BCA V
Where are the Windows Registry files?

The Registry is a database used to store settings and options for the 32-bit versions of Microsoft Windows, including Windows 95, 98, ME and NT/2000. It contains information and settings for all the hardware, software, users and preferences of the PC. Whenever a user changes a Control Panel setting, a file association, a system policy or installed software, the change is reflected and stored in the Registry. The physical files that make up the Registry are stored differently depending on your version of Windows; under Windows 95 and 98 it is contained in two hidden files in your Windows directory, called USER.DAT and SYSTEM.DAT; Windows ME adds a third file, CLASSES.DAT.

The Structure of The Registry

The Registry has a hierarchical structure. Although it looks complicated, the structure is similar to the directory structure on your hard disk, with Regedit being similar to Windows Explorer. Each main branch (shown with a folder icon in the Registry Editor) is called a Hive, and Hives contain Keys. (Strictly speaking the top-level branches are root keys, and a "hive" is one of the on-disk files loaded beneath them, but this guide follows the common usage.) Each key can contain other keys (sometimes referred to as sub-keys) as well as Values. The values contain the actual information stored in the Registry. The three value types you will meet most often are String, Binary and DWORD (the full list is given under "Data types" below); which one is used depends on the context.

There are six main branches on Windows 9x (five on the NT platform, which has no HKEY_DYN_DATA), each containing a specific portion of the information stored in the Registry. They are as follows:

* HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.
* HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.
* HKEY_LOCAL_MACHINE - This branch contains computer-specific information about the type of hardware, software, and other preferences on a given PC; this information is used for all users who log onto this computer.
* HKEY_USERS - This branch contains individual preferences for each user of the computer; each user is represented by a SID sub-key located under the main branch.
* HKEY_CURRENT_CONFIG - This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
* HKEY_DYN_DATA - Windows 9x/ME only; holds the dynamic Plug and Play device information that is rebuilt at every boot (described below).

If you have Windows 9x or ME, known as the 9x platform, the Registry files are stored in the Windows folder. They are named System.dat and User.dat; Windows ME also has Classes.dat. These files all have the Hidden attribute, so unless you are viewing hidden files you will not find them. If you have Windows NT, 2000, 2003, XP or Vista, known as the NT platform, the Registry files are stored in their own folder, \Windows\System32\Config (the SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT files), with each user's own part of the Registry in NTUSER.DAT inside the user's profile folder. You cannot simply copy these files while Windows is running, because the operating system keeps them open with an exclusive lock; use regedit's Export, the reg.exe save command (run as an administrator), or a backup tool that works from a shadow copy or from outside the running system. Note that the lock is there for consistency, not as a security boundary: the files are not encrypted, and the SAM and SECURITY hives hold password hashes and LSA secrets, so any copy of them (a backup, a shadow copy, or the disk of a machine booted from other media) has to be protected like a credential.

HKEY_CURRENT_USER: Contains the information for the currently logged-on user, such as settings and software information. Settings changed in this Hive affect only the current user. This Hive is part of the HKEY_USERS hive.
1) AppEvents Key: contains the settings for which sounds to play for system sound events.
2) Control Panel Key: Control Panel settings are stored here, similar to system.ini and win.ini in Windows 3.x.
3) InstallLocationsMRU: contains the folder paths and drives most recently used for installations.
4) Keyboard layout: specifies the current keyboard layout.
5) Network: network connection information.
6) RemoteAccess: contains information about the current log-on location using Dial-Up Networking.
7) Software: software configuration settings for the currently logged-on user. You may find other keys here, placed by other software, that probably should have been placed in one of the sub-keys above.
The entire Hive is also found at HKEY_USERS\.Default or, if there is more than one profile, at HKEY_USERS\<profile name>. If you change a setting in either of these two locations it is also changed in the other.

HKEY_LOCAL_MACHINE: Contains information about the hardware and software settings that are used for all users of this computer.
1) Config: configuration information; the same as the Hive HKEY_CURRENT_CONFIG on Windows 9x.
2) Enum: hardware information (found under System in NT).
3) Hardware: information passed to Windows from the BIOS (found under System in NT).
4) Network: information about networks installed on the machine.
5) Security: network security settings (on the NT platform this is the SECURITY hive, which holds the local security policy and LSA secrets).
6) Software: software-specific information and settings.
7) System: system startup and device driver information, and operating system settings.

HKEY_USERS: Information for each user that logs onto this computer is stored here. Each user has a sub-key under this heading. On Windows 9x, if there is only one user, the sub-key will be ".default". When a user logs on, one of the sub-keys is loaded as the HKEY_CURRENT_USER key.

HKEY_CURRENT_CONFIG: Contains information about the current hardware configuration, pointing to HKEY_LOCAL_MACHINE\Config on Windows 9x. This hive is dynamic, meaning it is built on the fly.

HKEY_DYN_DATA: This key contains dynamic information about Plug and Play devices. The data here changes constantly. This key is rewritten every time you boot up; it is a virtual Hive, built on the fly, and is not used on the NT platform.

Data types used for the Registry

REG_BINARY - This type stores the value as raw binary data. Most hardware component information is stored as binary data, and can be displayed in an editor in hexadecimal format.

REG_DWORD - This type represents the data as a four-byte number and is commonly used for boolean values, such as "0" is disabled and "1" is enabled.
Additionally, many parameters for device drivers and services are of this type, and can be displayed in REGEDT32 in binary, hexadecimal and decimal format, or in REGEDIT in hexadecimal and decimal format.

REG_EXPAND_SZ - This type is an expandable data string, that is, a string containing an environment variable that is replaced when the value is read by an application. For example, in a value whose data contains "%SystemRoot%", that token is replaced by the actual location of the directory containing the Windows NT system files. (This type is only available using an advanced registry editor such as REGEDT32.)

REG_MULTI_SZ - This type is a multiple string, used to represent values that contain lists or multiple values; each entry is terminated by a NULL character, and the list ends with an extra NULL. (This type is only available using an advanced registry editor such as REGEDT32.)

How Windows uses the Registry

For reference: HKCU = HKEY_CURRENT_USER, HKLM = HKEY_LOCAL_MACHINE.

First you need to understand that the Shell of Windows is the Windows Explorer. Without the Explorer there is no Windows, no desktop, and so on. With Windows loaded and you logged on, Windows can now use the information in the Registry that each Hive contains. Here is a sample of how the Registry is used.

Let's click on the Start button, which is controlled by Explorer.exe. Windows now reads the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies keys to determine what the current user is allowed to do and what the user is allowed to access. Now scroll up to the Programs label: the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer is read to determine how Windows will react. Now you open the Start menu and click on a program you wish to open. What you are clicking on is a shortcut. A shortcut is a file with the extension ".lnk", so Windows now looks at the HKLM\Software\Classes key for the extension ".lnk", whose (Default) value reads "lnkfile".
So Windows now looks for HKLM\Software\Classes\lnkfile, whose (Default) reads "ShortCut", and it sees the value "NeverShowExt" = "", which means do not display the file extension for this type of file. (This is why a shortcut named "readme.txt.lnk" is shown simply as "readme.txt"; the same value placed on other ProgIDs is a well-known way of disguising a file's real type, so an unexpected NeverShowExt is worth treating as suspicious.) Windows then looks to see what sub-keys are there and finds a CLSID sub-key which points to "{00021401-0000-0000-C000-000000000046}". Since the sub-key was "CLSID", Windows knows to look at the HKLM\Software\Classes\CLSID key and finds the matching sub-key. This key also reads "ShortCut", and Windows now looks at what sub-keys are available. It finds the "ProgID" key, which points back to the "lnkfile" key, and it finds the server file at the "InProcServer32" key. So Windows now knows to serve this file to Shell32.dll. If the Explorer did not find the CLSID key listed it would have to search the CLSID keys for a matching ProgID key that pointed to the "lnkfile" key.

Shell32.dll now takes over: the Explorer makes an API call to Shell32.dll and tells it to shell (run, start) the file that you clicked on. Shell32 knows that this is a shortcut, so it reads the file and determines that you wish to activate the program QikFix. So it starts QikFix, which now starts loading the other DLLs it needs to run. QikFix searches its own directory and, if a DLL is not found there, looks in the Windows folder and then the System folder. (This search order is also what DLL-planting attacks rely on: a DLL with the expected name placed in a directory searched earlier than the real one is the one that gets loaded.) It finds the DLLs it knows it needs to run, and then sees that it needs an interface. As with all Visual Basic programs, it needs Msvbvm50.dll or Msvbvm60.dll to do the work for it. So Msvbvm50.dll draws the plain window and then starts adding the text boxes and the tabs. To do this it may need help from another DLL, as in the case of the tabs. It knows it needs tabctl32.ocx because when I selected to use the tabs I had to include the DLL name in my source code, which in this case is an ActiveX control (.ocx). Now it needs to draw tabs, but Msvbvm50.dll has no idea what a tab is.
If there were TypeLib keys under the CLSID key, then the Explorer would also go and read the matching HKLM\Software\Classes\TypeLib key. The TypeLib key may point to an Interface key (HKLM\Software\Classes\Interface), and this key tells the Explorer what version is available and so on. To understand more you need to read the next section about sub-keys.

Explanation of SubKeys

You will find a vast number of different sub-keys; some are used (read) only by the software program, while most of the sub-keys are read by Windows. For this example let's use the * key. If you open RegEdit and go to the HKEY_CLASSES_ROOT Hive, the first key down will be *. This key is a wildcard key for file extensions, that is, all files. You will find a sub-key Shellex, which should have no value set. The Shellex key tells the Explorer what to do when you right-click on a file. When the context menu is displayed after you right-click a file, the Explorer uses the ContextMenuHandlers sub-key. You will also find a PropertySheetHandlers sub-key there. This sub-key tells the Explorer what to display when you right-click a file and select Properties. My ContextMenuHandlers sub-key has three sub-keys: Open With, Quick View, and WinZip. I added the Open With sub-key so that I always have the Open With option when I right-click a file. If you have WinZip installed you'll have the WinZip sub-key, so let's follow the WinZip sub-key. It points to a CLSID key, HKEY_CLASSES_ROOT\CLSID\{E0D79304-84BE-11CE-9641-444553540000}, and this key has the sub-key InProcServer32 which points to WZSHLSTB.DLL. So Windows now knows what DLL to load if you click on WinZip in the context menu. (Every DLL named under ContextMenuHandlers or PropertySheetHandlers is loaded into Explorer.exe itself, so these keys are one of the usual places to look for persistence when reviewing a machine.) Now let's open RegEdit (so you can follow) and go to HKEY_CLASSES_ROOT\.gif, then right-click on a file we all have, C:\Windows\Cloud.gif, which is a standard Windows file. The .gif key does have a Shellex sub-key, but not a ContextMenuHandlers sub-key, so only the default context menu will be displayed.
It does have the sub-key {BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}, which points to the CLSID\{3F30C968-480A-4C6C-862D-EFC0897BB84B} key; this tells the Explorer which component handles the file when thumbnails are in use. Now right-click the Cloud.gif file and select Open. You will notice that the (Default) value of the .gif key points to giffile. Windows now goes to HKEY_CLASSES_ROOT\giffile to see what it must do. The (Default) value of this key is "GIF Image"; this is what is displayed in the Explorer under the "Type" column if you view files in Details view. The giffile key has three sub-keys: CLSID, DefaultIcon, and Shell. The DefaultIcon sub-key tells the Explorer what icon should be displayed for a .gif file. The Shell sub-key should have three sub-keys: Open, Print, and Printto. Since we selected Open on the context menu, which is the same as double-clicking the file, Windows uses the Shell\Open sub-key. The Shell\Open key has one or two sub-keys: Command, and maybe a ddeexec sub-key. If you have just the Command key, Windows stops there and shells (starts, runs) the file listed in the (Default) value of the Shell\Open\Command sub-key with the parameter (command line) C:\Windows\Cloud.gif. This tells the program, possibly Fast View, to display the file Cloud.gif. If there is no ddeexec sub-key the (Default) value would look something like this:

"C:\Easy Desk Utilities\Fast View\Fastview.exe" %1

The %1 means to pass the file path and name on to Fast View. Whoever can write this (Default) value decides what runs when a file of that type is opened, which is why hijacked associations are a common persistence trick and this value is worth checking for each extension you care about. This would be the same as typing in the Run box at the Start menu:

C:\EasyDe~1\FastVi~1\Fastview.exe C:\Windows\Cloud.gif

The Run box needs the 8.3 short-name form for an unquoted path that contains spaces (a long path works if you enclose it in quotes). Now Fast View is displaying the Cloud.gif file.
If you have a ddeexec sub-key the (Default) value might be:

rundll32.exe C:\WINDOWS\SYSTEM\SHIMGVW.DLL,ImageView_Fullscreen

and the ddeexec sub-key's value is "[open(%1)]". In the Run box you would type:

rundll32.exe C:\WINDOWS\SYSTEM\SHIMGVW.DLL,ImageView_Fullscreen C:\Windows\Cloud.gif

The Heart of Windows

The Registry works the same on both the Windows 9x platform and the NT platform. However, it is laid out a little differently, especially when it comes to the hardware. The real heart of the Windows Registry is found at the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows, controlling the software. The system drivers are controlled at HKEY_LOCAL_MACHINE\System. The hardware is controlled at HKEY_LOCAL_MACHINE\Enum in Windows 9x and ME, and at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum on the NT platform.

Opening the registry editor

This is step number one, just opening the editor to view the registry. This is easy: click on the Start button and then on Run. Once Run is open, type in regedit and click OK.

Navigating the registry

Once you have regedit open, it is fairly easy to get where you want to. You will see the "folders" HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, and HKEY_CURRENT_CONFIG. First let's get some basic terminology down. These five main "folders" are called hives, and their subfolders are called keys. Click on the + next to HKEY_CURRENT_USER to expand the hive. If you wanted to open HKEY_CURRENT_USER\Software\Microsoft, click the + next to Software, then the + next to Microsoft. This is how you get to any place within the registry.

Exporting registry keys

This should be done to any and all registry keys before changing them. It gives you an easy way of reverting any changes you make while editing the registry. Right-click the key that you want to export and select Export. Then give it a name so you remember what it is.
I use the name of the key, as an example.

Importing registry files

Now that you have exported keys so that you can revert your changes, you need to know how to import them back into the registry. Usually a double-click on a registry file will merge it for you; if you have changed the default action, right-click the file and select Merge.

Changing existing values

You now know how to navigate to different keys in the registry and how to back up these keys before you change them. Logically, next you need to know how to make these changes. There are three main types of registry values that you will deal with: STRING, DWORD and BINARY values. There are others, but these are 99% of what you will deal with in normal editing. To change an existing STRING value, just double-click it and enter the new value data. To change an existing DWORD value you have two options, hexadecimal and decimal. Be sure you know which base the value is shown in: 100 hexadecimal is 256 decimal, and C8 is the hexadecimal for 200 decimal, for example. Changing binary values is a little more complicated because they are written in hex. The data is entered as two-digit hex bytes, 00 through FF, and what each byte means is up to the program that owns the value. Having to change a binary value to anything other than 01 to 00 or 00 to 01 is pretty rare.

Adding new values

Adding values is very similar to changing them, except that you have to name the value. Right-click in the right-hand pane of the registry editor, select New > String Value (or whatever value type you want to add), and then name it what you need. Then change its value by the same method as for an existing value.

Adding new keys

Along with adding values, this is most helpful if you are trying to add group policy values through the registry. Most of the keys needed for them are not there by default. So you need to add a key under HKEY_CURRENT_USER\Software\Policies\Microsoft; how?
Easily: just right-click HKEY_CURRENT_USER\Software\Policies\Microsoft in the folder tree and select New > Key. Now change the name of the new key to the desired name.

Deleting keys and values

The first thing to realize when deleting keys or values is that there is no Recycle Bin for the registry: once it's gone, it's gone. To delete keys or values, just right-click them and select Delete. Also keep in mind that deleting a key also deletes all sub-keys of that key.

Writing registry files

Now you can automate the manual entry and deletion of registry values and keys with .reg files. Use Notepad or WordPad to write registry files; you just save them with a .reg extension. Because a double-click merges a .reg file after a single confirmation, and a merge into HKEY_LOCAL_MACHINE runs with your administrator rights, treat .reg files from sources you do not trust the way you would treat a script. The first line of the registry file for XP or 2000 has to be:

Windows Registry Editor Version 5.00

NOTE: for Windows 98, ME and NT 4.0 (this also works with XP and 2000) replace it with:

REGEDIT4

Put a blank line between the header line and the next entry. Now you have to declare the key whose values you want to change by writing it in brackets. This also creates the key if the one declared doesn't exist:

[HKEY_CURRENT_USER\Key\Subkey]

The next line either creates the string "String 1" equal to "Value 1" if "String 1" doesn't exist, or changes the value of the string "String 1" to "Value 1" if it does:

"String 1"="Value 1"

Inside a quoted string a backslash must be written as \\ and a double quote as \", so a path is written "C:\\Windows\\System32"; a single backslash is the most common reason a hand-written .reg file fails to merge. The (default) value is a string, and you use the "at" symbol for it:

@="Default 1"

To change or create DWORD values you must know the value in hexadecimal, for that is how they are written. The next line creates the DWORD "Dword 1" equal to decimal 20 by setting it to dword:00000014, or, if "Dword 1" already exists, changes its value to decimal 20. Just remember that dword:00000010 is actually decimal 16 and dword:0000000a is decimal 10.

"Dword 1"=dword:00000014

Now binary values. This line creates or changes a binary value "Binary 1" equal to 01 AA 05 55:

"Binary 1"=hex:01,AA,05,55

So this is the .reg file to add a string, a default value, a DWORD and a binary value to HKEY_CURRENT_USER\Key\Subkey:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Key\Subkey]
"String 1"="Value 1"
@="Default 1"
"Dword 1"=dword:00000014
"Binary 1"=hex:01,AA,05,55

Now, how to delete values or keys with .reg files. If you want to delete a key, just put a minus sign in front of it in the file:

[-HKEY_CURRENT_USER\Key\Subkey]

If you want to delete a value, it doesn't matter what kind, set the value equal to a minus:

"String 1"=-
@=-
"Dword 1"=-
"Binary 1"=-

So if you wanted to add a DWORD "Dword 1" that equals 1 and delete the value "String 1" in HKEY_CURRENT_USER\Key\Subkey1, and delete HKEY_CURRENT_USER\Key\Subkey2, the file would look like:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Key\Subkey1]
"Dword 1"=dword:00000001
"String 1"=-

[-HKEY_CURRENT_USER\Key\Subkey2]

The final thing to learn is how to comment the files: add a semicolon in front of any line and it will be ignored:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Key\Subkey1]
;This changes the dword to equal 1
"Dword 1"=dword:00000001
;This deletes the string value
"String 1"=-
;This deletes the key Subkey2
[-HKEY_CURRENT_USER\Key\Subkey2]

This should help you navigate and hack through the registry with at least a partial map to guide you.

Originally submitted by j79zlr
 
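A parser and writer for the .reg format described above, added here as an example; it is not the page's code, and regedit's own importer remains the reference. It reads the constructed sample file embedded in it, which reuses the Subkey1/Subkey2 example from the text and adds a quoted path to show that backslashes inside quotes must be doubled, and it folds the trailing-backslash line continuation regedit writes for long hex values. Data typed as hex(N) (REG_EXPAND_SZ, REG_MULTI_SZ and friends in their exported form) is deliberately rejected rather than guessed at.

```python
# Added example: a parser and writer for the .reg text format explained above,
# run over a constructed sample. This is not the page's code (regedit's own
# importer is the reference); it covers the subset the page uses plus the
# trailing-backslash line continuation regedit emits for long hex data.
import re

# Constructed sample. Note the doubled backslashes inside the quoted path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Key\Subkey1]
;This changes the dword to equal 1
"Dword 1"=dword:00000001
;This deletes the string value
"String 1"=-
@="Default 1"
"Binary 1"=hex:01,AA,05,\
  55
"Path"="C:\\Easy Desk Utilities\\Fast View\\Fastview.exe"

;This deletes the key Subkey2
[-HKEY_CURRENT_USER\Key\Subkey2]
'''

DELETE = object()  # marks "=-" on a value and [-key] on a key
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

def _unescape(s):
    # inside quotes, \\ is a backslash and \" is a double quote
    return re.sub(r'\\(["\\])', r"\1", s)

def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')

def _parse_data(data):
    if data == "-":
        return DELETE
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if data.lower().startswith("hex:"):  # REG_BINARY, comma-separated bytes
        return bytes(int(b, 16) for b in data[4:].split(",") if b.strip())
    raise ValueError("unsupported data: " + data)

def parse_reg(text):
    """Return {key: {value_name: data}}, with DELETE marking removals.
    The (Default) value is stored under the empty name ""."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header line")
    joined = []  # physical lines folded at trailing backslashes
    for line in lines[1:]:
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.rstrip())
    result, current = {}, None
    for s in (l.strip() for l in joined):
        if not s or s.startswith(";"):
            continue
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1]
            if key.startswith("-"):
                result[key[1:]], current = DELETE, None
            else:
                current = result.setdefault(key, {})
            continue
        if current is None:
            raise ValueError("value outside a key section: " + s)
        if s.startswith("@="):
            name, data = "", s[2:]
        else:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', s)
            if not m:
                raise ValueError("bad value line: " + s)
            name, data = _unescape(m.group(1)), m.group(2)
        current[name] = _parse_data(data)
    return result

def _format_data(v):
    if v is DELETE:
        return "-"
    if isinstance(v, str):
        return '"' + _escape(v) + '"'
    if isinstance(v, int):
        return "dword:%08x" % (v & 0xFFFFFFFF)
    return "hex:" + ",".join("%02x" % b for b in v)

def to_reg(entries):
    """Inverse of parse_reg: emit 5.00-format text that regedit can merge."""
    out = [HEADERS[0], ""]
    for key, values in entries.items():
        if values is DELETE:
            out.append("[-" + key + "]")
        else:
            out.append("[" + key + "]")
            for name, v in values.items():
                lhs = "@" if name == "" else '"' + _escape(name) + '"'
                out.append(lhs + "=" + _format_data(v))
        out.append("")
    return "\n".join(out)
```

parse_reg(SAMPLE_REG) yields the Subkey1 values (with "String 1" marked DELETE and the path unescaped to a single backslash per separator) and Subkey2 marked DELETE; to_reg on that result round-trips to a file regedit will merge. Files exported by regedit itself are UTF-16 with a byte-order mark, so read them with the right encoding before handing the text to parse_reg.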