Windows NT Registry
The registry is used to store:
- Hardware configuration information
- System software configuration
- User security information
- Current User information
- Application configuration information
It is a hierarchical database of user and system information. Some Windows NT components that use the Registry include:
- NTDETECT.COM - Detects system hardware at startup and places the configuration information it finds in the registry.
- NTOSKRNL.EXE - The kernel extracts information such as the device driver load order from the registry.
- Many administration programs, such as the Control Panel applets, User Manager, and the Registry Editor.
- Applications - Many applications store and read their own information in the registry.
- Device drivers - Information similar to what the DOS DEVICE line in CONFIG.SYS holds is stored in the registry.
The registry is organized as follows, with each entry being a subcategory of the previous one. Each subtree is made up of keys, subkeys, and values, and has its own file stored in \WINNT40\SYSTEM32\CONFIG. Hives are sets of keys, subkeys, and values that are stored as files in the root directory under SYSTEM32\CONFIG. Each hive is kept in a single registry file together with a .LOG or .ALT file.
- Subtree - A top level key. There are 5.
- Keys - Container for subkeys and values.
- Subkeys - Container for values.
The NT 4.0 resource kit explains all registry keys, subtrees and values.
Parameter Data Types
- REG_SZ - A string of regular text.
- REG_DWORD - A numeric value, written in hexadecimal.
- REG_BINARY - A string of hexadecimal digits where each pair of digits is one byte.
- REG_EXPAND_SZ - A string containing a replaceable (expandable) variable that starts and ends with the % sign.
- REG_MULTI_SZ - Multiple strings or entries within the same value, separated by NULL characters.
There is a registry editing program at \SYSTEM32\WINNT\REGEDIT32.EXE or \SYSTEM32\WINNT40\REGEDIT32.EXE. REGEDIT.EXE can also be used to modify the registry, but it was written for Windows 95. Users with administrative access may modify the registry. The five main subtrees of the registry (called keys) are:
- HKEY_LOCAL_MACHINE - Contains data used to configure the system including device drivers, services to be run, hardware profiles, and applications that are loaded. There are 5 hives in this key with a registry file for each hive, except the hardware hive, in the \WINNT40\SYSTEM32\CONFIG directory. The hives are:
- HARDWARE - Contains data about detected devices on the system including processor, keyboard, ports, memory and more.
- SOFTWARE - Contains information about installed software including driver files, and services on the system. Two files, SOFTWARE and SOFTWARE.LOG, are associated with this hive. The manufacturer and version number of software packages are included. Functions include WINLOGON service, browser, and NetDDE.
- SYSTEM - Describes and controls the services that are loaded, providing the configuration NT needs to boot and to maintain its configuration. The files SYSTEM and SYSTEM.ALT in WINNT40\SYSTEM32\CONFIG store the information for this hive.
- SAM - The Security Account Manager database, with user account, group account, workgroup membership, and domain membership information. This hive is not viewable. The registry file is SAM and the log file is SAM.LOG in the WINNT40\SYSTEM32\CONFIG directory.
- SECURITY - Contains information about specific user rights for user and group accounts, including the Local Security Authority (LSA) policy information. This hive is not viewable. The registry file is SECURITY and the log file is SECURITY.LOG in the WINNT40\SYSTEM32\CONFIG directory.
- HKEY_CURRENT_CONFIG - Contains information about the computer's configuration and hardware settings, and is required to support multiple hardware profiles. This subtree is new in NT 4.0 and holds information about the software and system modifications made in the current session.
- HKEY_USERS - Includes two subkeys with user setting information.
- HKEY_USERS\DEFAULT - Contains system default settings that are used when the LOGON screen is displayed.
- HKEY_CURRENT_USER - Used to store information specific to one user. The entries under the user's security identifier (SID) describe the user's environment, such as wallpaper, cursor pointers, and color scheme. Cursor files have the extension .CUR or .ANI.
- HKEY_CURRENT_USER - It points to the SID of the current user in HKEY_USERS.
- HKEY_CLASSES_ROOT - Provides backward compatibility with OLE and with Windows 3.1 file associations. It is also a subtree of HKEY_LOCAL_MACHINE\SOFTWARE, so a copy of it may be found there.
Some registry values of interest, and the effect of each setting, are listed below:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem - If the parameter Win31Filesystem is set to 0, long filenames are supported on FAT32 filesystems. If set to 1, long filenames are not supported and only DOS 8.3 names are supported.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers - To change the location of the spool folder for all printers, change the value of DefaultSpoolDirectory to reflect the new spool location. This affects all printers installed on the computer. You can also change the spool location of each of the printers installed on the computer individually by modifying the SpoolDirectory value of their key entry.
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters - If the parameter MaintainServerList is set to "Auto", the computer takes part in SMB browser elections normally. Set this value to NO if you don't want the computer to become a browser. If the parameter Preferred-MasterBrowser is added and set to 0, the computer will not become a master browser. If set to 1, the computer has a better chance of becoming a master browser.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Add variable DontDisplayLastUserName with value of 1 so the last user who logged on will not have their name displayed for new logons.
- To add a legal notice at the time of logon: Modify the variable LegalNoticeCaption to have a value of "Unauthorized Access Warning!" or something like it, then modify the variable LegalNoticeText to something like "Unauthorized access is a crime punishable by death!".
- To change the default shell: Modify the value Shell from explorer.exe to progman.exe.
- Change the variable ShutdownWithoutLogon to 1 to allow the computer to be shutdown by a user that has not logged on. 1 enables the shutdown button and 0 disables the shutdown button.
- To automate logon,
- set the value DefaultDomainName to your domain name value string
- and set DefaultUserName to the user you want to be logged on.
- Set the DefaultPassword value to the user's password
- Set the AutoAdminLogon value to 1.
- PowerdownAfterShutdown - Set the value to 1 to allow the computer to power down after shutdown. A value of 0 disables it. This feature works only on computers whose BIOS supports powering down at shutdown.
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\PPP - If the parameter "Logging" is set to 1, PPP connections will be logged to the log file, \WINNT40\SYSTEM32\RAS\PPP.LOG. If the value is 2, PPP connection logging is verbose.
- HKEY_USERS\DEFAULT\DESKTOP\Wallpaper - Change the Wallpaper value from DEFAULT to YOURWALLPAPER.BMP. This changes the background displayed when NT boots and at the logon screen, before any user has logged on.
- HKEY_LOCAL_MACHINE\System\Select\LastKnownGood - The LastKnownGood value, which refers to a control set in the same way that CurrentControlSet does.
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceGroupOrder - A list of the services that are started and the order in which they start. The registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\servicename defines which services require which other services.
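As an added example (not part of the original page), the following Python script parses the text format that REGEDIT.EXE exports and imports (a REGEDIT4 header on NT 4.0, "Windows Registry Editor Version 5.00" on later versions), decoding each of the data types listed under Parameter Data Types, and then audits the Winlogon values described above from an administrator's point of view. The sample export embedded in it is constructed, not taken from a real machine. The automatic logon procedure stores DefaultPassword in the registry in clear text, so the audit reports it whenever AutoAdminLogon is enabled; it also reports a missing DontDisplayLastUserName, an empty legal notice, ShutdownWithoutLogon set to 1, and a Shell other than explorer.exe. Assumptions: hex(2) and hex(7) data are ANSI (cp1252) in REGEDIT4 exports and UTF-16LE in Version 5.00 exports, and the value syntax is the one regedit writes ("name"="string", dword:, hex:, hex(n):).

```python
"""Parse a REGEDIT4 / Version 5.00 .REG export and audit the Winlogon key."""
import re

REG_SZ, REG_EXPAND_SZ, REG_BINARY = "REG_SZ", "REG_EXPAND_SZ", "REG_BINARY"
REG_DWORD, REG_MULTI_SZ = "REG_DWORD", "REG_MULTI_SZ"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export (not real data): the Winlogon values from the text,
# set the insecure way, plus two extra values that exercise hex(2) and hex(7).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"AutoAdminLogon"="1"
"DefaultDomainName"="EXAMPLE"
"DefaultUserName"="Administrator"
"DefaultPassword"="constructed-sample"
"ShutdownWithoutLogon"="1"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"=dword:00000000
"Wallpaper"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,\
  62,67,2e,62,6d,70,00
"Sources"=hex(7):61,00,62,00,00
"Blob"=hex:de,ad,be,ef
'''


def _unescape(s):
    """Undo the \\ and \" escapes regedit writes inside quoted strings."""
    return re.sub(r'\\(["\\])', r"\1", s)


def _parse_data(raw, unicode_export):
    """Decode one value's data into (type name, Python object)."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return REG_SZ, _unescape(raw[1:-1])
    if raw.startswith("dword:"):                 # hexadecimal, as on the page
        return REG_DWORD, int(raw[6:], 16)
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        raise ValueError("unsupported data syntax: %r" % raw)
    type_id = int(m.group(1) or 3)               # bare hex: means REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    enc = "utf-16-le" if unicode_export else "cp1252"   # assumption, see lead-in
    if type_id == 2:
        return REG_EXPAND_SZ, data.decode(enc).rstrip("\0")
    if type_id == 7:                             # NUL-separated, double-NUL ended
        return REG_MULTI_SZ, [s for s in data.decode(enc).split("\0") if s]
    if type_id == 3:
        return REG_BINARY, data
    return "REG_TYPE_%d" % type_id, data


def parse_reg_export(text):
    """Return {key path: {value name: (type, data)}} for a .REG export."""
    lines = text.splitlines()
    header = lines[0].strip() if lines else ""
    unicode_export = header.startswith("Windows Registry Editor Version 5")
    if not unicode_export and header != "REGEDIT4":
        raise ValueError("unrecognised .REG header: %r" % header)
    logical, buf = [], ""                        # re-join lines wrapped with '\'
    for line in lines[1:]:
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1].strip()
            continue
        logical.append(buf + line.strip())
        buf = ""
    keys, current = {}, None
    for line in logical:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or current is None:
            raise ValueError("cannot parse line: %r" % line)
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        keys[current][name] = _parse_data(m.group(3), unicode_export)
    return keys


def _flag(values, name):
    """True if a value is the string "1" or DWORD 1 (NT uses REG_SZ for these)."""
    t, d = values.get(name, (None, None))
    return (t == REG_SZ and d.strip() == "1") or (t == REG_DWORD and d == 1)


def audit_winlogon(keys):
    """Report Winlogon settings an administrator would want to review."""
    v = keys.get(WINLOGON, {})
    findings = []
    if _flag(v, "AutoAdminLogon"):
        findings.append("AutoAdminLogon=1: logon is automatic")
        if "DefaultPassword" in v:
            findings.append("DefaultPassword is stored in clear text beside AutoAdminLogon")
    if not _flag(v, "DontDisplayLastUserName"):
        findings.append("DontDisplayLastUserName missing or 0: last user's name is shown")
    if not v.get("LegalNoticeCaption", (REG_SZ, ""))[1] or not v.get("LegalNoticeText", (REG_SZ, ""))[1]:
        findings.append("LegalNoticeCaption/LegalNoticeText empty: no logon banner")
    if _flag(v, "ShutdownWithoutLogon"):
        findings.append("ShutdownWithoutLogon=1: shutdown allowed without logging on")
    if v.get("Shell", (REG_SZ, "explorer.exe"))[1].lower() != "explorer.exe":
        findings.append("Shell is not explorer.exe: %r" % v["Shell"][1])
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

To use it on a real machine, export the key with regedit (`regedit /e winlogon.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"`), read the file, and pass its text to parse_reg_export; the sample export produces five findings. Values that NT stores as REG_SZ "1" and values stored as DWORD 1 are treated alike, since both spellings occur in practice.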
Regedit allows searching for:
Regedit32 only allows searching for keys.