Windows Registry

The Windows Registry is a hierarchical database that stores low-level settings for the operating system and for applications that opt to use the Registry. It contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows. When a user makes changes to Control Panel settings, file associations, system policies, or installed software, the changes are stored in the Registry.

Before the Registry, Windows used .ini files (initialization files) to store configuration data. These files were scattered across the system, making management difficult and prone to corruption. The Registry centralizes configuration data into a single, structured database, providing: - Centralization: All system and application settings in one place. - Hierarchy: A tree-like structure for easy navigation. - Security: Access control lists (ACLs) on keys to restrict modifications. - Performance: Faster access compared to parsing multiple .ini files.

The Registry is organized into a tree structure with five root keys (also called hives) at the top. Each root key contains subkeys and values. The five root keys are: - HKEY_CLASSES_ROOT (HKCR): Stores file association information and COM class registration. It is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes. - HKEY_CURRENT_USER (HKCU): Stores settings for the currently logged-in user, such as desktop wallpaper, environment variables, and application preferences. - HKEY_LOCAL_MACHINE (HKLM): Stores settings that apply to the entire computer, including hardware configuration, software settings, and security data. - HKEY_USERS (HKU): Contains subkeys for each user profile on the system. The subkey for the currently logged-in user is also referenced by HKCU. - HKEY_CURRENT_CONFIG (HKCC): Stores information about the current hardware profile, such as display settings. It is a pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

The Registry is stored on disk in several files called hives. Each hive has a corresponding file and a .log file for transaction logging. The primary hive files are: - SAM: Security Account Manager (HKLM\SAM) – stores user passwords and group memberships. - SECURITY: (HKLM\SECURITY) – stores security policies and user rights. - SOFTWARE: (HKLM\SOFTWARE) – stores software and Windows settings. - SYSTEM: (HKLM\SYSTEM) – stores system-wide configuration, including device drivers and startup settings. - DEFAULT: (HKU\.DEFAULT) – stores default user profile settings. - NTUSER.DAT: (HKCU) – stores settings for each user, located in C:\Users\<username>\NTUSER.DAT. - UsrClass.dat: (HKCU\Software\Classes) – stores per-user file associations and COM settings.

Each Registry key can contain multiple values. Values have a name, a data type, and a value. Common data types include: - REG_SZ: A fixed-length string (e.g., a file path). - REG_EXPAND_SZ: An expandable string containing environment variables (e.g., %SystemRoot%). - REG_BINARY: Binary data (e.g., hardware settings). - REG_DWORD: A 32-bit integer (e.g., a flag to enable/disable a feature). - REG_QWORD: A 64-bit integer. - REG_MULTI_SZ: A multi-string value (e.g., a list of IP addresses).

- Registry Editor (regedit.exe): The primary GUI tool for viewing and modifying the Registry. It is included with all versions of Windows. To open, press Win+R, type regedit, and press Enter. Changes take effect immediately; there is no undo. - Command-line tools: - reg.exe: A command-line utility for querying, adding, deleting, copying, and modifying Registry keys and values. Example: reg query HKLM\Software\Microsoft\Windows\CurrentVersion. - regedit.exe can also be used from the command line with switches like /s to import a .reg file silently. - PowerShell: Cmdlets such as Get-ItemProperty, Set-ItemProperty, New-Item, and Remove-Item allow scripted Registry manipulation. Example: Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion'.

Registry keys have security descriptors that control who can read or modify them. Permissions are set via the Registry Editor (right-click a key → Permissions) or using tools like subinacl or PowerShell. By default, standard users have read-only access to most keys; administrative privileges are required to write to many system keys. The exam emphasizes that modifying the Registry without proper permissions can lead to system instability.

The Registry controls what programs run at startup. Keys under: - HKLM\Software\Microsoft\Windows\CurrentVersion\Run – runs for all users. - HKCU\Software\Microsoft\Windows\CurrentVersion\Run – runs for the current user. - HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce – runs once for all users, then deleted. - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce – runs once for the current user.

Malware often adds entries to these keys. The exam tests knowledge of using msconfig (System Configuration) or Task Manager to disable startup programs, but the underlying Registry keys are the source.

File associations are stored under HKCR\.<extension> and HKCR\<progid>. For example, .txt files are associated with txtfile. Changing the associated program modifies these keys. The exam may ask how to reset file associations to default using the Registry or the Settings app.

Device drivers store configuration in HKLM\SYSTEM\CurrentControlSet\Services and HKLM\SYSTEM\CurrentControlSet\Control. The Enum subkey contains a list of all detected hardware. The CurrentControlSet is a pointer to one of the control sets (e.g., ControlSet001, ControlSet002) used during boot. The exam covers using Device Manager to update drivers, but the Registry is the underlying store.

Each user's registry hive (NTUSER.DAT) is loaded when the user logs in. Corrupt user profiles can be fixed by renaming the NTUSER.DAT file, which forces Windows to create a new default profile. The exam tests this troubleshooting step.

Group Policy settings are stored in the Registry under HKLM\Software\Policies and HKCU\Software\Policies. Administrative Templates (.adm files) define Registry-based policy settings. The exam covers using gpedit.msc to configure policies, which modify these Registry keys.

Registry corruption can cause boot failures, application errors, or blue screens. Symptoms include: - Stop errors (BSOD): e.g., 0x00000051 (REGISTRY_ERROR). - Missing DLL errors: Often due to missing or incorrect registry entries. - Application crashes: Especially after installing/uninstalling software.

Repair options: - Last Known Good Configuration: Boots using the last control set that worked (HKLM\SYSTEM\Select\LastKnownGood). - System Restore: Restores Registry hives from a restore point. - Registry Backup: Use regedit to export and import. - Recovery Console: In older Windows versions, regsvr32 or regedit could be run from the recovery environment. - Windows Recovery Environment (WinRE): Access Command Prompt and use regedit to load a hive from a backup.

In a large enterprise with thousands of Windows workstations, IT administrators use Group Policy to enforce Registry-based settings. For example, they might configure a policy to disable the lock screen, set a specific wallpaper, or restrict access to Control Panel. These policies modify Registry keys under HKLM\Software\Policies and HKCU\Software\Policies. The Group Policy Management Console (GPMC) is used to create and link policies to Organizational Units (OUs) in Active Directory. When a user logs in, the policy is applied, and the Registry is updated. Common issues include policy conflicts (e.g., two policies setting the same key) and slow logon due to large policies. Administrators must test policies in a pilot group before broad deployment. Performance considerations include the number of policies and the complexity of Registry writes. Misconfiguration can lead to locked-out users or broken application functionality.

Many line-of-business applications store configuration in the Registry. For example, a custom accounting application might store database connection strings in HKLM\Software\MyApp. When deploying the application to hundreds of users, IT can pre-configure the Registry using a .reg file or a script. They might use reg add commands in a login script or deploy Registry preferences via Group Policy. Common scale considerations include ensuring the Registry paths are consistent across different Windows versions (e.g., 32-bit vs 64-bit applications store keys under Wow6432Node). Performance issues arise if the application reads the Registry frequently. Misconfiguration, such as incorrect permissions on the key, can cause the application to crash. IT must also handle user-specific settings stored in HKCU, which require per-user deployment strategies.

Security teams harden Windows systems by modifying Registry keys to disable unnecessary services, restrict USB storage, or enforce password policies. For example, to disable USB mass storage, they set the DWORD value 'Start' to 4 under HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR. They deploy these changes via Group Policy or scripts. Common issues include breaking hardware functionality (e.g., disabling USB also disables keyboards) and user complaints. They must balance security with usability. Performance is not usually a concern, but auditing Registry changes using Advanced Audit Policy can generate large security logs. Misconfiguration can lead to system instability or security vulnerabilities. For example, setting incorrect permissions on the SAM hive could expose password hashes.