Microsoft Windows Internals, 4ed
• Chapter 4. Management Mechanisms
• The Registry
965202095 謝承璋
7 May 2008
Introduction
• The registry is the repository for both systemwide and per-user settings.
• Regedit.exe
  • A tool for editing the registry.
• Windows Server 2003 Deployment Kit http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx.
Registry Usage
• Three principal times that configuration data is read:
  • During the boot process.
  • During logon.
  • During application startup.
• On an idle system there should be no registry activity.
Registry Data Types
• The registry is a database whose structure is similar to that of a disk volume.
• The registry contains keys, which are similar to a disk's directories, and values, which are comparable to files on a disk.
• A key is a container that can consist of subkeys or values.
• Values store data.
• Top-level keys are root keys; they are the only keys that are not subkeys.
Registry Data Types (Cont.)
• Regedit displays the unnamed value as (Default).
• The majority of registry values are REG_DWORD, REG_BINARY, or REG_SZ.
• The REG_LINK type lets a key transparently point to another key (a symbolic link inside the registry). HKLM\SYSTEM\CurrentControlSet is one: it points at the ControlSetNNN chosen at boot.
• Links aren't saved in the hive files; they must be dynamically created after each reboot.
Registry Value Type
Table 4-1. Registry Value Type
Value Description
REG_SZ Fixed-length Unicode string.
REG_BINARY Arbitrary-length binary data.
REG_DWORD 32-bit number.
REG_LINK Unicode symbolic link.
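As an added example (not from the book or the slides), the following PowerShell script creates a throw-away key, writes the three common value types and the unnamed (Default) value, and reads everything back through the .NET registry API so that the stored kind of each value is visible. The key name RegTypesDemo is an assumption made for the demo.

```powershell
# Added example (not from the book or the slides): exercise the value types of
# Table 4-1 under a throw-away key. HKCU:\Software\RegTypesDemo is a demo path.
$demo = 'HKCU:\Software\RegTypesDemo'
New-Item -Path $demo -Force | Out-Null

# The unnamed value that Regedit shows as "(Default)" is addressed as "(default)".
Set-ItemProperty -Path $demo -Name '(default)' -Value 'unnamed value'
New-ItemProperty -Path $demo -Name 'Sz'     -PropertyType String -Value 'hello' -Force | Out-Null
New-ItemProperty -Path $demo -Name 'Dword'  -PropertyType DWord  -Value 0x1f    -Force | Out-Null
New-ItemProperty -Path $demo -Name 'Binary' -PropertyType Binary -Value ([byte[]](1, 2, 3, 4)) -Force | Out-Null

# Read back through RegistryKey so GetValueKind reports REG_SZ / REG_DWORD / REG_BINARY.
$key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\RegTypesDemo')
foreach ($name in $key.GetValueNames()) {
    # The unnamed value comes back as an empty string name.
    $label = if ($name) { $name } else { '(Default)' }
    $kind  = $key.GetValueKind($name)
    $value = $key.GetValue($name)
    $shown = if ($value -is [byte[]]) {
        ($value | ForEach-Object { $_.ToString('x2') }) -join ' '
    } else {
        $value
    }
    '{0,-10} {1,-8} {2}' -f $label, $kind, $shown
}
$key.Close()

# Clean up the demo key.
Remove-Item -Path $demo -Recurse
```

REG_LINK values cannot be made with these cmdlets: a link key has to be created with the REG_OPTION_CREATE_LINK option, which is why links are normally set up by the system itself at boot rather than by applications.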
Table 4-2. The Six Root Keys
Root Key Description
HKEY_CURRENT_USER Data associated with the currently logged-on user
HKEY_USERS Information about all the accounts on the machine
HKEY_CLASSES_ROOT File association
HKEY_LOCAL_MACHINE System-related information
HKEY_PERFORMANCE_DATA Performance information
HKEY_CURRENT_CONFIG Current hardware profile
Registry Logical Structure
• Why do root-key names begin with an H?
  • Because the root-key names represent Windows handles (H) to keys (KEY).
HKEY_CURRENT_USER
• The HKCU root key contains the preferences and software configuration of the locally logged-on user.
• It points to the currently logged-on user's user profile, stored on disk in the hive file
  • \Documents and Settings\<username>\Ntuser.dat.
HKEY_USERS
• HKU contains a subkey for each loaded user profile and user class registration database on the system.
  • Only loaded profiles appear: a user who is not currently logged on has no subkey under HKU.
• It also contains a subkey named HKU\.DEFAULT that is linked to the profile for the system.
HKEY_USERS (Cont.)
• The following registry value defines the directory that holds user profiles:
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory
• It is by default set to %SystemDrive%\Documents and Settings.
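As an added example (not from the book or the slides), this PowerShell script ties the two slides above together: it reads ProfilesDirectory, then walks the subkeys of HKEY_USERS, resolves each SID to an account name, and looks up the matching ProfileList entry to find the on-disk profile directory (where that user's Ntuser.dat hive lives). The ProfileImagePath value name under each ProfileList\<SID> key is a standard Windows value, not something introduced here.

```powershell
# Added example (not from the book or the slides): map the profiles loaded under
# HKEY_USERS to the profile directories recorded in ProfileList.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profilesDir = (Get-ItemProperty -Path $profileList).ProfilesDirectory
"ProfilesDirectory = $profilesDir"
''

# HKU holds one subkey per *loaded* profile. The "<SID>_Classes" subkeys are the
# per-user class registration databases (what HKCU\Software\Classes maps to).
foreach ($sub in Get-ChildItem -Path 'Registry::HKEY_USERS') {
    $name = $sub.PSChildName
    if ($name -like '*_Classes') { continue }

    # Translate the SID to DOMAIN\user where possible (.DEFAULT is not a SID).
    $account = '(not a SID)'
    if ($name -match '^S-1-') {
        try {
            $sid     = [System.Security.Principal.SecurityIdentifier]$name
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '(unresolved SID)'
        }
    }

    # ProfileList\<SID>\ProfileImagePath names the profile directory; it may use
    # %SystemDrive%-style variables, so expand before showing it.
    $imagePath = '(no ProfileList entry)'
    $entry = Get-ItemProperty -Path (Join-Path $profileList $name) -ErrorAction SilentlyContinue
    if ($entry -and $entry.ProfileImagePath) {
        $imagePath = [Environment]::ExpandEnvironmentVariables($entry.ProfileImagePath)
    }

    '{0,-46} {1,-30} {2}' -f $name, $account, $imagePath
}
```

The listing only ever shows hives that are loaded right now; for a user who is not logged on, the profile directory still exists on disk and its Ntuser.dat can be loaded manually (REG LOAD) or examined offline, but nothing about that user is visible under HKU.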
Figure 4-1. The User Profiles Management Dialog Box
HKEY_CLASSES_ROOT
• The data under HKEY_CLASSES_ROOT comes from two sources:
  • 1. The per-user class registration data in HKCU\SOFTWARE\Classes
  • 2. Systemwide class registration data in HKLM\SOFTWARE\Classes
HKEY_CLASSES_ROOT (Cont.)
• Per-user registration data is kept separate from systemwide registration data so that a user's customizations can travel with a roaming profile.
• Nonprivileged users can read systemwide data.
• They can add new keys and values to systemwide data (which are mirrored in their per-user data).
• But they can modify existing keys and values in their private data only.
• Where the same key exists in both sources, the per-user entry takes precedence in the merged HKCR view.
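As an added example (not from the book or the slides), this PowerShell script reports which of the two sources behind HKEY_CLASSES_ROOT is supplying a given registration, and then shows that a registration written only to HKCU\Software\Classes, with no administrative rights, is immediately visible through HKCR. The function name Get-ClassSource and the ProgID RegDemo.Override are assumptions made for the demo.

```powershell
# Added example (not from the book or the slides): which source behind HKCR
# serves a registration, and how a per-user registration shows up in HKCR.
function Get-ClassSource {
    param([Parameter(Mandatory)][string]$RelativePath)   # e.g. '.txt', 'txtfile', 'CLSID\{...}'

    $perUser = "HKCU:\Software\Classes\$RelativePath"
    $system  = "HKLM:\Software\Classes\$RelativePath"
    $merged  = "Registry::HKEY_CLASSES_ROOT\$RelativePath"

    # A key present in both places is served from the per-user copy.
    $source = '(unregistered)'
    if     (Test-Path $perUser) { $source = 'HKCU\Software\Classes (per-user, takes precedence)' }
    elseif (Test-Path $system)  { $source = 'HKLM\Software\Classes (systemwide)' }

    [pscustomobject]@{
        Path        = $RelativePath
        PerUser     = Test-Path $perUser
        Systemwide  = Test-Path $system
        HKCRDefault = (Get-ItemProperty -Path $merged -ErrorAction SilentlyContinue).'(default)'
        ServedFrom  = $source
    }
}

# Typical systemwide registrations: the .txt extension and the ProgID it maps to.
Get-ClassSource -RelativePath '.txt'
Get-ClassSource -RelativePath 'txtfile'

# A per-user registration: create it under HKCU only, observe it via HKCR, remove it.
$demo = 'HKCU:\Software\Classes\RegDemo.Override'     # demo ProgID, an assumption
if (-not (Test-Path $demo)) {
    New-Item -Path $demo -Force | Out-Null
    Set-ItemProperty -Path $demo -Name '(default)' -Value 'written without elevation'
    Get-ClassSource -RelativePath 'RegDemo.Override'
    Remove-Item -Path $demo -Recurse
}
```

The practical consequence for a reviewer: because HKCU\Software\Classes is writable by the user and wins the merge, anything that resolves a handler through HKCR (file associations, COM class registrations) can be redirected for that user's session without elevation, so the per-user Classes key deserves the same scrutiny as the systemwide one when triaging a host.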
HKEY_LOCAL_MACHINE
• HKLM is the root key that contains all the systemwide configuration subkeys:
  • HARDWARE
  • SAM
  • SECURITY
  • SOFTWARE
  • SYSTEM
HKLM
• The HKLM\HARDWARE subkey maintains descriptions of the system's hardware and all hardware device-to-driver mappings.
• HKLM\SAM holds local account and group information, such as user password hashes (not the passwords themselves), group definitions, and domain associations.
• HKLM\SECURITY stores systemwide security policies and user-rights assignments.
• HKLM\SAM is linked into the SECURITY subkey under HKLM\SECURITY\SAM.
• The security descriptors of SAM and SECURITY grant access only to the local system account, which is why Regedit shows both keys as empty even to an administrator.
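As an added example (not from the book or the slides), this PowerShell script makes the access rule concrete: it tries to enumerate the SAM and SECURITY hives, prints the resulting error, and then dumps the DACL that causes it. Run it from an elevated prompt; the first loop succeeds instead of failing only when the script runs as the local system account.

```powershell
# Added example (not from the book or the slides): SAM and SECURITY are protected
# by their security descriptors, not hidden. Run from an elevated prompt.
foreach ($path in 'HKLM:\SAM\SAM', 'HKLM:\SECURITY', 'HKLM:\SECURITY\SAM') {
    try {
        $n = @(Get-ChildItem -Path $path -ErrorAction Stop).Count
        '{0,-20} readable: {1} subkeys (running as SYSTEM?)' -f $path, $n
    } catch {
        # Expected for Administrators: the DACL gives them no read rights on the data.
        '{0,-20} {1}' -f $path, $_.Exception.Message
    }
}

# The DACL explains the failures. Reading the ACL needs only READ_CONTROL,
# which Administrators do hold, so this part works from an elevated prompt.
foreach ($hive in 'HKLM:\SAM', 'HKLM:\SECURITY') {
    "`n$hive"
    try {
        (Get-Acl -Path $hive).Access |
            Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
    } catch {
        "  $($_.Exception.Message)"
    }
}
```

Two caveats a practitioner should keep in mind: Administrators hold WRITE_DAC on these keys, so they can rewrite the DACL and grant themselves access, and backup semantics (SeBackupPrivilege, used by REG SAVE) bypass the DACL entirely. The descriptor stops casual browsing; it is not a security boundary against an administrator.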
HKLM (Cont.)
• HKLM\SOFTWARE is where Windows stores systemwide configuration information not needed to boot the system.
• HKLM\SYSTEM contains the systemwide configuration information needed to boot the system, such as which device drivers to load and which services to start.
• HKLM\SYSTEM also keeps the last known good control set: the control set used for the last successful boot, which the loader can fall back to if the current one fails to boot.
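As an added example (not from the book or the slides), this PowerShell script decodes HKLM\SYSTEM\Select, the key whose Current, Default, LastKnownGood and Failed values record which ControlSetNNN plays each role, and then checks that the CurrentControlSet link and the control set it names expose the same Services tree. The Select key and its value names are standard Windows, not assumptions.

```powershell
# Added example (not from the book or the slides): which ControlSetNNN is current
# and which is the last known good set, read from HKLM\SYSTEM\Select.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
foreach ($role in 'Current', 'Default', 'LastKnownGood', 'Failed') {
    $n = [int]$select.$role
    # A value of 0 (normal for Failed) means "no control set".
    $target = if ($n -gt 0) { 'HKLM\SYSTEM\ControlSet{0:D3}' -f $n } else { '(none)' }
    '{0,-14} = {1,-2} -> {2}' -f $role, $n, $target
}

# CurrentControlSet is a REG_LINK, recreated at every boot, to the control set
# named by Select\Current, so both paths expose the same service configuration.
$setPath   = 'HKLM:\SYSTEM\ControlSet{0:D3}\Services' -f $select.Current
$viaLink   = @(Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services').Count
$viaTarget = @(Get-ChildItem -Path $setPath).Count
'Services via CurrentControlSet: {0}; via {1}: {2}' -f $viaLink, $setPath, $viaTarget
```

When the LastKnownGood number differs from Current, the two ControlSetNNN keys can be diffed directly, which is a quick way to see which service or driver change preceded a failed boot.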
HKEY_CURRENT_CONFIG
• HKEY_CURRENT_CONFIG is just a link to the current hardware profile, stored under HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
HKEY_PERFORMANCE_DATA
• You won't find HKEY_PERFORMANCE_DATA by looking in the Registry Editor.
• This key is available only programmatically:
  • through the Windows registry functions, such as RegQueryValueEx, or
  • through the Performance Data Helper API (Pdh.dll).
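As an added example (not from the book or the slides), this PowerShell script reads HKEY_PERFORMANCE_DATA through the .NET RegistryKey wrapper (which calls RegQueryValueEx and grows its buffer until the ERROR_MORE_DATA loop ends), decodes the fixed header of the PERF_DATA_BLOCK that comes back, and then fetches one counter through the PDH layer by way of Get-Counter. The "Global" value name and the PERF_DATA_BLOCK field layout are standard Windows, not assumptions.

```powershell
# Added example (not from the book or the slides): the performance pseudo-key is
# invisible in Regedit but answers RegQueryValueEx; decode what it returns.
$perf = [Microsoft.Win32.Registry]::PerformanceData
$blob = $perf.GetValue('Global')      # byte[]: a PERF_DATA_BLOCK for every object
$perf.Close()

# PERF_DATA_BLOCK begins with WCHAR Signature[4] = "PERF", then DWORD fields.
$sig = [System.Text.Encoding]::Unicode.GetString($blob, 0, 8)
[pscustomobject]@{
    Signature       = $sig
    LittleEndian    = [BitConverter]::ToUInt32($blob, 8)
    Version         = [BitConverter]::ToUInt32($blob, 12)
    Revision        = [BitConverter]::ToUInt32($blob, 16)
    TotalByteLength = [BitConverter]::ToUInt32($blob, 20)
    HeaderLength    = [BitConverter]::ToUInt32($blob, 24)
    NumObjectTypes  = [BitConverter]::ToUInt32($blob, 28)
    BytesReturned   = $blob.Length
}
if ($sig -ne 'PERF') { throw "Unexpected signature '$sig' in performance data block" }

# The same counters through Pdh.dll: Get-Counter wraps the PDH API. Counter
# paths are localized, so this path is correct on an English system only.
(Get-Counter -Counter '\Processor(_Total)\% Processor Time').CounterSamples |
    Select-Object Path, CookedValue
```

The raw registry route hands back the complete binary block and leaves all parsing to the caller; PDH resolves names, instances and counter types for you, which is why almost all monitoring code goes through it rather than through RegQueryValueEx.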
Figure 4-2. Registry performance counter architecture