There are five primary, or root, branches of the Registry, each containing a specific portion of the information stored therein. These root keys can’t be deleted, renamed, or moved, because they are the basis for the organization of the Registry. They are:
HKEY_CLASSES_ROOT
This branch contains the information that comprises your Windows file types. See the discussion of file types in Chapter 4 for details on the structure of most of the entries in this branch. A few special keys here, such as CLSID (short for Class ID), contain “registered” components of Windows and your installed applications. The contents of HKEY_CLASSES_ROOT are generally easy to edit, but it’s best not to mess with anything in the CLSID branch, because almost none of it is in plain English.
This entire branch is a symbolic link,[1] or “mirror,” of HKEY_LOCAL_MACHINE\SOFTWARE\Classes but is displayed separately in this branch for clarity and easy access.
HKEY_USERS
This branch contains a sub-branch for the currently logged-in user, the name of which is a long string of numbers, which will look something like this:
S-1-5-21-1727987266-1036259444-725315541-500
This number is the SID (security identifier), a unique ID for each user on your system. See Chapter 8 for more information on SIDs.
While it may sound like a good idea to edit the contents of this branch, you should instead use the HKEY_CURRENT_USER branch described later, which is a symbolic link, or “mirror,” of this branch. No matter which user is logged in, HKEY_CURRENT_USER will point to the appropriate portion of HKEY_USERS.
Because Windows only loads the profile (this portion of the Registry) of the currently logged-in user, only one user branch will ever be shown here. However, there will be a few other branches here, such as .default (used as a template when creating new user accounts), and a few others that will be of little interest to most users.
HKEY_CURRENT_USER
This branch simply points to a portion of HKEY_USERS, signifying the currently logged-in user. This way, any application can read and write settings for the current user without having to know which user is currently logged on.
In each user’s branch are the settings for that user, such as Control Panel settings and Explorer preferences. Most applications store user-specific information here as well, such as toolbars, high scores for games, and other personal settings.
The settings for the current user are divided into several categories; among them are AppEvents, Control Panel, Identities, RemoteAccess, Software, and System. The most useful of these branches, Software, contains a branch for almost every application installed on your computer, arranged by manufacturer. Here and in HKEY_LOCAL_MACHINE\SOFTWARE (discussed later) can be found all of your application settings. As though Windows were just another application on your system, you’ll find most user-specific Windows settings in HKEY_CURRENT_USER\Software\Microsoft\Windows.
HKEY_LOCAL_MACHINE
This branch contains information about all of the hardware and software installed on your computer that isn’t specific to the currently logged-in user. The settings in this branch are the same for all users on your system.
The sub-branch of most interest here is the SOFTWARE branch, which contains all of the information specific to the applications installed on your computer. Both this branch and the aforementioned HKEY_CURRENT_USER\Software branch are used to store application-specific information. Those settings that are specific to each user (even if your computer has only one user), such as toolbar configurations, are stored in the HKEY_CURRENT_USER branch; those settings that are not user-dependent, such as installation folders, are stored in the HKEY_LOCAL_MACHINE branch. You’ll want to look in both places if you’re trying to find a particular application setting, because most manufacturers (even Microsoft) aren’t especially careful about which branch is used for any given setting.
HKEY_CURRENT_CONFIG
This branch typically contains a small amount of information, most of which is simply symbolic links, or “mirrors,” of other keys in the Registry. There’s little reason to mess with this branch.
Values are where Registry data are actually stored (keys are simply used to organize values). The Registry contains several types of values, each appropriate to the type of data they are intended to hold. There are seven types of values that are displayed in the Registry Editor (see Table 3-1).[2] Each type is known by at least two different names, the common name and the symbolic name (shown in parentheses).
Table 3-1. Value types visible in the Registry Editor
Value type | Icon used in RegEdit | Can be created in RegEdit? |
---|---|---|
String (REG_SZ) | | Yes |
Multi-String[3] (REG_MULTI_SZ) | | Yes |
Expandable String (REG_EXPAND_SZ) | | Yes |
Binary (REG_BINARY) | | Yes |
DWORD (REG_DWORD) | | Yes |
DWORD (REG_DWORD_BIGENDIAN) | | No |
Resource List (REG_RESOURCE_LIST, REG_RESOURCE_REQUIREMENTS_LIST, or FULL_RESOURCE_DESCRIPTOR) | | No |
[3] Multi-String values are also sometimes called String Array values.
Although the Registry Editor allows you to view and edit all seven types of values, it only allows you to create the five most common (and not surprisingly, most useful) types.[4] Although each of these value types is explained below, they’ll make more sense when discussed in the context of the solutions throughout the rest of this book.
String values contain strings of characters, more commonly known as plain text. Most values of interest to us will end up being string values; they’re the easiest to edit and are usually in plain English.[5] To edit one, just double-click it and type a string of text into the text field (Figure 3-3).
In addition to standard strings, there are two far less common string variants, used for special purposes:
Multi-String (REG_MULTI_SZ)
Contains several strings, concatenated (glued) together and separated by null characters. Although the Registry Editor now lets you create these values, it’s impossible to type null characters (character #0 in the ASCII character set) from the keyboard. The only way to place a null character into a Registry value is either programmatically or via cut-and-paste from another application.
Expandable String (REG_EXPAND_SZ)
Contains special variables, into which Windows substitutes information before delivering it to the owning application. For example, an expanded string value intended to point to a sound file may contain %SystemRoot%\Media\doh.wav. When Windows reads this value from the Registry, it substitutes the full Windows path for the variable, %SystemRoot%; the resulting data then becomes (depending on where Windows is installed) c:\Windows\Media\doh.wav. This way, the value data is correct regardless of the location of the Windows folder.
Similarly to string values, binary values hold strings of characters. The difference is the way the data is entered. Instead of a standard text box, binary data is entered with hexadecimal codes in an interface commonly known as a hex editor.[6] Each individual character is specified by a two-digit number in base-16 (e.g., the number 6E in base-16 is the number 110 in good-ol’ base-10), which allows characters not found on the keyboard to be entered. See Figure 3-4 for an example. Note that you can type hex codes on the left or normal ASCII characters on the right, depending on where you click with the mouse.
The contents of binary values often don’t appear in plain English, making understanding their use, not to mention modifying them, that much more difficult. Figure 3-4 shows a binary value that just happens to have readable text.
Figure 3-4. Binary values are entered differently from the common string values, but the contents are sometimes nearly as readable
Note also the various Resource List value types (see Table 3-1), which are just special cases of binary values; you’ll find very little reason to ever mess with these.
Essentially, a DWORD is a number. Often, the contents of a DWORD value are easily understood, such as 0 for no and 1 for yes, or 60 for the number of seconds in some timeout setting. A DWORD value is used where only numerical digits are allowed, whereas string and binary values allow anything.
In the DWORD value editor (Figure 3-5), you can change the base of the number displayed. For values of 9 or smaller, this option won’t make any difference. For 10 and larger, however, the wrong selection will result in the wrong value being entered. In most cases, you’ll want to select Decimal (even though it’s not the default), since decimal notation is what we use for ordinary counting numbers. Note that if there’s already a number in the Value data field, it will be instantly converted when you switch the Base, which is a good way to illustrate the difference between the two.
Figure 3-5. DWORD values are just numbers, but they can be represented in Decimal or Hexadecimal notation
In some circumstances, the particular number entered into a DWORD value is actually made up of several components, called bytes. This way, several values can be represented by a single number. While this notation is often convenient for programmers, it’s decidedly inconvenient for lowly users fishing around in the Registry. The REG_DWORD_BIGENDIAN type is a variant of the DWORD type, wherein said bytes are simply represented in the opposite order.
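The value types described above can be made concrete by decoding their raw bytes, as someone reading an exported or offline Registry hive would have to. The following Python sketch is an added example, not code from the book; it assumes string data is stored as UTF-16LE (as NT-family Windows does), the function names are hypothetical, and the sample data is constructed.

```python
import re
import struct

# Numeric type codes as defined in the Windows SDK (winnt.h).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_MULTI_SZ = 5, 7

def expand(template, env):
    """Substitute %NAME% variables (case-insensitive); unknown names stay as-is."""
    table = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: table.get(m.group(1).upper(), m.group(0)), template)

def decode_value(reg_type, raw, env=None):
    """Turn raw value bytes into the object a reader of the Registry expects."""
    if reg_type in (REG_DWORD, REG_DWORD_BIG_ENDIAN):
        if len(raw) != 4:
            raise ValueError("DWORD data must be exactly 4 bytes")
        return struct.unpack("<I" if reg_type == REG_DWORD else ">I", raw)[0]
    if reg_type not in (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ):
        return raw  # binary and resource lists: leave as opaque bytes
    text = raw.decode("utf-16-le")  # assumption: UTF-16LE string storage
    if reg_type == REG_MULTI_SZ:
        strings = []
        for s in text.split("\x00"):
            if not s:  # an empty string marks the end of the list
                break
            strings.append(s)
        return strings
    text = text.rstrip("\x00")
    return expand(text, env or {}) if reg_type == REG_EXPAND_SZ else text

def encode_multi_sz(strings):
    """Build Multi-String data programmatically (nulls cannot be typed)."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")

# Constructed sample data, not taken from a real hive.
SAMPLE_ENV = {"SystemRoot": r"c:\Windows"}
SAMPLE_EXPAND = "%SystemRoot%\\Media\\doh.wav\x00".encode("utf-16-le")
SAMPLE_MULTI = encode_multi_sz(["first", "second", "third"])
SAMPLE_DWORD = bytes([0x3C, 0x00, 0x00, 0x00])  # 60 stored little-endian

if __name__ == "__main__":
    print(decode_value(REG_EXPAND_SZ, SAMPLE_EXPAND, SAMPLE_ENV))
    print(decode_value(REG_MULTI_SZ, SAMPLE_MULTI))
    print(decode_value(REG_DWORD, SAMPLE_DWORD),
          decode_value(REG_DWORD_BIG_ENDIAN, SAMPLE_DWORD))
```

The same four bytes read as 60 when treated as an ordinary DWORD and as 1006632960 when treated as the big-endian variant, which is why the declared type matters when interpreting a value.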
Most Registry editing involves modifying existing values, as opposed to creating new ones. This often makes things easier, as the existing value and its contents can be used as an example.
The application that creates each value in the Registry solely determines the particular type and purpose of the value. In other words, no strict rules limit which types are used in which circumstances or how values are named. A programmer may choose to store, say, the high scores for some game in a binary value called High Scores or in a string value called Lard Lad Donuts.
An important thing to notice at this point is the string value named (default) that appears at the top of every key.[7] The default value cannot be removed or renamed, although its contents can be changed; an empty default value is signified by value not set.
The (default) value doesn’t necessarily have any special meaning that differentiates it from any other value, apart from what might have been assigned by the programmer of the particular application that created the key.
[1] A symbolic link is different from a Windows shortcut you’d find on your hard disk. Information in a linked branch appears twice and can be accessed at two different locations, even though it’s stored only once. This means that Find may stop in both places if they contain something you’re looking for and, as you might expect, changes in one place will be immediately reflected in the mirrored location.
[2] Another type of value, known as REG_LINK, is invisible in the Registry Editor. It facilitates symbolic links; the HKEY_CURRENT_USER branch, discussed earlier in this chapter, is an example.
[4] In previous versions of Windows, the Registry Editor only allowed you to create String, Binary, and DWORD values. The ability to create Multi-String and Expandable String values is new in Windows XP. Note that you’ll find little reason to ever create the other two available types shown in Table 3-1.
[5] Although Windows is available in a wide variety of localized languages, most of the internal Registry data will still be in English, primarily because Microsoft is located in the United States, but also because the programming languages used to write Windows components and applications are all based on American English.
[6] See Section 4.2.2 for an example of how a hex editor is used.
[7] In the more simplistic Registry found in Windows 3.1 and Windows NT 3.x, each key had only one value. Starting in Windows 95, a key could contain any number of values; the default value simply took the place of the lone value from previous versions, allowing compatibility with older applications that were written before the change took effect. In fact, many things you’ll find in the Registry are designed with such “legacy” support in mind.