The Windows Registry

The Windows NT Registry Database

Windows NT stores all its configuration information in a hierarchical database called the Registry. The Registry contains user, application, hardware, and operating system information, and replaces the .INI files from Windows 3.x. It also provides configuration security and multiuser support in a more extensible and adaptable framework than is provided in Windows 3.x.

The first and most important thing you must know about the Registry is that making invalid changes to the Registry can result in system instability or complete failure of the operating system to boot.

There is no reason that an average user should need to make changes. However, as a system administrator, you will need to edit the Registry occasionally to keep your system working properly.

When Microsoft programmers designed Windows NT, they recognized the need for a better way to manage configuration information than the simple .INI files used in Windows 3.x. In particular, they needed a means of providing certain functionality that could not be provided by the .INI files, including the following:

The Structure of the Registry

The Registry database uses a hierarchical format with five main branches. Before going any further, let's look at some of the vocabulary used when dealing with the Registry:

Another important term relating to the registry is a Hive: which is discussed in detail later.

Root Keys in the Registry

As mentioned previously, the Registry is made up of five root keys, each represented as a subtree of the Registry itself. Each root key contains subkeys and value entries that contain all the configuration information for the NT system and its users. The five root keys are listed below:

Root Key Description
HKEY_LOCAL_MACHINE This is the root key that contains the most interesting information. It contains information on the hardware such as processor type, bus architecture, video, and disk I/O hardware. It also contains software information for the operating system, including information on device drivers, services, security, and installed software.
HKEY_CLASSES_ROOT This key is similar to the functionally limited Registry included with Windows 3.x. It contains information on files associations (matching a file extension to an application), as well as acts as the repository for OLE classes. This root key points to data stored in the HKEY_LOCAL_MACHINE\SOFTWARE\Classes subkey.
HKEY_CURRENT_USER This key contains the profile information for the user currently logged onto the console. It contains user-level preferences for the operating system, as well as for applications installed on the computer. This key is a pointer to one of the subkeys stored in HKEY_USERS.
HKEY_USERS This key contains a pointer to the hive for the user currently logged on at the console , as well as a pointer to the hive for the default user. In neither case does HKEY_USERS contain profiles for users who log on remotely.
HKEY_CURRENT_CONFIG This is a new root key in Windows NT 4.0. It contains the current hardware configuration information, as specified by the current hardware profile. It actually points to the same contents as the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current subkey.

Data Types and Values

Each value entry has a data type and value. If a value entry already exists, you can use Registry Editor to see its data type. However, if you need to create a new value entry, you must know the correct data type. For instance, the data type for RegistrySizeLimit is REG_DWORD, and the value can be between 4MB and 102MB.

The information for setting a value entry is often written in the format

name:data type:value

Windows NT recognizes five data types for Registry entry values. These values are shown below.

Data Type Name Description
REG_BINARY Binary. A value entry of this data type contains machine-readable information. You should never have to edit this type by hand. Many of the value entries of type REG_BINARY have to do with hardware configuration on the system and appear under the HKEY_LOCAL_MACHINE\HARDWARE subkey. An example is HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\Component Information:
Component Informa tion:REG_BINARY:00 00 00 00 ...
REG_DWORD Double word. The double word data type represents a number up to 4 bytes long (traditionally one word is 2 bytes). By default, this data type is displayed in hexadecimal format, although you can also display it in binary or decimal format. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\RegistrySizeLimit uses the REG_DWORD data type:
REG_SZ Readable text. Values entries of type REG_SZ contain human-readable text and often involve a description or identification. This is a common data type. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner is an example of a value entry that uses a REG_SZ data type:
RegisteredOwner:REG_SZ:Jason Garms
REG_EXPAND_SZ Expandable data string. An expandable data string is similar to a standard REG_SZ, except that it contains a system variable that will be replaced when it is accessed by an application. For instance, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath is defined as type REG_EXPAND_SZ:
When a program accesses this key, however , it will not get the string "%SystemRoot%\Media" but rather "C:\WINNT\Media"— you installed Windows NT in the C:\WINNT directory.
REG_MULTI_SZ Multiple string. A value entry of this type contains a list of values, separated by NULL characters. For example, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Sources is of type
REG_MULTI_SZ:Sources:REG_MULTI_SZ:WinsCtrs Winlogon Userenv ...

There is a sixth data type you might see in use in the Registry, REG_FULL_RESOURCE_DESCRIPTOR. It is not listed in above because you cannot create value entries or edit existing values of this type. Most value keys of this type appear in the HKEY_LOCAL_MACHINE\HARDWARE subkey.


The maximum size for any single Registry value entry is 1MB.

Using the RegistryEditor

The Registry Editor is the primary tool used to directly manipulate the Registry database. By default, when you install Windows NT, no icon is created for the Registry Editor. In fact, to make things a little more complicated, Microsoft included two different Registry Editors with Windows NT 4.0, REGEDT32.EXE and REGEDIT.EXE. For many common functions, you can use either of these tools; however, REGEDT32.EXE is the correct tool for use with Windows NT.

The two major advantages of the Windows 95 REGEDIT.EXE follow:

The main limitations of the REGEDIT.EXE tool when used with Windows NT 4.0 follow:

Whenever you need to make a modification to the Registry, you will need the path to the value entry, just as you would need to know the path to locate a disk resource. The Registry path for locating a resource contains the following:

For example, the current maximum size the Registry can grow to:


Registry Hives

A hive is a discrete set of keys, subkeys, and value entries contained in the Registry. Each hive is stored in a single file in the %SystemRoot%\system32\config directory, along with an associated .LOG file.

There is a Registry value entry that is used to point to the location of all the Registry hives: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist. It should not be modified.

The Registry hives and their associated files are shown below

Registry Hive Associated Files
HKEY_LOCAL_MACHINE\SAM%SystemRoot%\System32\config\SAM %SystemRoot%\System32\config\SAM.LOG
HKEY_LOCAL_MACHINE\SECURITY %SystemRoot%\System32\config\SECURITY%SystemRoot%\System32\config\SECURITY.LOG
HKEY_LOCAL_MACHINE\SOFTWARE %SystemRoot%\System32\config\SOFTWARE%SystemRoot%\System32\config\SOFTWARE.LOG
HKEY_LOCAL_MACHINE\SYSTEM %SystemRoot%\System32\config\SYSTEM%SystemRoot%\System32\config\SYSTEM.LOG
HKEY_USERS\.DEFAULT %SystemRoot%\System32\config\DEFAULT%SystemRoot%\System32\config\DEFAULT.LOG
HKEY_CURRENT_USER %SytemRoot%\Profiles\%UserName%\NTUSER.DAT


The HKEY_LOCAL_MACHINE\HARDWARE key is a dynamic subkey that is generated every time Windows NT is booted by the NT hardware recognizer (NTDETECT.COM) and the NT kernel. Although HKEY_LOCAL_MACHINE\HARDWARE is technically a Registry hive, it is stored as an internal structure in the system's memory rather than on disk. In the event of system failure, no valuable data is lost because it is reconstructed from scratch during each system boot.

Each Registry hive has a corresponding log file. The log files are provided to ensure the stability of the Registry database, even in the event of a system failure during a Registry update.

When an update is made to the Registry, NT records the beginning of it in the appropriate hive's log. It then proceeds through the update by recording what change is being made, as well as how to roll back the change to the original state. This information is recorded in the log for each Registry property being updated. When all properties are updated, the change is committed and recorded in the log. At this point— only at this point— the transaction complete. If there is a power outage or system failure before the transaction is marked as being complete, when the NT reboots or the system failure is repaired, the NT uses the information in the hive's log file to roll back the transaction to a stable state.

The HKEY_LOCAL_MACHINE\SYSTEM hive is an important part of the NT boot process, so it cannot be left in an unstable state when the system is booted. To protect against this possibility, NT keeps an alternate copy of the HKEY_LOCAL_MACHINE\SYSTEM hive in a file called %SystemRoot%\System32\config\SYSTEM.ALT.

When you make changes to the Registry that affect the HKEY_LOCAL_MACHINE\SYSTEM hive, the changes are first applied to the actual system hive, then to the alternate hive. If there is a system failure during the updates to the alternate hive, there is no problem, and after the system boots, NT updates the alternate hive to again be an exact copy of the actual system hive. However, if there is a failure during an update to the actual system hive, when NT reboots it detects that the system hive is dirty, so instead it boots using the alternate hive, which is in an older but stable state. It then rolls back changes to the original system hive.

Recovering the Registry Using the Last Known Good Configuration

Much of the information necessary for Windows NT to start up is stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet subkey. If you— a program on your system— invalid changes to one of the value entries in this subkey, your system could fail to boot. Or, if it does boot, it could prevent you from logging on.

To help protect against these kinds of accidental problems, NT keeps copies of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002.

If your NT system fails during startup and you suspect it has something to do with a Registry change you just made or a device you just installed, you can tell NT to use the backup version of the control set by pressing the SPACE BAR during the boot process when NT displays the message Press spacebar NOW to invoke Last Known Good Menu.

When you invoke this option, you lose any changes made to the Registry since the last time a user successfully logged on to the system.


It is only after a user successfully logs on to the console of an NT system that the NT boot process is determined to be a success and the last known good configuration information is updated.

The Emergency Repair Disk

The Emergency Repair Disk contains a copy of the Registry information that is needed to recover the NT system if critical system files are damaged. The emergency repair disk is initially created during the installation process. You can manually updated the information by using the rdisk utility. You must include the "s" switch inorder to get the current information. For example, go to start, Run and type rdisk -s and press OK.