Managing The Registry

  • System configuration information is stored centrally in a hierarchical database called the registry.
  • You can use Registry Editor to add and edit registry keys and values, restore the registry from a backup or to default values, and to import or export keys for reference or backup.
  • The registry is a hierarchical database that contains data that is critical for the operation of Windows and the applications and services that run on Windows. The data is structured in a tree format. Each node in the tree is called a key. Each key can contain both subkeys and data entries called values.
  • Each key has a name consisting of one or more printable characters. Key names are not case sensitive. Key names cannot include the backslash character (\), but any other printable character can be used. Value names and data can include the backslash character.
  • The name of each subkey is unique with respect to the key that is immediately above it in the hierarchy. Key names are not localized into other languages, although values may be.
  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.
  • You must have appropriate permissions to make changes to a registry key. To maintain security when making changes to a registry key for which you need administrative credentials, log on as a member of the Users group and run Regedit as an administrator by right-clicking the Regedit icon, clicking Run as, and clicking an account in the local Administrators group. The Regedit icon does not appear on the Start menu by default. To access the icon, open the Windows or WINNT folder on your computer.
  • To start Registry Editor, click Start, click Run, type Regedit, and then click OK. Registry Editor opens.

Registry structure
  • The registry is organized in a hierarchical structure of subtrees and their keys, subkeys, and entries.
  • The contents of the registry for one computer may vary widely from that of another, depending on the devices, services, and programs installed on each computer.
  • Keys can have subkeys and subkeys can, in turn, have subkeys. While most information in the registry is stored on disk and is considered permanent, some information, stored in volatile keys, is overwritten each time the operating system starts.
  • Subtrees are the root, or primary divisions, of the registry.
  • HKEY_CLASSES_ROOT: Contains information used by various OLE technologies and file-class association data. A particular key or value exists in HKEY_CLASSES_ROOT if a corresponding key or value exists in either HKEY_LOCAL_MACHINE\SOFTWARE\Classes or HKEY_CURRENT_USER\SOFTWARE\Classes. If a key or value exists in both places, the HKEY_CURRENT_USER version is the one that appears in HKEY_CLASSES_ROOT.
  • HKEY_CURRENT_USER: Contains the user profile for the user who is currently logged on interactively (as opposed to remotely), including environment variables, desktop settings, network connections, printers, and program preferences. This subtree is an alias of the HKEY_USERS subtree and points to HKEY_USERS\<security ID of the current user>.
  • HKEY_LOCAL_MACHINE: Contains information about the local computer system, including hardware and operating system data such as bus type, system memory, device drivers, and startup control data.
  • HKEY_USERS: Contains information about actively loaded user profiles and the default profile. This includes information that also appears in HKEY_CURRENT_USER. Users who are accessing a server remotely do not have profiles under this key on the server; their profiles are loaded into the registry of their own computers.
  • HKEY_CURRENT_CONFIG: Contains information about the hardware profile used by the local computer system at startup. This information is used to configure settings such as the device drivers to load and the display resolution to use. This subtree is part of the HKEY_LOCAL_MACHINE subtree and points to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
  • Each root key name begins with HKEY_ to indicate to software developers that this is a handle that a program can use. A handle is a value used to identify a resource so that a program can access it.
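The HKEY_CLASSES_ROOT merge rule above (the HKEY_CURRENT_USER copy wins whenever both subtrees define the same class key) is worth being able to check from a script, because a per-user entry under HKCU\Software\Classes silently replaces the machine-wide one for that user. The following PowerShell is an added example written for this page, not code from the original article; the class names passed to it are assumptions for the demonstration.

```powershell
# Added example (not from the original article): report which subtree supplies an entry
# that appears under HKEY_CLASSES_ROOT, applying the merge rule from the text.
function Get-ClassesRootSource {
    param(
        [Parameter(Mandatory)][string]$RelativePath   # e.g. '.txt' or 'CLSID\{...}'
    )
    $userPath    = Join-Path 'HKCU:\Software\Classes' $RelativePath
    $machinePath = Join-Path 'HKLM:\Software\Classes' $RelativePath
    $inUser      = Test-Path -LiteralPath $userPath
    $inMachine   = Test-Path -LiteralPath $machinePath

    [pscustomobject]@{
        RelativePath = $RelativePath
        InHKCU       = $inUser
        InHKLM       = $inMachine
        # HKCR shows the HKCU copy whenever one exists, otherwise the HKLM copy.
        ShownFrom    = if ($inUser) { 'HKEY_CURRENT_USER' }
                       elseif ($inMachine) { 'HKEY_LOCAL_MACHINE' }
                       else { '(not present)' }
        # True when a per-user registration is hiding a machine-wide one for this user.
        Shadowed     = $inUser -and $inMachine
    }
}

# Review helper: every per-user CLSID registration that shadows a machine-wide one.
function Get-ShadowedClsid {
    $userClsid = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -LiteralPath $userClsid)) { return }
    Get-ChildItem -LiteralPath $userClsid |
        ForEach-Object { Get-ClassesRootSource -RelativePath ('CLSID\' + $_.PSChildName) } |
        Where-Object Shadowed
}

Get-ClassesRootSource -RelativePath '.txt'
Get-ShadowedClsid | Format-Table RelativePath, ShownFrom -AutoSize
```

Run it in the context of the user whose view of HKEY_CLASSES_ROOT you are examining, since HKCU: resolves to that user's profile hive.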

Registry hives and files
  • The term hive describes a body of keys, subkeys, and values that is rooted at the top of the registry hierarchy. A hive is backed by a single file and a .log file that are in the systemroot\System32\Config or the systemdrive\Documents and Settings\username folders.
    • In the Windows Server 2003 family of operating systems, the location of user profile information for each user of a computer, including the Ntuser.dat and Ntuser.dat.log, may depend on whether the installation of the operating system was a fresh installation or whether it was installed as an upgrade from Windows NT or Windows 2000.
    • In fresh installations, the Ntuser.dat and Ntuser.dat.log files are stored in the systemdrive\Documents and Settings\username folder. In installations that are upgrades from Windows NT or Windows 2000, the Ntuser.dat and Ntuser.dat.log files are stored in the systemroot\Profiles\username folder.
    • By default, most hive files (DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM) are stored in the systemroot\System32\Config folder.
    • HKEY_LOCAL_MACHINE\SAM: Sam and Sam.log
    • HKEY_LOCAL_MACHINE\SECURITY: Security and Security.log
    • HKEY_LOCAL_MACHINE\SOFTWARE: Software and Software.log
    • HKEY_LOCAL_MACHINE\SYSTEM: System and System.log
    • HKEY_CURRENT_CONFIG: System and System.log
    • HKEY_CURRENT_USER: Ntuser.dat and Ntuser.dat.log
    • HKEY_USERS\.DEFAULT: Default and Default.log
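The hive-to-file mapping listed above is recorded by the kernel at boot in HKLM\SYSTEM\CurrentControlSet\Control\hivelist, where each value name is a hive's kernel path (for example \REGISTRY\MACHINE\SAM) and its data is the device path of the backing file. Reading that key is the quickest way to confirm which file a loaded hive really comes from. This PowerShell is an added example written for this page, not the article's own code; the expected-location check simply encodes the folders the text names, so entries such as the BCD hive or per-application settings hives will be reported for manual review rather than matched.

```powershell
# Added example (not from the original article): list loaded hives and their backing files.
function Get-LoadedHive {
    $list = Get-Item -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    foreach ($hive in $list.GetValueNames()) {
        $file = [string]$list.GetValue($hive)
        [pscustomobject]@{
            Hive        = $hive     # e.g. \REGISTRY\MACHINE\SAM or \REGISTRY\USER\S-1-5-21-...
            BackingFile = $file     # e.g. \Device\HarddiskVolume2\Windows\System32\config\SAM
            # The HARDWARE hive is rebuilt at every boot and has no file behind it.
            Volatile    = [string]::IsNullOrEmpty($file)
            # Locations named in the article: machine hives in System32\config,
            # user hives as Ntuser.dat (or the UsrClass.dat file for the user's Classes).
            Expected    = [string]::IsNullOrEmpty($file) -or
                          $file -match '\\System32\\config\\' -or
                          $file -match '\\(ntuser|UsrClass)\.dat$'
        }
    }
}

Get-LoadedHive | Format-Table Hive, BackingFile, Volatile -AutoSize

# Hives backed by a file outside the documented folders deserve a second look.
Get-LoadedHive | Where-Object { -not $_.Expected } | Format-Table Hive, BackingFile -AutoSize
```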

Entries in the registry keys
    • Each registry key or subkey can contain data called entries. Some entries store information that is specific to each user, while others store information that applies to all users of a computer. An entry has three parts: the name of the value, the data type of the value, and the value itself.
    • Data types describe the format of the data. Data types from 0 through 0x7FFFFFFF are reserved for definition by the system. Programs are encouraged to use these data types, but data types from 0x80000000 through 0xFFFFFFFF are also reserved for use by programs.
    • REG_BINARY: Raw binary data. Most hardware component information is stored as binary data and is displayed in Registry Editor in hexadecimal format.
    • REG_DWORD: Data represented by a number that is 4 bytes long. Many parameters for device drivers and services are this type and are displayed in Registry Editor in binary, hexadecimal, or decimal format.
    • REG_EXPAND_SZ: A variable-length data string. This data type includes environment variables that are resolved when a program or service uses the data.
    • REG_MULTI_SZ: A multiple-string value. Values that contain lists or multiple values in a form that people can read are usually this type. Entries are separated by spaces, commas, or other marks.
    • REG_SZ: A fixed-length text string.
    • REG_FULL_RESOURCE_DESCRIPTOR: A series of nested arrays designed to store a resource list for a hardware component or driver.

Change keys and values

To find a string, value, or key
    • Open Registry Editor.
    • On the Edit menu, click Find.
    • In Find what, type the string, value, or key you want to find.
    • Select the Keys, Values, Data, and Match whole string only check boxes to match the type of search you want, and then click Find Next. 
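The Find dialog searches key names, value names, and value data from the selected key downward, optionally matching the whole string only. The same search can be scripted, which is useful when you need the complete list of matches rather than stepping through them with Find Next. This PowerShell function is an added example written for this page, not code from the original article; the starting key and pattern in the usage line are assumptions.

```powershell
# Added example (not from the original article): a scripted equivalent of Edit > Find.
function Find-RegistryString {
    param(
        [Parameter(Mandatory)][string]$Path,      # starting key, e.g. 'HKCU:\Software'
        [Parameter(Mandatory)][string]$Pattern,   # text to look for (case-insensitive, like Regedit)
        [switch]$Keys,                            # the "Keys" check box
        [switch]$Values,                          # the "Values" check box
        [switch]$Data,                            # the "Data" check box
        [switch]$WholeString                      # the "Match whole string only" check box
    )
    function Test-Match([string]$Text) {
        if ($WholeString) { return [string]::Equals($Text, $Pattern, 'OrdinalIgnoreCase') }
        return $Text.IndexOf($Pattern, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    }
    # The starting key plus every subkey beneath it; keys we are not permitted to open are skipped.
    $allKeys = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $allKeys) {
        if ($Keys -and (Test-Match $key.PSChildName)) {
            [pscustomobject]@{ Key = $key.Name; Matched = 'Key'; ValueName = $null; Data = $null }
        }
        if (-not ($Values -or $Data)) { continue }
        foreach ($name in $key.GetValueNames()) {
            # Read data unexpanded so REG_EXPAND_SZ is searched as stored, not as resolved.
            $text = "$($key.GetValue($name, $null, 'DoNotExpandEnvironmentNames'))"
            if ($Values -and (Test-Match $name)) {
                [pscustomobject]@{ Key = $key.Name; Matched = 'ValueName'; ValueName = $name; Data = $text }
            }
            if ($Data -and (Test-Match $text)) {
                [pscustomobject]@{ Key = $key.Name; Matched = 'Data'; ValueName = $name; Data = $text }
            }
        }
    }
}

# All keys, value names and data under HKCU\Software\Microsoft that mention "Explorer":
Find-RegistryString -Path 'HKCU:\Software\Microsoft' -Pattern 'Explorer' -Keys -Values -Data |
    Format-Table Matched, Key, ValueName -AutoSize
```

Binary and multi-string data are rendered as text before matching, so a search for a number will also hit REG_DWORD values whose decimal form contains it, which mirrors how Registry Editor's Data search behaves.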

To add a registry key to Favorites
    • To open Registry Editor, click Start, click Run, type regedit, and then click OK.
    • You can create a list of favorite/frequently visited registry keys.
    • To remove a registry key from the Favorites list, on the Favorites menu, click Remove Favorite, and then select one or more registry keys to remove from the Favorites list. Renaming a favorite does not rename the corresponding registry key.

To add a value to a registry key entry
    • Open Registry Editor.
    • Click the key or entry where you want to add the new value.
    • On the Edit menu, point to New, and then click the type of value you want to add: String Value, Binary Value, DWORD Value, Multi-String Value, or Expandable String Value.
    • Type a name for the new value, and then press ENTER.
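The five value types offered on the Edit > New menu correspond to REG_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ and REG_EXPAND_SZ from the data-type list above. The following PowerShell is an added example written for this page, not the article's own code; it creates one entry of each type under a scratch key (the key path is an assumption for the demo), reads them back with their data types, and shows the one behaviour that is easy to miss in the GUI: a REG_EXPAND_SZ value is stored with its %VARIABLE% intact and is only expanded when a consumer reads it.

```powershell
# Added example (not from the original article): create and read back each Regedit value type.
$scratch = 'HKCU:\Software\RegistryDemo'   # demo location; removed again at the end
New-Item -Path $scratch -Force | Out-Null

New-ItemProperty -Path $scratch -Name 'Sz'       -PropertyType String       -Value 'plain text'            | Out-Null
New-ItemProperty -Path $scratch -Name 'ExpandSz' -PropertyType ExpandString -Value '%SystemRoot%\System32' | Out-Null
New-ItemProperty -Path $scratch -Name 'MultiSz'  -PropertyType MultiString  -Value @('one', 'two', 'three') | Out-Null
New-ItemProperty -Path $scratch -Name 'Dword'    -PropertyType DWord        -Value 0x1F                    | Out-Null
New-ItemProperty -Path $scratch -Name 'Binary'   -PropertyType Binary       -Value ([byte[]](0xDE, 0xAD, 0xBE, 0xEF)) | Out-Null

# RegistryValueKind names as returned by GetValueKind, mapped to the REG_* names used in the text.
$regName = @{
    String = 'REG_SZ'; ExpandString = 'REG_EXPAND_SZ'; Binary = 'REG_BINARY'
    DWord  = 'REG_DWORD'; MultiString = 'REG_MULTI_SZ'; QWord = 'REG_QWORD'
}

$key = Get-Item -LiteralPath $scratch
foreach ($name in $key.GetValueNames()) {
    $kind = $key.GetValueKind($name)
    # Read the stored form; DoNotExpandEnvironmentNames leaves %SystemRoot% unresolved.
    $raw  = $key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $text = switch ("$kind") {
        'Binary'      { ($raw | ForEach-Object { $_.ToString('X2') }) -join ' ' }   # hex, as Regedit shows it
        'MultiString' { $raw -join ' | ' }
        default       { "$raw" }
    }
    [pscustomobject]@{ Name = $name; Type = $regName["$kind"]; StoredData = $text }
}

# The same REG_EXPAND_SZ entry read the way a program normally reads it: variables resolved.
"Expanded: " + $key.GetValue('ExpandSz')

Remove-Item -Path $scratch -Recurse
```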

To rename a registry key or value
    • Open Registry Editor.
    • Click the key or entry you want to rename.
    • On the Edit menu, click Rename.
    • Type the new name, and then press ENTER.

To connect to a registry over a network
    • Open Registry Editor.
    • On the File menu, click Connect Network Registry.
    • In the Select Computer dialog box, type the name of the computer to whose registry you want to connect.

To disconnect from a network registry
    • Open Registry Editor.
    • On the File menu, click Disconnect Network Registry.
    • In the Disconnect Network Registry dialog box, click the name of the computer from whose registry you want to disconnect.
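Connect Network Registry opens the other computer's registry through its Remote Registry service, and Disconnect simply closes that handle. The PowerShell below is an added example written for this page, not code from the original article. It does the same connect-read-disconnect from a script, and adds the check an administrator should run on a computer before allowing remote connections to it: whether the Remote Registry service is running, and what the winreg key's AllowedExactPaths and AllowedPaths lists permit remote callers to read. The computer name and key in the usage lines are assumptions.

```powershell
# Added example (not from the original article): programmatic Connect / Disconnect Network Registry.
function Get-RemoteRegistryValue {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$SubKey,      # relative to HKEY_LOCAL_MACHINE
        [Parameter(Mandatory)][string]$ValueName
    )
    # Equivalent of File > Connect Network Registry for the HKLM subtree.
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $base.OpenSubKey($SubKey)   # read-only handle
        if ($null -eq $key) { throw "Key '$SubKey' not found or not permitted on $ComputerName" }
        try { $key.GetValue($ValueName) } finally { $key.Close() }
    }
    finally {
        $base.Close()                      # equivalent of File > Disconnect Network Registry
    }
}

function Get-RemoteRegistryExposure {
    # Run locally: what does this computer expose to remote registry connections?
    $svc    = Get-Service -Name RemoteRegistry
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    [pscustomobject]@{
        ServiceStatus     = $svc.Status
        ServiceStartType  = $svc.StartType
        # Who may connect at all is decided by the ACL on the winreg key itself.
        WinregAccess      = (Get-Acl -LiteralPath $winreg).Access |
                                ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }
        # Keys readable remotely by callers the winreg ACL does not otherwise permit.
        AllowedExactPaths = (Get-ItemProperty -LiteralPath "$winreg\AllowedExactPaths" -ErrorAction SilentlyContinue).Machine
        AllowedPaths      = (Get-ItemProperty -LiteralPath "$winreg\AllowedPaths"      -ErrorAction SilentlyContinue).Machine
    }
}

Get-RemoteRegistryValue -ComputerName 'SERVER01' `
    -SubKey 'SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ValueName 'ProductName'
Get-RemoteRegistryExposure
```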

To copy a registry key name
    • Open Registry Editor.
    • In the registry tree (on the left), click a registry key.
    • On the Edit menu, click Copy Key Name.
    • Paste the name of the registry key into another program or document.

To restore the registry
    • Open Registry Editor.
    • Click Start, and then click Shut Down.
    • In the list, click Restart, and then click OK.
    • When you see the message Please select the operating system to start, press F8.
    • Use the arrow keys to highlight Last Known Good Configuration, and then press ENTER.
    • NUM LOCK must be off before the arrow keys on the numeric keypad will function.
    • Use the arrow keys to highlight an operating system, and then press ENTER.
    • Choosing Last Known Good Configuration provides a way to recover from problems such as a newly added driver that may be incorrect for your hardware. It does not solve problems caused by corrupted or missing drivers or files.
    • When you choose Last Known Good Configuration, Windows restores information in registry key HKLM\System\CurrentControlSet only. Any changes you have made in other registry keys remain.
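Last Known Good Configuration works because HKLM\SYSTEM keeps more than one control set: HKLM\SYSTEM\Select records which ControlSet00N is in use now (Current), which will be used at the next boot (Default), which one Last Known Good would switch to (LastKnownGood), and which one last failed to boot (Failed, 0 when none). Reading Select and diffing the two control sets shows in advance exactly what choosing Last Known Good would roll back, and makes concrete the note above that nothing outside HKLM\SYSTEM\CurrentControlSet is touched. This PowerShell is an added example written for this page, not code from the original article.

```powershell
# Added example (not from the original article): inspect what Last Known Good would restore.
function Get-ControlSetSelection {
    $select = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\Select'
    $onDisk = Get-ChildItem -LiteralPath 'HKLM:\SYSTEM' |
                  Where-Object PSChildName -like 'ControlSet0*' | ForEach-Object PSChildName
    [pscustomobject]@{
        Current       = 'ControlSet{0:D3}' -f $select.Current
        Default       = 'ControlSet{0:D3}' -f $select.Default
        LastKnownGood = 'ControlSet{0:D3}' -f $select.LastKnownGood
        Failed        = if ($select.Failed -eq 0) { '(none)' } else { 'ControlSet{0:D3}' -f $select.Failed }
        OnDisk        = $onDisk -join ', '
        # If LKG and Current are the same set, choosing LKG changes nothing.
        LkgDiffers    = $select.Current -ne $select.LastKnownGood
    }
}

# Services and drivers whose start type or image path differs between the current
# control set and the Last Known Good set: these are what LKG would revert.
function Compare-ControlSetServices {
    $select = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\Select'
    $curPath = 'HKLM:\SYSTEM\ControlSet{0:D3}\Services' -f $select.Current
    $lkgPath = 'HKLM:\SYSTEM\ControlSet{0:D3}\Services' -f $select.LastKnownGood
    if ($curPath -eq $lkgPath) { return }
    foreach ($svc in Get-ChildItem -LiteralPath $curPath) {
        $name = $svc.PSChildName
        $new  = Get-ItemProperty -LiteralPath $svc.PSPath
        $old  = Get-ItemProperty -LiteralPath (Join-Path $lkgPath $name) -ErrorAction SilentlyContinue
        if ($null -eq $old) {
            [pscustomobject]@{ Service = $name; Change = 'added since LKG'; Current = $new.ImagePath; LastKnownGood = $null }
        }
        elseif ($old.Start -ne $new.Start -or $old.ImagePath -ne $new.ImagePath) {
            [pscustomobject]@{
                Service       = $name
                Change        = 'modified'
                Current       = "Start=$($new.Start) $($new.ImagePath)"
                LastKnownGood = "Start=$($old.Start) $($old.ImagePath)"
            }
        }
    }
}

Get-ControlSetSelection
Compare-ControlSetServices | Format-Table -AutoSize
```

A driver that was installed and then made the system unbootable shows up here as "added since LKG" or "modified", which is precisely the case the text says Last Known Good is meant for; a corrupted driver file on disk does not appear, because the control set only records the configuration, not the file.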

Exporting registry files
    • Open Registry Editor. If you want to save only a particular branch, select it.
    • On the File menu, click Export….
    • In File name, enter a name for the registry file.
    • In Save as type, select the file type you wish to use for the saved file (registration file, registry hive file, text file, Windows 98/NT4.0 registration file).
    • In Export Range, use the radio buttons to select whether you want to export the entire registry or only the selected branch.
    • Click Save.
    • Registry Editor provides a number of commands that are designed primarily for maintaining your system.
    • For example, Load Hive and Unload Hive allow part of a system's registry to be temporarily loaded onto another computer for maintenance. Before a hive can be loaded or restored, it must be saved as a key, either to a floppy disk or to your hard disk.

Importing registry files
    • Open Registry Editor.
    • On the File menu, click Import.
    • Find the file you want to import, click the file to select it, and then click Open.
    • A restored hive overwrites an existing registry key and becomes a permanent part of your configuration. For example, to perform maintenance on part of your system, you can use Export to save a hive to a disk. When you are ready, you can then use Import on the File menu to restore the saved key to your system.
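Because an import overwrites the existing key without further confirmation, a .reg file that has been off the machine for maintenance should be verified before it is imported. The command-line counterpart of File > Export and File > Import is reg.exe, and the PowerShell below wraps it so that a SHA-256 hash is recorded at export time and checked, together with the file's header line, before import. This is an added example written for this page, not code from the original article; the key and file paths in the usage lines are assumptions.

```powershell
# Added example (not from the original article): scripted export and verified import of a branch.
function Export-RegistryBranch {
    param(
        [Parameter(Mandatory)][string]$Key,    # e.g. 'HKCU\Environment' (reg.exe syntax, no colon)
        [Parameter(Mandatory)][string]$File    # destination .reg file
    )
    # /y overwrites an existing file; reg.exe sets exit code 0 on success.
    & reg.exe export $Key $File /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $Key (exit code $LASTEXITCODE)" }
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $File).Hash
    Set-Content -LiteralPath "$File.sha256" -Value $hash
    $hash
}

function Import-RegistryBranch {
    param([Parameter(Mandatory)][string]$File)
    # 1. The file must still match the hash recorded when it left the machine.
    $expected = (Get-Content -LiteralPath "$File.sha256" -Raw).Trim()
    $actual   = (Get-FileHash -Algorithm SHA256 -LiteralPath $File).Hash
    if ($actual -ne $expected) { throw "$File does not match its recorded hash; refusing to import" }
    # 2. It must be a registration file of the expected version (reg.exe writes UTF-16 with a BOM,
    #    which Get-Content detects; Windows 98/NT 4.0 files start with REGEDIT4 instead).
    $header = Get-Content -LiteralPath $File -TotalCount 1
    if ($header -ne 'Windows Registry Editor Version 5.00') { throw "Unexpected header '$header' in $File" }
    # 3. Only then overwrite the key.
    & reg.exe import $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed for $File (exit code $LASTEXITCODE)" }
}

$regFile = Join-Path $env:TEMP 'Environment.reg'
Export-RegistryBranch -Key 'HKCU\Environment' -File $regFile
Import-RegistryBranch -File $regFile
```

The hash file only protects against accidental corruption or substitution in transit; if the export is handed to someone else, record the hash separately from the file so the two cannot be replaced together.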

To grant full control of a registry key
    • Open Registry Editor.
    • Click the key to which you want to grant full control.
    • On the Edit menu, click Permissions.
    • Under Group or user names, click the user to whom you want to grant full control of your registry key.
    • Under Permissions for name, where name represents the name of the user to whom you are granting full control of the key, select the Allow check box for Full Control.

To assign permissions to a registry key
    • Open Registry Editor.
    • Click the key to which you want to assign permissions.
    • On the Edit menu, click Permissions.
    • Assign an access level to the selected key as follows:
    • To grant the user permission to read the key contents, but not save any changes made to the file, under Permissions for name, for Read, select the Allow check box.
    • To grant the user permission to open, edit, and take ownership of the selected key, under Permissions for name, for Full Control, select the Allow check box.
    • To grant the user special permission in the selected key, click Advanced.
    • If you are assigning permissions to a subkey and you want the inheritable permissions assigned to the parent key to apply to the subkey also, click Advanced and select the Inherit from parents the permission entries that apply to child objects. Include these with entries explicitly defined here check box.

To assign special access to a registry key
    • Open Registry Editor.
    • Click the key to which you want to assign special access.
    • On the Edit menu, click Permissions.
    • Click Advanced, and then double-click the user or group to whom you want to assign special access.
    • Under Permissions, select the Allow or Deny check box for each permission you want to allow or deny.

To add users or groups to the Permissions list
    • Open Registry Editor.
    • Click the key whose Permissions list you want to change.
    • On the Edit menu, click Permissions, and then click Add.
    • In the Select Users, Computers, or Groups dialog box, click Locations, and then click the computer or domain of the users and groups you want to view.
    • Type the name or names of the users or groups you would like to add, separating each name with a semicolon. Click Check Names to validate names with the directory.
    • When you are finished entering names, click OK.
    • In the Permissions dialog box, under Permissions for name, assign a type of access to the selected user or group as follows:
    • To grant the user permission to read the key contents but not to save any changes made to it, select the Allow check box for Read.
    • To grant the user permission to open, edit, and take ownership of the selected key, select the Allow check box for Full Control.
    • If the check boxes under Permissions are shaded, the key has inherited permissions from the parent object key.
    • To allow permissions assigned to a parent key to apply to its subkeys also, click Advanced, and select the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box.
    • In the Select Users, Computers, or Groups dialog box, if you type the name, rather than selecting it, click Check Names before clicking OK.

To remove a user or group from the Permissions list
    • Open Registry Editor.
    • Click the key whose Permissions list you want to change.
    • On the Edit menu, click Permissions.
    • Under Group or user names, click the name of the user or group that you want to remove from the Permissions list.
    • Click Remove.

To audit activity on a registry key
    • Open Registry Editor.
    • Click the key you want to audit.
    • On the Edit menu, click Permissions.
    • Click Advanced, and then click the Auditing tab.
    • Double-click the name of a group or user.
    • Under Access, select or clear the Successful and Failed check boxes for the activities that you want to audit or to stop auditing:
    • Query Value: Any attempt to read an entry from a registry key.
    • Set Value: Any attempt to set entries in a registry key.
    • Create Subkey: Any attempt to create subkeys on the selected registry key.
    • Enumerate Subkeys: Any attempt to identify the subkeys of a registry key.
    • Notify: Any notification events from a key in the registry.
    • Create Link: Any attempt to create a symbolic link in a particular key.
    • Delete: Any attempt to delete a registry object.
    • Write DAC: Any attempt to write a discretionary access control list on the key.
    • Write Owner: Any attempt to change the owner of the selected key.
    • Read Control: Any attempt to open the discretionary access control list on a key.
    • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
    • If your computer is connected to a network, network policy settings might prevent you from completing this procedure.
    • You must first add users and groups before specifying the events to audit.
    • Auditing activity can slow the computer down significantly. Consider auditing only failures, and not successes.

To take ownership of a registry key
    • Open Registry Editor.
    • Click the key you want to take ownership of.
    • On the Edit menu, click Permissions.
    • Click Advanced, and then click the Owner tab.
    • Under Change owner to, click the new owner, and then click OK.
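The Permissions dialog procedures above (grant Read rather than Full Control, assign special access, add and remove entries, inherit from the parent) and the Owner tab all edit the key's security descriptor, which Get-Acl and Set-Acl expose to scripts. The PowerShell below is an added example written for this page, not code from the original article; it works against a scratch key so it can be tried safely, and the key path and account names are assumptions. Note that ReadKey is the scripted equivalent of the Read check box (Query Value, Enumerate Subkeys, Notify and Read Control), and that IsInherited in the output corresponds to the shaded check boxes the text describes.

```powershell
# Added example (not from the original article): scripted equivalents of the Permissions dialog and Owner tab.
$path = 'HKCU:\Software\RegistryDemo'   # demo location; removed again at the end
New-Item -Path $path -Force | Out-Null

function Grant-RegistryRead {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Account)   # e.g. 'BUILTIN\Users'
    $acl  = Get-Acl -LiteralPath $Path
    # ReadKey = Query Value + Enumerate Subkeys + Notify + Read Control; no Set Value or Create Subkey.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # applies to subkeys too
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Revoke-RegistryAccess {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Account)
    $acl = Get-Acl -LiteralPath $Path
    # Removes only the explicit entries for this account. Inherited (shaded) entries have to be
    # changed on the parent key, or inheritance disabled first (see below).
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Account)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Disable-RegistryInheritance {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Clearing the "Inherit from parent" box; $true,$true keeps copies of the inherited entries as explicit ones.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Set-RegistryOwner {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Account)
    # The Owner tab: the caller needs Write Owner on the key, or must be an administrator.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetOwner([System.Security.Principal.NTAccount]$Account)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Show-RegistryAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    "Owner: $($acl.Owner)"
    $acl.Access | Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited | Format-Table -AutoSize
}

Grant-RegistryRead -Path $path -Account 'BUILTIN\Users'
Show-RegistryAcl -Path $path
Revoke-RegistryAccess -Path $path -Account 'BUILTIN\Users'
Remove-Item -Path $path -Recurse
```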

To remove a user or group from the audit list
    • Open Registry Editor.
    • Click the key whose Audit list you want to change.
    • On the Edit menu, click Permissions.
    • Click Advanced, and then click the Auditing tab.
    • Click the user or group that you want to remove, and then click Remove.

To add users or groups to the Audit list
    • Open Registry Editor.
    • Click the key you want to audit.
    • On the Edit menu, click Permissions.
    • Click Advanced, click the Auditing tab, and then click Add.
    • Click Object Types, select the type or types of users or groups you want to find, and then click OK.
    • Click Locations, select the computer or domain of the users or groups you want to view, and then click OK.
    • Type the name of the user or group you want to add and then click OK to open the Auditing Entry dialog box, or click Advanced to search for a user, computer, or group based on parameters you set.
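The auditing procedures above (the Auditing tab, adding and removing audit entries) write to the key's system access control list, and the text's advice to audit failures only is easy to follow from a script. The PowerShell below is an added example written for this page, not code from the original article; it must run elevated because reading and writing a SACL requires the Manage auditing privilege, and the key path and account are assumptions for the demo. Two facts not stated on the page but needed to make the entries useful: an audit entry produces nothing until the Object Access > Registry audit subcategory is enabled (auditpol shows its state), and matching events then appear in the Security log as event 4663 (object access) and 4657 (value modified).

```powershell
# Added example (not from the original article): scripted equivalents of the Auditing tab.
$path = 'HKCU:\Software\RegistryDemo'   # demo location; removed again at the end
New-Item -Path $path -Force | Out-Null

function Add-RegistryFailureAudit {
    param([Parameter(Mandatory)][string]$Path, [string]$Account = 'Everyone')
    $acl = Get-Acl -LiteralPath $Path -Audit       # -Audit is required to read and write the SACL
    # The write-type activities from the list above (Set Value, Create Subkey, Delete,
    # Write DAC, Write Owner); failures only, as the text recommends, to limit the overhead.
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $Account,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # subkeys too
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Failure)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Remove-RegistryAudit {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Account)
    # The "Remove" button on the Auditing tab: drops every explicit audit entry for the account.
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.PurgeAuditRules([System.Security.Principal.NTAccount]$Account)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Show-RegistryAudit {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path -Audit).Audit |
        Select-Object IdentityReference, RegistryRights, AuditFlags, IsInherited | Format-Table -AutoSize
}

Add-RegistryFailureAudit -Path $path -Account 'Everyone'
Show-RegistryAudit -Path $path

# The SACL is inert unless the Registry subcategory of Object Access auditing is enabled.
auditpol /get /subcategory:"Registry"

Remove-RegistryAudit -Path $path -Account 'Everyone'
Remove-Item -Path $path -Recurse
```

Keep the audited set small: a failure-only entry on a handful of keys that matter (service definitions, run keys, the winreg key) gives a clear signal, whereas auditing successes on a busy key floods the Security log, which is the slowdown the text warns about.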