The HKEY_LOCAL_MACHINE Key (part 1)


The HKEY_LOCAL_MACHINE Key

HKEY_LOCAL_MACHINE is one of the most important and most interesting root keys of the registry. It contains configuration data for the local computer. Information stored in this registry key is used by applications and device drivers and by the operating system itself for obtaining information on the local computer's configuration. Moreover, the information doesn't depend on the user who's logged in to the system.

The HKEY_LOCAL_MACHINE root key contains five subkeys, briefly described in Table 7.1. The rest of this section describes the subkeys in greater detail.

Table 7.1: Subkeys Contained within the HKEY_LOCAL_MACHINE Root Key

Subkey: HARDWARE
Contents: This subkey contains a database describing all the hardware devices installed on the computer, the method of interaction between device drivers and hardware devices, and the data that connects kernel-mode device drivers with user-mode code. All the data contained within this subkey are volatile. The system re-creates these data each time it starts.

The Description subkey describes all the hardware physically present on the computer. The hardware recognizer collects this information at system startup and the kernel stores this information under the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION registry key.

The DeviceMap subkey contains various data in formats defined by certain device driver classes. As device drivers are loading, they pass their information to the system so that it can associate specific hardware devices and their drivers.

The ResourceMap subkey contains information on the system resources allocated to each device (including ports, DMA addresses, IRQs). Notice that all Windows NT-based operating systems, including Windows 2000, Windows XP and Windows Server 2003, provide a much more convenient way to view the contents of this subkey. To view (and possibly change) this data, it is recommended that you use various administrative tools.
For example, if you're using Windows NT 4.0, you can view the information using the Windows NT Diagnostics utility (Winmsdp.exe). In Windows 2000/XP and Windows Server 2003, you can use the MMC console or Device Manager for the same purpose.

Subkey: SAM
Contents: This subkey contains the directory services database, which stores information on user and group accounts and security subsystems (SAM stands for the Security Account Manager). By default, you can't view this key using registry editors even if you're logged in as an Administrator. The data contained within the HKLM\SAM registry key isn't documented, and user passwords are encrypted.

Note that for Windows NT domains the SAM database also stores a domain directory services database. In native-mode Windows 2000 or Windows Server 2003 domains, the directory services database is stored in the Ntds.dit file on domain controllers. However, the SAM database remains important, since it stores local accounts (required to log on locally). If your computer that is running Windows XP or Windows Server 2003 does not participate in a domain, the SAM database is the main storage of the user and group accounts information.

Subkey: SECURITY
Contents: This database contains the local security policy, including user rights and permissions. The key is only used by the security subsystem. For example, it contains information that defines whether or not an individual user can reboot the computer, start or stop device drivers, backup/recover files, or access the computer through the network. Information contained within this key is also encrypted. The HKLM\SAM key is the link to the HKLM\SECURITY\SAM key.

Subkey: SOFTWARE
Contents: This database contains information on the software products installed on the local computer, along with various configuration data.
Subkey: SYSTEM
Contents: This database contains information on controlling the system startup, the loading order of device drivers and system services, and on operating system behavior.

Note: You can read the information contained in any of these subkeys, but it only makes sense to edit the contents of the Software and System keys.

If the HKEY_CURRENT_USER registry key contains data similar to that contained under HKEY_LOCAL_MACHINE, then by default the HKEY_CURRENT_USER data takes priority.

Note: If you read the previous chapter carefully, you'll recall that the Policy setting under HKEY_LOCAL_MACHINE is given priority over the individual settings specified for each user. This is only true if you logged in to the system as an Administrator and specified the default value for the power policy, as described in Chapter 5.

However, the settings under this key may also extend the data under HKEY_LOCAL_MACHINE rather than replace them. Furthermore, there are certain settings (for example, those that manage the device driver loading order) that have no meaning outside the HKEY_LOCAL_MACHINE root key.

The HKEY_LOCAL_MACHINE\HARDWARE Key

The HKEY_LOCAL_MACHINE\HARDWARE registry key contains hardware data recreated during each system startup. This data includes information about the devices on the motherboard and the data on the IRQs used by individual device drivers.

The HARDWARE key contains important data sets subdivided between the following three subkeys: DESCRIPTION, DEVICEMAP, and RESOURCEMAP.

All the information contained under HKEY_LOCAL_MACHINE\HARDWARE is volatile. This means that the settings are computed and recreated each time the system starts up, and are lost when you shut the system down. All drivers and applications use this subtree for obtaining information on system components and for storing the data directly under the DEVICEMAP subkey and indirectly under the RESOURCEMAP subkey (Fig. 7.1).
Figure 7.1: The HKEY_LOCAL_MACHINE\HARDWARE registry key

Note: As was explained in Chapter 5, integrated support for Plug and Play and power management in Windows 2000, Windows XP, and Windows Server 2003 is only available on computers that have an Advanced Configuration and Power Interface (ACPI) BIOS. At boot time, the operating system loader checks whether such a BIOS is loaded. If so, ACPI is enabled in the operating system. If such a BIOS is not loaded, ACPI is disabled and the less reliable Advanced Power Management (APM) model is used instead. Microsoft supplies the ACPI driver as part of the operating system. On systems that have an ACPI BIOS, the HAL causes the ACPI driver to be loaded during system start-up at the base of the device tree, where it acts as the interface between the operating system and the BIOS. The ACPI driver is transparent to other drivers. If your system has ACPI BIOS, the HKEY_LOCAL_MACHINE\HARDWARE registry tree will contain the nested ACPI subkey (Fig. 7.1).

Don't try to edit the data under HKEY_LOCAL_MACHINE\HARDWARE directly. This information is usually stored in binary format and is difficult to understand if you can't interpret binary data.

Tip: If you want to view this information in user-friendly format, select Programs | Administrative Tools | Computer Management from the Start menu and expand the MMC console tree (Windows 2000) or click Start | All Programs | Accessories | System Tools | System Information (Windows XP and Windows Server 2003) to open the System Information window (Fig. 7.2).

Figure 7.2: The System Information utility allows you to view hardware information in user-friendly format

The DESCRIPTION Subkey

The DESCRIPTION subkey under HKEY_LOCAL_MACHINE\HARDWARE displays information from the hardware database. For x86 computers, this information contains data on the devices detected by Ntdetect.com and Ntoskrnl.exe.
Ntdetect.com is the standard DOS-style program that uses BIOS calls for selecting hardware information and configuring hardware devices. This includes date and time information stored in the CMOS chip; bus types (for example, ISA, PCI, EISA) and identifiers of the devices on these buses; data on the number, type, and capacity of the hard drives installed in the system; and the number and types of parallel ports. Based on this information, the system creates internal data structures that Ntoskrnl.exe stores under HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION during system startup.

A specific feature of the Ntdetect.com version included with Windows 2000, Windows XP, and Windows Server 2003 is that PnP detection functions are delegated to PnP drivers. In contrast, the Windows NT 4.0 version of Ntdetect.com detects all installed hardware (due to limited PnP support in Windows NT 4.0).

Ntdetect.com detects the following hardware:

- Type of bus\adapter
- Keyboard
- SCSI adapters
- COM-ports
- Machine ID
- Video adapter
- Arithmetic coprocessor
- Mouse
- Floppy drives
- Parallel ports

Note: Network adapters aren't detected at this phase. The system detects network adapters either during OS installation, or when you install a new network adapter. More detailed information on this topic will be provided in Chapter 8.

There are more subkeys, each of them corresponding to a certain bus controller type. These subkeys are located under HKEY_LOCAL_MACHINE\Hardware\Description\System\MultifunctionAdapter. Each of these keys describes a specific controller class (including hard disk controllers, display controllers, parallel port controllers, and SCSI controllers). The path to the subkey describes the component type. All physical devices are numbered, beginning from 0. Each detected hardware component has Component Information and Configuration Data settings, which contain binary data on the version of a specific component and its configuration (Fig. 7.3).
The Identifier setting contains the component name (if specified).

Figure 7.3: The HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter registry key

The DEVICEMAP Subkey

The HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP registry key contains a set of subkeys equipped with one or more settings that specify the path to the drivers required by each device. Let's consider using this information for searching for device drivers. For example, how does the registry store information on the video drivers? Fig. 7.4 shows an example illustrating the contents of the VIDEO subkey under the DEVICEMAP key (the information you'll see when you open the registry key will differ from what's shown in this figure). However, the information will show you what you'll see in general.

The HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\VIDEO registry key contains settings that are actually links to currently active devices. These registry items use an ordinal-naming scheme (for example, in Fig. 7.4 it's \Device\VideoN, where N is an ordinal number (0, 1, 2…)). The values of each of these registry settings are REG_SZ strings that reference particular device drivers.

Figure 7.4: The HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\VIDEO registry key

Note: Notice that these strings have a specific data format. For example, the Device\Video0 setting represented in Fig. 7.4 is set to the \Registry\Machine\System\CurrentControlSet\Control\Video\{56652C39-3E1C-4A83-AD68-1CF58F0EDEE9}\0000 value. This format is different from the one that's normally used (for example, HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER). What does this mean?

All Windows NT-based operating systems, including Windows 2000, Windows XP, and Windows Server 2003, are object-oriented, which means that they manipulate several object types, including devices, ports, events, directories, and symbolic links. Registry keys are objects of special types. The registry root key is the object of the Key type named REGISTRY.
In the DDK (Device Driver Kit) documentation, the names of all the registry keys begin with the \REGISTRY string (for example, \REGISTRY\Machine\CurrentControlSet\Services). Thus, the HKEY_LOCAL_MACHINE handle is the key named \REGISTRY\Machine, and the HKEY_USERS handle is the key named \REGISTRY\User.

Now let's expand the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{56652C39-3E1C-4A83-AD68-1CF58F0EDEE9}\0000 registry key (Fig. 7.5).

Figure 7.5: The contents of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{56652C39-3E1C-4A83-AD68-1CF58F0EDEE9}\0000 registry key

This key contains quite a lot of entries, mainly in binary format, among which is the Device Description value (data type REG_SZ) that contains the device description (NVIDIA RIVA TNT, in our example). Besides, it also possesses another value, InstalledDisplayDrivers, which references the driver for this device (nv4_disp in our example). The nested Video key contains the Service value entry referencing the nv service (Fig. 7.6). Information on this service can be found in the registry under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry key (Fig. 7.7). It must exist for the device to function properly, and you'll certainly find it.

Figure 7.6: The contents of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{56652C39-3E1C-4A83-AD68-1CF58F0EDEE9}\Video registry key

Figure 7.7: The contents of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nv registry key

Tip: Use Regedit.exe searching capabilities to find the key, since in our case this is the easiest way to locate the required key.

The key that you are locating contains standard settings that specify the start mode for the driver: Start, Tag, Type, ErrorControl, and Group.
Depending on the driver type, its key may contain several other settings, such as the ImagePath setting that specifies an actual path to the directory where the driver resides (system32\DRIVERS\nv4_mini.sys, in our example).

Note: Notice how the image path has been specified. The loading order for the driver is specified by the Start setting (as we saw in the previous chapter). Sometimes the system doesn't assign drive mappings at the time the driver's loaded. Because of this, an error may result if you specify, for example, "C:\WINNT\System32\DRIVERS\<YourDriver>" as a value for ImagePath.

The HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services\<Driver> key may contain an optional REG_SZ setting named DisplayName. The value assigned to this parameter is a text string displayed by administrative utilities. If the DisplayName setting is omitted, then the actual name of the service or driver will be displayed in the list.

In addition to the settings listed above, the video driver key under HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services contains several subkeys. One of the most important subkeys within this key is DeviceN; in our example, this is the Device0 subkey (Fig. 7.8).
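The lookup chain walked through above (DEVICEMAP\VIDEO to Control\Video to Services), together with the \Registry\Machine path format and the ImagePath drive-letter caveat, as an added Python example that is not part of the original text. The SAMPLE dictionary is constructed from the values quoted in this section; the function names and the Start value of the nv service are assumptions.

```python
import re

HKLM = "HKEY_LOCAL_MACHINE"
# Kernel object-namespace prefixes and the root keys they correspond to.
ROOTS = {r"\registry\machine": HKLM, r"\registry\user": "HKEY_USERS"}
START = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
VIDEO = HKLM + r"\SYSTEM\CurrentControlSet\Control\Video\{56652C39-3E1C-4A83-AD68-1CF58F0EDEE9}"
SERVICES = HKLM + r"\SYSTEM\CurrentControlSet\Services"

# Constructed sample (key path -> values), built from the values quoted in the
# text; the Start value is an assumption, the page does not give it.
SAMPLE = {
    HKLM + r"\HARDWARE\DEVICEMAP\VIDEO": {
        r"\Device\Video0": r"\Registry\Machine\System\CurrentControlSet\Control"
                           r"\Video\{56652C39-3E1C-4A83-AD68-1CF58F0EDEE9}\0000"},
    VIDEO + r"\0000": {"Device Description": "NVIDIA RIVA TNT",
                       "InstalledDisplayDrivers": "nv4_disp"},
    VIDEO + r"\Video": {"Service": "nv"},
    SERVICES + r"\nv": {"Start": 1, "ImagePath": r"system32\DRIVERS\nv4_mini.sys"},
}

def kernel_to_win32(path):
    """Rewrite a kernel-style registry path in its root-key (HKEY_...) form."""
    low = path.lower()
    for prefix, root in ROOTS.items():
        if low == prefix or low.startswith(prefix + "\\"):
            return root + path[len(prefix):]
    raise ValueError("not a kernel registry path: " + path)

def lookup(reg, key):
    """Case-insensitive key lookup; registry key names ignore case."""
    return {k.lower(): v for k, v in reg.items()}[key.lower()]

def trace_video_driver(reg, device=r"\Device\Video0"):
    """Follow the DEVICEMAP link to the adapter key, then to its service key."""
    target = kernel_to_win32(lookup(reg, HKLM + r"\HARDWARE\DEVICEMAP\VIDEO")[device])
    adapter = target.rsplit("\\", 1)[0]            # drop the 0000 instance subkey
    service = lookup(reg, adapter + r"\Video")["Service"]
    svc = lookup(reg, SERVICES + "\\" + service)
    return {"description": lookup(reg, target)["Device Description"],
            "service": service, "start": START[svc["Start"]],
            "image_path": svc["ImagePath"],
            # True when ImagePath depends on a drive mapping (the C:\WINNT case).
            "drive_letter_path": bool(re.match(r"[A-Za-z]:\\", svc["ImagePath"]))}
```

On a live Windows system the same functions can be fed a dictionary filled from the standard winreg module instead of SAMPLE.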

Date posted: 14/12/2013, 10:15
