Windows NT Registry

The registry is used to store:

  • Hardware configuration information
  • System software configuration
  • User security information
  • Current User information
  • Application configuration information

It is a hierarchical database of user and system information. Some Windows NT components that use the Registry include:

  • NTDETECT.COM - Detects system hardware and places configuration information detected at startup in the registry.
  • NTOSKRNL.EXE - The Kernel extracts information such as device-driver load order from the registry.
  • Many administration programs, such as the Control Panel applets, User Manager, and the Registry Editor.
  • Applications - Many applications modify and use information in the registry.
  • Device Driver information similar to information stored on the DOS DEVICE line in the Config.sys file is stored in the registry.

Registry Organization

The registry is organized as follows, with each entry being a subcategory of the previous entry. The main subtree includes keys, subkeys, and values. It has its own file stored at \WINNT40\SYSTEM32\CONFIG. Hives are sets of keys, subkeys, and values in the registry that are stored in files in the root directory under SYSTEM32\CONFIG. Each hive is contained in a single file and a .log or .alt file.

  • Subtree - A top level key. There are 5.
    • Keys - Container for subkeys and values.
      • Subkeys - Container for values.
        • Values
          • Data

The NT 4.0 resource kit explains all registry keys, subtrees and values.

Parameter Data Types

  1. REG_SZ - A string of regular data
  2. REG_DWORD - A string of a numeric value written in hexadecimal.
  3. REG_BINARY - A string of hexadecimal digits where each pair of digits is a byte.
  4. REG_EXPAND_SZ - A string with a replaceable or expandable value which starts and ends with the % sign.
  5. REG_MULTI_SZ - Multiple strings or entries within the same value separated by NULLs.

There is a registry editing program in \SYSTEM32\WINNT\REGEDT32.EXE or \SYSTEM32\WINNT40\REGEDT32.EXE. REGEDIT.EXE can also be used to modify the registry, but it was written for Windows 95. Users with administrative access may modify the registry. The five main subtrees of the registry (called keys) are:

  • HKEY_LOCAL_MACHINE - Contains data used to configure the system including device drivers, services to be run, hardware profiles, and applications that are loaded. There are 5 hives in this key with a registry file for each hive, except the hardware hive, in the \WINNT40\SYSTEM32\CONFIG directory. The hives are:
    • HARDWARE - Contains data about detected devices on the system including processor, keyboard, ports, memory and more.
    • SOFTWARE - Contains information about installed software including driver files, and services on the system. Two files, SOFTWARE and SOFTWARE.LOG, are associated with this hive. The manufacturer and version number of software packages are included. Functions include WINLOGON service, browser, and NetDDE.
    • SYSTEM - It describes/controls services that are loaded providing configuration for NT to boot and maintain its configuration. The files, SYSTEM and SYSTEM.ALT, in the WINNT40\SYSTEM32\CONFIG store information for this hive.
    • SAM - Security account manager with user account, group account, workgroup membership, and domain membership information. This hive is not viewable. The registry file is SAM and the log file is SAMLOG in the WINNT40\SYSTEM32\CONFIG directory.
    • SECURITY - Contains information about specific user rights for user and group accounts. It contains the Local Security Account (LSA) policy information. This hive is not viewable. The registry file is SECURITY and the log file is SECURITYLOG in the WINNT40\SYSTEM32\CONFIG directory.
  • HKEY_CURRENT_CONFIG - Contains information about the computer's configuration and hardware settings. Required to support the multiple hardware profile capability. This is a new subtree in NT 4.0 with information about software and system modifications made in the current session.
  • HKEY_USERS - Includes two subkeys with user setting information.
    • HKEY_USERS\DEFAULT - Contains system default settings that are used when the LOGON screen is displayed.
    • HKEY_CURRENT_USER - It is used to store specific user information. The entries under the user's security identifier (SID) describe the entries in the user's environment such as wallpaper, cursor pointers, and color scheme. File names for cursor types have extension .CUR or .ANI.
  • HKEY_CURRENT_USER - It points to the SID of the current user in HKEY_USERS.
  • HKEY_CLASSES_ROOT - Provides backward compatibility with OLE and file association to Windows 3.1. This is also a subtree of HKEY_LOCAL_MACHINE\SOFTWARE, so a copy of it may be found there.

Values found in the registry have the following syntax:


Registry entries

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem - If the parameter Win31Filesystem is set to 0, long filenames are supported on FAT32 filesystems. If set to 1, long filenames are not supported and only DOS 8.3 names are supported.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers - To change the location of the spool folder for all printers, change the value of DefaultSpoolDirectory to reflect the new spool location. This affects all printers installed on the computer. You can also change the spool location of each of the printers installed on the computer individually by modifying the SpoolDirectory value of their key entry.
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters - If the parameter MaintainServerList is set to "Auto", the computer participates in SMB election processes normally. Set this value to NO if you don't want the computer to become a browser. If the parameter Preferred-MasterBrowser is added and set to 0, the computer will not become a master browser. If set to 1, the computer has a better chance of becoming a master browser.
    • Add variable DontDisplayLastUserName with value of 1 so the last user who logged on will not have their name displayed for new logons.
    • To add a legal notice at the time of logon: Modify the variable LegalNoticeCaption to have a value of "Unauthorized Access Warning!" or something like it, then modify the variable LegalNoticeText to something like "Unauthorized access is a crime punishable by death!".
    • To change the default shell: Modify the value Shell from explorer.exe to progman.exe.
    • Change the variable ShutdownWithoutLogon to 1 to allow the computer to be shut down by a user that has not logged on. 1 enables the shutdown button and 0 disables the shutdown button.
    • To automate logon:
      • Set the value DefaultDomainName to your domain name value string.
      • Set DefaultUserName to the user you want to be logged on.
      • Set the DefaultPassword value to the user's password.
      • Set the AutoAdminLogon value to 1.
    • PowerdownAfterShutdown - Set the value to 1 to allow the computer to powerdown after shutdown. A value of 0 disables it. This feature works for computers that have BIOS that supports powering down at shutdown.
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\PPP - If the parameter "Logging" is set to 1, PPP connections will be logged to the log file, \WINNT40\SYSTEM32\RAS\PPP.LOG. If the value is 2, PPP connection logging is verbose.
  • HKEY_USERS\DEFAULT\DESKTOP\Wallpaper - Change the Wallpaper value from DEFAULT to YOURWALLPAPER.BMP. This will change the startup screen displayed when booting and logging of NT.
  • HKEY_LOCAL_MACHINE\System\Select\LastKnownGood - The Last known good value which refers to the CurrentControlSet.
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceGroupOrder - A list of services started and their order. The registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\servicename defines which services require which other services.
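
An added example, not part of the original page: a Python sketch that parses a REGEDIT4 text export, decodes the five parameter data types listed earlier, and reports the logon-related values from the list above that weaken console security. It assumes those values live under the Winlogon key shown in the code (a location the list above does not name), that the export uses ANSI bytes for hex(2) and hex(7) data, and that the audit policy itself is a reasonable baseline; the function names and the sample export are constructed for illustration.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def decode(raw):
    """Convert the right-hand side of a REGEDIT4 value line to a Python object."""
    if raw.startswith('"'):                      # REG_SZ, with \\ and \" escapes
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):                 # REG_DWORD, written in hexadecimal
        return int(raw[6:], 16)
    kind, _, body = raw.partition(":")           # hex: / hex(2): / hex(7):
    data = bytes(int(b, 16) for b in body.split(",") if b.strip())
    if kind == "hex(2)":                         # REG_EXPAND_SZ (ANSI bytes assumed)
        return data.rstrip(b"\0").decode("latin-1")
    if kind == "hex(7)":                         # REG_MULTI_SZ, NUL-separated strings
        return [s.decode("latin-1") for s in data.split(b"\0") if s]
    return data                                  # REG_BINARY, one byte per hex pair

def parse_reg(text):
    """Parse a REGEDIT4 text export into {key_path: {value_name: data}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)       # join hex data continued with '\'
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            current[m.group(1)] = decode(m.group(2))
    return keys

def audit_winlogon(keys):
    """Return findings for the logon values in the list above (policy is assumed)."""
    v = {name.lower(): str(data) for name, data in keys.get(WINLOGON, {}).items()}
    checks = [
        (v.get("autoadminlogon") == "1", "AutoAdminLogon=1: automatic logon is enabled"),
        (bool(v.get("defaultpassword")), "DefaultPassword set: readable as plain REG_SZ"),
        (v.get("dontdisplaylastusername") != "1", "last user name is shown at logon"),
        (v.get("shutdownwithoutlogon") == "1", "shutdown is allowed without logon"),
        (v.get("shell", "explorer.exe").lower() not in ("explorer.exe", "progman.exe"), "unexpected Shell"),
        (not (v.get("legalnoticecaption") and v.get("legalnoticetext")), "no legal notice"),
    ]
    return [message for hit, message in checks if hit]

# Constructed sample export, not taken from a real system.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultPassword"="constructed-password"
'''
print("\n".join(audit_winlogon(parse_reg(SAMPLE))))
```

The automated-logon procedure leaves DefaultPassword in the registry as an ordinary string, which is why the audit reports it separately from AutoAdminLogon.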


Regedit allows searching for:

  • Keys
  • Values
  • Data

Regedt32 only allows searching for keys.