The Windows XP Registry
I have written this article more as a reference for myself than anything else. I always seem to be delving into the registry to find something such as a key to remove because I have uninstalled the software and it has not tidied up after itself. Or because my PC has been infected with a virus and I need to make sure that it can not run. So here are my notes. I hope that they are as useful to you as they are to me.
The data that is stored in the registry these days used to be stored in flat files called win.ini and system.ini. Although still around these files are mainly used by legacy software.
The Registry is a tree-based hierarchical flexible database that can store many different forms of data.
The Registry is organised into 5 major hives (sections) with its own storage area and log file. Each hive has 'keys' (directories) and 'subkeys' (subdirectories). Each key has an associated 'value' (file) which can not exceed 1MB in size.
- A key can have zero, one or many values.
- A key can have a default value.
- Each value has a name, type and value.
The 5 hives (or 'hive keys' aka HKEY) are:
- HKEY_CLASSES_ROOT - stores info about OLE and file associations
- HKEY_CURRENT_USER - a link to the data in HKEY_USERS for the current user
- HKEY_LOCAL_MACHINE - info on the machine that XP is running on
- HKEY_USERS - info on each user on this system with an active profile
- HKEY_CURRENT_CONFIG - info about the systems current configuration
The Windows XP system and any software installed on the system can use the registry to store shared data.
The Registry is located in %SystemRoot%\system32\config as the following files:
- autoexec.nt - MS_DOS environment initialisation
- config.nt - MS_DOS environment initialisation
- Default - default registry file
- SAM - Security Accounts Manager registry file
- Security - security registry file
- setup.log - list of every file that was installed at the time of your XP installation
- Software - application software registry file
- System - system registry file
Registry Key data types are:
- REG_BINARY - binary/hex values
- REG_SZ - case sensitive strings
- REG_EXPAND_SZ - as above but allows interpreted values for variables
- REG_DWORD - 32-bit dec/hex value
- REG_DWORD_BIG_ENDIAN - as above but supports Apple Mac formats
- REG_DWORD_LITTLE_ENDIAN - Supports Intel processors
- REG_MULTI_SZ - multiple strings
- REG_FULL_RESOURCE_DESCRIPTOR - hardware information
- REG_NONE - null data
- REG_UNKNOWN - unsupported data types
- REG_LINK - symbolic link with application data
- REG_QWORD - 64-bit integer
- REG_RESOURCE_LIST - device driver entries
- REG_RESOURCE_REQUIREMENTS_LIST - driver resource list
Backing up the Registry
When you backup the registry using the XP backup program it is stored in %SystemRoot%:\Repair. It is generally advisable to store a copy elsewhere such as on removable media.
Use XP backup, NTBackup.exe or the Registry Editor, regedit.exe
Using Regedit to perform a registry backup:
- Go to Start, Run and type regedit
- Ensure that 'My Computer' is highlighted so that everything below this is backed up
- Select Export Registry File from the menu
- Select a location and filename for your backup and click Save
- Exit regedit
To load a backup, import it using regedit (or double-click the backup file) then restart your PC.
Run at Startup
A list of executables that will run at startup are located in the registry under:
You can search the registry. It is not a case sensitive search.
Don't leave your registry backups lying around. They can be used to hack your system.
If you restore your system using your installation CD all that happens is the original system files are copied onto your system over the old ones. If you installed any service packs or Microsoft updates since your original installation you will have to re-install them.
If you have any feedback regarding this article, or you have a suggestion for a new article, or just want to say thanks for the info then feel free to drop me an email at email@example.com.
Article date: 07-Oct-2003