windows registry presentation


Upload: voxpop51

Post on 28-Nov-2014


Page 1: Windows Registry Presentation


Registry Presentation I

Scott Selikoff

Topics of Discussion: Part I

- What is what? Keys vs. Data vs. Values
- Data Types
- Old System of Windows
- Top Level: The HKEYs!
- The Root Key
- The HKLM Key – The Machine Key
- The HKCU Key – The User Key

Page 2

Topics of Discussion: Part II

- Oh, HKDD, where did you go?
- The Software/SOFTWARE Keys
- What about CLSIDs???
- Searching the Registry for Settings
- Regedit Shortcuts!
- Regmon and Filemon
- The Microsoft Keys
- Other Strange Facts
- Closing

Keys vs. Data vs. Values

- Keys = Folders.
- Value = The label or field for the actual data (shown in the Name column in Regedit).
- Data = The actual information being stored.
- Subkey = Any key that appears below another key. Nearly every key you work with is a subkey of some other key, so the terms subkey and key are almost interchangeable.

Page 3

Examples:

- Key: HKLM\Software\Adobe\Photoshop
- Value: "Version"
- Data: 5.5

More about basic Structure

- Keys and values are created by the program and are usually identical from computer to computer as long as the program version and the OS are the same (with some exceptions).
- Data is usually specific to the computer: directories, registration numbers, settings, etc.

Page 4

Data Types

- String data (REG_SZ) – Most often used. Shown in quotes: "".
- Binary data (REG_BINARY) – Shown as hexadecimal bytes, two digits per byte. Example: DA 9D 92 A0
- DWORD data (REG_DWORD) – A 4-byte (32-bit) unsigned integer, shown in hexadecimal. Example: 0x39902000

These are the three types the Windows 95/98 Regedit can create. The NT family adds others you will meet in practice: REG_EXPAND_SZ (a string containing %VARIABLE% references that are expanded when the value is used), REG_MULTI_SZ (a list of strings) and REG_QWORD (a 64-bit integer).

Old System of Windows

- Windows mostly used .ini files.
- Problem: Users figured out how to edit them too easily. Also, they were not always very organized (I disagree). Microsoft decided to create one giant structure called the Registry. Basically, it is identical in idea to .ini files, with some important exceptions.
- SIDE NOTE: In my opinion, the registry was literally designed to be extremely complicated to discourage users from tampering.

Page 5

Differences from the Older system

- All programs are in one registry, as opposed to each program having its own .ini file.
- On Windows 95/98 the registry is made up of two files, system.dat and user.dat, in the Windows directory. On the NT family it is split into several hive files under %SystemRoot%\System32\config (SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT) plus an NTUSER.DAT in each user's profile.
- The registry OFTEN CONTAINS POINTERS TO OTHER SECTIONS OF ITSELF (we will return to this).

Other Useful Information I

- Part of it is rebuilt every time the computer starts: the hardware-detection data (HKDD on Windows 95/98, HKLM\HARDWARE on NT) is volatile and is never written to disk, while the rest is loaded from the hive files. (Yes, that is part of "what's taking so long" every time you boot up.)
- VERY, VERY self-repairing. If you delete most small things they will find their way back one way or another, because Windows and the programs that own them simply recreate the keys at startup.
- Newer versions of Windows often move entries out of win.ini/system.ini (and sometimes whole .ini files) into the registry automatically.

Page 6

Other Useful Information II

- Windows keeps a backup of your registry as well as the current one, so it can fall back when the computer hangs on restart. Windows 95 keeps system.da0 and user.da0, the copies from the last successful start; Windows 98 keeps several compressed backups made by ScanReg; the NT family keeps a "Last Known Good" copy of the hardware/service configuration (a control set under HKLM\SYSTEM) rather than of the whole registry.

Top Level: The HKEYs!

- 6 major HKEY (header) keys (folders, but get used to calling them keys).
- Only 2 you will ever need to work with. Also, really only 2 of them are actual keys; the rest are links into those two.
- The 6 keys:
  HKEY_CLASSES_ROOT (HKCR)*
  HKEY_CURRENT_USER (HKCU)*
  HKEY_LOCAL_MACHINE (HKLM)
  HKEY_USERS (HKU)
  HKEY_CURRENT_CONFIG (HKCC)
  HKEY_DYN_DATA (HKDD)

Page 7

Major Pointers

- HKCR -> HKLM\Software\Classes (on Windows 2000 and later it is merged with HKCU\Software\Classes, so per-user associations override the machine-wide ones)
- HKCU -> HKU\<user id> (on the NT family the subkey is named after the user's SID)
- HKLM -> system.dat (on NT: the SYSTEM, SOFTWARE, SAM and SECURITY hives)
- HKU -> user.dat (on NT: the loaded NTUSER.DAT hives plus .DEFAULT)
- HKCC -> HKLM\Config\000<#> (on NT: HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current)
- HKDD -> the machine itself (volatile; Windows 95/98 only)

The Root Key: Let's get it out of the way!

- It is really just the HKLM\SOFTWARE\Classes key.
- Controls how Windows handles data files: file-extension associations, the commands behind "Open" and the other verbs on the right-click menu, and the registrations of COM objects (the CLSID subtree). Anything written here changes what runs when a user double-clicks a file, which is why it is a favourite place for persistence.
- References itself over and over again.
- CLSIDs are discussed later.

Page 8

Examples:

- The keys .txt and .doc might both point to the key txtfile (the default value under HKCR\.txt names it).
- The key txtfile might point to something else.
- Eventually you reach a final key which holds the shell command directives, e.g. HKCR\txtfile\shell\open\command. When you right-click an icon, the actions you are offered (like playing a music file or opening a Word document) are all listed under this final key, and the command stored there is what actually runs.

HKLM – The Machine Key

- = system.dat
- Stores all generic machine-related information.
- Has many important subkeys.

Page 9

HKLM Important Subkeys I

- A subkey of \Config produces HKCC.
- \SOFTWARE\Classes produces HKCR.
- \Enum (Win95/Win98) – Library of all hardware components EVER USED by the computer (on the NT family this database lives under HKLM\SYSTEM\CurrentControlSet\Enum).
- \Network – Small subkey that handles basic login to the computer.

HKLM Important Subkeys II

- ***\Hardware – Not used much in Win95/Win98, but in Windows NT and 2000 it is the volatile tree rebuilt from hardware detection at every boot, the job HKDD does on Win95/98***
- \SOFTWARE – Contains all software information that is set independently of the user (more on this later).

Page 10

HKCU – The Current User Key

- = a section of user.dat (on the NT family: the NTUSER.DAT hive from the logged-in user's profile)
- Like HKLM in many ways, but only refers to the user currently logged in.
- Comes from one of the HKEY_USERS subkeys.
- HKU\.DEFAULT = the default user configuration on Windows 95/98. On the NT family, beware: HKU\.DEFAULT is the profile used by the system account and the logon screen, not the template copied for new users (that is the NTUSER.DAT in the Default User profile directory).

HKCU Important Subkeys

- \Software – Same as the HKLM\Software key, only tailored to the user.
- \AppEvents\Schemes – May contain important program settings.
- \Control Panel – All control panel settings.

Page 11

END OF PART I

- Get some food/drink!

Oh, HKDD, where did you go?

- HKEY_DYN_DATA
- Win95/Win98 – Using the library in HKLM\Enum, it constructs a hardware configuration based on what is currently running on the machine. Uses its own special ID numbers.
- It is gone in Windows NT and 2000: the per-boot hardware detection data lives in the volatile HKLM\HARDWARE key instead, and the device database is under HKLM\SYSTEM\CurrentControlSet\Enum.
- NEVER MODIFY THIS KEY EVER.

Page 12

The Software/SOFTWARE Keys

- HKLM\SOFTWARE
- HKCU\Software
- Capitalization does not matter: registry key names are not case-sensitive (different versions of Windows, for one reason or another, capitalize HKLM\SOFTWARE, others do not).
- 95% of all program settings (if in the registry at all) are found here.
- As stated earlier, HKLM\Software pertains to machine info, HKCU\Software to user info.

Software Keys – Structure

- Under the Software key, the subkeys are company names. Examples: Microsoft, Symantec, etc.
- Subkeys of the company keys are programs/utilities.
- Program keys are not always real programs; more often they are keys for helper applications to a real program contained within the same company key.

Page 13

Example:

- \Adobe Photoshop is a subkey of HKLM\Software\Adobe.
- BUT other keys in \Adobe are created too: \Adobe Gamma (a coloring utility) is also installed.
- Even though Adobe Gamma looks as if it should stand by itself (because it is next to Photoshop and not under it), it is really a part of the main Photoshop application.

More About Software Keys

- What I have described is the traditional structure. Now, what really happens?

Page 14

Program Type #1

- They actually follow the structure and put all of their general settings in HKLM and all their user-specific settings in HKCU.
- About 10% of all applications do this. More should.

Program Type #2

- All settings in HKLM –or– all settings in HKCU.
- This is the odd case of programs not wanting to conform to the MS hierarchy.
- 10% of applications do this.
- On the NT family the split also matters for access: HKLM\SOFTWARE is writable only by administrators while HKCU belongs to the user, so a program that keeps everything in HKLM either needs an administrator to change its settings or loosens the permissions on its key, which is a common source of privilege-escalation bugs.

Page 15

Program Type #3

- NO SETTINGS IN THE REGISTRY –or– they may look like Program Type #1 or #2, but their keys are extremely short and there are very few, if any, actual settings stored in the registry.
- Settings kept in program-specific files. Most often .ini files in the C:\windows directory or in their own program directory.
- Settings could be almost anywhere.
- 80% of all non-MS programs are of this type.

Program Type #4 (MS)

- Disadvantage: The Microsoft applications rarely ever put settings in places you can find them easily.
- Advantage: They are usually completely contained in the registry.
- More on this later.

Page 16

What are CLSIDs?

- {849t589uis – 38uskgdg}... uh!
- They are class identifiers, a kind of GUID (Globally Unique Identifier): 128-bit values written as {8-4-4-4-12 hex digits}, e.g. {20D04FE0-3AEA-1069-A2D8-08002B30309D}.
- Point to a Windows object (a COM class).
- Assigned by the component's author with a generator such as uuidgen or guidgen when the component is written, not by the machine, so the same component registers the same CLSID on every computer it is installed on.

The HKCR\CLSID Key

- The key HKCR\CLSID contains subkeys that are basically a list of every CLSID registered on the computer.
- Each subkey of HKCR\CLSID has a default value which briefly tells what it points to.
- Each subkey may also contain additional subkeys which give you more information about the object (not required), e.g. InprocServer32 naming the DLL that implements it.

Page 17

How are they used?

- Each object class carries a CLSID (generated so that it will never be identical to another CLSID).
- The CLSID is used (instead of the object type/name) throughout the registry. Most often used in the HKCR key.
- A program that encounters a CLSID while using the registry uses the list in HKCR\CLSID to decode what to do with the object, typically loading the DLL named under the CLSID's InprocServer32 subkey. That is also why a rewritten CLSID entry is a way to get code loaded into other programs.

More on CLSID

- If a key contains a CLSID, DO NOT COPY IT between machines. The identifier itself is the same everywhere, but the data under it (the path to the server DLL, the version installed) belongs to the machine it was exported from, and a CLSID entry whose DLL is missing is useless at best.
- There is nothing to decode in a CLSID: it is an opaque identifier, not an encoding of the machine. To carry a component to a client's new machine, install it there (or re-register it with regsvr32) so that the component writes its own CLSID entries.

Page 18

Searching the Registry for Settings I

- Only search HKLM and HKCU (the others are repeats of these 2).
- Skip the HKLM\SOFTWARE\Classes (HKCR) key. It is extremely rare to find any settings information in this key, so when searching and you encounter it, go back up, collapse it, skip it, then continue. (Settings, that is: if you are looking for what a program changed rather than where it keeps its options, HKCR is where file associations and COM registrations live and should not be skipped.)
- Ignore the Start Menu (contained in HKCU).
- Ignore keys that contain CLSIDs.

Searching the Registry for Settings II

- Ignore keys used by other programs. Example: the Windows Explorer key has a subkey that contains a list of recently used programs; obviously that is not a settings key.
- Avoid 3rd-party application keys that come from other 3rd-party applications. For example, chances are that if you find a reference to Photoshop under WinZip, it is not vital.

Page 19

Searching the Registry for Settings III

- Ignore gibberish (gibberish can be distinguished by its keys, not its values/data).
- Ignore anything in: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

Regedit Shortcuts!

- Ctrl+F – Find; F3 – Find Next.
- F5 – Refresh – Used if you recently installed/deleted a program.

Page 20

Regmon and Filemon

- I advocate against relying on Regmon. There is a structure and pattern to settings in the registry. Regmon is too random for my tastes.
- I recommend analyzing where you think the registry will keep its settings for an application, then testing with
  a) exporting/importing those sections of the registry
  b) Regmon

Other Reasons Why I Don't Support Regmon

- Too much guesswork.
- You may not be getting all the settings used; finding ALL of them can be difficult.
- Takes more time; in the end the results will be the same, except you will have lost precious time using Regmon.
- Difficulty: You need to be quite comfortable with the registry.
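The export/import approach above, the HKCR chain from the Root Key examples and the CLSID lookup from the CLSID slides, as an added example in Python that is not part of the presentation: it parses two Regedit .reg exports offline, follows .txt through its ProgID to the shell\open\command that actually runs, reads a CLSID entry the way a program would, and diffs a before-install export against an after-install one while skipping the noise keys the slides say to ignore. The exports, the company ExampleCo, its ExampleApp and the CLSID are all constructed for the example.

```python
r"""Added example, not from the slides: parse Regedit ".reg" exports offline, walk the HKCR chain
.ext -> ProgID -> shell\open\command, read a CLSID entry, and diff a before/after export to find
where a program keeps its settings. Every registry entry below is constructed for the example."""
import re
from typing import Dict, Optional, Tuple

KEY_RE = re.compile(r'^\[(.+)\]$')                      # [HKEY_...] header line
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=... or @=... for the (Default) value
RegTree = Dict[str, Dict[str, str]]                     # {key path: {value name: raw value text}}
NOISE = ('\\CLSID\\', '\\CurrentVersion\\Uninstall\\', '\\Explorer\\RecentDocs')  # skipped, as the slides advise

BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]
"MRUList"="ab"
'''
# After installing the made-up ExampleApp: it took over .txt, the MRU list churned, and the program
# wrote its own keys (what we want to find) plus the usual CLSID and Uninstall entries.
AFTER = (BEFORE
         .replace(r'"%SystemRoot%\\system32\\NOTEPAD.EXE %1"',
                  r'"C:\\Program Files\\ExampleApp\\openwith.exe %1"')
         .replace('"MRUList"="ab"', '"MRUList"="ba"')
         + r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCo\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"
"Version"="5.5"

[HKEY_CURRENT_USER\Software\ExampleCo\ExampleApp]
"AutoUpdate"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{0A1B2C3D-4E5F-4000-8000-0123456789AB}]
@="ExampleApp Shell Extension"

[HKEY_CLASSES_ROOT\CLSID\{0A1B2C3D-4E5F-4000-8000-0123456789AB}\InprocServer32]
@="C:\\Program Files\\ExampleApp\\shellext.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp]
"DisplayName"="ExampleApp"
''')

def unquote(raw: Optional[str]) -> Optional[str]:
    r"""Quoted REG_SZ text from a .reg file -> the stored string (undo the \\ and \" escapes)."""
    if raw is None or len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return None
    return re.sub(r'\\(.)', r'\1', raw[1:-1])

def parse_reg(text: str) -> RegTree:
    """Parse a .reg export into {key: {name: raw value text}}; values are left undecoded."""
    tree: RegTree = {}
    current: Optional[str] = None
    text = re.sub(r'\\\r?\n\s*', '', text)              # rejoin hex values continued with a trailing '\'
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == ';' or line.startswith('Windows Registry Editor'):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            tree.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name = '@' if value.group(1) == '@' else unquote(value.group(1))
            tree[current][name] = value.group(2).strip()
    return tree

def default_value(tree: RegTree, key: str) -> Optional[str]:
    return unquote(tree.get(key, {}).get('@'))

def resolve_open_command(tree: RegTree, ext: str) -> Optional[str]:
    r"""HKCR\.ext -> ProgID -> shell\open\command, the chain Explorer walks on a double-click.
    Whatever sits at the end runs with the user's rights every time such a file is opened."""
    progid = default_value(tree, 'HKEY_CLASSES_ROOT\\' + ext)
    if progid is None:
        return None
    return default_value(tree, 'HKEY_CLASSES_ROOT\\' + progid + '\\shell\\open\\command')

def describe_clsid(tree: RegTree, clsid: str) -> Tuple[Optional[str], Optional[str]]:
    """A CLSID read the way a program does: (Default) names the object, InprocServer32 names its DLL."""
    base = 'HKEY_CLASSES_ROOT\\CLSID\\' + clsid
    return default_value(tree, base), default_value(tree, base + '\\InprocServer32')

def diff_exports(before: str, after: str) -> Dict[str, Dict[str, Tuple[Optional[str], Optional[str]]]]:
    r"""Values that differ between two exports, minus the noise keys. HKCR is deliberately kept:
    a changed shell\open\command is not a setting, but it is exactly what a hijack looks like."""
    old, new = parse_reg(before), parse_reg(after)
    changes: Dict[str, Dict[str, Tuple[Optional[str], Optional[str]]]] = {}
    for key in sorted(set(old) | set(new)):
        if any(marker.lower() in key.lower() for marker in NOISE):
            continue
        for name in sorted(set(old.get(key, {})) | set(new.get(key, {}))):
            pair = (old.get(key, {}).get(name), new.get(key, {}).get(name))
            if pair[0] != pair[1]:
                changes.setdefault(key, {})[name] = pair
    return changes
```

Export the same subtrees before and after installing the program (Regedit's Export command, or `reg export` on the NT family) and feed the two files to diff_exports(); the one deliberate departure from the slides' search rules is that HKCR is not skipped, because a changed shell\open\command or InprocServer32 is not a setting but is the first thing to look at when an installer (or an intruder) has been at the machine.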

Page 21

Filemon

- I like this one. Very useful.
- Often 3rd-party applications can put their settings almost anywhere, and Filemon can really help you out.
- Also, I recommend doing searches for files on your computer modified in the last hour to help locate configuration files.
- (Regmon and Filemon have since been folded into Sysinternals Process Monitor, which records both registry and file activity on current Windows.)

The Microsoft Keys

- Often MS applications are more complicated and touch many more keys than 3rd-party applications are likely to.
- HKLM\Software\Microsoft\Windows contains many Windows settings. Almost any program you research may have a setting or two somewhere in this key.

Page 22

Other Strange Facts

- 1. Binary (yes/no) data is often stored as strings. Example: data like "0" or "1" is a boolean flag, but its type will be String (REG_SZ), not DWORD.
- 2. The datatype "Binary Data" is displayed as hexadecimal bytes... anyone confused?
- 3. Multi-byte numbers are displayed in reverse couples. For example, the DWORD shown as the bytes A0 B2 00 00 is really the number 0x0000B2A0: within each couple the digits are in the correct order, but the couples (bytes) are stored least-significant first. This is the little-endian byte order of the x86 processor, and it applies to any number stored as Binary or DWORD data.
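The data types from Part I and facts 1 to 3 above, as an added Python example that is not from the presentation: it decodes the value encodings Regedit writes to a .reg export (quoted REG_SZ, dword:, hex:, and the hex(n) forms for REG_EXPAND_SZ, REG_MULTI_SZ and REG_QWORD), shows that A0 B2 00 00 in the binary view is 0xB2A0, and reads a boolean setting whether it was stored as the string "1" or as DWORD 1. The sample values are constructed.

```python
r"""Added example, not from the slides: decode the value encodings Regedit writes to a .reg export,
show the little-endian byte order behind "reverse couples", and read a boolean setting whether it
was stored as the string "0"/"1" or as a DWORD. The sample values are constructed."""
import re
import struct
from typing import Any, Tuple

# Type ids that appear as hex(n): in .reg files (n is written in hex; plain "hex:" is REG_BINARY).
REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 2, 3, 4, 7, 11
HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')

def decode_reg_value(raw: str) -> Tuple[str, Any]:
    """Text to the right of '=' in a .reg export -> (type name, Python value)."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return 'REG_SZ', re.sub(r'\\(.)', r'\1', raw[1:-1])            # undo the \\ and \" escapes
    if raw.startswith('dword:'):
        # Regedit prints a DWORD as eight hex digits in normal reading order, most significant first.
        return 'REG_DWORD', int(raw[len('dword:'):], 16)
    m = HEX_RE.match(raw)
    if not m:
        raise ValueError(f'unrecognised value text: {raw!r}')
    type_id = int(m.group(1), 16) if m.group(1) else REG_BINARY
    data = bytes.fromhex(re.sub(r'[,\s]', '', m.group(2)))          # the bytes exactly as stored in the hive
    if type_id == REG_BINARY:
        return 'REG_BINARY', data
    if type_id in (REG_DWORD, REG_QWORD):
        # Stored least-significant byte first, which is why the bytes read "backwards" in the binary view.
        name = 'REG_DWORD' if type_id == REG_DWORD else 'REG_QWORD'
        return name, int.from_bytes(data, 'little')
    if type_id == REG_EXPAND_SZ:
        return 'REG_EXPAND_SZ', data.decode('utf-16-le').rstrip('\0')
    if type_id == REG_MULTI_SZ:
        return 'REG_MULTI_SZ', [s for s in data.decode('utf-16-le').split('\0') if s]
    return f'REG_TYPE_{type_id:x}', data

def encode_hex_string(text: str, type_id: int = REG_EXPAND_SZ) -> str:
    """The inverse of the hex(n) case: a string as Regedit exports it (UTF-16LE, NUL-terminated;
    for REG_MULTI_SZ pass the strings joined with '\\0')."""
    data = (text + '\0').encode('utf-16-le')
    return f'hex({type_id:x}):' + ','.join(f'{b:02x}' for b in data)

def dword_from_binary_view(shown: str) -> int:
    """'A0 B2 00 00' as shown in Regedit's binary view is the number 0x0000B2A0: each couple is in
    order, but the couples (bytes) are least-significant first, the x86 little-endian order."""
    return struct.unpack('<I', bytes.fromhex(shown.replace(' ', '')))[0]

def as_flag(raw: str) -> bool:
    """A boolean setting may be a REG_SZ "0"/"1" (binary stored as a string) or a REG_DWORD 0/1;
    accept both and refuse anything else rather than guess."""
    kind, value = decode_reg_value(raw)
    if kind == 'REG_SZ' and value.strip() in ('0', '1'):
        return value.strip() == '1'
    if kind == 'REG_DWORD':
        return value != 0
    raise ValueError(f'not a boolean setting: {raw!r}')
```

The same little-endian rule applies to the raw bytes of a DWORD you see in Regedit's binary editor, in a hive file on disk, or in a hex(4): line of an export; only the dword: text form is written in reading order.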

Closing

- There are many more details not covered today.
- Questions? Feel free to ask me.
- Reference: "The Windows 98 Registry: A Survival Guide for Users" by John Woram.