Monday, March 19, 2018

Windows registry

The Windows registry is a database where Windows stores its configuration data and the information and settings of installed software. Before the registry existed, settings were stored in files, and each application had its own configuration files. That caused a security problem and made administering a computer a hard task, so Windows introduced the registry to centralise configuration data in one place and make it secure.
The registry is in use all the time: any modification you make is stored transparently in the appropriate area of the registry.

How to open Windows registry editor:

Although it's not recommended to touch the registry, you sometimes need to change some values manually. Windows has a built-in editor called regedit that allows you to open the registry and edit it. Be warned, though: this tool doesn't check what you enter, so don't change anything unless you're sure of it.
There are several ways to open the regedit editor depending on the Windows version you use. I'll give you a method here that works for all Windows versions:
- Press Windows key + R.
- Type regedit, then press Enter.
- This will open the regedit editor.

Windows registry structure:

The registry structure is similar to the structure of folders and files: just as a folder is a container, a key is a container in the registry, and a value is similar to a file. Keys are shown on the left side of the regedit editor window, while the values of a key are shown on the right side.
There are six principal root keys in the registry:

HKEY_CLASSES_ROOT (HKCR):

Contains information about file extension correspondence, that is, which program opens a specific file extension. For example, files with the .txt extension are opened with Notepad.

HKEY_CURRENT_USER (HKCU):

Contains information and settings of the user currently logged into Windows. Note that changing values in this area affects only the logged-in user.

HKEY_LOCAL_MACHINE (HKLM):

Contains computer-specific settings about hardware, installed software and much more. This information concerns all the users of the computer.

HKEY_USERS (HKU):

Contains information and settings about the users of the computer.

HKEY_CURRENT_CONFIG (HKCC):

Contains information about the current hardware and software configuration. This key is generated at boot time and is not stored on disk.

HKEY_PERFORMANCE_DATA:

This key is not displayed in the regedit editor. It's visible through advanced Control Panel items such as Performance Monitor, or through the registry functions in the Windows API. It contains performance information provided by the kernel itself or by running system drivers, services and programs.

Where does Windows store the registry?

The Windows registry is stored physically on disk at the location c:\windows\system32\config\. This folder contains the files associated with the registry hives, as follows:

HKEY_LOCAL_MACHINE\SYSTEM: \system32\config\system

HKEY_LOCAL_MACHINE\SAM: \system32\config\sam

HKEY_LOCAL_MACHINE\SECURITY: \system32\config\security

HKEY_LOCAL_MACHINE\SOFTWARE: \system32\config\software

HKEY_USERS\.DEFAULT: \system32\config\default
Inside this folder there is another folder called RegBack, which contains another copy of the registry that you can use if you messed up the original registry without making a backup copy. Note that this copy is not up-to-date, but it serves as a last chance to 
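
To see how far a backup copy lags behind the live hive, you can read the header at the start of each hive file. The sketch below is an added example, not part of the original post: the header layout (the `regf` signature, sequence numbers, last-written timestamp, file name and checksum offsets) comes from public descriptions of the hive format rather than from this page, and the function names and sample headers are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def header_checksum(block: bytes) -> int:
    """XOR of the first 127 little-endian dwords (bytes 0..507)."""
    value = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        value ^= dword
    if value == 0xFFFFFFFF:  # two results are reserved and remapped
        return 0xFFFFFFFE
    return value or 1

def parse_hive_header(block: bytes) -> dict:
    """Decode the first 512 bytes of a hive file such as config\\SYSTEM."""
    if len(block) < 512:
        raise ValueError("too short for a hive header (empty or truncated file)")
    sig, seq1, seq2, ticks, major, minor = struct.unpack_from("<4sIIQII", block, 0)
    if sig != b"regf":
        raise ValueError("no 'regf' signature: not a registry hive")
    (stored,) = struct.unpack_from("<I", block, 508)
    return {
        "name": block[48:112].decode("utf-16-le", "replace").split("\x00")[0],
        "version": f"{major}.{minor}",
        # FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC
        "last_written": EPOCH_1601 + timedelta(microseconds=ticks // 10),
        "clean": seq1 == seq2,  # unequal: the last write did not complete
        "checksum_ok": stored == header_checksum(block),
    }

def backup_lag(live: bytes, backup: bytes) -> timedelta:
    """How far the backup copy's last write is behind the live hive's."""
    return parse_hive_header(live)["last_written"] - parse_hive_header(backup)["last_written"]

def make_sample_header(name: str, when: datetime, seqs=(7, 7)) -> bytes:
    """Constructed input: a minimal valid 512-byte header, not a real hive."""
    ticks = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    block = bytearray(512)
    struct.pack_into("<4sIIQII", block, 0, b"regf", seqs[0], seqs[1], ticks, 1, 5)
    block[48:48 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", block, 508, header_checksum(bytes(block)))
    return bytes(block)

if __name__ == "__main__":
    live = make_sample_header("SYSTEM", datetime(2018, 3, 19, 9, 0, tzinfo=timezone.utc))
    old = make_sample_header("SYSTEM", datetime(2018, 3, 12, 9, 0, tzinfo=timezone.utc))
    print(parse_hive_header(live), backup_lag(live, old))
```

The hive files are locked while Windows is running, so feed the parser the first 512 bytes of an offline copy or of a file on a mounted disk image.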
