1

Microsoft Windows Internals, 4ed

• Chapter 4. Management Mechanisms

• The Registry

965202095 謝承璋

2008 年 05 月 07 日

2

Introduction

• The registry is the repository for both systemwide and per-user settings.

• Regedit.exe• A tool for editing the registry.

• Windows Server 2003 Deployment Kit http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx.

3

Registry Usage

• 3 principal times that configuration data is read:• During the boot process.• During login.• During applications' startup.

• On an idle system there should be no registry activity.

4

Registry Data Types

• The registry is a database whose structure is similar to that of a disk volume.

• The registry contains keys, which are similar to a disk's directories, and values, which are comparable to files on a disk.

• A key is a container that can consist of subkeys or values. • Values store data.• Top-level keys are root keys.

• Only root keys are not subkeys.

5

Registry Data Types (Cont.)

• Regedit displays the unnamed value as (Default).• The majority of registry values are REG_DWORD,

REG_BINARY, or REG_SZ.• The REG_LINK type lets a key transparently point to

another key or value. • Links aren't saved; they must be dynamically created

after each reboot.

6

Registry Value Type

Table 4-1. Registry Value Type

Value Description

REG_SZ Fixed-length Unicode string.

REG_BINARY Arbitrary-length binary data.

REG_DWORD 32-bit number.

REG_LINK Unicode symbolic link.

7

Table 4-2. The Six Root Keys

Root Key Description

HKEY_CURRENT_USER Data associated with the currently logged-on user

HKEY_USERS Information about all the accounts on the machine

HKEY_CLASSES_ROOT File association

HKEY_LOCAL_MACHINE System-related information

HKEY_PERFORMANCE_DATA Performance information

HKEY_CURRENT_CONFIG Current hardware profile

8

Registry Logical Structure

• Why do root-key names begin with an H?• Because the root-key names represent Windows

handles (H) to keys (KEY).

9

HKEY_CURRENT_USER

• The HKCU root key contains• the preferences and software configuration of the

locally logged-on user.• It points to the currently logged-on user's user profile,

located on the hard disk at• \Documents and Settings\<username>\Ntuser.dat.

10

HKEY_USERS

• HKU contains• a subkey for each loaded user profile and user

class registration database on the system.• It also contains a subkey named HKU\.DEFAULT

that is linked to the profile for the system.

11

HKEY_USERS (Cont.)

• The following registry value defines the location of system profiles• HKLM\Software\Microsoft\Windows NT\

CurrentVersion\ProfileList\ProfilesDirectory.• It is by default set to

• %SystemDrive%\Documents and Settings.

12

Figure 4-1. The User Profiles Management Dialog Box

13

HKEY_CLASSES_ROOT

• The data under HKEY_CLASSES_ROOT comes from two sources:• 1. The per-user class registration data in HKCU\

SOFTWARE\Classes• 2. Systemwide class registration data in HKLM\

SOFTWARE\Classes

14

HKEY_CLASSES_ROOT (Cont.)

• The reason that there is a separation of per-user registration data from systemwide registration data is customizations.

• Nonprivileged users can read systemwide data.• They can add new keys and values to systemwide

data (which are mirrored in their per-user data).• But they can modify existing keys and values in their

private data only.

15

HKEY_LOCAL_MACHINE

• HKLM is the root key that contains all the systemwide configuration subkeys:• HARDWARE• SAM• SECURITY• SOFTWARE• SYSTEM.

16

HKLM

• The HKLM\HARDWARE subkey maintains descriptions of the system's hardware and all hardware device-to-driver mappings.

• HKLM\SAM holds local account and group information, such as user passwords, group definitions, and domain associations.

• HKLM\SECURITY stores systemwide security policies and user-rights assignments.• HKLM\SAM is linked into the SECURITY subkey

under HKLM\SECURITY\SAM.

17

HKLM (Cont.)

• HKLM\SOFTWARE is where Windows stores systemwide configuration information not needed to boot the system.

• HKLM\SYSTEM contains the systemwide configuration information needed to boot the system, such as which device drivers to load and which services to start.

• last known good control set

18

HKEY_CURRENT_CONFIG

• HKEY_CURRENT_CONFIG is just a link to the current hardware profile, stored under HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

HKEY_PERFORMANCE_DATA

• You won't find HKEY_PERFORMANCE_DATA by looking in the Registry Editor.

• This key is available only programmatically through the Windows registry functions, such as• RegQueryValueEx.• Performance Data Helper API (Pdh.dll).

19

Figure 4-2. Registry performance counter

architecture

20