Windows Registry

[#wnregsty]: Registry (implemented in Microsoft Windows and similar/compatible environments)

Wine may implement this as a text value. Microsoft Windows may store this data in multiple files that are not stored as simple ASCII text, and so specialized software is used to interact with that data.

Registry terminology

Registry key

A registry key is analogous to a “folder”/“directory”. For those who are familiar with using RegEdit, RegEdit represents the keys as a series of folders in the left pane of the RegEdit window.

handle key

“Deeper into the Windows Registry” says, “When a program uses the API to access the registry the Windows Object Manager will return a handle for the object identified by a key. That is why the "HKEY" in the root keys means "handle key".”

Root key

These are basically top-level keys. The name of a root key often matches the name of a registry hive. (The term “hive” is discussed later.)

The following line of output from REG QUERY /? shows supported short names of root keys:


C:\> REG QUERY /? | find.exe "HKCR" | find.exe "HKCC"



                ROOTKEY - [ HKLM | HKCU | HKCR | HKU | HKCC ]





C:\>

IBM.com: Inspecting the Windows Registry calls those five “the complete list of registry shortcuts”.

Registry value

A registry value is often referred to as a “registry entry”. A value has a name, a type, and data. The “value” is not the data which is stored in the named registry entry. Instead, a value is an actual named registry entry which generally includes a name, and also includes a type, and also includes a section for the “Data”.

If software states that it is asking for a value, it may actually be asking for the “name” of the value. In RegEdit, this name is located in the “Name” column, which is the first (left-most) column of the right pane/half/segment of the RegEdit window.

Hive

MSDN: Registry Hives says, “A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.” The page also lists the standard hives and files related to those hives. Interestingly, there is no hive at HKEY_LOCAL_MACHINE but there are at least four standard hives that start under the HKEY_LOCAL_MACHINE\ path, at SAM and Security and Software and System.

MSDN: CreateKey method of the StdRegProv class mentions, “A registry tree, also known as a hive”.

Note that those descriptions are not meant to be definitions. So, a person should not just refer to any tree as a “hive”. A hive is a specific type of data collection and has certain characteristics, like how it may be accessed when using the right files. (Most commonly, programs don't interact with those files, but they use the operating system's support for the registry. However, when resetting passwords, sometimes it is helpful to bot an operating system that isn't actively using the registry, and then specifying the desired files.)

Apttech's Blog: “Difference between a registry Hive and a registry Key” says “The Windows registry is divided into several root keys. They can also be called Hives.” It then goes on to list various Hives like HKLM, and some less commonly Hive names like HKLM-Soft and HKLM-Sys. In RegEdit, HKLM-Sys likely looks just like HKLM\System but Apttech's Blog: “Difference between a registry Hive and a registry Key” identifies it as a separate hive with separate related files.

More may be available from MS KB Q256986: Windows registry information for advanced users and/or subpages referred to by that MS KB article.

Format of registry files

[#dotregfl]: *.reg files

MS KB Q310516 shows some information. Note that if the first line says “Windows Registry Editor Version 5.00” then the file is likely in Unicode and will not be understood by older versions of RegEdit. MS KB Q310516 identifies 5.00 as being Windows 2000, XP, and Server 2003, while a header of “REGEDIT4” was used with Windows 98 and NT 4.0.

The format is pretty basic and can be seen by viewing an existing *.reg file or viewing MS KB Q310516. The blank lines before a key may actually be required. What many people, even those who have viewed such files, are probably unaware of are the commands to delete things from the registry. To delete a value, use the syntax: "ValueName=- To remove an entire key, place a hyphen before the key name, but still within the square brackets, like the following example: [-HKEY_LOCAL_MACHINE\Something]

Files storing registry data

Wine

...

Win9x

Windows 95

User.dat and System.dat are documented by MS KB Q131352: Using Registry Editor in Real Mode which is meant for Windows 95. Easy Desk Software: Windows Registry Files notes an 8MB size limit to registry files in Windows 95.

Windows 98

User.dat and System.dat and Policy.pol (as noted by Win98RK Chapter 31 - Windows 98 Registry, “Unlike System.dat and User.dat, Policy.pol is not a mandatory component of a Windows 98 installation.”)

Easy Desk Software: Windows Registry Files notes an 11MB size limit to registry files.

Windows ME

MS KB Q266270 notes another file: HKEY_CLASSES_ROOM was moved from System.dat to Classes.dat.

HKEY_DYN_DATA: An exception

Wayback Machine @ Archive.org's cache of “Troubleshooting and Configuring the Windows NT/95 Registry” Appendix F: “A closer look at HKEY_DYN_DATA” states “None of the data in HKEY_DYN_DATA is written to the hard disk, except in a temporary file. All of the data gets rewritten every time the system restarts.”

Wikipedia's article on the Windows Registry: section about HKEY_DYN_DATA notes that HKEY_DYN_DATA's information is “not stored on the hard drive. The Plug and Play information is gathered and configured at startup and is stored in memory.” MS KB Q250568 does say “The information in this key is newly created every time Windows starts.” (Wikipedia's article on the Windows Registry: section about HKEY_DYN_DATA notes that this registry key does not exist by other operating systems.)

Windows NT

According to a quick review of information from Wikipedia's page on the Windows Registry: section on hives, different sections of the registry are stored in different files.

The actual HKLM is created with each reboot and consists of various sections which are individually stored in different files on the disk. Sections of HKLM are stored in various files (without extensions being part of the filenames) stored in C:\Windows\System32\config\. The HKCU is stored inside two files for each individual user, so a system with multiple active users will have multiple copies of both of these two files. The filenames are NTUSER.DAT and USRCLASS.DAT.

Using the command line

REG.EXE

Some versions of Windows (which? Vista Home does. Earlier?) may have a REG.exe.

Overview/quick tip

The online help is generally rather sufficient, but here's a quick tip:

In some cases, the registry “key”, may need to be specified separate from the name of the “value” which is the named registry entry. (The “value” refers to the name of the actual setting, and is different than the “Data” which refers to the information stored in that setting.) Examples of splitting the value from the key are included in the examples displayed by “ REG ADD /? ” and this type of syntax is also used by REG DELETE ”.

[#wnrgcsav]: Exporting

For systems new enough to support the REG.exe command, there is another option that typically involves less mouse clicking (and can be much easier to use when pasting commands from the clipboard). To export to a standard .reg file which can be imported in RegEdit, use “ reg.exe EXPORT ”. For small tasks, this is generally the convenient option which is preferable over using “ reg.exe SAVE ” (which may create a .hiv file). Another option may be to use reg.exe QUERY and save the results (which can most conveniently be done using text redirection).

[#viewreg]: Viewing registry entries

Using REG.EXE QUERY

For operating systems with the REG.EXE command line utility, REG.EXE QUERY may be the most direct method.


REG.EXE QUERY keyname

That displays all of the values (named entries), including the names and data associated with each value, in the specified key. Adding a /z command line parameter causes a bit more (redundant) information to be shown.

For example, viewing PuTTY's registration keys may be done with:


REG.EXE QUERY /z HKCU\Software\SimonTatham\PuTTY\SshHostKeys

A specific value can also be retrieved from the local system's registry, or from a remote system.


REG QUERY "\\machName\HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v IPEnableRouter

Like many other programs that support modifying both a local machine or a remote networked machine, the “machName” refers to the name of a machine. If the machine being operated on is the local machine, then one convenient way is to refer to “\\.\” although, for a local machine, an even easier method is to just not even use the optional “machName\”. So, for a local machine, the following would also work:


REG QUERY "\HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v IPEnableRouter

[#msrmtreg]: Microsoft's “Remote Registry” service

In order to interact with a remote system's registry, the “RemoteRegistry” service may need to be started. The “Service name” for this service is “RemoteRegistry” (without a space). The “Display Name” is “Remote Registry” (with a space).

Perhaps inconveniently, that service may start out as being “Disabled”.

Once started, it may time out.

Limitations on accessing the registry of a remote system

Although modifying a remote machine may be supported, there are some limitations. If trying to access a different key than one of the two supported keys, REG.exe will report “ERROR: A remote machine was specified, the root key must be HKLM or HKU.” Similarly, RegEdit allows for changing HKLM (HKEY_LOCAL_MACHINE) or HKU (HKEY_USERS), but not the hives that start with HKC: Neither HKCR (HKEY_CLASSES_ROOT) nor HKCU (HKEY_CURRENT_USER) nor HKCC (HKEY_CURRENT_CONFIG). (HKPD, which is HKEY_PERFORMANCE_DATA, is not shown by RegEdit.) It seems likely that Reg may have some of the same sorts of limitations.

The RemoteRegistry service

Requirements

Accessing the registry requires that the “Remote Registry” service is running. (If it is not running, REG may report a line stating “ERROR: The network path was not found.”)

If this required service is not running, the following details might work to help out.


SC \\MachName qc RemoteRegistry | FIND /I "START_TYPE"


SC \\MachName config RemoteRegistry start= demand


SC \\MachName queryex RemoteRegistry


SC \\MachName start RemoteRegistry

(More details, about starting remote software like that, may be found in the section about currently running software: section on adjusting what software is running: sub-section on beginning services in Microsoft Windows.)

[#rmtregtm]: The RemoteRegistry timeout

Note: Do not assume that once the “Remote Registry” service is started, that it will forever remain started. The service may turn off after ten minutes.

Disabling the RemoteRegistry Timeout

Based on information from KB.Paessler.com (“The Network Monitoring Company”) KB: “How do I enable the Remote Registry Service on a Windows PC?”, this shows how to disable the timeout:



C:\> REG QUERY "\\MachName\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RemoteRegistry" /v DisableIdleStop


   DisableIdleStop    REG_DWORD    0x0








C:\> REG ADD /F "\\MachName\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RemoteRegistry" /v DisableIdleStop /t REG_DWORD /d 1

The trigger

KB.Paessler.com (“The Network Monitoring Company”) KB: “How do I enable the Remote Registry Service on a Windows PC?” says the RemoteRegistry service is designed “to be only turned on by a specific trigger so that it doesn't use up resources.” This affects Windows 8, Windows Server 2012, and newer.



C:\>SC
	\\remotesys.example qtriggerinfo RemoteRegistry


[SC] QueryServiceConfig2 SUCCESS





SERVICE_NAME: RemoteRegistry





        START SERVICE



          NETWORK EVENT                : 1f81d131-3fac-4537-9e0c-7e7b0c2f4b55 [NAMED PIPE EVENT]



            DATA                       : winreg





C:\>echo
	%ERRORLEVEL%


0





C:\>

KB.Paessler.com (“The Network Monitoring Company”) KB: “How do I enable the Remote Registry Service on a Windows PC?” points out information about the process to alter the trigger:

Disabling the trigger


SC \\MachName queryex RemoteRegistry

SC \\MachName triggerinfo RemoteRegistry delete

Re-enabling the trigger


SC \\MachName queryex RemoteRegistry

SC \\MachName triggerinfo RemoteRegistry start/namedpipe/1f81d131-3fac-4537-9e0c-7e7b0c2f4b55

Another possibly optional part are the quotation marks: The set of quotation marks around the registry key's name (shown in some examples) are needed if the Registry Key has a space in the name. (For example, when dealing with the “DisableIdleStop” value, the registry key contains “Windows NT” as part of its name. That has a space as part of the name of the registry key.) If the entire registry key does not contain a space, then the quotation marks (that surround the registry key) are not needed.

One way is to view the registry value's data in a graphical interface. Another way is to export the registry data to a .reg file which is then generally relatively easy to view.

[#wnregedc]: Editing the registry from the command line

This section can be performed fairly easily on an operating system with the REG command.

Checking the old value

First, it makes sense to know what the current/old value is. See section on viewing registry for details on how to do this using a command line or other approach.

Removing an old value

As a general practice, it is recommended to save a copy of the old value, so that this may be easily revered. See: Exporting registry information.

In addition to just remembering the value and the name, make sure to also record the type of data.

e.g., after seeing and saving the old value, the following could delete a registry entry:


REG DELETE "FullPathOfRegKey" /v ValueName

e.g.:


REG DELETE "HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v IPEnableRouter

Handling a challenging case: The “HKLM\MY_SYSTEM” may be in use by the operating system. If the goal is to remove some of that information, see: deleting from HKLM\MY_SYSTEM. (Note that this is not particularly common, so there's no need to follow those instructions unless that specific task is desired.)

Adding a new desired value


REG ADD "FullPathOfRegKey" /v ValueName /t REG_typeName /d dataToStore

e.g.:


REG ADD "HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v IPEnableRouter /t REG_DWORD /d 1

If the value pre-exists, the user gets prompted to overwrite the old value with a new value. That prompt may be surpressed by using the /f option (which is probably meant to represent the word “force”).

Accessing a remote registry

This can be as easy as specifying a UNC-like path at the start of the registry. For example:


REG QUERY "\\system.example\HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v IPEnableRouter

The remote system may need to be running a service called “Remote Registry”. (See: RemoteRegistry.)

Using WMI

First, a reference: information about using WMI.

At the time of this writing, there is no information here about retrieving the data from registry values. However, here are some details of what can be done with WMI.

A bit of info

There is a “Registry” object usable in WMIC. This object provides rather little information about the Registry.



WMIC Registry Get /?

Using StdRegProv

WARNING: a bunch of this has currently been untested by the creator of this documentation.

[#winrghkn]: WinReg.h Registry Key numbers

At least when using WMIC with StdRegProv, you will need to specify the registry keys by referencing some numbers.

MSDN: CreateKey method of the StdRegProv class provides the decimal values of these numbers, noting these are defined in WinReg.h. Microsoft: Previous Versions Documentation, “CheckAccess method of the StdRegProv class” also documents the decimal values. Here is a chart showing some values:

Registry Key Name	Registry Shortcut	Decimal Value	Hexadecimal Value
HKEY_CLASSES_ROOT	HKCR	2147483648	80000000
HKEY_CURRENT_USER	HKCU	2147483649	80000001
HKEY_LOCAL_MACHINE	HKLM	2147483650	80000002
HKEY_USERS	HKU	2147483651	80000003
HKEY_CURRENT_CONFIG	HKCC	2147483653	80000005

MSDN: CreateKey method of the StdRegProv class shows example VBScript using &H80000001 and example PowerShell code using 2147483650.

Rob van der Woude's Scripting Pages: WMIC (a page by somebody of no known close relation to Mr. VanderWoude who created this ][CyberPillar][ website) and WMI Registry | WMI Persistence using wmic.exe used those same hexadecimal values in some documentation.

A bunch of examples

MSDN documentation on StdRegProv class lists several “Methods” (a.k.a. “functions”) that can be used.

WMI Registry | WMI Persistence using wmic.exe demonstrated using several of these.

List the sub-keys underneath a registry key

WMI Registry | WMI Persistence using wmic.exe demonstrated how to do this.


wmic /NAMESPACE:"\\root\DEFAULT" path stdregprov call EnumKey ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles"

MSDN: StdRegProv class's EnumValues method mentions that WinNT.h defines the values as corresponding to data types as follows:

REG_SZ	1
REG_EXPAND_SZ	2
REG_BINARY	3
REG_DWORD	4
REG_MULTI_SZ	7
REG_QWORD	11

List the values underneath a registry key:

wmic /NAMESPACE:"\\root\DEFAULT" path stdregprov call EnumValues ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles\Sys" (The documented example showed a value named TasksDir.)

Show the data of a value

wmic /NAMESPACE:"\\root\DEFAULT" path stdregprov call GetStringValue ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles\Sys","TasksDir"

create a child key

MSDN: CreateKey method of the StdRegProv class had some examples with VBScript and PowerShell.

WMI Registry | WMI Persistence using wmic.exe demonstrated using several of these. had this:

wmic /NAMESPACE:"\\root\DEFAULT" path stdregprov call CreateKey ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles\test"

Set some data

e.g., for a key named test, and a value named "Name", and Data containing the text string "Data" wmic /NAMESPACE:"\\root\DEFAULT" path stdregprov call SetStringValue ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles\test","Data","Name

delete key

wmic /NAMESPACE:"\\root\DEFAULT" path stdregprov call DeleteKey ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles\test"

Delete value

wmic /NAMESPACE:"\\root\DEFAULT" path stdregprov call DeleteValue ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles\test","Name"

Permissions checking in WMIC

Rob van der Woude's Scripting Pages: WMIC (a page by somebody of no known close relation to Mr. VanderWoude who created this ][CyberPillar][ website) shows a way of using a Call to the CheckAccess method of a “Registry Provider” Class called StdRegProv to be able to verify permissions (by checking the resulting ERRORLEVEL).

This can be used to determine whether a specific user has a specific permission.

Making changes

This is not used for making changes. Microsfot “Previous Versions” documentation: CheckAccess method of the StdRegProv class” states, “The Registry Provider does not provide a way to list all of the access rights on a given subkey or entry, or to make any changes to the access rights.”

To make changes to the registry settings, see the PowerShell command Set-ACL? Or replace existing Registry permissions settings with RegIni?

An example command line is:



WMIC /NameSpace:\\root\default Class StdRegProv Call CheckAccess hDefKey="&H80000002" sSubKeyName="Software\My Program" uRequired="&H2"

There are three parts of that command line that are most likely to have someone customize.

hDefKey="&H80000002"

The value of "&H80000002" corresponds to HKLM. This is using one of the hexadecimal values from the WinReg.h Registry Key numbers section (noted earlier).
sSubKeyName="Software\My Program"

Clearly this is the name of a registry key underneath the hive mentioned by the hDefKey.
uRequired="&H2"

The value of "&H2" corresponds to a permission called “KEY_SET_VALUE”. How do we know that? Because that is information shown in the example environment variables in examples by
Rob van der Woude's Scripting Pages: WMIC (a page by somebody of no known close relation to Mr. VanderWoude who created this ][CyberPillar][ website). This is just one of ten permissions noted by Rob's web page.

MSDN: Changing Registry Data says: “Using WMI, you cannot set access security on a registry key. However, the StdRegProv.CheckAccess method compares the security settings of the current user to the security descriptor on a registry key to determine if the user has a specific permission, such as KEY_SET_VALUE.”

Microsoft support page says, “To download this code sample, click one of the following links:”. Then, it provides no links. However, the page does seem to suggest a possibility of monitoring with WMI.

Using RegEdit from the command line

Common information

RegEdit may be used to interpret a file that is in the standard “.reg” file format. Generally such files are used to add keys, although they may also be used to remove keys.

Information about Windows 3.1x

MS KB Q82821: Registration Info Editor (REGEDIT) Command-Line Switches shows not much more, at least in the Windows 3.1x versions.

Win9x

MS KB Q131352: Using Registry Editor in Real Mode shows exporting was available as early as Windows 95. The /e may export. The next parameter is a filename. Having yet another parameter is optional, and if it exists then it is expected to be a registry path.

The /c may create a new registry file.

An available option is /L:filename to specify a file that is meant to hold data generally stored in a SYSTEM.DAT file. (Specifying a filename may allow one to perform operations on a backup file.) Similarly, /R:filename lets one specify a file that is meant to hold data typically found in a USER.DAT file. (These filenames are likely specific to Win9x implementations.)

A third party website, Regedit Command Line Options Syntax, notes that a /d switch allows removal of a key in Win98/ME. (However, that may also be done by specifying a registry file that indicates the registry key should be removed.)

Using Windows Script Host



var objShell;


var objError;


var sRegKeyOrVal;


var sRegValueData;


var sRegType;



try {


	
		 objShell = new ActiveXObject("WScript.Shell");

	
	

}


catch (objError) {


	
		 ;

	
	



}


sRegKeyOrVal="HKLM\Blah\BlahBlah\";


sRegType="REG_SZ";


sRegValueData="MyData";


objShell.RegWrite( sRegKeyOrVal , sRegValueData , sRegType );

If sRegKeyOrVal ends with a backslash, then it will be treated as a registry key. Otherwise, it will be treated as a registry value.

MSDN: RegWrite Method. An actual example shown at SquirrelMail: Handling Mailto in Microsoft Windows. (Note that this is not tested: documentation is being shared for convenience.)

Presumably another way to do this with the registry would be to use WMI.

Using PowerShell

(Currently, this information is minimal, showing how to view information, but not how to alter information.)



C:\> powershell


							

PS C:\> cd HKLM:\


PS HKLM\> dir


[output]


PS HKLM\> cd Software


PS HKLM:\Software> dir

(Tested in Windows 7, which came with PowerShell 2.0)

Accessing the Registry from DOS

This is being referenced as an interesting concept, but not one that has been fully verified or recommended by the author of this text. Investigate at your own risk.

The following information has also been found: SuperUser info about editing the registry from DOS.

Using a graphical interface

For most 32-bit versions of Microsoft Windows (and releases that are newer than standard 32-bit versions of Microsoft Windows), RegEdit is an appropriate editor. This includes Windows 95. The exceptions are Windows 2000 and Windows NT (perhaps limited to Windows NT 4.0?). Those operating systems use a 16-bit RegEdit for compatibility to search. To actually edit the registry in those operating systems, Regedt32.exe should be used. (Windows XP at least some newer versions: Server 2003 and Vista, have a Regedt32.exe which just calls Regedit.exe.) (This is documented, and elaborated upon, by MS KB Q141377: Differences between Regedit.exe and Regedt32.exe.)

NirSoft's RegScanner can search through a registry, and show multiple found items at one time. This might be nicer than using RegEdit's ability to search the registry and then show only one item (and then to stop searching until the user decides to look for another occurrence).

The graphical RegEdit command has an ability to export a Registry Key (including all sub-keys). This is not nearly as easy to automate with, but the advantage to the graphical approach is simply that there has been a functional implementation in older operating systems (including Windows 95).

Historical notes

A registry did in fact exist with Windows 3.x. As an example, MS KB Q84791 shows how the registry was used to support file associations. However, the registry was used far more frequently with Windows 95.