
The Registry (PDF document)


DOCUMENT INFORMATION

Basic information

Format
Pages: 20
Size: 141.22 KB

Content

The Registry

The registry is the core repository of configuration information in Windows 2000, storing information about the operating system, applications, and user environment on standalone workstations and member servers (non-domain controllers).

The Purpose of the Registry

Early versions of the Windows operating system family, such as Windows 3.x, stored most of their configuration information in initialization, or .ini files. These files were text files containing various sections that stored settings for a variety of properties such as device drivers, application and document associations, user environment settings, and so on. Windows applications used .ini files as well to store their configuration settings. Even today in Windows 2000 and applications, .ini files are still a widely used mechanism for storing user, application, and operating system settings. A quick search of your hard drive for .ini files will illustrate that fact.

Although they provide a simple means of storing and retrieving settings, .ini files offer some disadvantages, particularly for storing important OS settings such as device drivers, configuration data, user environment settings, and so on. First, Windows 2000 needs a fault tolerant system for maintaining its settings to avoid the problem of an unbootable system due to a corrupt or missing .ini file. This information also needs to be secure, something .ini files can’t really provide. Finally, managing all the settings needed to keep a Windows 2000 system up and running, plus applications and user-related settings, would be overwhelming if .ini files were the only solution.

The registry comes to the rescue. In Windows 2000, like Windows NT before it, the registry stores configuration information about the system’s hardware and software, both operating system- and application-related.
The registry also stores information about users, including security settings and rights, working environment (desktop properties, folders, and so on), and much more. However, unlike Windows NT, it no longer stores domain user and computer accounts or information related to “network” objects; this job now belongs to the Active Directory, as explained in Chapter 2 and the chapters in Part III.

Chapter 18 ✦ In This Chapter: The Purpose of the Registry; The Registry’s Structure; The Registry Editors; Securing the Registry

When you promote a member server to a domain controller, all registry settings that also apply to a domain controller server, such as the desktop settings, are absorbed into Active Directory. But when you demote the server, the original registry settings are not restored, and you are returned to a clean registry. (The demotion wizard even asks you for a new Administrator password because the original account is lost.) Keep this in mind when you demote a domain controller, because Active Directory can easily outgrow the host machine it was originally installed on.

The following list explains some of the ways certain components make use of the registry:

✦ Setup: When you install Windows 2000, Setup builds the registry based on your selections (or automated selections) during installation. Setup also modifies the registry when you add or remove hardware from the system.
✦ Application setup: The Setup program for an application typically will modify the registry to store the application’s settings at installation. It also will typically read the registry to determine which components, if any, are already installed.
✦ Applications: Most applications that store their settings in the registry modify those settings during program startup, shutdown, or general operation to store changes made to application settings either by the application or by the user.
✦ Ntdetect: The Ntdetect.com program executes at system startup to detect hardware and attached peripherals, and it stores information in the registry about those items for use in subsequent boot steps to initialize device drivers for identified devices.
✦ The kernel: The Windows 2000 kernel reads the registry at startup to determine which device drivers to load and in which order, along with other driver initialization parameters.
✦ Device drivers: Most device drivers store their configuration and operating settings in the registry, reading the registry at initialization to determine how to load and function.
✦ System: The Windows 2000 operating system as a whole uses the registry to store information about services, installed applications, document and OLE (Object Linking and Embedding) associations, networking, user settings, and other properties.
✦ Administrative tools: One of the main functions of utilities such as the Control Panel, the various MMC consoles, and standalone administration utilities is typically to modify the registry. In this context, these utilities provide a user interface for registry modification.
✦ The Registry Editors: Windows 2000 provides two utilities, regedit.exe and regedt32.exe, that enable you to view and modify the registry directly. While you’ll want to perform most modification tasks using other utilities, the Registry Editors make possible tasks such as direct modification, selected registry backup, and others.

The registry is in many ways the “brain” of the Windows 2000 OS. Nearly everything the OS does is affected by or affects the registry. For that reason, it’s important to not only understand the registry’s function and how to modify it, but also how to protect it from catastrophe or unauthorized access. The following sections explain the structure of the registry and how to manage it.
The Registry Structure

The registry forms a hierarchical (tree) database with five primary branches called subtrees. A subtree can contain keys, which function as containers within the subtree for subkeys and values. Subkeys are sub-branches within a key. Values are the individual settings within a key or subkey. Perhaps the best way to understand the registry structure is to view it through one of the Registry Editors, as shown in Figure 18-1. (You’ll find detailed information about the Registry Editors later in this chapter.)

Figure 18-1: The Registry Editors show the structure of the registry — a hierarchical tree, with each subtree serving as a primary branch.

There are two physical subtrees in the Windows 2000 registry: HKEY_LOCAL_MACHINE and HKEY_USERS, the former containing system- and hardware-related settings and the latter containing user-related settings. These two physical subtrees are divided into the five logical subtrees you see in the Registry Editors. Organizing the registry into five logical subtrees makes it easier to navigate and understand the logical structure of the registry. The five logical subtrees are as follows:

✦ HKEY_LOCAL_MACHINE: This subtree, often abbreviated as HKLM, stores settings that apply to the local machine, defining hardware and operating system settings that are the same regardless of which user is logged on. The settings in HKLM, for example, define device drivers, memory, installed hardware, and startup properties.
✦ HKEY_CLASSES_ROOT: Abbreviated HKCR, this subtree contains file association data, such as associating a document file type with its parent application and defining the actions taken on a given document type for various tasks (open, play, edit, and so on). This subtree is built from HKLM\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes, with the value in HKCU taking precedence.
HKCR provides user- and computer-specific class registration, providing different class registrations for each user. This per-user class registration is different from previous versions of Windows that provided the same registration data for all users.
✦ HKEY_CURRENT_USER: This subtree (HKCU) stores the user profile for the user who is currently logged on to the system locally. Settings include desktop configuration and folders, network and printer connections, environment variables, Start menu and applications, and other settings that define the user operating environment and UI. This subtree is actually an alias of HKEY_USERS\SID, where SID is the security ID of the current user.
✦ HKEY_USERS: This subtree (HKU) stores user profile data for users who log on to the computer locally, as well as the default user profile for the local computer.
✦ HKEY_CURRENT_CONFIG: This subtree (HKCC) stores hardware configuration data about the local computer identified at startup and includes settings relating to device assignments, device drivers, and so on. This subtree is an alias of HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

Each of the subtrees listed previously represents a hive. Microsoft defines a hive as describing a body of keys, subkeys, and values rooted at the top of the registry hierarchy. An individual hive comprises three files:

✦ A registry file, in most cases stored in systemroot\System32\Config. This file contains the registry structure and settings for the given hive.
✦ A log file, stored in systemroot\System32\Config. This file serves as a transaction log for modifications to the hive registry file.
✦ A repair (backup) file, located in systemroot\System32\Repair. This is a backup copy of the registry file.

Table 18-1 lists the registry hives and their corresponding file names.
Table 18-1: Registry Hive Files

Hive                            Files
HKEY_LOCAL_MACHINE\SAM          Sam and Sam.log
HKEY_LOCAL_MACHINE\SECURITY     Security and Security.log
HKEY_LOCAL_MACHINE\SOFTWARE     Software and Software.log
HKEY_LOCAL_MACHINE\SYSTEM       System and System.alt
HKEY_CURRENT_CONFIG             System and System.log
HKEY_CURRENT_USER               Ntuser.dat and Ntuser.dat.log
HKEY_USERS\DEFAULT              Default and Default.log

With the exception of Ntuser.dat and Ntuser.dat.log, the hive files are stored in systemroot\System32\Config. The Ntuser.dat and Ntuser.dat.log files are stored in \Documents and Settings\user for systems with clean Windows 2000 installations or upgrades from Windows 9x. Systems upgraded from Windows NT store the Ntuser.dat and Ntuser.dat.log files in systemroot\Profiles\user.

Windows 2000 uses a process known as flushing to ensure a reliable, working copy of the registry at all times, guarding against attempted registry changes not being completed. Attempted changes to the registry are flushed, or saved to disk, when a given number of seconds has passed or when the modifying application explicitly requests it. The following explains how flushing occurs for all but the SYSTEM hive (HKLM\SYSTEM):

1. Modified data is written to the hive log file so that the data can be reconstructed if the system halts or fails before the data is written to the registry file.
2. The log file is flushed upon completion of a successful update to the log file.
3. Windows 2000 marks the first sector of the registry file to indicate that it is in the process of being modified (dirty).
4. The changes are written to the registry file.
5. Upon successful completion of the write operation, the first sector is modified to indicate successful completion (clean).

When Windows 2000 reads the hive files to construct the registry, it checks the status of each file.
If the system failed during a previous registry update operation, the registry file will still be marked as dirty. In that situation, Windows 2000 attempts to recover the registry file using the log file. The changes identified in the log file are applied to the registry file, and if successful, the file is marked as clean.

The SYSTEM hive behaves a little differently from the others in terms of fault tolerance. The systemroot\System32\Config folder includes a file named System.alt, which is a clean copy of the current System registry file. After a successful modification of the System file, it is copied to System.alt for use as a backup. If a problem occurs with the System hive file during boot, Windows 2000 switches to System.alt.

Having a backup of the registry is critical to being able to recover a failed system. Although Windows 2000 provides fault-tolerant management of the registry hive files, you should employ some additional procedures to ensure a valid, working copy of the registry. See the section “Backing Up and Securing the Registry” later in this chapter for detailed information. You’ll also find coverage of backup procedures in Chapter 17.

Registry Hive Files

As we mentioned earlier, the registry is divided into five logical hives. This section looks at each hive in a bit more detail.

HKEY_LOCAL_MACHINE

As explained earlier, the HKEY_LOCAL_MACHINE (HKLM) root key contains hardware and operating system settings for the local computer. HKLM contains the following subkeys:

✦ HARDWARE: This key stores the physical hardware configuration for the computer. Windows 2000 recreates this key each time the system boots successfully, ensuring up-to-date hardware detection/configuration.
✦ SAM: The Security Account Manager key contains security data for users and groups for the local machine.
✦ SECURITY: This key contains data that defines the local security policy.
✦ SOFTWARE: This key stores data about installed software.
✦ SYSTEM: This key stores data about startup parameters, device drivers, services, and other system-wide properties.

When corresponding settings are found in the HKCU key, those settings override settings in HKLM for the current user for certain data. If no corresponding settings exist, those in HKLM are used. For certain items such as device drivers, the data in HKLM is always used regardless of whether the data also resides in HKCU.

HKEY_USERS

The HKEY_USERS (HKU) key stores user profile data for users who log on to the computer locally, as well as the default user profile for the local computer. It contains a subkey for each user whose profile is stored on the computer, in addition to a key for the default user (.DEFAULT). It’s virtually impossible to identify a given user from the SID, but you wouldn’t want to try to modify settings in this key anyway except through the administrative tools that modify the registry. If you do need to modify settings directly, use the HKCU key instead.

HKEY_CURRENT_USER

As explained previously, the HKCU key is an alias for the HKU\SID key, where SID is the SID for the current local user. In other words, HKCU points to the registry key in HKU where the currently logged-on user’s registry data is stored. It contains the following subkeys:

✦ AppEvents: This key contains data about application and event associations such as sounds associated to specific events. Use the Sounds and Multimedia object in the Control Panel to modify settings in this key.
✦ Console: This key contains data that defines the appearance and behavior of the Windows 2000 command console (command prompt) and character-mode applications. Use the application or command console’s Control menu to define settings in this key.
✦ Control Panel: This key contains data normally set through the Control Panel applets.
✦ Environment: This key contains environment variable assignments for the current user.
✦ Identities: This key contains user-specific identity information such as last user ID, last user name, and software-related identity settings for Outlook Express, the address book, and so on.
✦ Keyboard Layout: This key stores information about the user’s keyboard layout and key mapping for international settings. Use the Regional Options object in the Control Panel to modify these settings.
✦ Network: This key stores data about the user’s network connections.
✦ Printers: This key stores data about the user’s printer connections.
✦ RemoteAccess: This key stores data about the user’s Internet profile and dial-up connection settings.
✦ Software: This key stores data about the user’s installed applications.
✦ UNICODE Program Groups: This key stores data about the user’s UNICODE Program Groups and is usually empty unless the system has migrated to Windows 2000 from an original Windows 3.1 installation (unlikely in most cases).
✦ Volatile Environment: This key stores volatile operating environment data such as the user’s application directory (usually \Documents and Settings\user\Application Data) and logon server.

HKEY_CLASSES_ROOT

The HKCR key stores data about file associations and is built from HKLM\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes, with the value in HKCU taking precedence. It contains numerous keys, one for each file/document type. Use the File Types tab of the Folder Options object in the Control Panel to modify file associations. See Chapter 5 for more information about the Control Panel applets.

HKEY_CURRENT_CONFIG

The HKCC key is an alias of HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current, and it stores hardware configuration data about the local computer relating to device assignments, device drivers, and so on. It contains two keys: Software and System.
The Software key stores settings for system fonts and a handful of application settings. The System key stores a partial copy of the CurrentControlSet key in HKLM\SYSTEM\CurrentControlSet.

Keys and Values

As you’ve read up to this point, keys serve as containers in the registry. Keys can contain other keys (subkeys). Keys can also contain value entries, or simply, values. These are the “substance” of the registry. Values comprise three parts: the name, data type, and value. The name identifies the setting. The data type describes the item’s data format. The value is the actual data. The following list summarizes data types currently defined and used by the system:

✦ REG_BINARY: This data type stores the data in raw binary format, one value per entry. The Registry Editors display this data type using hexadecimal format.
✦ REG_DWORD: This data type stores data as a four-byte number, one value per entry. The Registry Editors can display this data type in binary, hexadecimal, or decimal formats.
✦ REG_EXPAND_SZ: This is a variable-length string that includes variables expanded when the data is read by a program, service, and so on. The variables are represented by % signs, and an example is the use of the %systemroot% variable to identify the root location of the Windows 2000 folder, such as a path entry to a file stored in systemroot\System32. One value is allowed per entry.
✦ REG_MULTI_SZ: This data type stores multiple string values in a single entry. String values within an item are separated by spaces, commas, or other such delimiters.
✦ REG_SZ: This data type stores a single, fixed-length string, and is the most common data type used in the registry.
✦ REG_FULL_RESOURCE_DESCRIPTOR: This data type stores a series of nested arrays such as a resource list for a device driver or hardware component.
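The name/data type/value triple described above is what a tool has to interpret when it reads raw value data out of a hive, for example during forensic review. The following decoder is an added example, not code from the book or from Windows; the value names, sample bytes and the SystemRoot setting are constructed, and the type codes are the standard ones from the Windows SDK.

```python
import re
import struct

# Registry value type codes as defined in the Windows SDK (winnt.h).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7


class MalformedValue(ValueError):
    """Raw value data does not match its declared data type."""


def decode_utf16(raw):
    # Registry strings are stored as UTF-16LE, so the byte count must be even.
    if len(raw) % 2:
        raise MalformedValue("string data has an odd number of bytes")
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError as exc:
        raise MalformedValue(f"invalid UTF-16LE: {exc}") from exc


def expand(text, env):
    # Replace %name% with its value; unknown variables are left as written.
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), text)


def decode_value(reg_type, raw, env=None):
    """Turn raw value data into a Python object according to its data type."""
    if reg_type == REG_DWORD:
        if len(raw) != 4:
            raise MalformedValue(f"REG_DWORD needs 4 bytes, got {len(raw)}")
        return struct.unpack("<I", raw)[0]          # little-endian 32-bit
    if reg_type == REG_BINARY:
        return " ".join(f"{b:02x}" for b in raw)    # hex, as the editors show it
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        text = decode_utf16(raw).split("\0", 1)[0]  # stop at the terminator
        return expand(text, env or {}) if reg_type == REG_EXPAND_SZ else text
    if reg_type == REG_MULTI_SZ:
        # In raw data each string is NUL-terminated; an empty string ends the list.
        strings = []
        for item in decode_utf16(raw).split("\0"):
            if item == "":
                break
            strings.append(item)
        return strings
    raise MalformedValue(f"unsupported type code {reg_type}")


def w(text):
    return text.encode("utf-16-le")


# Constructed sample values (name, type, raw data); not taken from a real hive.
SAMPLES = [
    ("Start", REG_DWORD, struct.pack("<I", 2)),
    ("ImagePath", REG_EXPAND_SZ, w("%systemroot%\\System32\\example.sys\0")),
    ("Tags", REG_MULTI_SZ, w("alpha\0beta\0\0")),
    ("Blob", REG_BINARY, bytes([0xDE, 0xAD, 0x01])),
    ("Truncated", REG_DWORD, b"\x01\x00\x00"),      # deliberately one byte short
]


def decode_samples(env):
    """Decode every sample, reporting malformed data instead of stopping."""
    report = {}
    for name, reg_type, raw in SAMPLES:
        try:
            report[name] = decode_value(reg_type, raw, env)
        except MalformedValue as exc:
            report[name] = f"MALFORMED: {exc}"
    return report


if __name__ == "__main__":
    for name, value in decode_samples({"SystemRoot": "C:\\WINNT"}).items():
        print(f"{name:10} {value!r}")
```
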
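The five-step flush and the startup recovery described earlier in this chapter (for hives other than SYSTEM) can be modelled to show what the hive looks like after a halt at each step. This is an added example, not code from the book or from Windows; the ToyHive class, its field names and the sample values are hypothetical.

```python
class Crash(Exception):
    """Simulated system halt or power failure during a flush."""


class ToyHive:
    """Toy model of one hive: a registry file with a status mark, plus a log."""

    def __init__(self, values):
        # Durable state: survives a crash.
        self.reg_values = dict(values)   # contents of the registry file
        self.reg_dirty = False           # status mark in the file's first sector
        self.log_file = None             # contents of the hive log file
        # Volatile state: lost on a crash.
        self.log_buffer = None

    def flush(self, changes, crash_after=None):
        def done(step):
            if crash_after == step:
                self.log_buffer = None
                raise Crash(f"halt after step {step}")

        self.log_buffer = dict(changes)          # 1. data written to the log
        done(1)
        self.log_file = dict(self.log_buffer)    # 2. log file flushed to disk
        done(2)
        self.reg_dirty = True                    # 3. registry file marked dirty
        done(3)
        for n, (name, data) in enumerate(sorted(changes.items())):
            self.reg_values[name] = data         # 4. changes written to the file
            if n == 0:
                done(4)                          # a halt here is a torn write
        self.reg_dirty = False                   # 5. registry file marked clean

    def load(self):
        """Startup check: replay the log only if the file is still dirty."""
        recovered = False
        if self.reg_dirty:
            self.reg_values.update(self.log_file)
            self.reg_dirty = False
            recovered = True
        return dict(self.reg_values), recovered


# Constructed sample data: the hive before the change and the intended change.
OLD = {"Start": 3, "Type": 1}
NEW = {"Start": 2, "Type": 16}


def run_scenarios():
    """Halt after each step and report (file before startup, loaded, recovered)."""
    results = {}
    for crash_after in (None, 1, 2, 3, 4):
        hive = ToyHive(OLD)
        try:
            hive.flush(NEW, crash_after)
        except Crash:
            pass
        on_disk = dict(hive.reg_values)
        loaded, recovered = hive.load()
        results[crash_after] = (on_disk, loaded, recovered)
    return results


if __name__ == "__main__":
    for point, (on_disk, loaded, recovered) in run_scenarios().items():
        print(f"halt after step {point}: file={on_disk} "
              f"loaded={loaded} recovered={recovered}")
```

In every scenario the loaded hive holds either all of the old values or all of the new ones; the half-written file left by a halt during step 4 is repaired from the log at startup.
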
Registry Size

As you install additional services, hardware devices, and applications, as well as add local user profiles, the registry grows. The registry is stored in a portion of the system’s virtual memory called the paged pool. Windows 2000 needs a mechanism to prevent the registry from growing to fill the paged pool with registry data. The default minimum size for the registry is 16MB, or a third of the size of the default paged pool (48MB). You can increase the registry maximum size in situations where the registry needs to grow larger than the minimum size of 16MB.

Increasing the maximum size of the registry doesn’t actually allocate that much disk space to the registry, but simply sets the maximum size the registry can reach. The maximum size also has no bearing on whether the disk space is available to contain the registry. Windows 2000 doesn’t check the registry size against the maximum size until after the system boots. This ensures that the system can boot even when the maximum size is reached.

You can set the maximum size of the registry by modifying the registry directly. However, you should preferably use the System object in the Control Panel to modify the maximum registry size. See Chapters 1 and 6 for detailed information on using the System object to configure virtual memory settings.

The Registry Editors

Windows 2000 provides two Registry Editors, regedit.exe and regedt32.exe, for viewing and modifying the registry. Both enable you to connect to, view, and modify a registry on a remote computer. Before you go tromping through the registry, however, keep two things in mind: 1) you need to have a good backup copy of the registry, and 2) you need to be careful with changes you make, as you could introduce changes that might potentially prevent the system from booting. That’s why a backup copy is so important. Make sure you read the section, “Backing Up the Registry,” in Chapter 17.
Also, before you start playing with the Registry Editors, keep in mind that most changes, whether for the system, user, service, application, or other object, should be made with the administration tools for that object. You should only use the Registry Editors to make changes not available through other administration tools.

Both Registry Editors provide much the same capabilities for viewing and editing the registry. Each has a few features that make it more useful in a given situation. The following sections explain each of the editors and explore the situations in which one is preferable to the other.

Regedit.exe

The first of the Registry Editors is Regedit.exe, which Setup places by default in the systemroot folder. Regedit displays the registry in a single, two-pane window. The registry tree appears in the left pane, and the results pane on the right shows the object currently selected in the tree (Figure 18-2). To view a particular key or setting, expand the tree and select the object you want to view.

Click Start ➪ Run, type regedit in the Run dialog box, and click OK to start Regedit.

Figure 18-2: Regedit displays the registry as a hierarchical tree in a single window.

The following list summarizes the features unique to Regedit and situations in which you might use those features:

✦ Search: You can choose Edit ➪ Find to search through the registry for a given value. The registry is a big place, and having the ability to search for a key or value name helps you quickly locate the data you need to view or modify. Regedt32 only provides the ability to search for a key, not a value.
✦ Single tree display: Regedit displays the registry as a single hierarchical tree, bringing all the keys together in one structure. This eliminates the need to switch between different windows to work with different keys.

[...]
different computer but don’t want to go through the whole installation process. Instead, you’d rather just copy the files over to the other computer. In this case, you can export the application’s portion of the registry to a text-based registry file. After you copy the application’s files to the other system, you can import the registry file into the other computer’s registry. A similar example would be installing...

branch or the entire registry to a text file.

Tip: You can use any text editor to view and, if necessary, modify the registry file.

Importing a registry script adds the contents of the file to the registry, creating or replacing keys and values with the imported values. Using the program installation example described previously, you’d import the registry values for the program you want to add to the computer...

Editing a Remote Registry

You can edit the registry of a remote computer subject to your permissions and rights on the remote computer, as well as how the remote system is configured. To open the registry from another computer in Regedit, click Registry ➪ Connect Network Registry and specify the computer name or browse for it. The registry for the remote computer appears as a separate branch in the tree pane...

replacing the existing key of the same name (you specify the name for the new hive). You can modify the settings in the key, then unload the hive and copy it to the target system, if necessary. To load a hive, open Regedt32 and choose Registry ➪ Load Hive. Regedt32 prompts you for the location and name of the previously saved hive. Select the file and click Open. Specify a name for the key under which the hive...

without running the program’s Setup program. You have two ways to import a registry file: Use one of the Registry Editors or simply double-click a registry script. To import a key in Regedt32, choose Registry ➪ Restore and select a binary registry file. To import a registry key in Regedit, choose Registry ➪ Import Registry File. Locate and select the text file, then click Open. Regedit loads the registry file...

either tool, changes take effect immediately. In addition, double-clicking a registry script file causes Windows 2000 to incorporate into the registry the settings stored in the file (after prompting you to confirm).

Note: You also can choose Start ➪ Run and enter the name of the registry file to import the file’s settings into the registry...

access. If you’ve removed the Registry Editors from a system and need to modify its registry, you can do so remotely from another computer that does contain a Registry Editor. See the section, “Securing Remote Registry Access,” later in this chapter if you want to prevent remote editing of the registry.

Applying Permissions to Registry Keys

Another way to protect the registry or portions thereof is to apply...

can access the registry subject to the permissions assigned to individual keys. If the key exists, Windows 2000 checks the permissions on the key to determine whether or not the remote user can gain access to the registry (and levels of access). Individual keys then determine what these remote users can do with a given key. So, winreg is the first line of defense, and individual key ACLs are the second...

in the registry to prevent unauthorized access that could potentially give a remote user or hacker the ability to change settings that would grant him or her access or cause damage. You also can prevent remote administration of a registry and protect the registry in other ways. This section of the chapter explains your options.

Preventing Access to the Registry

Perhaps the best way to protect the registry...

of the registry you want to export. Choose Registry ➪ Export Registry File. Regedit displays the Export Registry File dialog box shown in Figure 18-5. Specify a file name for the registry file and select either All or Selected branch, depending on how much of the registry you want to export. Then click Save to create the...

Date posted: 21/12/2013, 05:18
