The Windows registry explained

You have heard about it. You have been warned about the dangers of messing with it. What is it?

The Windows registry is a central database for the Windows operating system. Settings and information that control hardware configuration, operating system configuration, installed software configuration, and user preferences are all stored in the registry. If you make a change to a program setting, or do something as simple as changing display settings, it is likely those changes are stored in the Windows registry. The registry is very important to Windows! Even with the dire warnings of gloom and doom, editing the registry isn’t anything to be afraid of. In fact, you interact with it daily; you just didn’t know it.

With that said, the registry is full of thousands of entries. The chances of one tiny mistake bringing Windows to its knees are slim, but it is possible. It is always a good idea to have a current disk image before jumping into the registry.

Now that I’ve scared the pants off you, feel free to follow along as I discuss the registry; just don’t make any changes.

To view or edit the registry Windows includes a program called RegEdit. In Windows 2000 and XP click Start>Run and enter regedit.exe in the run box and then click OK. In Vista and Windows 7 click Start and type “regedit” in the search box, at the bottom of the Start Menu, followed by the Enter key. The regedit window below will open.

It’s very apparent that all this HKEY stuff in the left hand column is gibberish. Computer refers to your computer and each entry under that is a specific section or hive. Let’s take a look at each hive and see what it does.

  • HKEY_CLASSES_ROOT – storage for information about registered programs and file associations.
  • HKEY_CURRENT_USER – storage for settings specific to the current user. If your computer is set up with multiple user accounts this is where the settings for each user are kept.
  • HKEY_LOCAL_MACHINE – storage for settings that apply to all users of the computer.
  • HKEY_USERS – storage for subkeys which correspond to the HKEY_CURRENT_USER keys for each user account.
  • HKEY_CURRENT_CONFIG – storage for keys generated during boot. This hive is actually created when the computer boots and is not stored on your hard drive.

The Windows registry is actually made up of several files named SAM, SOFTWARE, SECURITY, and SYSTEM (notice no file extension) located in the c:\windows\system32\config folder. There is also a file named NTUSER.DAT, which is located in c:\Documents and Settings\<your user name> for Windows XP and c:\Users\<your user name> for Windows Vista and Windows 7. These files relate to the above hives.

  • NTUSER.DAT – contains the HKEY_CURRENT_USER hive.
  • SAM – contains the HKEY_LOCAL_MACHINE\SAM hive.
  • SECURITY – contains the HKEY_LOCAL_MACHINE\SECURITY hive.
  • SOFTWARE – contains the HKEY_LOCAL_MACHINE\SOFTWARE hive.
  • SYSTEM – contains all other sub hives of the HKEY_LOCAL_MACHINE hive.

We know where the files are and what they do. Let’s go back to Regedit and look around. Click the arrow next to HKEY_CLASSES_ROOT and you will see something similar to the picture below.

These are all of the file extensions which have been registered on your computer. File extensions tell Windows which program to use for a specific file type.

Scroll down (a lot of scrolling) to txtfile. This is the entry responsible for how your computer handles text files.

This is a screenshot of my registry. Yours will be similar, but different. Next to txtfile you will see another arrow. Clicking this arrow will expand the tree below the txtfile entry. Under shell you will see that I use a program named EditPad Lite to view and edit text files. Yours will most likely be notepad.exe.

You will notice the second column is labeled Type. Here is a list of common Types and what they represent:

  • REG_BINARY – The value will be in Binary format. Usually used for hardware component entries.
  • REG_DWORD – These values are commonly a “0” for a disabled option or a “1” for an enabled option.
  • REG_SZ – These values are stored in a readable format like the one above.

Take a few minutes and look around the registry. You will be amazed at the complexity and might even be surprised that you recognize, even vaguely, some of the entries! When you are finished just click on the “X” in the upper right corner of regedit to close it.

When you install software on your computer, settings for that software are oftentimes stored in the registry. This isn’t the best solution because registry corruption can render programs useless. Another problem is that programs writing to the registry could possibly overwrite an important entry, rendering the computer unbootable. Microsoft has tried to eliminate this in Vista and Windows 7 by providing a specific directory (c:\ProgramData) for software authors to store program settings and information.

Software is either installed for a specific user or for all users of the computer. It is a 50/50 chance whether software will be installed for the current user or for all users, though some programs allow you to choose. Navigate to HKEY_CURRENT_USER>SOFTWARE by clicking the “+” or the triangle beside each hive.

Here you will see quite a few of the programs you have installed on your computer. Each of the entries in this tree is a software author. If you have more than one program installed from the same author you will find entries for each under the software author’s folder. Settings in this tree will be user specific.

Scroll down to the Microsoft entry and expand (HKEY_CURRENT_USER>SOFTWARE>MICROSOFT). Very interesting to note that Microsoft lists most of the programs and features of the OS here. Windows itself is listed under the Microsoft folder. Feel free to have a look around.

OK, let’s check out the HKEY_LOCAL_MACHINE hive. Click the “-” or tilted triangle next to all entries you have expanded to close them. Click the “+” or triangle next to HKEY_LOCAL_MACHINE to expand the tree and scroll down to software. You will notice there are many similar entries and quite a few that don’t show in HKEY_CURRENT_USER.

Scroll down to Microsoft and expand the tree (HKEY_LOCAL_MACHINE>SOFTWARE>MICROSOFT). Scroll down again to Windows (HKEY_LOCAL_MACHINE>SOFTWARE>MICROSOFT>WINDOWS) and expand. CurrentVersion should be the first entry (HKEY_LOCAL_MACHINE>SOFTWARE>MICROSOFT>WINDOWS>CurrentVersion). Here is where you will find most settings that control Windows appearance and function.

Most entries are self explanatory. Control Panel contains settings for the Control Panel, Run contains settings that cause programs to run at startup, Uninstall will contain the uninstallation strings for most programs, etc. Have a look around. You will be surprised at what may look familiar. The next time you make a settings change you’ll have a better idea of what is going on behind the scenes.

Last Known Good Configuration

Have you ever had a Windows error which caused a reboot? If you have, you were probably presented with a black screen that offered several options (none of which seem like a good idea at the time): Safe Mode, Safe Mode with Networking, and Last Known Good Configuration.

Exactly what is Last Known Good Configuration? I’ll tell you now it isn’t a life saver, but it could come in handy. Each time your computer boots normally there is a backup made of the Hkey_Local_Machine\System\CurrentControlSet tree and its sub keys. Choosing Last Known Good Configuration causes Windows to load that backup in place of the current registry file during boot. If the original problem was a registry issue that affected that tree and/or its sub keys, then you may be able to recover by choosing that option.

Generally I find that registry entries related to hardware affect this tree, so if you’ve made a hardware or driver change before the problem this may be a wise choice. If you haven’t made any hardware or driver changes I would stay away. It is in no way a substitute for a good backup!

CLSID

There were a few readers who discovered entries labeled CLSID as they were exploring the registry. CLSID is short for Class Identifier or Global Unique Identifier (GUID). Here is an example of a CLSID – {6B9228DA-9C15-419e-856C-19E768A13BDC}. It is a long (128-bit) number that means nothing to you or me. In actuality it is a unique number which references an executable on your computer. Here is an example. The Vista Sidebar allows you to add Gadgets to your desktop. If we look in Hkey_Classes_Root we will see the following:

So we know the CLSID Windows is using for gadgets. Let’s have a look around and see what file extension Windows associates with sidebar gadgets.

I know not everyone has Vista or Windows 7. This was just an example. Look around. Find an extension you are familiar with. Use Edit>Find to locate the associated program.

.reg files

You may run into files on the internet or through emails that have the file extension .reg. These files are meant to add, change, or delete entries from the registry in a way that is much simpler than explaining how to navigate to a specific key(s) and make a specific change(s). It is a simple text file created in a specific format. These files can run the gamut from innocent to evil. Be VERY careful if you are ever told to download or execute a file with this extension. Only do so if you are absolutely sure of the source, trust the source, and have a current backup. These can get you in a lot of trouble if you aren’t careful!
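One way to see what a .reg file would do before importing it, as an added example that is not part of the original article: the Python sketch below parses the text of a .reg file and lists every value it would set or delete, decoding the three types listed earlier (REG_SZ, REG_DWORD, REG_BINARY) and marking writes to a Run key. The sample file, its vendor and program names, and the function names are constructed for illustration.

```python
import re

# Constructed sample in .reg syntax (not from the article); names and paths are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

; comment lines start with a semicolon
[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"Theme"="dark"
"AutoSave"=dword:00000001
"Blob"=hex:de,ad,\
  be,ef
"OldSetting"=-

[-HKEY_CURRENT_USER\Software\ExampleVendor\Legacy]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\updater.exe"
'''

VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def decode(data):
    """Return (type, value) for the right-hand side of a value line."""
    if data.startswith('"'):   # quoted string; backslashes and quotes are escaped
        return "REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.lower().startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    if data.lower().startswith("hex:"):
        return "REG_BINARY", bytes.fromhex(data[4:].replace(",", ""))
    return "OTHER", data       # hex(2), hex(7), ... reported undecoded

def audit(text):
    """List every change a .reg file would make, without touching the registry."""
    changes, key = [], None
    lines = text.replace("\r\n", "\n").replace("\\\n", "").splitlines()  # join continuations
    for line in map(str.strip, lines):
        if line.startswith("[-") and line.endswith("]"):   # [-KEY] deletes a whole key
            key = None
            changes.append({"op": "delete_key", "key": line[2:-1]})
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            if m.group(2) == "-":                          # "Name"=- deletes one value
                changes.append({"op": "delete_value", "key": key, "name": name})
                continue
            kind, value = decode(m.group(2))
            changes.append({"op": "set", "key": key, "name": name, "type": kind, "value": value,
                            "autostart": key.lower().endswith("\\currentversion\\run")})
    return changes
```

Files exported by regedit with the “Version 5.00” header are normally saved as UTF-16, so read them with `encoding="utf-16"` before passing the text to `audit`.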

Let’s wrap it up

I hope you’ve learned a little about the Windows Registry from this post. At least enough so you aren’t scared when someone mentions the word “Registry”!

This article is available in pdf form. Download your copy of An_Introduction_to_the_Windows_Registry now!

4 thoughts on “The Windows registry explained”

  1. Hello Dave,

    I am hoping that you may have the experience to help us with a question that many have been asking. First, we are all still running XP Pro and are not inclined to downgrade to Vista or Win7!
    When running a program that calls the Windows Media Player or any sound device, we need to be able to change the destination of the audio without restarting the Player. We already know how to go to the Registry and change the settings for “Sound and Audio Device Properties -> Audio -> Sound Playback” -> and then select from (example) SigmaTelAudio or USB Sound Device using our various software tools (C, C++, VB6 and so on).
    Unfortunately this always requires a total restart of whatever Media Player we may be using.
    What is needed is to know where (in the Registry?) is the value needed to be changed to reroute the sound between the playing of a given audio file without the need to completely end and restart the Media Player being used.
    Do you have the experience to know where this location may be and how it is formatted? Thank you, Arm

  2. Hello sir, I was searching for the class ID of some specific application installed on my laptop, but I couldn’t find it. On the other hand, there are other programs which I reference in my JavaScript program that have a class ID. What’s the reason? Isn’t there a class ID for every installed program?
