The Windows Registry is a database in which Windows and application programs store configuration settings, startup information, hardware settings, user preferences, file locations, license and registration information, last-viewed file lists, and so on. The Registry holds a huge amount of information about installed program components and subcomponents (DLLs, COM objects, and so on). In addition, the Registry stores the associations between file types and the applications that create and use them. For example, the Registry holds the information that tells Windows to use Media Player when you click an MPG movie file. In the early days of DOS and Windows, this kind of information was stored in a random collection of hundreds of files scattered all over your hard disk. Now, almost all configuration information for Windows itself is stored in the Registry. While many Modern apps store setup information and preferences online through cloud services, and some desktop applications store information in your user profile folder, under the subfolder AppData, the Registry is still a sort of Grand Central Station for Windows.
Most of the time the Registry does its job behind the scenes. Most Registry information is set and read by Control Panel applets, applications, Windows services, device drivers, and so on. You’ll rarely if ever need to touch it directly. However, some settings can be made only by manually changing Registry values, and knowing how the Registry works can help you track down viruses and annoying auto-starting programs. Therefore, it’s worth knowing how the Registry is organized and how to make changes when necessary.
Tip
If you’re already familiar with the Registry, you might want to skip ahead to the section “New Registry Features,” where you learn how User Account Control and 64-bit Windows impact the Registry.
The Registry is organized a lot like the files and folders on a hard disk. Just as a hard disk can contain partitions, the Registry contains separate sections called top-level keys. In each section is a list of named entries, called keys, which correspond to the folders on a hard disk. And just as a folder can contain files and more nested folders, a Registry key can contain values, which hold information such as numbers or text strings, and more nested keys. Even the way that file folders and Registry keys are described is similar: A folder might be named \Users\brian\chapter29, and a Registry key might be named HKEY_CURRENT_USER\Control Panel\Desktop. You can see this structure in Figure 29.1. Control Panel and Desktop are the names of keys, and the Desktop key contains values, which have names like ActiveWndTrackTimeout and AutoColorization.
The two main top-level keys are as follows:
HKEY_LOCAL_MACHINE contains all the hardware and machine-specific setup information for your computer. Most values and keys under HKEY_LOCAL_MACHINE can be changed only by Computer Administrator users running with elevated privileges. This helps protect this Registry section from malware.
Some of the primary keys in HKEY_LOCAL_MACHINE are as follows:
BCD00000000 contains system boot information. (The data in this key is actually stored in a separate partition on the boot hard drive.)
HARDWARE contains information gathered by the Plug and Play system during Windows startup.
SOFTWARE contains Windows and application information that applies to all users of the computer. Most software vendors create a subkey under SOFTWARE with their company name, with subkeys below that for each of their applications. On 64-bit systems, a subkey named Wow6432Node holds information for 32-bit applications and software components. We address this later in the chapter under “Registry Redirection and Reflection.”
SYSTEM contains information about installed services and device drivers.
HKEY_USERS contains a key for each user account created on the computer, including the accounts used only internally by Windows services.
The keys under HKEY_USERS are mostly named using long numeric strings that are the user account’s security identifier (SID) number. Usually, not all accounts’ keys are visible at the same time. Each account’s key is loaded into the Registry when the user logs on and is unloaded a short time after the user logs out. Each user’s key contains his or her personal Windows and application settings and preferences. Most entries are secured so that only the owning user can modify them.
The Registry Editor displays three other sections that look as if they are separate top-level keys but are actually views of information inside HKEY_LOCAL_MACHINE or HKEY_USERS:
HKEY_CURRENT_USER is a shortcut to the subsection of HKEY_USERS that corresponds to the currently logged-on user. That is, when you run the Registry Editor, HKEY_CURRENT_USER shows your Windows and application preferences and settings.
Some of the primary keys in HKEY_CURRENT_USER are as follows:
Control Panel holds per-user preferences set by—you guessed it—Control Panel applets.
Environment contains per-user environment variables set in the Advanced Computer Properties dialog box (sysdm.cpl).
Network contains information about mapped network drives.
Software, the largest section, contains per-user application preferences and configuration.
HKEY_CURRENT_CONFIG is a shortcut to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current and contains hardware and device settings specific to the hardware profile used when Windows was started.
HKEY_CLASSES_ROOT stores file associations, the information that Windows uses to link file types to applications, and a huge amount of setup information for Windows software components. It is actually a combined view of the contents of two other Registry sections: HKEY_LOCAL_MACHINE\Software\Classes, which holds settings that are made for all users on this computer, and HKEY_CURRENT_USER\Software\Classes, which holds personal settings made just by the current user. If the same value is defined in both HKEY_CURRENT_USER\... and HKEY_LOCAL_MACHINE\..., the HKEY_CURRENT_USER value is used.
Note
HKEY_LOCAL_MACHINE is often abbreviated as HKLM, and HKEY_CURRENT_USER is often abbreviated as HKCU. We’ll use those abbreviations in this chapter.
Registry keys have the exact same types of security settings as files and folders. In most cases, you have full control over the keys under your own account’s HKCU section, unless an application explicitly removes the Modify or Delete permissions from its keys. And in general, only Computer Administrator users with elevated privileges can edit the contents of HKLM, except keys that were explicitly set to allow other users to edit them. (Some application installers do this.) We talk more about Registry security later in this chapter.
When User Account Control is active, and you are logged on as a Computer Administrator, the Registry Editor requests elevated permissions so that you can edit HKLM keys. This is why you get a User Account Control prompt when you run it. If you are not logged on as a Computer Administrator, the Registry Editor will run with reduced privileges unless you use the Run As Administrator option to start it. We discuss this later in the chapter, too.
Windows Vista introduced some new features to the Registry: virtualization and 64/32–bit reflection. These features are also present, although somewhat changed, in Windows 7 through 10. The following sections give you a brief tour. The features are called Registry virtualization, redirection, and reflection. This topic is somewhat gnarly and obscure, so on your first read, you might want to skip ahead to the section titled “Backing Up and Restoring the Registry.”
In the days before Windows security became a serious concern, many applications stored information in keys under HKLM, typically in a key named along the lines of HKLM\Software\ManufacturerName\ApplicationName, so that the information could be made available to all users on the computer. Imagine a game that keeps track of the highest score achieved by any user. It has to store that high score somewhere accessible to all users, and HKLM is exactly such a place. So, versions of Windows up to XP let any application write to this key or its subkeys. But this became an enormous security problem, because this also made it very easy for malware to make changes to global Windows settings affecting all users.
User Account Control, first introduced in Windows Vista, brought an end to this. Now, by default, only trusted setup programs or programs running with elevated permissions may make changes to keys and values under HKLM\Software. Application developers today are supposed to know this, and if an application really needs to store updatable information under HKLM, its developer needs to create these keys during installation and change their permission settings so that “normal” users can modify them later.
However, tens of thousands of older Windows applications were designed before this change in the rules, and they would stop working if they couldn’t make the Registry changes they expect to make. To get around this issue, Microsoft added Registry virtualization. Here’s how it works: When User Account Control is enabled, if an application attempts to store information in HKEY_LOCAL_MACHINE\Software but doesn’t have permission to change information there, the information will actually get stored in HKEY_CURRENT_USER\Software\CLASSES\VirtualStore\MACHINE\Software.
Applications still “see” the information as if it were in the intended location; this alternative key location “overlays” the original location. As a result, applications that aren’t aware of the new, tighter restrictions on HKEY_LOCAL_MACHINE will run without a hitch, although their settings and data will be per-user instead of machinewide.
You must know this so you can check the alternative locations when you’re investigating problems with Registry settings in your system.
If you change an application program’s preference setting that should apply to all users of the program, but it affects only you, and the setting isn’t changed when other users run the application, most likely the configuration setting is stored in a Registry key under HKEY_LOCAL_MACHINE to which you cannot write. When you make the change, Windows virtualizes the Registry value, and only your account sees the change.
To fix this issue, first try to contact the software manufacturer for a workaround. If none exists, try this:
1. Locate the Registry key in which the setting is being saved. Either search the Registry for the setting value or use a Registry change-monitoring tool such as Registrar Registry Manager (or procmon from sysinternals.com) to see where the application saves your setting.
2. As an Administrator, locate the key in the left pane of the Registry Editor, right-click it, and select Permissions. Select an entry under Group or Users names and check Full Control.
3. Using your account, locate the virtualized copy of the key under HKEY_CLASSES_ROOT\VirtualStore and delete it.
4. Run the application and change the setting again.
After this, everyone should share the same copy of the setting.
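To see which settings have been virtualized for your account before you follow the steps above, the following PowerShell function (an added example, not part of the original chapter) lists every value in your VirtualStore beside the machine-wide value it overlays. The function name Get-VirtualizedRegistryValue is made up for this illustration; the code only reads the Registry.

```powershell
# Added example. Read-only: lists values that Registry virtualization has
# stored for the current user, next to the HKLM value each one overlays.
function Get-VirtualizedRegistryValue {
    [CmdletBinding()]
    param(
        # Per-user overlay location described in the text.
        [string]$VirtualRoot = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE',
        # Location the application believes it is writing to.
        [string]$MachineRoot = 'HKLM:\SOFTWARE'
    )

    if (-not (Test-Path -LiteralPath $VirtualRoot)) {
        Write-Verbose 'No virtualized keys exist for this account.'
        return
    }

    $root = Get-Item -LiteralPath $VirtualRoot
    $keys = @($root) + @(Get-ChildItem -LiteralPath $VirtualRoot -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        # Path of this key relative to the VirtualStore root; the same
        # relative path under HKLM\SOFTWARE is the key being overlaid.
        $relative = $key.Name.Substring($root.Name.Length).TrimStart('\')
        $machinePath = if ($relative) {
            Join-Path -Path $MachineRoot -ChildPath $relative
        } else {
            $MachineRoot
        }
        $machineKey = Get-Item -LiteralPath $machinePath -ErrorAction SilentlyContinue

        foreach ($name in $key.GetValueNames()) {
            $virtualData = $key.GetValue($name)
            $machineData = if ($machineKey) { $machineKey.GetValue($name) } else { $null }
            [pscustomobject]@{
                Key         = $relative
                ValueName   = if ($name -eq '') { '(Default)' } else { $name }
                VirtualData = $virtualData      # what this account's legacy apps see
                MachineData = $machineData      # what every other account sees
                Differs     = ("$virtualData" -ne "$machineData")
            }
        }
    }
}

Get-VirtualizedRegistryValue |
    Sort-Object Key, ValueName |
    Format-Table -AutoSize -Wrap
```

Rows with Differs set to True are settings that only your account sees. Run it from the affected user's own session, because each account has its own VirtualStore.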
Virtualization doesn’t occur under some circumstances. In those cases, the application simply is allowed to fail in its attempt to make changes to HKEY_LOCAL_MACHINE. These circumstances are as follows:
If User Account Control is disabled.
If virtualization is disabled by your network administrator, using Group Policy on a Windows domain network.
If the application is a 64-bit or WinRT application.
If the application program has a manifest, a block of data that the developer included inside the application or in a separate file to describe advanced security settings. The logic is that manifests are a relatively new construct. If an application is new enough to have a manifest, its developer should know how to cooperate with User Account Control. Almost all the applications that come with Windows—including Notepad, the Command Prompt interpreter (cmd.exe), and the Registry Editor—have manifests, so almost all Windows utilities do not see virtualized Registry settings.
If a key is marked with a special flag that indicates that it is not to be redirected. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run is marked this way so that a virus that attempts to set itself up to run at logon via this key won’t be capable of doing so. The command-line utility REG can modify the virtualization flag. Type REG FLAGS /? at the command-line prompt for more information.
Virtualization is seen as a stopgap measure and may be removed from some future version of Windows, after most applications either store information in HKEY_CURRENT_USER or explicitly set less restrictive permissions on their keys in HKEY_LOCAL_MACHINE when they’re installed.
The 64-bit versions of Windows support running 32-bit Windows applications (and, in fact, most software is still 32-bit, including the majority of Microsoft Office installations). This presents a problem because many Windows subcomponents (objects and dynamic link libraries) can be present in both 32- and 64-bit versions on the same computer, and information about their file locations and configuration is stored in the Registry under keys whose names were set in stone before Microsoft considered the need to distinguish between the two flavors. To work around this issue, when a 32-bit application attempts to read or write information to a few specific Registry keys, Windows silently uses an alternative location. The application is none the wiser. This is called Registry redirection. The result is that 32-bit and 64-bit applications can both use these same, fixed key names but their information doesn’t get intermingled.
Most but not all of the subkeys under HKEY_LOCAL_MACHINE\Software and HKEY_CURRENT_USER\Software are subject to redirection. Those that are not redirected are considered “shared”; 32-bit and 64-bit applications see the same value. For information about which specific subkeys are redirected and which are shared, go to msdn.microsoft.com and search for the article “Registry Keys Affected By Wow64.” (Because the information shown under HKEY_CLASSES_ROOT is actually stored under those two Software keys, many of its keys are redirected too.)
Redirected information for 32-bit applications is actually stored under HKEY_LOCAL_MACHINE\Software\WOW6432Node (for systemwide settings) and HKEY_CURRENT_USER\Software\WOW6432Node (for per-user settings). When a 32-bit application requests information from a redirected key using the original location, it is fed information from below WOW6432Node.
Tip
This point is really important: Most of us use 64-bit versions of Windows now, but if you do end up fiddling with the Registry, most of the time the instructions you’ll read online will not take this into account. So if, for example, you’re following a suggestion to look for something in HKEY_CURRENT_USER\Software\SomeSubKey, it’s very likely that you’ll actually have to look in HKEY_CURRENT_USER\Software\WOW6432Node\SomeSubKey. Read on for some more detailed examples.
Here’s an example: a software manufacturer might decide to store the locations of its program files under the key HKEY_LOCAL_MACHINE\Software\PrettyGoodPrograms\MyFiles. A 64-bit application from this vendor will store its information in that actual location. A 32-bit application from this vendor will think it’s storing and reading information there, but it will actually be fed the information from HKEY_LOCAL_MACHINE\Software\WOW6432Node\PrettyGoodPrograms\MyFiles. The 32- and 64-bit programs can thus see entirely different values from the same Registry key.
This impacts you too: when working with the Registry on a 64-bit system, you need to know to look under these two WOW6432Node entries when looking for setup information for 32-bit components. When you’re tracking down configuration problems, you should usually check both locations.
Note
You must close the 64-bit version of the Registry Editor before you can open the 32-bit version, and vice versa, unless you start the second instance of the Registry Editor with the -m command-line argument. (That is, you would have to start regedit using the command line regedit -m.)
Alternatively, you can use the 32-bit version of regedit; this presents all information in the standard locations seen by 32-bit applications. When you run regedit from the command line, you get the 64-bit version. However, if you run %systemroot%\syswow64\regedit.exe, you get the 32-bit version and can edit the values seen by 32-bit applications.
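Checking both locations can also be done without opening two copies of the Registry Editor. The following PowerShell function (an added example, not part of the original chapter) reads one value through both the 64-bit and the 32-bit Registry views by using the .NET RegistryKey.OpenBaseKey method. The function name and the value name InstallDir are made up for this illustration; the key is the chapter's hypothetical PrettyGoodPrograms key.

```powershell
# Added example. Read-only: read one value through both Registry views to see
# whether 32-bit and 64-bit applications are being given different data.
function Get-RegistryValueInBothViews {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][Microsoft.Win32.RegistryHive]$Hive,
        [Parameter(Mandatory)][string]$SubKey,
        [string]$ValueName = ''      # empty string means the key's (Default) value
    )

    $views = @(
        [Microsoft.Win32.RegistryView]::Registry64,   # what 64-bit applications see
        [Microsoft.Win32.RegistryView]::Registry32    # what 32-bit applications see
    )

    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $view)
        $key = $null
        try {
            $key = $base.OpenSubKey($SubKey)          # read-only; $null if the key is absent
            $keyExists = $null -ne $key
            $valueExists = $keyExists -and ($key.GetValueNames() -contains $ValueName)

            [pscustomobject]@{
                View        = $view
                KeyExists   = $keyExists
                ValueExists = $valueExists
                Kind        = if ($valueExists) { $key.GetValueKind($ValueName) } else { $null }
                Data        = if ($valueExists) {
                    # Return REG_EXPAND_SZ data as stored, without expanding %VARIABLES%.
                    $key.GetValue($ValueName, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                } else { $null }
            }
        }
        finally {
            if ($key) { $key.Dispose() }
            $base.Dispose()
        }
    }
}

# Hypothetical key from the example above; InstallDir is an assumed value name.
$result = @(Get-RegistryValueInBothViews -Hive LocalMachine `
    -SubKey 'Software\PrettyGoodPrograms\MyFiles' -ValueName 'InstallDir')
$result | Format-Table -AutoSize

if ("$($result[0].Data)" -ne "$($result[1].Data)") {
    Write-Warning '32-bit and 64-bit applications see different data for this value.'
}
```

For a shared (non-redirected) key, both rows show the same data. For a redirected key, the Registry32 row shows what is stored under WOW6432Node.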
Windows Vista had a feature that automatically copied some information set by 32-bit and 64-bit components and applications to both the 32- and 64-bit locations. This was called Registry reflection. Reflection does not occur in Windows 7 through 10. For more information, visit msdn.microsoft.com and search for the topics “Removal of Windows Registry Reflection.” Also, see the Microsoft Knowledge Base article http://support.microsoft.com/kb/305097.
Because the Registry is the one place where all the Windows hardware and software settings are stored, it’s also the one thing that Windows absolutely needs to run. If you have to use the Registry Editor to manually change Registry settings, we strongly suggest that you back up your Registry before you make any changes.
You can back up the Registry in several ways, including (in order of preference) using a third-party Registry-backup program, backing up the entire hard disk using a third-party program or File Recovery, using System Restore, and using the Registry Editor to save a key to a text file. In general, backups that include the entire hard disk should include the Registry, because the Registry’s data is stored in ordinary files. Some backup applications have a Registry backup as an explicit option. The Windows built-in System Restore feature backs up the HKLM Registry section automatically.
We suggest that before you install a piece of new hardware or a significant software application or update, do a full disk backup, including the Registry. Alternatively, use System Restore to manually create a restore point, in case the application installer does not do this itself. These methods are discussed later.
Before you manually edit the Registry for other purposes, back up the Registry by any of the means discussed in the next few sections.
Third-party programs are available for you to back up and restore the Registry. See the section “Other Registry Tools,” later in this chapter.
If you’re adventurous, you can download a free tool called ERUNT from www.larshederer.homepage.t-online.de/erunt. At the time this was written it was described as supporting Windows 7, but it should work on Windows 10 as well.
These programs come with instructions on backing up, restoring, repairing, and maintaining the Registry.
You can save the Registry by performing a complete “image” backup of the entire contents of the hard disk on which Windows resides. To start a backup, right-click or touch and hold the Start button, then select Control Panel. Search for File History, select File History in the results list, and then, at the lower left, select System Image Backup.
For more information, see “Creating a System Image Backup,” p. 750.
Alternatively, use a third-party disk backup program and ensure that it’s backing up the Registry. Check your backup software’s manual for instructions on saving Registry and system information when you back up. We suggest that you always include the Registry in your backups.
Caution
Be aware that the backup programs provided with Windows 10 do not provide a simple means of backing up the Registry as insurance against accidents. File Recovery is useful for Registry backups only if you create a complete system image backup, which can take a long time. Restoring from such a backup would take a long time, too. System Restore backs up only HKEY_LOCAL_MACHINE, not your own HKEY_CURRENT_USER data. System Restore is an effective backup only if you’re modifying just HKEY_LOCAL_MACHINE settings.
If you will be changing only entries under HKEY_LOCAL_MACHINE, you can create a restore point to back up a copy of this part of the Registry. To create a restore point, follow these steps:
1. Right-click or touch and hold the Start button, then select Control Panel. Search the Control Panel for the word point, and select Create a Restore Point.
2. Be sure that drive C:, the disk volume that contains Windows, is listed in the Protection Settings box with protection On. If it’s not on, select Configure, turn on system protection, and then click OK.
3. Click Create, enter a description for the restore point, such as Before changing Registry, and then click Create.
Now you can edit the Registry as described later in this chapter.
The Registry Editor has a mechanism to export a set of Registry keys and values to a text file. If you can’t or won’t use a more comprehensive backup system before you manually edit the Registry, at least use this editor to select and back up the key that contains all the subkeys and values you plan to modify. Remember, though, that this method cannot remove entries you add after creating the backup; it can only restore settings you change or delete.
To back up a key and its subkeys and values, follow these steps:
1. Press the Windows Logo key to display the Start menu and type regedit. Then take one of the following actions:
If you are logged on as a Computer Administrator, click the regedit Windows application icon in the results list and confirm the User Account Control (UAC) prompt.
If you are not a Computer Administrator and want to back up your own keys in HKCU, follow the same procedure. There will be no UAC prompt.
If you are not a Computer Administrator and need to back up HKLM keys, right-click the regedit Windows application icon in the search results and select Run As Administrator. Then enter credentials for a Computer Administrator account.
Note
The reason for these complicated variations is that malicious programs and email attachments can easily abuse the Registry Editor, so it’s subject to UAC restrictions. The Registry Editor must be running in elevated mode to edit, restore, or modify Registry keys that only a Computer Administrator account can change. By the way, the Registry Editor’s title bar provides no indication to tell you whether it’s running with elevated privileges; you just have to remember.
2. Locate and select the key you plan to modify, or a key containing all the keys you plan to modify, in the left pane.
3. Select File, Export.
4. Choose a location and filename to use to store the Registry keys. (I usually use the desktop for temporary files like this, so that I can see them and delete them later.)
5. Select All Files from the Save As Type list and enter a name (possibly with an extension other than .reg—for example, before.sav).
6. Click Save. The chosen key or keys are then saved as a text file.
If you’ve made Registry changes that cause problems, you can try to remember each and every change you made, reenter the original information, delete any keys you added, and thus undo the changes manually. Good luck! If you were diligent and made a backup before you started, however, you can simply restore the backup and have confidence that the recovery is complete and accurate.
If you made a Registry backup using a disk or Registry backup tool, use the instructions that came with your product to restore the Registry. If you created a restore point or used Regedit, follow the steps described in the following sections.
If you created a restore point before modifying the Registry, you can back out of the change by following these steps:
1. Right-click or touch and hold the Start button, then select Control Panel. Type point in its Search box and select Create a Restore Point. (Alternatively, right-click or touch and hold the Start button, select System, and then at the left, select System Protection.)
2. Click System Restore and locate the restore point you created. Select it and click Next; then click Finish. Windows restarts.
If the Registry problem is severe enough that Windows can’t boot or get to the System Restore function, you can perform a system restore from the system recovery tools on your Windows setup DVD.
For instructions on performing a system restore this way, see “Recovering Using System Restore,” p. 624.
If a Registry-editing session has gone awry and you need to restore the Registry from a key you saved from within Regedit, follow these steps:
1. Press Windows Logo to display the Start menu and type regedit. Then take one of the following actions:
If you are logged on as a Computer Administrator, click the regedit Windows application icon in the results list and confirm the User Account Control (UAC) prompt.
If you are not a Computer Administrator and want to restore your own keys in HKCU, follow the same procedure. There will be no UAC prompt.
If you are not an Administrator and need to restore HKLM keys, right-click the regedit Windows application icon in the search results and select Run As Administrator. Then enter credentials for a Computer Administrator account.
Tip
If you encounter what you think are Registry problems with add-on software, your best bet is to uninstall the software, if possible, and reinstall it before attempting any Registry restores or repairs.
2. In the Registry Editor, select File, Import.
3. Select All Files from the Files of Type list.
4. Locate the file you used to back up the Registry key or keys—for example, before.sav.
5. Select Open.
The saved Registry keys are then imported, replacing any changes or deletions. However, any keys or values you’ve added to the Registry are not removed. If they are the cause of the problem, this restore will not help.
If the Registry problems persist, you can try a rather drastic measure: You can use Regedit to delete the key or keys that were changed and then import the backup file again. This time, any added keys or values are removed. We suggest that you try this approach only with keys related to add-on software, not for any of the Microsoft software or hardware keys.
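Before deleting anything, it helps to know exactly which keys the import left behind. The following PowerShell function (an added example, not part of the original chapter) compares the key headers in a Registry Editor export file with the keys that exist now and lists the ones that were added after the backup. The function name and the ExampleVendor key are made up for this illustration, and the comparison covers key names only, not individual values.

```powershell
# Added example. Read-only: list keys that exist now but are absent from a
# Registry Editor export, that is, keys that importing the backup will not remove.
function Get-KeysAddedSinceExport {
    [CmdletBinding()]
    param(
        # File saved with File, Export (for example, before.sav).
        [Parameter(Mandatory)][string]$ExportFile,
        # The same key as a PowerShell path, for example 'HKCU:\Software\ExampleVendor'.
        [Parameter(Mandatory)][string]$LiveKey
    )

    # The export contains one "[HKEY_...\Key\Path]" header line per saved key.
    # Key names are not case sensitive, so compare them that way.
    $saved = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($line in Get-Content -LiteralPath $ExportFile) {
        if ($line -match '^\[(HKEY_.+)\]\s*$') {
            [void]$saved.Add($Matches[1])
        }
    }
    if ($saved.Count -eq 0) {
        throw "No key headers found in '$ExportFile'. Is it a Registry Editor export?"
    }

    # Enumerate the key as it is now, including all of its subkeys.
    $root = Get-Item -LiteralPath $LiveKey -ErrorAction Stop
    $live = @($root) + @(Get-ChildItem -LiteralPath $LiveKey -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $live) {
        # $key.Name has the same HKEY_...\path form that the export file uses.
        if (-not $saved.Contains($key.Name)) {
            $key.Name
        }
    }
}

# Usage (hypothetical file location and key):
# Get-KeysAddedSinceExport -ExportFile "$env:USERPROFILE\Desktop\before.sav" `
#     -LiveKey 'HKCU:\Software\ExampleVendor'
```

Each path it prints is a key that was created after the backup was made and that a plain import leaves in place.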
Most people never need to edit the Registry by hand because most Registry keys are set by the software that uses them. However, you might need to edit the Registry by hand if you’re directed by a technical support person who’s helping you fix a problem, or when you’re following a published procedure to make an adjustment for which there is no Control Panel setting.
In the latter case, before going any further, we need to say this one last time, to make it absolutely clear: Unless you’re quite certain that you can’t make a mistake, back up the Registry (or at least the section you want to change) before making any changes.
The next few sections cover the basics of the Registry Editor.
The easiest way to run the Registry Editor is to press the Windows Logo key to display the Start menu and type regedit. Then take one of the following actions:
If you are logged on as a Computer Administrator, click the regedit Windows application icon in the results list and confirm the User Account Control (UAC) prompt. The Registry Editor will run with full elevated privileges.
If you are not a Computer Administrator and want to edit just your own keys in HKEY_CURRENT_USER, follow the same procedure. There will be no UAC prompt. The Registry Editor will run with reduced privileges, and you will not be able to change systemwide settings.
If you are not a Computer Administrator and need to edit keys in HKEY_LOCAL_MACHINE, right-click the regedit Windows application icon in the search results and select Run As Administrator. Then enter credentials for a Computer Administrator account.
Regedit offers a two-pane display, as shown earlier in Figure 29.1. The top-level keys, which are listed below Computer, can be expanded just like drives and folders in File Explorer. In the pane on the right are the values for each key. The name of the currently selected key appears in the status bar.
Values have names, just as the files in a folder do, and it’s in the values that configuration information is finally stored. Each key has a (Default) value, which is the value of the key itself, and any number of named values. For example, Figure 29.1 shows the key HKEY_CURRENT_USER\Control Panel\Desktop. The value of HKEY_CURRENT_USER\Control Panel\Desktop itself is undefined (blank), and the value HKEY_CURRENT_USER\Control Panel\Desktop\DragFullWindows is 1.
Registry values have a data type, which is usually one of the types shown in Table 29.1. The Registry Editor display lists values by their technical names.
Other data types, such as REG_DWORD_BIG_ENDIAN and REG_RESOURCE_LIST, exist, but they are obscure and rare and can’t be edited with Regedit.
You can search for a Registry entry by key name, value name, or the contents of a value string. First, select a starting point for the search in the left pane. You can select Computer to select the entire Registry, or you can limit your search to one of the top-level keys or any subordinate key. Next, select Edit, Find from the menu and enter a search string in the Find dialog box. The Find feature is not case sensitive, so it doesn’t matter whether you use upper- or lowercase letters. You can check any of the Look At boxes to designate where in the Registry you expect to find the desired text: in the name of a key, in the name of a value, or in the data, the value itself. You can also check Match Whole String Only.
Note
When I search the Registry, most of the time, I check all the Look At boxes but not Match Whole String Only.
Check Match Whole String Only to search only for items whose whole name or value is the desired string.
Click Find Next to start the search. The Regedit display indicates the first match to your string; by pressing F3, you can repeat the search to look for other instances.
Also remember that Windows might store information in some places you are not familiar with, as discussed previously under “New Registry Features.”
Tip
The search function has two limitations:
You can’t enter a backslash (\) in the search string when looking for a key or value name; Regedit won’t complain, but it won’t find anything, either.
You can’t search for the initial HKEY_xxx part of a key name. That’s not actually part of the name; it’s just the section of the Registry in which the key resides.
For example, to find a key named HKEY_CLASSES_ROOT\MIDFile\shell\Play\Command, you can’t type all that in and have Find jump right to the key. If you already know the full pathname of a key, use the left pane of Regedit to browse for the key directly.
Regedit has no Save and Undo menu items and no Recycle Bin. Changes to the Registry happen immediately and permanently. Additions, deletions, and changes are for real. This is the reason for all the warnings to back up before you poke into the Registry.
To add a value to a key, select the key in the left pane and choose Edit, New. Select the type of value to add; you can select any of the supported Registry data types, which are listed by the “friendly” names shown previously in Table 29.1. The instructions you’re following indicate which type of value to add. A new value entry then appears in the right pane.
Type the new value’s name and press Enter to edit the value:
For string values, enter the text of the desired string.
For DWORD values, choose Decimal or Hexadecimal, and enter the desired value in the chosen format.
For binary values, enter pairs of hexadecimal characters as instructed. (You’ll never be asked to do this, we promise.)
If you want to change a value, double-click it in the right pane to bring up the Edit Value dialog box. Alternatively, right-click it and select Modify. Then make the desired change and click OK.
Note
Many of the keys that control Windows itself have access restrictions and can be modified only by a Computer Administrator, and only when the Registry Editor is running with elevated permissions. For instructions on running with elevated permissions, see “Viewing the Registry,” earlier in this chapter.
That is all you will likely ever need to do with Regedit. However, in the extremely unlikely case that you want to delete a value or add or remove a key, the following sections can help see you through these processes.
If you’ve added a Registry value in the hope of fixing some problem and found that the change wasn’t needed, or if you’re instructed to delete a value by a Microsoft Knowledge Base article or other special procedure, you can delete the entry by viewing its key and locating the value on the right pane.
Caution
There is no Undo command in the Registry Editor. When you delete a value, it’s gone for good. Be sure you’ve made a Registry backup before editing or deleting Registry keys and values.
Select the value and choose Edit, Delete from the menu, or right-click and select Delete from the context menu. Confirm by clicking Yes.
Keys must be added as subkeys of existing keys; you can’t create a new top-level key. To add a key, select an existing key in the left pane and select Edit, New, Key from the menu. Alternatively, right-click the existing key and select New, Key from the context menu. A new key appears in the left pane, where you can edit its name. Press Enter after you enter the name.
Caution
Don’t attempt to rename keys without a very good reason—for example, because you mistyped the name of the key you were adding. If Windows can’t find specific Registry keys it needs, Windows might not boot or operate correctly.
You can delete a key by selecting it in the left pane and choosing Edit, Delete from the menu, or by right-clicking it and selecting Delete from the context menu. Click Yes to confirm that you intend to delete the key. Deleting a key deletes its values and all its subkeys as well, so without the protection of Undo (or a Registry Recycling Bin), this action is serious.
As you have probably guessed, the pattern for renaming a key follows the File Explorer model exactly: Choose the key in the left pane and select Edit, Rename, or right-click the key and select Rename. Finally, enter a new name and press Enter.
As you have probably noticed by now, the names of Registry keys can be quite long, tortuous things. The Registry Editor offers a bit of help to finger-fatigued Registry Editors (and authors): Choosing Edit, Copy Key Name puts the name of the currently selected key into the Clipboard so you can paste it elsewhere if you need to.
As an administrator, you might find it necessary to edit HKEY_USER entries for another user. For example, a startup program in HKEY_CURRENT_USER\Software\Windows\CurrentVersion\Run might be causing such trouble that the user can’t log on. If you can’t log on as that user, you can edit his HKEY_CURRENT_USER Registry keys by loading his Registry data manually. You load the user’s Registry hive and edit it. A hive is a file that contains Registry data. The Registry view that you see in the Registry Editor is the sum total of all loaded hive files. The systemwide Registry sections are loaded when Windows boots. The personal Registry sections are loaded when each user logs on. If a user isn’t logged on, you can manually load and edit his hive file using these steps:
1. Log on as a Computer Administrator and run Regedit with elevated permissions, as discussed in “Viewing the Registry” in this chapter.
2. Select the HKEY_USERS window.
3. Highlight the top-level key HKEY_USERS.
4. Select File, Load Hive.
5. Browse to the profile folder for the desired user. For a local user account, this is in \Users\username. (For a Windows Server domain, look in the folder used for user profiles on the domain controller.) The name of this folder might have the computer name or a domain name attached. For example, on one computer, my profile folder name is bknittel.java.
6. Type the filename NTUSER.DAT. (The file will most likely not appear in the Browse dialog box because it’s super hidden—marked with both the Hidden and System attributes.) Click Open.
7. A dialog box appears, asking you to enter a name for the hive. HKEY_USERS normally loads user hives with a long numeric name, so we suggest that you type the user’s logon name, or something like users_key. Click OK. The user’s Registry data is then loaded and can be edited, as shown in Figure 29.2.
8. When you’re finished editing, unload the hive. Select the key you added under HKEY_USERS (for example, lucys_key in Figure 29.2), and select File, Unload Hive. Confirm by clicking Yes on the warning dialog box.
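The same load, review, and unload sequence can be scripted with reg.exe from an elevated PowerShell prompt. This is an added example, not code from the book: the profile folder and the exported file name are placeholders, and the Run key path used is the standard per-user location, Software\Microsoft\Windows\CurrentVersion\Run.

```powershell
#Requires -RunAsAdministrator
# Added example: load a logged-off user's hive, review its auto-start entries, unload.
# The profile folder and mount name are placeholders; adjust them for the account.

$ProfileDir = 'C:\Users\lucy'        # hypothetical profile folder
$MountName  = 'lucys_key'            # name the hive gets under HKEY_USERS
$HiveFile   = Join-Path $ProfileDir 'NTUSER.DAT'
$RunKey     = "HKU\$MountName\Software\Microsoft\Windows\CurrentVersion\Run"
$Backup     = Join-Path $env:TEMP "$MountName-Run-backup.reg"

# NTUSER.DAT is hidden and marked System, but Test-Path still sees it.
if (-not (Test-Path -LiteralPath $HiveFile -PathType Leaf)) {
    throw "Hive file not found: $HiveFile"
}

# Equivalent of File, Load Hive. Fails if the user is logged on (file in use)
# or if this shell is not elevated.
reg.exe load "HKU\$MountName" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HiveFile" }

try {
    # Does the hive contain a Run key at all?
    reg.exe query $RunKey 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) {
        # There is no Undo, so export the key before changing anything.
        reg.exe export $RunKey $Backup /y | Out-Null
        Write-Host "Backup written to $Backup"

        # List the programs that start when this user logs on.
        reg.exe query $RunKey

        # After review, one entry can be removed (value name is a placeholder):
        # reg.exe delete $RunKey /v 'ExampleValueName' /f
    }
    else {
        Write-Host "No Run key in this hive."
    }
}
finally {
    # Equivalent of File, Unload Hive. Always runs, even if a step above failed.
    reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Hive is still loaded under HKU\$MountName" }
}
```

Close any Regedit window that has the loaded key open before the unload step, or the unload fails with an access-denied error.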
If you need to retrieve Registry entries from an installation of Windows on another hard disk or partition, perhaps one that can’t boot due to a virus, rootkit, or errant driver, you can load any of that installation’s hive files for editing or exporting.
Note
If the other installation is on a different computer, you’ll need to move its hard disk into your computer. Then, be sure that your computer boots from your hard disk, not the one you just added.
To edit the other installation’s Registry, you need to locate its hive files. They are usually found in the locations shown in Table 29.2.
To edit another Windows installation’s Registry, use the technique described in “Editing Registry Entries for Another User,” but instead of locating a user’s NTUSER.DAT file, locate the desired hive file on the other hard drive or partition. (We omitted the drive letters from Table 29.2. Find the hive file on the drive that corresponds to the other Windows installation.) Unload the hive after you’ve exported or corrected the desired information.
In some cases, you will find that you cannot view or modify keys loaded from another installation. This occurs if the keys are protected with security attributes that list specific users or groups defined in the other installation. In this case, you need to first take ownership of the keys and then add yourself as a user who is authorized to read or change the keys. The next section describes this process.
Note
You rarely should have to modify Registry security settings, but it does happen. The usual case is that an incorrectly designed program places information in a subkey of HKEY_LOCAL_MACHINE\Software that is intended to be shared and modified by all users running the program. Because Windows does not permit standard users to modify any keys in HKEY_LOCAL_MACHINE\Software by default, the program might malfunction. To fix the problem, sometimes you need to modify permissions so that standard users can edit the shared key. Microsoft also sometimes recommends modifying Registry security in emergency security bulletins.
Just as files and folders in an NTFS-formatted disk partition have security attributes to control access based on user and group identity, Registry keys and values also have a complete set of access control attributes that determine who has rights to read, write, and modify each entry.
If you absolutely must change permissions or auditing controls, locate the desired key or value, right-click it, and select Permissions. The Permissions dialog box looks just like the comparable dialog box for files and folders (see Figure 29.3), and it lets you set read, write, and modify rights for specific groups and users. You’ll find a corresponding set of audit settings.
In most cases, a software vendor supplies precise instructions for making changes necessary to work around an application problem. Here, we describe a general procedure to make a given key readable and writable by all users. You might do this to make a key capable of sharing information between users or to repair an alternate Windows installation, as mentioned in the previous section. To set more generous permissions, follow these steps:
1. Locate and select the key in the left pane.
2. Right-click it and select Permissions.
3. Select the Users entry in the top Group or User Names section. If Users is not listed, click Add, type Users, and click OK.
4. In the lower section, check Allow in the Full Control row and then click Apply. If this is successful, click OK.
5. If you are unable to make the changes, even though you’re running the Registry Editor as a Computer Administrator user, click Advanced and select the Owner tab.
6. If the Current Owner is listed as unknown, select Administrators in the lower list and click OK.
7. Click OK to close the Advanced Security Settings dialog box, and return to step 3.
This is a risky procedure because it could result in another user or application being unable to access its own Registry keys. Use this as a procedure of last resort.
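Because the Permissions dialog has no Undo either, it helps to record a key's security descriptor and see exactly who can already write to it before and after loosening it. The following is an added example, not from the book; the key path and output file name are hypothetical placeholders.

```powershell
# Added example: save a key's ACL and list every identity that can modify the key.
$KeyPath = 'HKLM:\Software\ExampleVendor\SharedSettings'   # hypothetical key
$SddlOut = Join-Path $env:TEMP 'SharedSettings-acl.sddl'   # hypothetical file

# Rights that allow changing the key, plus GENERIC_ALL and GENERIC_WRITE,
# which some ACEs carry instead of the specific registry rights.
$Specific  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$WriteBits = ([int]$Specific) -bor 0x10000000 -bor 0x40000000

# Well-known SIDs of groups that include standard users.
$Broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

function Get-RegistryWriters {
    param([Parameter(Mandatory)][string]$Path)
    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Asking for SIDs avoids name lookups that fail for accounts defined in
    # another Windows installation (shown as "unknown" in the dialog).
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.RegistryRights -band $WriteBits) -eq 0) { continue }
        $sid = $rule.IdentityReference.Value
        [pscustomobject]@{
            Sid        = $sid
            BroadGroup = $Broad[$sid]        # empty unless a broad group
            Rights     = $rule.RegistryRights
            Inherited  = $rule.IsInherited
        }
    }
}

# 1. Save the current security descriptor so the change can be reversed.
$before = (Get-Acl -LiteralPath $KeyPath).Sddl
Set-Content -LiteralPath $SddlOut -Value $before

# 2. Review who can write. Run this again after using the Permissions dialog.
Get-RegistryWriters -Path $KeyPath | Format-Table -AutoSize

# 3. Rollback, if the change turns out to be unnecessary:
# $acl = Get-Acl -LiteralPath $KeyPath
# $acl.SetSecurityDescriptorSddlForm($before)
# Set-Acl -LiteralPath $KeyPath -AclObject $acl
```

A row with a non-empty BroadGroup column after the change confirms that standard users can now modify the key, which is the state the procedure above creates.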
You can use some third-party tools to edit the Registry and adjust Windows features. Next, we describe three of the more popular utilities.
Registry Toolkit is a shareware Registry Editor made by Funduc Software (www.funduc.com) with a nifty search-and-replace system. You can scan the Registry, changing all occurrences of one string to another, which is something most other Windows Registry Editors can’t do. Its user interface isn’t very comfortable or slick, but if you need to manage a lot of identical changes in the Registry, this is one cool tool. It’s free to try, $25 to register, at www.funduc.com.
Registrar Registry Manager is a powerful Registry-editing tool produced by Resplendence Software Projects (www.resplendence.com), with a drag-and-drop interface. It includes a Registry backup, restore, and defragmentation tool; a Registry-compare tool; an Undo capability; and many more features. The full version costs $55, and there is a free “home” version.
Tweak-10 from Totalidea Software (www.totalidea.com) combines tweaking tools with additional enhancements and plug-ins. The cost is approximately $25 for one computer, with multiple-license discounts available. Check the totalidea.com website for this and other cool Windows tools.
On Windows corporate domain-type networks, Administrators can use the policy system to restrict users’ ability to change their computer configuration. When you log on using a Domain user account, the policy system downloads and installs Registry settings prepared by system administrators. These Registry settings not only can help automate the setup of networking and other components, but can also restrict your ability to (mis)manage your computer.
Here’s how it works: Windows looks at a boatload of Registry entries to determine what features to make available to you. For example, one value determines whether the Start menu is allowed to display the Run item; another makes the Control Panel hide the Power Management settings. Most of these values normally don’t appear in the Registry at all, but they can be installed there by the policy system, and Windows security settings prevent users from changing or deleting them.
On a computer that’s a member of a Windows Domain network, the policy system is called Group Policy. On a standalone computer, it’s called Local Security Policy. For a more detailed discussion of Local Security Policy, see “Tightening Local Security Policy,” p. 794.