Old 05-22-2008, 07:45 PM   #3 (permalink)
sushrukh
 

Part 3

Registry Structure

Windows Registry is a database of settings used by Windows Vista and the individual applications that run on it. Knowing how to access and modify the Registry effectively is important for troubleshooting, customizing & unlocking hidden features in Windows Vista. The top level of the Registry is organized into five main root branches. By convention, the built-in top-level keys are always shown in all caps, even though the keys in the Registry are not case-sensitive. (For example, HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows is identical to HKEY_CURRENT_USER\Software\Microsoft\Windows.) Their purposes and contents are listed in the following summaries. Note that the root keys are sometimes abbreviated for convenience in documentation (although never in practice); these abbreviations are shown in parentheses. Subsequent sections discuss the contents of the root keys in more detail.

HKEY_CLASSES_ROOT (HKCR)

Contains file types, filename extensions, URL protocol prefixes, and registered classes. You can think of the information in this branch as the "glue" that binds Windows with the applications and documents that run on it. It is critical to drag-and-drop operations, context menus, double-clicking, and many other familiar user interface semantics. The actions defined here tell Windows how to react to every file type available on the system. This entire branch is a mirror (or symbolic link) of HKEY_LOCAL_MACHINE\SOFTWARE\Classes, provided as a root key purely for convenience.

HKEY_CURRENT_USER (HKCU)

Contains user-specific settings for the currently logged-in user. This entire branch is a mirror (or symbolic link) of one of the subkeys of HKEY_USERS (discussed shortly). This allows Windows and all applications to access and store information for the current user without having to determine which user is currently logged in.

An application that keeps information on a per-user basis should store its data in HKEY_CURRENT_USER\Software and put information that applies to all users of the application in HKEY_LOCAL_MACHINE\SOFTWARE. However, what Windows applications consider user-specific and what applies for all users on the machine is somewhat arbitrary. Like many aspects of Windows, the Registry provides a mechanism for applications to store configuration data, but it does little to enforce any policies about how and where that data will actually be stored.

HKEY_LOCAL_MACHINE (HKLM)

Contains information about hardware and software on the machine that is not specific to the current user.

HKEY_USERS (HKU)

Stores underlying user data from which HKEY_CURRENT_USER is drawn. Although several keys will often appear here, only one of them will ever be the active branch. See the discussion of HKEY_USERS, later in this chapter, for details.

HKEY_CURRENT_CONFIG (HKCC)

Contains hardware configuration settings for the currently loaded hardware profile. This branch works similarly to HKEY_CURRENT_USER in that it is merely a mirror (or symbolic link) of another key. In this case, the source is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\XXXX, in which XXXX is a key representing the numeric value of the hardware profile currently in use. On a system with only a single hardware profile, its value will most likely be 0001.

Value Types

Values are where Registry data is actually stored (as opposed to keys, which are simply used to organize values). The Registry contains several types of values, each appropriate to the type of data it is intended to hold. There are six primary types of values that are displayed and modified in the Registry Editor:

String values (REG_SZ)

String values contain strings of characters, more commonly known as text. Most values discussed in this book are string values; they're the easiest to edit and are usually in plain English. In addition to standard strings, there are two far less common string variants, used for special purposes:

Multistring values (REG_MULTI_SZ)

Contain several strings (usually representing a list of some sort), concatenated (glued) together and separated by null characters (ASCII code 00). The dialog used to modify these values is the same as for binary values. Note that the individual characters in REG_MULTI_SZ keys are also separated by null characters, so you'll actually see three null characters in a row between multiple strings.

Expandable string values (REG_EXPAND_SZ)

Contain special variables into which Windows substitutes information before delivering to the owning application. For example, an expanded string value intended to point to a sound file may contain %SystemRoot%\media\startup.wav. When Windows reads this value from the Registry, it substitutes the full Windows path for the variable, %SystemRoot%; the resulting data then becomes (depending on where Windows is installed) C:\windows\media\startup.wav. This way, the value data is correct regardless of the location of the Windows folder.

Binary values (REG_BINARY)

Similarly to string values, binary values hold strings of characters. The difference is the way the data is entered. Instead of a standard text box, binary data is entered with hexadecimal codes in an interface commonly known as a hex editor. Each individual character is specified by a two-digit number in base 16 (e.g., 6E is 110 in base 10), which allows characters not found on the keyboard to be entered. Note that you can type hex codes on the left or normal ASCII characters on the right, depending on where you click with the mouse.

Note that hex values stored in binary Registry values are displayed in a somewhat unconventional format, in which the lowest-order digits appear first, followed by the next-higher pair of digits, and so on. In other words, the digits in a binary value are paired and their order reversed: the hex value 1B3 thus needs to be entered as B3 01. If you want to convert a binary value shown in the Registry Editor to decimal, you'll have to reverse this notation. For example, to find the decimal equivalent of 47 00 65 6e, set the Windows Calculator to hexadecimal mode and enter 6e650047, and then switch to decimal mode to display the decimal equivalent, 1,852,112,967.

Binary values are often not represented by plain English and, therefore, should be left unchanged unless you either understand the contents or are instructed to change them by a solution in this book.

DWORD values (REG_DWORD)

Essentially, a DWORD is a number. Often, the contents of a DWORD value are easily understood, such as 0 for no and 1 for yes, or 60 for the number of seconds in some timeout setting. A DWORD value is used only where numerical digits are allowed; string and binary types allow anything.

Warning: In some circumstances, the particular number entered into a DWORD value is actually made up of several components, called bytes. The REG_DWORD_BIGENDIAN type is a variant of the DWORD type, where the bytes are in a different order. Unless you're a programmer, you'll want to stay away from these types of DWORD values.

The DWORD format, like the binary type, is a hexadecimal number, but this time in a more conventional representation. The leading 0x is a standard programmer's notation for a hex value, and the number is properly read from left to right. The equivalent decimal value is shown in parentheses following the hex value. What's more, when you edit a DWORD value, the edit dialog box gives you a choice of entering the new value in decimal or hex notation.

Even if you're not a programmer, you can figure out hexadecimal values pretty easily with the Windows Calculator (calc.exe). Just enter the number you want to convert and click the Hex radio button to see the hexadecimal equivalent; 435 decimal is equal to 1B3 hex.
--------------------------------------------------------------------------------
Tip: If you aren't sure about the meaning of a specific Registry value, don't be afraid to experiment. Experimenting might include editing a value with the Registry Editor, but it might be easier or safer to work from the other end: open the application whose data is stored there (e.g., a Control Panel applet), change a setting, and watch how the Registry data changes. In this way, you can derive the meaning of many binary-encoded values. Note that although the Registry data will often change immediately, you may need to press F5 (Refresh) to force the Registry Editor to display the newly affected data. It's a good idea, though, to make a backup copy of a Registry key before making any changes.
--------------------------------------------------------------------------------
QWORD values (REG_QWORD)

This is much like a DWORD value, with one difference: it is a 64-bit value, rather than a 32-bit value like DWORD.
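The value encodings described in the post above, as an added example that is not part of the original post: a Python decoder that turns the raw bytes of a Registry value (as seen in the hex editor or in an exported hive) into the number, string or list they represent. The type codes are the Windows SDK constants; the function names and the sample byte strings are constructed for illustration.

```python
import re
import struct

# Registry value type codes as defined in the Windows SDK (winnt.h).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_MULTI_SZ, REG_QWORD = 5, 7, 11

# struct format and required byte length for each numeric type.
NUMERIC = {REG_DWORD: ("<I", 4), REG_DWORD_BIG_ENDIAN: (">I", 4),
           REG_QWORD: ("<Q", 8)}


def parse_hex(text):
    """Convert hex pairs as shown in the Registry Editor ('47 00 65 6e') to bytes."""
    return bytes.fromhex(text.replace(",", " "))


def expand(text, env):
    """Replace %Name% with env[Name] (case-insensitive); unknown names stay as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), text)


def decode_value(reg_type, data, env=None):
    """Decode raw value bytes according to the registry type code."""
    if reg_type in NUMERIC:
        fmt, size = NUMERIC[reg_type]
        if len(data) != size:
            raise ValueError(f"type {reg_type} needs {size} bytes, got {len(data)}")
        return struct.unpack(fmt, data)[0]
    if reg_type == REG_BINARY:
        return data
    if reg_type not in (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ):
        raise ValueError(f"unsupported registry type {reg_type}")
    text = data.decode("utf-16-le")          # strings are stored as UTF-16LE
    if reg_type == REG_MULTI_SZ:
        # NUL-separated list closed by one extra NUL; empty pieces are dropped.
        return [s for s in text.split("\x00") if s]
    text = text.rstrip("\x00")
    return expand(text, env or {}) if reg_type == REG_EXPAND_SZ else text


# Constructed sample data (not taken from a real hive).
MULTI_RAW = "ab\x00cd\x00\x00".encode("utf-16-le")
EXPAND_RAW = "%SystemRoot%\\media\\startup.wav\x00".encode("utf-16-le")

if __name__ == "__main__":
    print(decode_value(REG_DWORD, parse_hex("47 00 65 6e")))
    print(decode_value(REG_MULTI_SZ, MULTI_RAW))
    print(decode_value(REG_EXPAND_SZ, EXPAND_RAW, {"SystemRoot": r"C:\windows"}))
```

Because each character occupies two bytes in UTF-16LE, the raw bytes of `MULTI_RAW` contain a run of three 00 bytes between the two strings, which is the pattern the hex editor shows for multistring values.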