January 30, 2008

    Regedit: Hands-On - Windows XP Registry Hack Tutorials



    Regedit is a program you can use to access and edit the Registry. It normally ships with the default Windows installation and can be launched from the Run command box in the Start Menu by typing in "regedit" or "regedit.exe". Editing the Registry should be done with care, and with as much understanding as possible as to why and where you are making a change. Additionally, it is strongly recommended that you back up the Registry immediately prior to making a change. You also need to understand how to restore the Registry in case things go awry. The following sections deal with how to back up and restore the Registry.



    2.1 Backup And Restore

    There are two things you can do in terms of backing up the Registry: either back up the entire Registry, or export the specific key you are going to edit.



    To export a Registry key, open Regedit using the Run command box. Find the key or sub-key you want to edit and select it by clicking on it. Choose File > Export. In the dialog box, select the location where you want to save the key, select to save it as a .reg file, and select the "Selected Branch" option. Give a name for the file and click Save. It will be saved as a .reg file.



    If you want to back up the entire Registry, use the backup utility provided with XP. It is generally not recommended to export the entire Registry or a hive using the "export" method, as any changes or accidental erasures while working with the .reg file may have disastrous consequences. (Please bear with our warnings—you might just be glad you did!) Open the backup software from All Programs > Accessories > System Tools > Backup. Select the checkbox that says "System State Data". This will back up the registry, boot files, and the COM+ class registration database.



    At any later point, you can either restore the individual key you exported using the method above, or the entire system state. Restoring the individual key is a simple double-click on the .reg file you saved.



    To restore the system state, open the Backup utility, click Advanced Mode and select the Restore and Manage Media tab. Select the backed up system state file you want to restore. Check the System State box. In the "Restore Files to" box, select Original Location. In the Tools menu, select Options, and click on "Always replace the file on my computer", then on OK. (If you don't do this, you will be asked for a confirmation for each and every file during the restore process.) Click "Start Restore". You will get a warning that says: "Restoring System State will always overwrite current System State unless restoring to an alternative location"; click OK to overwrite. Click OK in the Confirm Restore dialog box. The restore operation will start showing you the progress of the restore. When it completes, click Close and accept the prompt to restart the computer.

    January 23, 2008

    Value Types of Windows Registry - Windows XP Registry Hack Tutorials



    As mentioned above, each of these hives contains keys and sub-keys, which in turn can contain further sub-keys or values. These values are of three major types: DWORD, Binary and String.



    REG_DWORD (a DWORD Value) is usually used for Boolean values and is a four-byte number. Many device drivers and services use DWORD values to toggle between options. For example, the UpdateMode setting that controls refresh rates can have a setting of either 0 (disabled) or 1 (enabled). If the DWORD value is set to 0, refreshing does not take place. Each setting has a specific default DWORD value that is used by the system.



    REG_BINARY (a Binary Value) is used to store information as raw binary data, and is usually used for hardware components. The String Value type, however, has expansions to accommodate variables and multiple values. The Value types are denoted as:



    REG_SZ is the standard string used to display human-readable text.



    REG_EXPAND_SZ is an expandable data string that permits storing of variables that can be replaced by actual values by the application calling the key. For example, an application may refer to a particular key in a hive to obtain the location of a system file. The key would contain a setting for that system file, and a string value which is, say, %systemroot%\filename. The %systemroot% will be replaced by the location of the XP operating system folder, which on most machines will be C:\Windows or C:\WINNT.



    REG_MULTI_SZ is used to store lists or multiple values, each entry being separated by a NULL character. This is analogous to arrays in programming. For example, a Registry entry could be created to store the IP addresses of multiple timeservers. An application program would then refer to this Registry entry and cycle through the list of IP addresses.
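    The "Selected Branch" export described in the backup section above produces a text .reg file, and the value types just listed each have their own on-disk spelling in that file: REG_SZ as a quoted string, REG_DWORD as `dword:` plus eight hex digits, REG_BINARY as `hex:` byte lists, and REG_EXPAND_SZ / REG_MULTI_SZ as `hex(2):` and `hex(7):` byte lists holding UTF-16 text (Regedit wraps long byte lists with a trailing backslash). The following added example, which is not part of the original tutorial, parses such an export and decodes every value into its real type, then compares two exports so you can see exactly which values changed between the backup you took and the current state before you double-click a .reg file to restore it. The key path, value names and contents of the sample export are constructed for illustration.

```python
"""Parse a Regedit 'Version 5.00' .reg export and decode each value type.

Added example, not code from the original tutorial. The sample export below is
constructed; the key path and value names are not taken from the page.
"""
import re

# Constructed sample, shaped like a Regedit "Selected Branch" export.
# hex(2) and hex(7) payloads are UTF-16LE bytes, which is how Regedit writes
# REG_EXPAND_SZ and REG_MULTI_SZ; long payloads wrap with a trailing backslash.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example]
@="Example default value"
"UpdateMode"=dword:00000001
"HardwareId"=hex:0a,1b,2c,3d
"LogPath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,6c,00,6f,00,67,00,00,00
"TimeServers"=hex(7):31,00,30,00,2e,00,30,00,2e,00,30,00,2e,00,31,00,00,00,31,\
  00,30,00,2e,00,30,00,2e,00,30,00,2e,00,32,00,00,00,00,00
"""

# Either  @=...  (the key's default value) or  "name"=...  with \" and \\ escapes.
_VALUE_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _join_continuations(text):
    """Rejoin byte lists that Regedit wrapped with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            line = line.lstrip()          # continuation lines are indented
        if line.endswith("\\"):           # string values end in '"', so this is safe
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _unescape(s):
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", s)


def _hex_bytes(payload):
    return bytes(int(h, 16) for h in payload.split(",") if h.strip())


def _multi_sz(data):
    """REG_MULTI_SZ: NUL-separated UTF-16 strings, terminated by an empty string."""
    result = []
    for part in data.decode("utf-16-le").split("\0"):
        if part == "":
            break
        result.append(part)
    return result


def decode_value(rhs):
    """Return (type_name, python_value) for the right-hand side of a value line."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return "REG_SZ", _unescape(rhs[1:-1])
    if rhs.startswith("dword:"):
        return "REG_DWORD", int(rhs[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", rhs)
    if not m:
        raise ValueError("unrecognised value syntax: %r" % rhs)
    kind = int(m.group(1), 16) if m.group(1) else 3   # plain hex: is REG_BINARY (3)
    data = _hex_bytes(m.group(2))
    if kind == 3:
        return "REG_BINARY", data
    if kind == 2:
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\0")
    if kind == 7:
        return "REG_MULTI_SZ", _multi_sz(data)
    return "hex(%x)" % kind, data                       # any other type: raw bytes


def parse_reg(text):
    """Return {key_path: {value_name: (type, value)}}; '@' is the default value."""
    lines = _join_continuations(text)
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a version 5.00 .reg export")
    keys, current = {}, None
    for line in lines[1:]:
        if not line.strip() or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            raise ValueError("value outside any key: %r" % line)
        m = _VALUE_LINE.match(line)
        if not m:
            raise ValueError("malformed value line: %r" % line)
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        keys[current][name] = decode_value(m.group(2))
    return keys


def diff_exports(before, after):
    """List (key, value_name, old, new) for every value that differs between two exports."""
    a, b = parse_reg(before), parse_reg(after)
    changes = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key, {}), b.get(key, {})
        for name in sorted(set(va) | set(vb)):
            if va.get(name) != vb.get(name):
                changes.append((key, name, va.get(name), vb.get(name)))
    return changes


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print("[%s]" % key)
        for name, (kind, value) in values.items():
            print("  %-12s %-14s %r" % (name, kind, value))
    # Constructed "current state" in which UpdateMode was toggled off.
    for change in diff_exports(SAMPLE_REG, SAMPLE_REG.replace("dword:00000001", "dword:00000000")):
        print("changed:", change)
```

    Run `diff_exports(backup_text, current_text)` on the .reg file you exported before editing and a fresh export of the same branch: an empty list means nothing changed, and anything else is the exact set of values a restore (double-clicking the saved .reg file) would put back. The parser only reads the text form; it never touches the live Registry.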

    January 16, 2008

    The Structure And Working Of The Registry - Windows XP Registry Hack Tutorials



    Registry editors visually depict the logical hierarchy into which the entire Registry is organised. Similar to the folder and sub-folder structure in Explorer, the Registry is divided into six main branches called hives.

    Each of these hives contains keys, sub-keys and perhaps sub-sub-keys. Visualise this as sub-folders under a main folder. Each key or sub-key can also contain values. These values are where the information regarding software, hardware, and users is stored. The values are categorised into three primary types: DWORD, String, and Binary. These and some expansions based on them are used depending on the context of the key. "String" is used for human-readable text entries, "Binary" for most hardware and device settings data in raw binary entered in hexadecimal format, and "DWORD" is used for Boolean entries where the option is a list of choices, each of which could invoke a different behaviour by the relevant section of the operating system, hardware, or the application.



    Much of the Registry looks like this—keys, sub-keys, and sub-sub-keys. In the image on the previous page the hive HKEY_CLASSES_ROOT has a key called "*"; this key has a sub-key called "shellex", which in turn has a sub-key called "ContextMenuHandlers", which again has a sub-key called avast. The CA_antivirus sub-key, created by the anti-virus program, contains values that tell Windows to include it in the right-click context menu. The program will also have other information—stored elsewhere in the Registry—addressing different aspects of the program's functioning.

    Each of the six hives serves a different function, storing information specific to that function. Thus:

    HKEY_CLASSES_ROOT contains all the information related to fundamental aspects of the Windows user interface, file association mappings for drag and drop functionality, shortcuts, and OLE (Object Linking and Embedding) information. In XP it is a compilation of the information found in HKEY_CURRENT_USER\Software\Classes and HKEY_LOCAL_MACHINE\Software\Classes. When a value in a sub-key of the same name is present in both hives, the one in HKEY_CURRENT_USER is used.


    HKEY_CURRENT_USER contains all the information related to the current user logged into the system, including such things as Desktop settings, logon names, and other user-specific information. This information is a copy of the currently logged-in user's configuration and other information merged in from the section of the HKEY_USERS hive relevant to the currently logged-in user.



    HKEY_LOCAL_MACHINE contains all the information regarding the hardware, software, and other PC-specific preferences that are common to all the users who log in to the machine.



    HKEY_USERS contains all the information related to specific preferences of individual users, who are each identified by a unique security identifier called the SID. This SID is unique for the life of the system. If a user is deleted and another created with the same name, the SIDs will be different. An SID once used will not be repeated. All information regarding each and every user who has ever logged into the system is stored under the SID and is copied over to the HKEY_CURRENT_USER hive at login. This is particularly useful when a user crosses domains in a multi-domain organisation, or is one with a roaming profile. The particular Registry information is stored on the server in case the user has a roaming profile, and is initialised when he logs in from anywhere on the network. If the user should become part of another domain, a new SID will be created, which will contain information pertinent to that domain—but which will also contain the old SID from the previous domain along with all the information associated with that domain.



    HKEY_CURRENT_CONFIG contains all the information gathered when the computer boots up, and is copied and merged in from portions of HKEY_LOCAL_MACHINE relevant to the current hardware profile. This information is not stored: it is regenerated every time the computer starts up. HKEY_DYN_DATA contains all the information relevant to plug-n-play devices, and is linked in from relevant portions of HKEY_LOCAL_MACHINE. Like in HKEY_CURRENT_CONFIG, this information is dynamic, and changes as devices are added or removed.

    January 9, 2008

    Some History about Windows Registry - Windows XP Registry Hack Tutorials



    SOME BACKGROUND TUTORIAL

    The Registry was introduced as a way out of the "INI files mess" that plagued early versions of Windows. Configuration information regarding the operating system, application files, hardware, and so on was stored in INI files scattered all over the system. For example, when an application is installed, it needs to know various parameters regarding the operating system and the available hardware. Much of this information is common to other applications as well. However, if there was any change in the hardware or operating system software, updating the application's INI files used to be hell.



    The Registry was conceived as a way out of this madness. It is a hierarchical database that stores information regarding the hardware, operating system software, application software, user preferences and system preferences. The hierarchy separates the machine information, user information and the software information into logically discrete units that can be manipulated with greater ease. Any changes made by users, the operating system, newly installed software, and hardware are all updated and reflected in the Registry.



    During system startup, Windows uses the registry to get configuration data regarding the hardware, software and other peripherals that have been configured. It also maintains a backup copy of the registry with which the system last started up successfully. Hence, if it encounters a problem with the current startup, it can use the configuration information from the backup to attempt to start the system. Some of the information stored in the registry is specific to the particular startup session only, and is mostly user-specific. When a user installs new software, Windows will either make the installation user-specific or system-wide. In some software, the user is given the option to select whether the installation should or should not be available to everyone else who uses the system. In other cases, the software will install itself system-wide and save user-specific information separately, making entries in the registry that are both user-specific as well as system-wide.



    For example, when you install Yahoo! Messenger, the program is installed system-wide, but the user information is specific to the currently logged-in user. Any preferences that are made are stored under the username in the registry. If another user logs in and starts Yahoo! Messenger, the default preferences are initialised, and a new entry is created in the Registry under this username.



    This flexibility has deeper significance when considering a networked scenario. Administrators can specify user rights and access to various system and network components. They can control what users can and cannot do on their machines with a fair degree of granular control. For example, Administrators can specify that users are not allowed to install new applications on their machines. A Registry entry disabling the users' right to install would secure the system. And a Registry entry can be made to prevent unauthorized access to the registry itself!



    However, the Registry has not done away entirely with the legacy of INI files, partially due to Microsoft's commitment to backward compatibility and partially because in some cases the Registry wouldn't be available—as in the case of the boot process, when the boot.ini file is used to get the initial startup information.



    Critics of the Registry concept point to it as a "single point of failure." If the Registry is damaged, XP will fail to start up, and in most cases will require a complete reinstall. It is for this reason that the Registry is hidden deep in the system, and any discussion of tweaking the Registry is accompanied by dire warnings of disaster if one does anything wrong. Also, if an application doesn't uninstall correctly, it can leave traces in the registry, which over time will increase its size and affect performance.



    Physically, the Registry information in XP is stored in multiple files in the \System32\Config folder of the operating system (or root) folder—usually C:\Windows or C:\WINNT. These files cannot be edited directly; they have to be accessed through a Registry-editing program such as Regedit.exe or Regedt32.exe.

    January 1, 2008

    Welcome

    Welcome to my new blog!!
     

    Copyright © 2009 ProBlogger Diary. All Rights Reserved. Brought to you by ebizelindia.org