Wikipedia, the free encyclopedia
In computing, the Windows registry is a database which
stores settings and options for the operating system for
Microsoft Windows 32-bit versions, 64-bit versions and
Windows Mobile. It contains information and settings for all
the hardware, operating system
software, most non-operating system software, users, and
preferences of the
PC and so on. Whenever a user makes changes to "Control
Panel" settings, or
file associations, system policies, or
installed software, the changes are reflected and stored in
Windows XP Registry Editor
The Windows Registry was introduced to tidy up the profusion
of INI files that had previously been used to store
configuration settings for Windows programs. These files tended
to be scattered all over the system, which made them difficult
The Registry is split into a number of logical sections, or
"keys". These are generally known by the names of the
definitions used to access them in the Windows
API, which all begin "HKEY" (an abbreviation for "Handle to
Key"); often, they are abbreviated to a three- or four-letter
short name starting with "HK" (e.g. HKCU and HKLM).
Each of these keys is divided into subkeys, which may contain
further subkeys, and so on. Any key may contain entries with
various types of values. The values of these entries can be:
- String Value
- Binary Value (any arbitrary data)
- DWORD Value, a 32-bit integer (numbers between 0 and
4,294,967,295 [2^32 - 1])
- Multi-String Value
- Expandable String Value
Registry keys are specified with a syntax similar to Windows'
path names, using backslashes to indicate levels of hierarchy.
E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the
subkey "Windows" of the subkey "Microsoft" of the subkey
"Software" of the HKEY_LOCAL_MACHINE key. Values are not
referenced via this syntax. Value names can contain backslashes
which would lead to ambiguities were they referred to this way.
The win32 functions that query and manipulate registry values
take value names separately from the key path and/or handle that
identifies the parent key.
The HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER nodes have a
similar structure to each other; applications typically look up
their settings by first checking for them in
name\Version\Setting name", and if the setting is not found
looking instead in the same location under the
HKEY_LOCAL_MACHINE key. When writing settings back, the reverse
approach is used — HKEY_LOCAL_MACHINE is written first, but if
that cannot be written to (which is usually the case if the
logged in user is not an administrator), the setting is stored
in HKEY_CURRENT_USER instead.
Abbreviated HKCR, HKEY_CLASSES_ROOT stores information about
registered applications, including associations from file
OLE object class ids to the applications used to handle
these items. On Windows 2000 and above, HKCR is a compilation of
HKCU\Software\Classes and HKLM\Software\Classes. If a given
value exists in both of the subkeys above, the one in
HKCU\Software\Classes is used.
Abbreviated HKCU, HKEY_CURRENT_USER stores settings that are
specific to the currently logged in user. HKCU mirrors the
current user's subkey of HKEY_USERS.
Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are
general to all users on the computer. This key is found within
the file %SystemRoot%\System32\Config\system on NT-based
versions of Windows. Information about system hardware is
located under the SYSTEM key.
Abbreviated HKU, HKEY_USERS contains subkeys corresponding to
the HKEY_CURRENT_USER keys for each user registered on the
Abbreviated HKCC, HKEY_CURRENT_CONFIG contains information
gathered at runtime; information stored in this key is not
permanently stored on disk, but rather regenerated at boot time.
Editing the Registry
The registry can be edited manually in Microsoft Windows by
running regedit.exe or regedt32.exe in the Windows directory.
However, careless registry editing can cause irreversible
damage, so the registry should be backed up before editing. Many
optimization and "hacking"
tools are available to modify this portion of the Windows
operating system. It is preferable to use one of the many
registry tools available, unless you have a knowledge of
registry workings or wish to learn more about the registry, in
which case it is recommended that you back up your hard drive
before changing the registry.
Windows 3.11 Registry Editor
A simple implementation of the current registry tool appeared
in Windows 3.x, called the "Registration Info Editor" or
"Registration Editor". This was basically just a
database of applications used to edit embedded
OLE objects in documents.
Windows NT introduced permissions for Registry editing.
Windows NT 4 and
Windows 2000 were distributed with both the Windows 9x
REGEDIT.EXE program and Windows NT 3.x's REGEDT32.EXE program.
There are several differences between the two editors on these
- REGEDIT.EXE had a left-side tree view that began at "My
Computer" and listed all loaded hives. REGEDT32.EXE had a
left-side tree view, but each hive had its own window, so
the tree displayed only keys.
- REGEDIT.EXE represented the three components of a value
(its name, type, and data) as separate columns of a table.
REGEDT32.EXE represented them as a list of strings.
- REGEDIT.EXE supported right-clicking of entries in a
tree view to adjust properties and other settings.
REGEDT32.EXE required all actions to be performed from the
top menu bar.
- Because REGEDIT.EXE was directly ported from
Windows 95, it did not support permission editing
(permissions do not exist on Windows 9x). Therefore, the
only way to access the full functionality of an NT registry
was with REGEDT32.EXE.
- REGEDIT.EXE only supported string (REG_SZ), binary
(REG_BINARY), and DWORD (REG_DWORD) values. REGEDT32.EXE
supports those, plus expandable string (REG_EXPAND_SZ) and
multi-string (REG_MULTI_SZ). Attempting to edit unsupported
key types with REGEDIT.EXE on Windows 2000 or Windows NT 4
will result in conversion to a supported type that cannot be
Windows XP was the first system to integrate these two
programs into one, adopting the old REGEDIT.EXE interface and
adding the REGEDT32.EXE functionality. The differences listed
above are not applicable on Windows XP and newer systems;
REGEDIT.EXE is the improved editor, and REGEDT32.EXE is simply a
stub that invokes REGEDIT.EXE.
Command line editing
On NT-based and Win98SE systems the registry can be
manipulated from the
command line with the reg.exe utility. It is included in
Windows XP and can be downloaded separately for previous
versions. Alternative locations are the Resource Kit CDs or
the original Installation CD of Windows that shipped with your
reg.exe Operation [Parameter List]
Also, a .reg file (a text-based human-readable file format
for storing portions of the registry) can be imported from the
command line with the following command:
regedit.exe /s file
The /s means the file will be merged silently into the
Registry. If the /s parameter is omitted the user will be asked
to confirm the operation. In Windows 98 and Windows 95 the /s
switch also caused regedit.exe to ignore the setting in the
registry that allows administrators to disable it. When using
the /s switch Regedit does not return an appropriate return code
if the operation fails, unlike reg.exe which does. This makes it
hard to script, however a possible workaround is to add the
following lines into your
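rem Remove any stale export so the existence test below is meaningful
if exist test.reg del test.reg
regedit /s file.reg
rem Export a key that file.reg should have created, then test for the export
regedit /e test.reg "key"
if not exist test.reg goto REGERROR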
The default association for .reg files in many versions of
Microsoft Windows, starting with Windows 98, requires the user
to confirm the merge, to avoid user mistakes.
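Because a merge, and a silent /s merge in particular, applies every line of the file, it is worth listing what a .reg file will do before importing it. The following is an added example, not part of the original article: it parses the "Windows Registry Editor Version 5.00" text format into key path, value name, type and data, covering the value types listed earlier. SAMPLE_REG and its vendor and application names are constructed, and the format details (dword:, hex(2):, hex(7):, "name"=- and [-key] deletions) come from the .reg format itself rather than from this page.

```python
import re

# Constructed sample in the "Windows Registry Editor Version 5.00" text format.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
@="default text"
"Install\\Dir"="C:\\Program Files\\ExampleApp"
"Retries"=dword:0000000a
"Blob"=hex:de,ad,be,\
  ef
"LogPath"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,00,00
"Servers"=hex(7):61,00,00,00,62,00,00,00,00,00
"Obsolete"=-

[-HKEY_CURRENT_USER\Software\ExampleVendor\OldApp]
'''

# A value line is @ (the key's default value) or a quoted name, then "=".
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    # Inside quotes, .reg escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def _decode(raw):
    """Map the right-hand side of a value line to (type, data)."""
    if raw == '-':
        return ('DELETE_VALUE', None)
    if raw.startswith('"'):
        return ('REG_SZ', _unescape(raw[1:-1]))
    if raw.startswith('dword:'):
        return ('REG_DWORD', int(raw[6:], 16))
    m = re.match(r'hex(?:\(([0-9a-fA-F]+)\))?:(.*)$', raw)
    if not m:
        raise ValueError('unsupported value syntax: ' + raw)
    data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
    kind = int(m.group(1), 16) if m.group(1) else 3
    if kind == 2:    # expandable string, UTF-16LE with a terminating NUL
        return ('REG_EXPAND_SZ', data.decode('utf-16-le').rstrip('\0'))
    if kind == 7:    # multi-string: NUL-separated, double-NUL terminated
        return ('REG_MULTI_SZ', [s for s in data.decode('utf-16-le').split('\0') if s])
    return ('REG_BINARY' if kind == 3 else 'TYPE_%d' % kind, data)

def parse_reg(text):
    """Return the merge as a list of (key_path, value_name, type, data)."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text)   # join hex continuation lines
    ops, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            if key.startswith('-'):              # [-key] deletes the whole key
                ops.append((key[1:], None, 'DELETE_KEY', None))
                key = None
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError('unparseable line: ' + line)
        # The value name is kept apart from the key path, so a backslash in
        # the name ("Install\Dir") is never mistaken for a level of hierarchy.
        name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        ops.append((key, name) + _decode(m.group(2)))
    return ops

if __name__ == '__main__':
    for op in parse_reg(SAMPLE_REG):
        print(op)
```

The older REGEDIT4 format stores hex(2) and hex(7) data in the ANSI code page rather than UTF-16LE, so this parser deliberately accepts only the Version 5.00 header.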
Registry permissions can be manipulated through the command
line using the subinacl.exe
tool. To display the permissions on the
subinacl /keyreg HKEY_LOCAL_MACHINE\software /display
To set the owner of the key HKEY_LOCAL_MACHINE\software and
all of its subkeys to Administrator:
subinacl /keyreg HKEY_LOCAL_MACHINE\software /setowner=Administrator
subinacl /subkeyreg HKEY_LOCAL_MACHINE\software /setowner=Administrator
To grant full access rights to the
HKEY_LOCAL_MACHINE\software key to Administrator:
subinacl /keyreg HKEY_LOCAL_MACHINE\software /grant=Administrator=F
Editing by programs or scripts
You can edit the registry through the APIs of the Advanced
Windows 32 Base API Library (advapi32.dll)
This is a list of the Registry API Functions:
Some programming languages, like
Visual Basic, offer built-in runtime library functions that
enable programs to store settings in the registry.
Another way is to use the
Windows Support Tool Reg.exe by executing it from your code
Many scripting languages such as
VBScript also enable registry editing from scripts.
The Registry is stored in several files; depending upon the
version of Windows, there will be different files and different
locations for these files, but they are all on the local
machine, except for the Ntuser.dat file, which may be
placed on another computer to allow for
roaming profiles and the policy file, which is usually
stored on a server in the local network.
Windows NT, 2000, XP, and Server 2003
The following Registry files are stored in
- Sam – HKEY_LOCAL_MACHINE\SAM
- Security – HKEY_LOCAL_MACHINE\SECURITY
- Software – HKEY_LOCAL_MACHINE\SOFTWARE
- System – HKEY_LOCAL_MACHINE\SYSTEM
- Default – HKEY_USERS\.DEFAULT
The following files are stored in each user's profile folder:
- %UserProfile%\Ntuser.dat – HKEY_USERS\<User
- %UserProfile%\Local Settings\Application
Data\Microsoft\Windows\Usrclass.dat (path is localized)
– HKEY_USERS\<User SID>_Classes
Windows 95, 98, and Me
The registry files are named User.dat and
System.dat and are stored in the C:\WINDOWS\
directory. In Windows ME Classes.dat was added.
The registry file is called Reg.dat and is stored in
the C:\WINDOWS\ directory.
Since Windows 95, administrators can use a special file to be
merged into the registry, a policy file. The policy file allows
administrators to prevent non-administrator users from changing
registry settings like, for instance, the security level of IE
and the desktop background wallpaper. The policy file is
primarily used in a business with a large number of computers
where the business needs to be protected from the users and the
users need to be protected from themselves.
The default extension for the policy file is .pol.
The policy file filters the settings it enforces by user and by
group (a "group" is a defined set of users). To do that the
policy file merges into the registry, preventing users from
circumventing it by simply changing back the settings. The
policy file is usually distributed through a LAN, but can be
placed on the local computer.
Policy file editor
The policy file is created by a free tool by Microsoft that
goes by the filename poledit.exe for Windows 95/Windows
98 and with a computer management module for NT-based systems.
The module will not work in Windows XP Home Edition, but it does
work in the Professional edition. The editor requires
administrative permissions to be run on systems that use
permissions. The editor can also directly change the current
registry settings of the local computer and if the remote
registry service is installed and started on another computer it
can also change the registry on that computer. The policy editor
loads the settings it can change from .adm files, of
which one is included, that contains the settings the Windows
shell provides. The .adm file is plain text and
supports easy localisation by allowing all the strings to be
stored in one place. The policy editor has been renamed to Group
Policies in newer versions of Windows.
Useful Registry keys
The following registry keys may be of interest to users
attempting to customize their Windows systems.
Creating this (as a DWORD) and setting it to 1 will prevent
Windows (NT, 2000 or XP) from tracking the last access time
of files, which speeds up a lot of operations (especially
opening folders of items with previews).
Specifies the size of buffers used for storing requests to
the file/print server. Increasing this from the default of
4356 bytes can improve network performance: a figure of
14596 is frequently recommended.
(and the HKCU equivalent) specifies applications to
run whenever a user logs in. These can include desirable
programs, such as printer monitoring programs or
frequently-used tools, but a lot of
malware uses this registry key to ensure it is
automatically run. This key is a common place to start
looking for evidence of malware if a computer has been
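A first-pass triage of those autorun entries, as an added example that is not part of the original article. It assumes the key meant above is the standard Run key (Software\Microsoft\Windows\CurrentVersion\Run under HKLM and HKCU), whose path is not shown on this page; SAMPLE is constructed in the shape printed by reg.exe query, and the marker lists are illustrative heuristics, not a complete rule set.

```python
import re

# Constructed sample shaped like `reg query <key>` output for the two Run keys.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    PrintMonitor    REG_SZ    "C:\Program Files\ExamplePrint\monitor.exe" /tray
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\upd\svch0st.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Sync Tool    REG_EXPAND_SZ    %TEMP%\sync.exe -q
    Helper    REG_SZ    rundll32.exe C:\ProgramData\h.dll,Start
'''

# reg.exe separates name, type and data with four spaces; names may hold spaces.
ENTRY_RE = re.compile(r'^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$')

# Illustrative markers (assumptions): locations a non-administrator can write to,
# and binaries whose real payload is in their arguments.
USER_WRITABLE = ('%temp%', '%appdata%', '%localappdata%',
                 '\\appdata\\', '\\users\\public\\', '\\temp\\')
LAUNCHERS = {'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe',
             'cscript.exe', 'powershell.exe', 'cmd.exe'}

def parse_query(text):
    """Return (key_path, value_name, command) for every value line."""
    key, rows = None, []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and key:
            rows.append((key, m.group(1), m.group(3)))
        elif line.startswith('HKEY_'):
            key = line.strip()
    return rows

def executable(command):
    """Program part of a command line, whether quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces: read up to the first program extension.
    m = re.match(r'(.+?\.(?:exe|com|bat|cmd|scr))(?=\s|$)', command, re.I)
    return m.group(1) if m else command.split(' ', 1)[0]

def audit(rows):
    """Return (hive, value_name, reasons) for entries that deserve a closer look."""
    findings = []
    for key, name, command in rows:
        exe = executable(command).lower()
        reasons = []
        if any(marker in exe for marker in USER_WRITABLE):
            reasons.append('runs from a user-writable directory')
        if exe.rsplit('\\', 1)[-1] in LAUNCHERS:
            reasons.append('launcher binary; inspect its arguments')
        if reasons:
            findings.append((key.split('\\', 1)[0], name, reasons))
    return findings

if __name__ == '__main__':
    for hive, name, reasons in audit(parse_query(SAMPLE)):
        print(hive, name, '; '.join(reasons))
```

A flagged entry is a lead for review rather than a verdict, since legitimate per-user software also installs under the profile directory.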
The following registry tweaks are available from
Windows Registry Hacks at PCWorld.com, and are for Windows
XP Home/Professional unless noted:
- HKCU\Control Panel\Desktop (note: the last word
may appear as desktop). Double-click the
MenuShowDelay icon on the right, and change 'Value data'
from its default of 400 (milliseconds) to something
speedier, like 0, or slower, to 4000 (4 seconds). This
determines how long to delay before showing a
clicked/selected menu, such as File, or the
Start Menu after being clicked.
- HKCU\Control Panel\Desktop. Double-click the
AutoEndTasks icon in the right pane, change 'Value data' to
1. The default is 0. Setting it to 1 allows Windows to
automatically end processes that are unresponsive or frozen.
This is particularly useful when shutting down or resetting.
- HKCU\Control Panel\Desktop. HungAppTimeout icon
is located in the right pane. Select 'Value data' to change
it from the default (5000 milliseconds, or 5 seconds), to
something quicker, like 2500 (2.5 seconds). This is similar
to AutoEndTasks, only this focuses on currently running
Programs, instead of processes.
- HKCU\Control Panel\Desktop. WaitToKillAppTimeout
determines how long to wait before shutting down any
program that is unresponsive during the shut-down/reset
sequence. The default is 20000 (20 seconds), but 10000 (10
seconds) should suffice. Simply alter it to how long (or
short) you wish to wait, in milliseconds.
Double-click the WaitToKillServiceTimeout icon in the right
pane. This is for Windows' system processes that have become
unresponsive/frozen, particularly during shutting down or
resetting. Adjust its 'Value data' (also 20000 milliseconds,
or 20 seconds, by default) to the wait time of your choice,
and press <Enter>. Note: Your new value may not stick, since
some services automatically increase this number to build in
more time to clean up their act or shut down properly.
- HKCU\Control Panel\desktop. Double-click the
WallpaperOriginX icon in the right pane. (If you don't see
this icon, right-click in this pane, choose New, String
Value, type WallpaperOriginX to name the value, and press
<Enter>.) Type a number (in pixels) for the starting
horizontal position of your wallpaper's left edge, and press
<Enter>. Now double-click the WallpaperOriginY icon (create
it if necessary as explained above) and enter a number for
the starting vertical position of the image's top edge. If
your wallpaper image is larger than the screen, type a
negative number (for example, -200) to push the picture's
top or left edge off the screen. This is useful for users
that have upgraded to widescreen monitors, or who simply
want custom resolutions or ratios for their desktop
Double-click the FilterFilesWithUnknownExtensions icon in
the right pane, change the 0 in the 'Value data' box to 1,
and press <Enter>. This is very useful in coaxing the
Windows Search utility to find *every* file, instead of only
those with known file extensions, such as .exe, .zip, .rtf,
Search for the DWORD value named "Administrator", and
double-click the Administrator icon in the right pane. (If
you don't see this icon, right-click in the pane, choose
New, DWORD Value, name it Administrator, and press <Enter>.)
Type 1 in the 'Value data' box, and press <Enter>. From now
on, when you open the User Accounts window via the Control
Panel (choose Start, Run, type Control userpasswords, and
press <Enter>), you'll see the Administrator account. This
is extremely useful for recovering from hardware
issues and system failures, and for those who simply want to
show the Administrator at Windows Logon.
- HKCU\Software\Microsoft\Internet Explorer\Main.
In the Registry Editor, double-click the Window Title icon
in the right pane. (If you don't see this icon, right-click
in the pane, choose New, String Value, type Window Title,
and press <Enter>.) Type what you want to see on IE's title
bar, or type nothing to show only the site name. Note that
the hyphen that normally separates the site name from the
page title will remain. The changes will be shown upon
closing all Internet Explorer windows, and re-launching the
Advantages of the Registry concept
Changing from having one or more
INI files per program to one centralised registry has its
- The registry keeps machine configuration separate from
user configuration. When a user logs into a Windows
NT/2000/XP/Server 2003 computer, his or her user-based
registry settings are loaded from a different path than the
system wide settings. This allows programs to more easily
keep per-user configuration, as they can just work with the
"current user" key, whereas in the past they tended to just
keep system-wide per-program settings.
- Group Policy allows administrators on a Windows-based
computer network to centrally manage program and policy
settings. Part of this involves being able to set what an
entry in the registry will be for all the computers on the
network, and affect nearly any installed program — something
almost impossible with per-program configuration files each
with custom layouts, stored in dispersed locations.
- Because the registry is accessed through a special API
it is available to scripts and remote management using WMI.
Each script does not have to be customised for every
application's unique configuration file layouts and
- The registry can be accessed as one item over a network
connection for remote management/support, including from
scripts, using the standard API.
- It can be backed up more easily, in that it is just a
small number of files in specific locations.
- Portions of settings like any subset of an application
configuration can be saved in a text-based .REG file, which
can be edited with any text editor later. .REG files can
easily be merged back into the registry both by unattended
batch file or by the user using just a double-click on the
file without harming any setting that is not explicitly
stated in the .REG file. This is very useful for
administrators and support personnel who want to preset or
preconfigure only a few options like approving the
- Since accessing the registry does not require parsing, it
can be read from and written to more quickly than a text
file can be.
- Registry changes and readings can be tracked via a tool
RegMon on value level. This is a big advantage for
generating scripts in networks as well as debugging
- Registry keys are independent of the Windows language,
the Windows installation drive and path and even the Windows
versions as such. So support personnel can easily give out
one set of instructions, without having to handle these
things, unlike for example files in the user profile which
can be on different paths on each installation.
Criticisms of the Registry concept
However, the centralized Registry introduces some problems as
- The HKEY_LOCAL_MACHINE part is a
single point of failure — damage to the Registry can
render a Windows system unbootable, in extreme cases to a
point that cannot be fixed, and requires a full reinstall of
Windows. There is an automated backup mechanism, and these
secondary/backup files will be loaded, if the primary files
fail to load.
- The registry does not document itself in the same way a
configuration file can.
- Restoring parts of the registry is hard because the user
cannot easily extract data from backed up registry files.
Offline reading and manipulation of the registry (for
example from a parallel installed Windows or a boot CD) is
not trivial (but not impossible).
- Any application that doesn't uninstall properly, or
doesn't have an uninstaller, can leave entries in the
registry. In most cases this leads to performance or even
stability problems, but only if the application registers
itself as a class in HKEY_CLASSES_ROOT. (Note that user
settings usually remain in the registry, which is done by
design for two reasons: first, the user might be on a
Windows domain with server-based profiles, where the
settings move with the user to other computers. Uninstalling
the application on one computer does not mean the user does
not want to use the program on some other computer on the
domain. Second, the uninstall process would only be able to
modify the current user's settings anyway. In any case,
unused keys in HKCU have negligible impact on system
- Since at least 1998, pages on Microsoft's support
website relating to editing the registry include the
disclaimer "Use Registry Editor at your own risk.", so any
inexperienced user who requires registry editing but fails
has to pay for support.
- Applications that make use of the registry to store and
retrieve their settings are not conducive for use on
portable devices used to carry applications from one system
to another. Since the settings are in the registry, and the
registry is not on the portable device along with the
application, any setting changes are lost and must be
re-entered for each new system.
Registry alternatives in other
Other systems preserve the concept of separate configuration
files for separate application subsystems, but group them
together in a single filesystem directory for ease of
management, such as /etc/ and hidden directories
(directories that start with a period) within the home directory
Applications running on the
Mac OS X operating system typically store settings in
property list files which are usually stored in each user's
Library folder. An advantage of this is that corruption to one
of these files will normally only affect a single application,
whereas corruption of one of the Registry hives can have
wide-reaching effects. However, Mac OS X also has a system
NetInfo that stores system-wide settings such as user
account details and network configuration.
RISC OS also allows applications to be copied into
directories easily without the need to install the application
as one would in Windows, if one wishes to remove the
application, simply delete the folder belonging to the
. This is possible because RISC OS does not support
multi-user environments with different settings for each user.
IBM AIX (a Unix derivative) uses a registry component called
Object Data Manager (ODM). The ODM is used to store information
about system and device configuration. An extensive set of tools
and utilities provides users with means of extending, checking,
and correcting the ODM database. The ODM stores its information in
several files; the default location is /etc/objrepos.
Problems with Windows 9x OS
On Windows 9x computers, an older installation can have a
very large registry that slows down the computer's startup and
can make the computer unstable. This has led to frequent
criticisms that the registry leads to instability. However,
these problems occur far less often on the Windows NT family of
systems, including Windows XP.
Elektra Initiative: A Windows Registry-like back-end for
configuration of the GNU/Linux operating system.
GNOME settings database.
Windows 2000 Security Hardening Guide version 1.3,
2003, says "It is highly recommended to use regedt32.exe
(a.k.a. the Windows NT registry editor) and not regedit.exe
(a.k.a. the Windows 95 registry editor) to modify registry
settings. Both editors ship with Windows 2000 and
regedit.exe is generally perceived as easier to use.
However, regedit.exe does not support all the registry data
types and will convert certain types it does not understand.
Certain values will not be read properly if they are
converted and this can cause serious problems with the
system, including failure to boot."
Russinovich, Mark E.; Solomon, David A. (2005).
Microsoft Windows Internals, Fourth Edition, Washington,
USA: Microsoft Press, 183-236.
Microsoft Knowledge Base article : "Description of the
Microsoft Windows registry"
MSDN Win32 Registry Reference
Win32 Registry Activity Monitor (Utility and Source code)
Information on the Windows registry
Low-level Registry and SAM Information.
Reading and Writing Registry Values with Visual Basic.
System Rescue CD free
Linux recovery CD including open-source registry tools
as well as many other recovery tools (see
Hivetools Offline GPL registry manipulation tools and
REGLN - Create symbolic links in Windows Registry.
Regmon - This monitoring tool lets you see all Registry
activity in real-time.
ERUNT & NTREGOPT ERUNT makes complete backups of the
registry and has the option to fully restore if needed,
NTREGOPT can optimize registry.
PC-CLEANER PC-CLEANER is registry cleaner also allowing
the user to backup and restore their registry in folder of
Microsoft subinacl.exe - Windows Commandline permissions