January 16, 2008

The Structure And Working Of The Registry - Windows XP Registry Hack Tutorials



Registry editors visually depict the logical hierarchy into which the entire Registry is organised. Similar to the folder and sub-folder structure in Explorer, the Registry is divided into six main branches called hives.

Each of these hives contains keys, sub-keys and perhaps sub-sub-keys. Visualise this as sub-folders under a main folder. Each key or sub-key can also contain values. These values are where the information regarding software, hardware, and users is stored. The values are categorised into three primary types: DWORD, String, and Binary. These and some expansions based on them are used depending on the context of the key. "String" is used for human-readable text entries, "Binary" for most hardware and device settings data in raw binary entered in hexadecimal format, and "DWORD" is used for Boolean entries and for entries where the option is a list of choices, each of which could invoke a different behaviour by the relevant section of the operating system, hardware, or the application.



Much of the Registry looks like this—keys, sub-keys, and sub-sub-keys

In the image on the previous page the hive HKEY_CLASSES_ROOT has a key called "*"; this key has a sub-key called "shellex", which in turn has a sub-key called "ContextMenuHandlers", which again has a sub-key called avast. The CA_antivirus sub-key, created by the anti-virus program, contains values that tell Windows to include it in the right-click context menu. The program will also have other information—stored elsewhere in the Registry—addressing different aspects of the program's functioning.

Each of the six hives serves a different function, storing information specific to the hive's function. Thus:

HKEY_CLASSES_ROOT contains all the information related to fundamental aspects of the Windows user interface, file association mappings for drag and drop functionality, shortcuts, and OLE (Object Linking and Embedding) information. In XP it is a compilation of the information found in HKEY_CURRENT_USER\Software\Classes and HKEY_LOCAL_MACHINE\Software\Classes. When a value in a sub-key of the same name is present in both hives, the one in HKEY_CURRENT_USER is used.


HKEY_CURRENT_USER contains all the information related to the current user logged into the system, including such things as Desktop settings, logon names, and other user-specific information. This information is a copy of the currently logged-in user's configuration and other information merged in from the section of the HKEY_USERS hive relevant to the currently logged-in user.



HKEY_LOCAL_MACHINE contains all the information regarding the hardware, software, and other PC-specific preferences that are common to all the users who log in to the machine.



HKEY_USERS contains all the information related to specific preferences of individual users, who are each identified by a unique security identifier called the SID. This SID is unique for the life of the system. If a user is deleted and another created with the same name, the SIDs will be different. An SID once used will not be repeated. All information regarding each and every user who has ever logged into the system is stored under the SID and is copied over to the HKEY_CURRENT_USER hive at login. This is particularly useful when a user crosses domains in a multi-domain organisation, or has a roaming profile. If the user has a roaming profile, the particular Registry information is stored on the server and is initialised when he logs in from anywhere on the network. If the user should become part of another domain, a new SID will be created, which will contain information pertinent to that domain—but which will also contain the old SID from the previous domain along with all the information associated with that domain.



HKEY_CURRENT_CONFIG contains all the information gathered when the computer boots up, and is copied and merged in from portions of HKEY_LOCAL_MACHINE relevant to the current hardware profile. This information is not stored: it is regenerated every time the computer starts up.

HKEY_DYN_DATA contains all the information relevant to plug-n-play devices, and is linked in from relevant portions of HKEY_LOCAL_MACHINE. As in HKEY_CURRENT_CONFIG, this information is dynamic, and changes as devices are added or removed.
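The value types and the HKEY_CLASSES_ROOT merge rule described above can be checked against a Registry export. The following is an added example, not part of the original tutorial: it parses the text of a .reg export, decodes String, DWORD and Binary values, builds the merged classes view, and lists every value where HKEY_CURRENT_USER shadows HKEY_LOCAL_MACHINE. The sample export and the name ExampleEditor.Document are constructed; the input is assumed to be already decoded to text (regedit writes version 5 exports as UTF-16).

```python
import re
# Constructed sample in the text format that regedit's export writes (.reg, version 5).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\.txt]
@="txtfile"
"PerceivedType"="text"
"EditFlags"=dword:00010000

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="ExampleEditor.Document"
"Blob"=hex:de,ad,\
  be,ef
'''
HKLM = "HKEY_LOCAL_MACHINE\\Software\\Classes"
HKCU = "HKEY_CURRENT_USER\\Software\\Classes"

def decode(raw):
    """Decode the three primary value types: DWORD, Binary (hex), String."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):                   # hex: and typed forms such as hex(2):
        return bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
    return re.sub(r"\\(.)", r"\1", raw[1:-1])   # strip quotes, undo \\ and \" escapes

def parse_reg(text):
    """Return {key_path: {value_name: value}}; '@' is the key's default value."""
    text = re.sub(r"\\\r?\n\s*", "", text)      # join hex data continued across lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)):
            name = m.group(1) if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = decode(m.group(2))
    return keys

def merged_classes(keys):
    """Build the HKEY_CLASSES_ROOT view; report values where HKCU shadows HKLM."""
    view, shadowed = {}, []
    for root in (HKLM, HKCU):                   # HKCU is applied last, so it wins
        for path, values in keys.items():
            if path.lower().startswith(root.lower() + "\\"):
                sub = path[len(root) + 1:].lower()   # key paths are case-insensitive
                for name, val in values.items():
                    if root == HKCU and name in view.get(sub, {}):
                        shadowed.append((sub, name, view[sub][name], val))
                    view.setdefault(sub, {})[name] = val
    return view, shadowed
```

Each tuple in the second return value is (sub-key, value name, machine-wide value, per-user value), which makes the list usable for reviewing per-user overrides of file associations.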

Copyright © 2009 ProBlogger Diary. All Rights Reserved. Brought to you by ebizelindia.org