OS 2010 SPRING
EGEMYO BİLPROG
THE REGISTRY
The Registry is a database used to store settings and options for the 32-bit
versions of Microsoft Windows, including Windows 95, 98, ME and NT/2000. It
contains information and settings for all the hardware, software, users, and
preferences of the PC.
Whenever a user changes Control Panel settings, File Associations, System
Policies, or installed software, the changes are reflected and stored in the
Registry.
It is contained in two hidden files in your Windows directory, called USER.DAT
and SYSTEM.DAT (Windows Me has an additional CLASSES.DAT file), while under
Windows NT/2000 the files are stored separately in the
%SystemRoot%\System32\Config directory.
You cannot edit these files directly; you must use a tool commonly known as a
"Registry Editor" to make any changes.
Launching Registry Editor
To look at the registry, launch the Registry Editor. Press Win+R to open the
Run dialog, then type “regedit”.
The Registry Editor in Windows Vista.
Asst. Prof. Dr. C. Harmanşah
The Structure of the Registry
The Registry has a hierarchical structure. Although it looks complicated, the
structure is similar to the directory structure on your hard disk, with
Regedit being similar to Windows Explorer.
Each main branch (denoted by a folder icon in the Registry Editor) is called a
Hive, and Hives contain Keys. Each key can contain other keys (sometimes
referred to as sub-keys), as well as Values. The values contain the actual
information stored in the Registry. There are three types of values: String,
Binary, and DWORD. The use of these depends upon the context.
There are six main branches, each containing a specific portion of the
information stored in the Registry. They are as follows:
Name                  Abbreviation
HKEY_CLASSES_ROOT     HKCR
HKEY_CURRENT_USER     HKCU
HKEY_LOCAL_MACHINE    HKLM
HKEY_USERS            HKU
HKEY_CURRENT_CONFIG
HKEY_CLASSES_ROOT - This branch contains all of your file association
mappings to support the drag-and-drop feature, OLE information, Windows
shortcuts, and core aspects of the Windows user interface.
HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS
appropriate for the user currently logged onto the PC and contains
information such as logon names, desktop settings, and Start menu settings.
HKEY_LOCAL_MACHINE - This branch contains computer-specific information
about the type of hardware, software, and other preferences on a given PC.
This information is used for all users who log onto this computer.
HKEY_USERS - This branch contains individual preferences for each user of
the computer. Each user is represented by a SID sub-key located under the
main branch.
HKEY_CURRENT_CONFIG - This branch links to the section of
HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
HKEY_DYN_DATA - This branch points to the part of HKEY_LOCAL_MACHINE for use
with the Plug-&-Play features of Windows. This section is dynamic and will
change as devices are added and removed from the system.
Each registry value is stored as one of five main data types:
REG_BINARY - This type stores the value as raw binary data. Most
hardware component information is stored as binary data, and can
be displayed in an editor in hexadecimal format.
REG_DWORD - This type represents the data by a four byte number and is
commonly used for boolean values, where "0" is disabled and "1" is enabled.
Additionally, many parameters for device drivers and services are this type.
It can be displayed in REGEDT32 in binary, hexadecimal and decimal format, or
in REGEDIT in hexadecimal and decimal format.
REG_EXPAND_SZ - This type is an expandable data string, that is, a string
containing a variable to be replaced when called by an application. For
example, for the following value, the string "%SystemRoot%" will be replaced
by the actual location of the directory containing the Windows NT system
files. (This type is only available using an advanced registry editor such as
REGEDT32)
REG_MULTI_SZ - This type is a multiple string used to represent
values that contain lists or multiple values, each entry is separated
by a NULL character. (This type is only available using an advanced
registry editor such as REGEDT32)
REG_SZ - This type is a standard string, used to represent human
readable text values.
Other data types not available through the standard registry editors
include:
REG_DWORD_LITTLE_ENDIAN - A 32-bit number in little-endian
format.
REG_DWORD_BIG_ENDIAN - A 32-bit number in big-endian
format.
REG_LINK - A Unicode symbolic link. Used internally; applications
should not use this type.
REG_NONE - No defined value type.
REG_QWORD - A 64-bit number.
REG_QWORD_LITTLE_ENDIAN - A 64-bit number in little-endian
format.
REG_RESOURCE_LIST - A device-driver resource list.
Importing and Exporting Registry Settings
One feature of Registry Editor is its ability to import and export registry
settings to a text file. This text file, identified by the .REG extension, can
then be saved or shared with other people to easily modify local registry
settings.
You can see the layout of these text files by simply exporting a key to a file
and opening it in Notepad. To do this, select a key in the Registry Editor,
then from the "Registry" menu choose "Export Registry File...", choose a
filename and save. If you open this file in Notepad you will see a file
similar to the example below:
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"SetupType"=dword:00000000
"CmdLine"="setup -newsetup"
"SystemPrefix"=hex:c5,0b,00,00,00,40,36,02
The layout is quite simple: REGEDIT4 indicates the file type and version,
[HKEY_LOCAL_MACHINE\SYSTEM\Setup] indicates the key the values are from, and
lines such as "SetupType"=dword:00000000 are the values themselves. The
portion after the "=" will vary depending on the type of value: DWORD, String
or Binary.
So by simply editing this file to make the changes you want, it can then be
easily distributed, and all that needs to be done is to double-click it, or
choose "Import" from the Registry menu, for the settings to be added to the
system Registry.
Deleting keys or values using a REG file
It is also possible to delete keys and values using REG files. To delete a
key, start by using the same format as the REG file above, but place a "-"
symbol in front of the key name you want to delete.
For example, to delete the [HKEY_LOCAL_MACHINE\SYSTEM\Setup] key the REG file
would look like this:
REGEDIT4
[-HKEY_LOCAL_MACHINE\SYSTEM\Setup]
The format used to delete individual values is similar, but instead of a
minus sign in front of the whole key, place it after the equal sign of the
value. For example, to delete the value "SetupType" the file would look
like:
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"SetupType"=-
Use this feature with care, as deleting the wrong key or value could cause
major problems within the registry, so remember to always make a backup first.
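The following added example (not part of the original notes) reads a REGEDIT4 file and lists what an import would do: the values it sets, with their decoded type, and the keys or values it deletes. The sample text, the OldValue entry and the ExampleVendor key are constructed; values that continue over several lines are not decoded and are reported as 'unknown'.

```python
import re

# Constructed sample in the REGEDIT4 layout described above (not a real export).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"SetupType"=dword:00000000
"CmdLine"="setup -newsetup"
"SystemPrefix"=hex:c5,0b,00,00,00,40,36,02
"OldValue"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data

def unescape(s):  # .reg strings escape \ and " with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def decode(raw):
    """Map the text after '=' to (type, data)."""
    if re.fullmatch(r'dword:[0-9a-fA-F]{1,8}', raw):
        return 'REG_DWORD', int(raw[6:], 16)
    if re.fullmatch(r'hex:(?:[0-9a-fA-F]{2}(?:,|$))*', raw):
        return 'REG_BINARY', bytes.fromhex(raw[4:].replace(',', ''))
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return 'REG_SZ', unescape(raw[1:-1])
    return 'unknown', raw

def parse_reg(text):
    """Return a list of (operation, key, value_name, type, data) tuples."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != 'REGEDIT4':
        raise ValueError('not a REGEDIT4 file')
    ops, key = [], None
    for line in (l.strip() for l in lines[1:]):
        if line.startswith('[-') and line.endswith(']'):
            ops.append(('delete_key', line[2:-1], None, None, None))
            key = None
        elif line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = '(Default)' if m.group(1) is None else unescape(m.group(1))
            if m.group(2) == '-':
                ops.append(('delete_value', key, name, None, None))
            else:
                ops.append(('set_value', key, name, *decode(m.group(2))))
    return ops
```

Calling parse_reg on the text of a .REG file before importing it shows every change the import would make, including deletions that are easy to miss when skimming the file.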
Regedit Command Line Options
Regedit has a number of command line options to help automate its use in
either batch files or from the command prompt.
regedit.exe [options] [filename] [regpath]
[filename]                Import .reg file into the registry
/s [filename]             Silent import, i.e. hide confirmation box when importing files
/e [filename] [regpath]   Export the registry to [filename] starting at [regpath], e.g. regedit /e file.reg HKEY_USERS\.DEFAULT
/L:system                 Specify the location of the system.dat to use
/R:user                   Specify the location of the user.dat to use
/C [filename]             Compress (Windows 98)
/D [regpath]              Delete the specified key (Windows 98)
Where the Registry is stored
The Registry itself is stored on your computer in certain files. Below we
list which files store the Registry, and where they are located, for each
version of Windows.
For Windows NT 4.0, Windows 2000, Windows XP, and Windows Server
2003, the Registry files are stored in the following directories:
Systemroot\System32\Config
Systemroot\Profiles\Username
The names for the registry files are:
Sam, Sam.log, Sam.sav
Security, Security.log, Security.sav
Software, Software.log, Software.sav
System, System.alt, System.log, System.sav
System, System.alt, System.log, System.sav, Ntuser.dat, Ntuser.dat.log
Default, Default.log, Default.sav
For Windows 98, the registry files are named User.dat and System.dat and are
stored in the C:\Windows directory.
How to edit the Registry
In order to modify values in the Registry you need to use a program called a
Registry Editor. Windows comes with one, regedit.exe, also known as Registry
Editor.
When you open Registry Editor you will see two panes.
The left pane is your navigation pane. By default it will list all the Hives
with a + or - next to each one. You can click the + to expand the tree
underneath that Hive, revealing Keys and Subkeys.
In the right pane you will then see a listing of the values associated with
that key.
In the screenshot below you will see an image of the Registry Editor where I
have navigated to the key:
HKEY_CURRENT_USER\Control Panel\Colors
Figure 1. Registry Editor
In Figure 1 above, the Hive that we are in is HKEY_CURRENT_USER. The Key is
Control Panel and the Subkey is Colors. The right hand portion shows all the
Values contained in the Subkey Colors.
To modify a Value, you would double-click on the value name and a screen
similar to Figure 2 below would appear.
Figure 2: Modifying a Value
You would then type the appropriate information into the Value data field and
press the OK button.
Startup Tasks
Under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion you'll find
keys named Run, RunOnce, RunServices and RunServicesOnce.
Open the Run key.
In here you'll see several named values containing paths to programs. The exact
contents will vary from system to system but a few are created by Windows
Setup such as the “ScanRegistry” entry.
This contains the value “C:\WINDOWS\scanregw.exe /autorun” which causes the
automatic registry check and backup to be performed each time Windows starts.
To prevent a program from being launched automatically at start-up using this
mechanism you can simply delete the value containing its path. To add a new
startup task right-click the right hand pane and create a new string value, name
it appropriately and enter as its value the path (and command line arguments, if
any) of the program you want to start.
RunOnce will be empty, but it can contain entries for programs that are to be run
once at startup.
After the program has been run Windows deletes its entry from the Registry. This
key would typically be used by a Setup program to perform some configuration
task that can only be done right after a restart.
RunServices is similar to Run. It is used to start special tasks called “services”.
Services are programs that run as part of the system. Under Windows NT they
have extra privileges compared with normal tasks.
Programs may also be started automatically by adding values to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce.
This key is part of HKEY_CURRENT_USER and not the system-wide
HKEY_LOCAL_MACHINE.
Programs that use this mechanism run when the user logs in (or when the
default desktop loads if user profiles aren't enabled under Windows 9x.) This
means that different users can have different programs start automatically when
they log in. This is more closely comparable to the function of the StartUp folder,
which is also unique to each user.
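As an added example (not from the original notes), the sketch below checks a list of registry values against the autostart keys named above and reports entries that are not in a reviewed baseline. Apart from ScanRegistry, the entries and the baseline are constructed, and the function names are this example's own.

```python
# Autostart keys named in the text above, relative to the hive root.
BASE = r'software\microsoft\windows\currentversion'
AUTOSTART = {
    'HKEY_LOCAL_MACHINE': ('run', 'runonce', 'runservices', 'runservicesonce'),
    'HKEY_CURRENT_USER': ('run', 'runonce'),
}
ABBREV = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}

def classify(key):
    """Return (hive, key_name) if key is one of the autostart keys, else None."""
    hive, _, rest = key.replace('/', '\\').strip('\\').partition('\\')
    hive = ABBREV.get(hive.upper(), hive.upper())
    parent, _, leaf = rest.lower().rpartition('\\')
    if parent == BASE and leaf in AUTOSTART.get(hive, ()):
        return hive, leaf
    return None

def program(cmdline):
    """Return the program path from a command line, quoted or bare."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(' ', 1)[0]

def audit(entries, baseline):
    """List autostart values whose program differs from the reviewed baseline."""
    findings = []
    for key, name, data in entries:
        hit = classify(key)
        if hit is None:
            continue
        hive, leaf = hit
        exe = program(data).lower()
        if baseline.get(name.lower()) != exe:
            scope = 'all users' if hive == 'HKEY_LOCAL_MACHINE' else 'current user'
            findings.append((name, exe, scope, leaf.endswith('once')))
    return findings

# Constructed entries and baseline; only ScanRegistry comes from the text.
ENTRIES = [
    (r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
     'ScanRegistry', r'C:\WINDOWS\scanregw.exe /autorun'),
    (r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
     'ExampleSetup', r'"C:\Program Files\Example\finish.exe" /quiet'),
    (r'HKCU/Software/Microsoft/Windows/CurrentVersion/Run',
     'ExampleTray', r'C:\Example\tray.exe'),
    (r'HKEY_CURRENT_USER\Control Panel\Colors', 'Window', '255 255 255'),
]
BASELINE = {'scanregistry': r'c:\windows\scanregw.exe'}
```

Each finding is (value name, program, scope, run-once flag). A bare path that contains spaces is cut at the first space, so such entries show up as baseline mismatches for manual review.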
Removing Windows Messenger from Internet Explorer
A simple registry edit which enables the Windows Messenger toolbar and icon to
be removed from Internet Explorer.
- Launch regedit
- Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions.
- Right click on the key {FB5F1910-F110-11d2-BB9E-00C04F795683} and choose
  rename. Add a "-" (minus) to the start of the key.
On restarting Internet Explorer the Windows Messenger integration with IE will
be removed.
Disable task manager
An excellent administration lock down, preventing users from accessing the
task manager in order to view processes, applications and make precedence
changes to individual tasks.
- Launch regedit
- Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system.
- Under the system key create a new DWORD value called “DisableTaskMgr”. Set
  the value to '1'. This will disable the task manager.
To revert back to the default simply set the value to '0' = no effect. For
this change to take effect the user will need to log off, although it does not
require a full reboot.
Preventing the system from automatically rebooting after a Windows update
As is the case for the vast majority of users, Windows is configured to
perform automatic updates. When these updates are performed, if any individual
components require a reboot of Windows then the system automatically reboots.
The following registry edit enables the user to control this rebooting.
- Launch regedit
- Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU.
- Under the AU key create a new DWORD value called
  “NoAutoRebootWithLoggedOnUsers”.
- This value toggles the reboot process on or off. Enter '1' to disable the
  automatic reboot.
To revert back to the default simply set the value to '0' = no effect
(continue as before, i.e. reboot). Somewhat ironically, you will need to
reboot the system for this change to take effect!
Adding a Right click menu option to Favorites
Adding right click menu functionality is another excellent tweak within the
Windows registry. One example is adding a right click menu option to your
favorites, where the end user can open the favorite in a new window.
- Launch regedit
- Navigate to HKEY_CLASSES_ROOT\InternetShortcut\Shell
- Under the shell key create a new subkey called “Open in a new window”.
- Under this new key create a further subkey called “command”.
- In the right hand pane open the 'default' value and enter the data
  “rundll32.exe shdocvw.dll, OpenURL %1”
- Select OK for the change to take effect
Right click on one of your favorites. There will be a menu option to “Open in a
new window”.
Configure Windows to close services correctly by increasing the shutdown process time
- Launch regedit
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
- In the right hand pane, create a new String value, or modify the existing
  value 'WaitToKillServiceTimeout'
- Enter the Value Data = '20000'
- Click Ok – Exit - Reboot.
Removing ‘Properties’ option in My Computer
- Launch regedit
- Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- In the right hand pane, create a new DWORD value, or modify the existing
  value 'NoPropertiesMyComputer'.
- Enter the Value Data '1' = No Properties. To revert back set '0' = Show
  Properties
- Click Ok – Exit - Reboot
Enable Start Menu Scrolling
- Launch regedit
- Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- In the right hand pane, create a new String value, or modify the existing
  value 'StartMenuScrollPrograms'
- Enter the Value Data "Yes" or "No"
- Click Ok – Exit - Reboot.
Remove the ‘Links’ Folder from Favorites
- Launch regedit
- Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
- Set the 'LinksFolderName' value to a blank string, i.e. delete the value data
- Click Ok – Exit.
Launch Internet Explorer and delete the 'Links' folder from the Favorites
menu. Any subsequent launch of Internet Explorer will not create the 'Links'
folder.
Disable Error Reporting
- Launch regedit
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting
- In the right hand pane, create a new DWORD value, or modify the existing
  value 'DoReport'
- Enter the Value Data '0' = Disables Reporting or '1' = Send Report