Registry editing necessary because it would be impossible to design a GUI for every conceivable registry edit

Root Keys

• HKCR Root
• HKCU Current User
• HKLM Local Machine
• HKU Users
• HKCC CurrentConfig

Regedit: functions of regedt32 have been incorporated into Registry Editor 5.1 (regedit). Registry entries are case insensitive. 'default' key values are normally not defined. All other values specify name, type and value. Registry stored on disk in several separate HIVE files. Appropriate hive files are read into memory when system starts and when a user logs in, and are then assembled into the registry (See HKLM\System\CurrentControlSet\Control\HiveList). \Registry\Machine\Hardware has no associated hive file: information is generated dynamically during boot. Hives located at system32\config or docs and settings. Each hive has an associated .log (transaction file) and .alt (backup).

Data Types

• Reg_Sz: zero terminated string (zero termination 00, added automatically)
• Reg_Multi_Sz: group of zero-terminated strings
• Reg_Expand_Sz: zero terminated string containing environment variable, e.g. %systemroot%
• Reg_Binary: binary data
• Reg_Dword: double word, 32-bit value, often used to record boolean values 0 or 1
• Reg_Link: pointer to other part of the registry, e.g. HKCU->HKU\CurrentUserSID allows application to check current users key without knowing their SID
• Reg_None: rarely used. Used where value important but data not
• Reg_Full_Resource_Descriptor, Reg_Resource_List, Reg_Resource_Requirements_List: provide information on resource requirements for various components

Registry Backup and Restore

regedit, file export then choose format. Best format to use before edits is 'registry hive'. Binary format, saves current key and subkeys. Use file import to restore to current key, removes all existing data. Text file formats can be edited and restored, will not overwrite data if those values do not exist in the .reg file. System restore can also be used to backup the registry. Ntbackup can backup system state: copies registry hives to backup media and to %systemroot%\repair. Registry Editor includes a favorites menu and Ctrl+F for find (forward only). Keyboard can be used to navigate right pane: use letters for quick move, right arrow key to expand a key, left arrow key to move up a folder.

Registry Files can be saved to earlier format. Header line is 'Windows Registry Editor Version 5.00' for Windows 2000 and XP (unicode). or 'REGEDIT 4' for NT4, 95, 98, Me. Format:

Key names are delimited with square brackets. Contain full paths from root

default value: undefined values do not appear. defined values are named '@'

Value Names: enclosed in quotes followed by an equal sign. Order of values not important

Data Types: dword, hex, hex(2) for expand_sz, hex(7) for multi_sz, hex(8), hex(9), hex(a), hex(0) for none. A colon separates the type from the data. Reg_sz values need quotes and back slashes need to be doubled. Do not use 0x for hex prefix. use backslash for line continuation. Can use blank lines for readability and semicolons to begin comments

To delete and existing value give its value a hyphen, e.g. 'Thumbnails'=-

To delete a key insert a hyphen inside inside brackets, before key name

Use fc (file compare) to compare registry changes:

fc /u before.reg after.reg > regcomp.txt

By default administrators and System have full control over the registry, creator owner has full control and users have read only access.