Windows Registry
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Windows Registry as PDF for free.
More details
- Words: 4,025
- Pages: 14
Windows Registry The Registr y has to be one of the least understood aspects of the Windows operating system family. Even seasoned professionals approach it with a degree of caution, knowing that a wrong entry can potentially wreak havoc on the system. Description of the registry. Wean defines the registry as: A central hierarchical database used in Microsoft Windows used to store information that is necessary to configure the system for one or more users, applications and hardware devices. The Registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system, and the ports that are being used. The Registry replaces most of the text-based .ini files that are used in Windows 3.x and MS-DOS configuration files, such as the Autoexec.bat and Config.sys. Although the Registry is common to several Windows operating systems, there are some differences among them.
Some History The Registry was introduced as a way out of the “INI files mess” that plagued early versions of Windows. Configuration information regarding the operating system, application files, hardware, and soon were stored in INI files scattered all over the system. For example, when an application is installed, it needs to know various parameters regarding the operating system and the available hardware. Much of this information is common to other applications as well. However, if there was any change in the hardware or operating system software, updating the application’s INI files used to be hell. The Registry was conceived as a way out of this madness. It is a hierarchical database that stores information regarding the hardware, operating system software, application software, users preferences and system preferences. The hierarchy separates the machine infor mation, user information and the software infor mation into logically discrete units that can be manipulated with greater ease. Any changes made by users, the operating system, newly installed software, and hardware are all updated and reflected in the Registry. During system startup, Windows uses the registry to get configuration data regarding the hardware, software and other peripherals that have been configured. It also maintains a backup copy of the registry with which the system had successfully started up last. Hence, if it encounters a problem with the current startup, it can then use the configuration information from the backup to attempt to start the system. Some of the information stored in the registry is specific to the particular startup session only, and is mostly user-specific.
This flexibility has deeper significance when considering a networked scenario. administrators can specify user rights and access to various system and network components. They can control what users can and cannot do on their machines with a fair degree of granular control. For example, Administrators can specify that users are not allowed to install new applications on their machines. A Registr y entry disabling the users’ right to install would secure the system. And a Registr y entr y can be made to prevent unauthorized access to the registr y itself! Physically, the Registry information in XP is stored in multiple files in the \System32\Config folder of the operating system (or root) folder—usually C:\Windows or C:\WINNT. These files cannot be edited directly; they have to be accessed through a Registryediting program such as Regedit.exe or Regedt32.exe.
Registry Hives A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files that contain backups of its data. The supporting files for all hives except HKEY_CURRENT_USER are in the %SystemRoot%\System32\Config folder on Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The supporting files for HKEY_CURRENT_USER are in the %SystemRoot%\Profiles\Username folder. The file name extensions of the files in these folders indicate the type of data that they contain. Also, the lack of an extension may sometimes indicate the type of data that they contain.. Registry hive Supporting files HKEY_LOCAL_MACHINE\SAM Sam, Sam.log, Sam.sav HKEY_LOCAL_MACHINE\Security Security, Security.log, Security.sav HKEY_LOCAL_MACHINE\Software Software, Software.log, Software.sav HKEY_LOCAL_MACHINE\System System, System.alt, System.log, System.sav System, System.alt, System.log, System.sav, Ntuser.dat, HKEY_CURRENT_CONFIG Ntuser.dat.log HKEY_USERS\DEFAULT Default, Default.log, Default.sav
In Windows 98, the registry files are named User.dat and System.dat. In Windows Millennium Edition, the registry files are named Classes.dat, User.dat, and System.dat.
The registry contains 6 main keys: HKEY_CURRENT_USER Contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored
here. This information is associated with the user's profile. This key is sometimes abbreviated as "HKCU." HKEY_USERS Contains all the actively loaded user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS. HKEY_USERS is sometimes abbreviated as "HKU." HKEY_LOCAL_MACHINE Contains configuration information particular to the computer (for any user). This key is sometimes abbreviated as "HKLM." HKEY_CLASSES_ROOT Is a subkey of HKEY_LOCAL_MACHINE\Software. The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer. This key is sometimes abbreviated as "HKCR." HKEY_CURRENT_CONFIG Contains information about the hardware profile that is used by the local computer at system startup. HKEY_DYN_DATA Contains real-time performance statistics on the computer's hardware. Structure The registry is made up of "Keys". Each key is like the branch of a tree. Each key has one parent key, and zero or more child keys. Each key can contain zero or more "Values", each of which contains a single piece of data. To make navigating the registry a bit easier, you can think of the registry's construction like your hard drives. Hard drive <-> Registry Folders <-> Keys Files <-> Values The Registry Editor View
REGEDIT Regedit is a program you can use to access and edit the Registry. It normally ships with the default Windows installation and can be launched from the Run command box in the Start Menu by typing in “regedit” or “regedit.exe”. Editing the Registry should be done with care, and with as much understanding as possible as to why and where you are making a change. Additionally, it is strongly recommended that you back up the Registry immediately prior to making a change. You also need to understand how to restore the Registry in case things go awry. The following sections deal with how to back up and restore the Registry. Value Types As mentioned above, each of these hives contain keys and subkeys, which in turn can contain further sub-keys or values. These values are of three major types: DWORD, Binary and String. REG_DWORD - (a DWORD Value) is usually used for Boolean values and is a fourbyte number. Many device drivers and services use DWORD values to toggle between options. For example, the UpdateMode setting that controls refresh rates can have a setting of either 0 (disabled) or 1 (enabled). If the DWORD value is set to 0, refreshing does not take place. Each setting has a specific default DWORD value that is used by the system. REG_BINARY - (a Binary Value) is used to store information as raw binary data, and is usually used for hardware components. The String Value type, however, has
expansions to accommodate variables and multiple values. The Value types are denoted as: REG_SZ - is the standard string used to display human-readable text. REG_EXPAND_SZ is an expandable data string that permits storing of variables that can be replaced by actual values by the application calling the key. For example, an application may refer to a particular key in a hive to obtain the location of a system file. The key would contain a setting for that system file, and a string value which is, say, %systemroot%\filename . The %systemroot% will be replaced by the location of the XP operating system folder, which on most machines will be C:\Windows or C:\WINNT . REG_MULTI_SZ - is used to store lists or multiple values, each entry being separated by a NULL character. This is analogous to arrays in programming. For example, a Registry entry could be created to store the IP addresses of multiple timeservers. An application program would then refer to this Registry entry and cycle through the list of IP addresses.
Backup And Restore There are two things you can do in terms of backing up the Registry: either back up the entire Registry, or export the specific key you are going to edit. To export a Registry key, open Regedit using the Run command box. Find the key or sub-key you want to edit and select it by clicking on it. Choose File > Export . In the dialog box, select the location where you want to save the key, select to save it as a .reg file, and select the “Selected Branch” option. Give a name for the file and click Save. It will be saved as a .reg file. If you want to back up the entire Registry, use the backup utility provided with XP.
Open the backup software from All Programs > Accessories > System Tools > Backup. Select the checkbox that says “System State Data”. This will back up the registry, boot files, and the COM+ class registration database. At any later point, you can either restore the individual key you exported using the method above, or the entire system state. Restoring the individual key is a simple double-click on the .reg file you saved. To restore the system state, open the Backup utility, click Advanced Mode and select the Restore and Manage Media tab. Select the backed up system state file you want to restore. Check the System State box. In the “Restore Files to” box, select Original Location. In the Tools menu, select Options, and click on “Always replace the file on my computer”, then on OK. (If you don’t do this, you will be asked for a confirmation for each and every file during the restore process.) Click “Start Restore”. You will get a warning that says: “Restoring System State will always overwrite current System State unless restoring to an alternative location”; click OK. to overwrite. Click OK in the Confirm Restore dialog box. The
restore operation will start showing you the progress of the restore. When it completes, click Close and accept the prompt to restart the computer. Searching the Registry You can search the Registry by choosing "Find" from the Edit menu, or pressing Ctrl+F.
It is quite easy to search the Registry for items that might apply to a particular aspect of Windows or your installed software that you want to change. However, it can also be time-consuming - especially if you have an older, slow computer. It can be misleading as well, since you may not be sure what the references you find in the Registry actually do, so be cautious. In the "Find What" field, type in what you're looking for and, in the "Look At" section, check off whether you want to search the Keys, Value Names, or Value Data, or any combination of these. If it finds an instance, you may want to check to see if there are any further references. Under the File menu, select Find Next, or just hit the F3 key. Editing the Registry Modifying the registry can potentially make Windows unbootable. Be careful! Always make a backup of the registry before making changes. To edit a registry value, first navigate the tree until the value is displayed . For example, we have navigated to the registry value that controls the delay before a menu pops up.
To edit a value, double click on its name. If you are following this example, go ahead and change the MenuShowDelay value from 100 to 0. After making this change, like most changes made in the registry, you will need to reboot. After rebooting, all menus should pop up noticeably faster. Removing Entries • • •
Navigate to the key or value that you wish to delete. Make sure the key or value is selected. Right-click on the name of the key or value, then select Delete. Or, press the Delete key.
Adding to the Registry
• • • • •
Navigate to the parent key where you wish to add a value. Right click on the key name, and open the "New" submenu. Choose the type of data you wish to add. Enter the name of the value. Edit the value by double clicking on its name. It may be necessary to reboot to make the change take effect.
How to recover from a corrupted registry that prevents Windows XP from starting When you try to start or restart your Windows XP-based computer, you may receive one of the following error messages: Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SOFTWARE Stop: c0000218 {Registry File Failure} The registry cannot load the hive (file): \SystemRoot\System32\Config\SOFTWARE or its log or alternate System error: Lsass.exe When trying to update a password the return status indicates that the value provided as the current password is not correct. Part one In part one, you start the Recovery Console, create a temporary folder, back up the existing registry files to a new location, delete the registry files at their existing location, and then copy the registry files from the repair folder to the System32\Config folder. When you have finished this procedure, a registry is created that you can use to start Windows XP. This registry was created and saved during the initial setup of Windows XP. Therefore any changes and settings that occurred after the Setup program was finished are lost. To complete part one, follow these steps: 1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so. 2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console. 3. If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.
4. When you are prompted to do so, type the Administrator password. If the administrator password is blank, just press ENTER. 5. At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line: md tmp copy c:\windows\system32\config\system c:\windows\tmp\system.bak copy c:\windows\system32\config\software c:\windows\tmp\software.bak copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak copy c:\windows\system32\config\security c:\windows\tmp\security.bak copy c:\windows\system32\config\default c:\windows\tmp\default.bak delete delete delete delete delete copy copy copy copy copy
c:\windows\system32\config\system c:\windows\system32\config\software c:\windows\system32\config\sam c:\windows\system32\config\security c:\windows\system32\config\default
c:\windows\repair\system c:\windows\system32\config\system c:\windows\repair\software c:\windows\system32\config\software c:\windows\repair\sam c:\windows\system32\config\sam c:\windows\repair\security c:\windows\system32\config\security c:\windows\repair\default c:\windows\system32\config\default
6. Type exit to quit Recovery Console. Your computer will restart. Note This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location. If you have access to another computer, to save time, you can copy the text in step five, and then create a text file called "Regcopy1.txt" (for example). To use this file, run the following command when you start in Recovery Console: batch regcopy1.txt With the batch command in Recovery Console, you can process all the commands in a text file sequentially. When you use the batch command, you do not have to manually type as many commands. Part two To complete the procedure described in this section, you must be logged on as an administrator, or an administrative user (a user who has an account in the Administrators group). If you are using Windows XP Home Edition, you can log on as an administrative user. If you log on as an administrator, you must first start Windows XP Home Edition in Safe mode. To start the Windows XP Home Edition computer in Safe mode, follow these steps.
Note Print these instructions before you continue. You cannot view these instructions after you restart the computer in Safe Mode. If you use the NTFS file system, also print the instructions from Knowledge Base article KB309531. Step 7 contains a reference to the article. 1. Click Start, click Shut Down (or click Turn Off Computer), click Restart, and then click OK (or click Restart). 2. Press the F8 key. On a computer that is configured to start to multiple operating systems, you can press F8 when you see the Startup menu. 3. Use the arrow keys to select the appropriate Safe mode option, and then press ENTER. 4. If you have a dual-boot or multiple-boot system, use the arrow keys to select the installation that you want to access, and then press ENTER. In part two, you copy the registry files from their backed up location by using System Restore. This folder is not available in Recovery Console and is generally not visible during typical usage. Before you start this procedure, you must change several settings to make the folder visible: 1. 2. 3. 4.
Start Windows Explorer. On the Tools menu, click Folder options. Click the View tab. Under Hidden files and folders, click to select Show hidden files and folders, and then click to clear the Hide protected operating system files (Recommended) check box. 5. Click Yes when the dialog box that confirms that you want to display these files appears. 6. Double-click the drive where you installed Windows XP to display a list of the folders. If is important to click the correct drive. 7. Open the System Volume Information folder. This folder is unavailable and appears dimmed because it is set as a super-hidden folder. Note This folder contains one or more _restore {GUID} folders such as "_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}". 8. Open a folder that was not created at the current time. You may have to click Details on the View menu to see when these folders were created. There may be one or more folders starting with "RPx under this folder. These are restore points. 9. Open one of these folders to locate a Snapshot subfolder. The following path is an example of a folder path to the Snapshot folder: C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EBA81BE6EE3ED8}\RP1\Snapshot
10.From the Snapshot folder, copy the following files to the C:\Windows\Tmp folder: o _REGISTRY_USER_.DEFAULT o _REGISTRY_MACHINE_SECURITY o _REGISTRY_MACHINE_SOFTWARE o _REGISTRY_MACHINE_SYSTEM o _REGISTRY_MACHINE_SAM 11.Rename the files in the C:\Windows\Tmp folder as follows: o Rename _REGISTRY_USER_.DEFAULT to DEFAULT o Rename _REGISTRY_MACHINE_SECURITY to SECURITY o Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE o Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM o Rename _REGISTRY_MACHINE_SAM to SAM These files are the backed up registry files from System Restore. Because you used the registry file that the Setup program created, this registry does not know that these restore points exist and are available. A new folder is created with a new GUID under System Volume Information and a restore point is created that includes a copy of the registry files that were copied during part one. Therefore, it is important not to use the most current folder, especially if the time stamp on the folder is the same as the current time. The current system configuration is not aware of the previous restore points. You must have a previous copy of the registry from a previous restore point to make the previous restore points available again. The registry files that were copied to the Tmp folder in the C:\Windows folder are moved to make sure that the files are available under Recovery Console. You must use these files to replace the registry files currently in the C:\Windows\System32\Config folder. By default, Recovery Console has limited folder access and cannot copy files from the System Volume folder. Part Three In part three, you delete the existing registry files, and then copy the System Restore Registry files to the C:\Windows\System32\Config folder: 1. Start Recovery Console. 2. At the command prompt, type the following lines, pressing ENTER after you type each line: del c:\windows\system32\config\sam del c:\windows\system32\config\security del c:\windows\system32\config\software
del c:\windows\system32\config\default del c:\windows\system32\config\system copy c:\windows\tmp\software c:\windows\system32\config\software copy c:\windows\tmp\system c:\windows\system32\config\system copy c:\windows\tmp\sam c:\windows\system32\config\sam copy c:\windows\tmp\security c:\windows\system32\config\security copy c:\windows\tmp\default c:\windows\system32\config\default Note Some of these command lines may be wrapped for readability. 3. Type exit to quit Recovery Console. Your computer restarts. Note This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location. If you have access to another computer, to save time, you can copy the text in step two, and then create a text file called "Regcopy2.txt" (for example). To use this file, run the following command when you start in Recovery Console: batch regcopy2.txt Part Four 1. Click Start, and then click All Programs. 2. Click Accessories, and then click System Tools. 3. Click System Restore, and then click Restore to a previous RestorePoint.
How to gain access to the System Volume Information folder To gain access to the System Volume Information folder, use the steps in the appropriate section. Microsoft Windows XP Professional or Windows XP Home Edition Using the FAT32 File System 1. Click Start, and then click My Computer. 2. On the Tools menu, click Folder Options. 3. On the View tab, click Show hidden files and folders.
4. Clear the Hide protected operating system files (Recommended) check box. Click Yes when you are prompted to confirm the change. 5. Click OK. 6. Double-click the System Volume Information folder in the root folder to open it. Windows XP Professional using the NTFS File System on a Workgroup or Standalone Computer 1. 2. 3. 4. 5. 6. 7. 8. 9.
Click Start, and then click My Computer. On the Tools menu, click Folder Options. On the View tab, click Show hidden files and folders. Clear the Hide protected operating system files (Recommended) check box. Click Yes when you are prompted to confirm the change. Clear the Use simple file sharing (Recommended) check box. Click OK. Right-click the System Volume Information folder in the root folder, and then click Properties. Click the Security tab. Click Add, and then type the name of the user to whom you want to give access to the folder. Typically, this is the account with which you are logged on. Click OK, and then click OK again.
Double-click the System Volume Information folder in the root folder to open it. Using CACLS with Windows XP Home Edition Using the NTFS File System In Windows XP Home Edition with the NTFS file system, you can also use the Cacls tool, which is a command-line tool, to display or modify file or folder access control lists (ACLs). For more information about the Cacls tool, including usage and switches, search the Help and Support Center for "cacls." 1. Click Start, click Run, type cmd, and then click OK. 2. Make sure that you are in the root folder of the partition for which you want to gain access to the System Volume Information folder. For example, to gain access the C:\System Volume Information folder, make sure that you are in the root folder of drive C (at a "C:\" prompt). 3. Type the following line, and then press ENTER: cacls "driveletter:\System Volume Information" /E /G username:F Make sure to type the quotation marks as indicated. This command adds the specified user to the folder with Full Control permissions. 4. Double-click the System Volume Information folder in the root folder to open it. 5. If you need to remove the permissions after troubleshooting, type the following line at a command prompt:
cacls "driveletter:\System Volume Information" /E /R username This command removes all permissions for the specified user.
The following steps also work if you restart the computer to Safe mode because simple file sharing is automatically turned off when you run the computer in Safe mode. 1. Open My Computer, right-click the System Volume Information folder, and then click Properties. 2. Click the Security tab. 3. Click Add, and then type the name of the user to whom you want to give access to the folder. Typically, this is the account with which you are logged on. 4. Click OK, and then click OK again. 5. Double-click the System Volume Information folder to open it.
Some History The Registry was introduced as a way out of the “INI files mess” that plagued early versions of Windows. Configuration information regarding the operating system, application files, hardware, and soon were stored in INI files scattered all over the system. For example, when an application is installed, it needs to know various parameters regarding the operating system and the available hardware. Much of this information is common to other applications as well. However, if there was any change in the hardware or operating system software, updating the application’s INI files used to be hell. The Registry was conceived as a way out of this madness. It is a hierarchical database that stores information regarding the hardware, operating system software, application software, users preferences and system preferences. The hierarchy separates the machine infor mation, user information and the software infor mation into logically discrete units that can be manipulated with greater ease. Any changes made by users, the operating system, newly installed software, and hardware are all updated and reflected in the Registry. During system startup, Windows uses the registry to get configuration data regarding the hardware, software and other peripherals that have been configured. It also maintains a backup copy of the registry with which the system had successfully started up last. Hence, if it encounters a problem with the current startup, it can then use the configuration information from the backup to attempt to start the system. Some of the information stored in the registry is specific to the particular startup session only, and is mostly user-specific.
This flexibility has deeper significance when considering a networked scenario. administrators can specify user rights and access to various system and network components. They can control what users can and cannot do on their machines with a fair degree of granular control. For example, Administrators can specify that users are not allowed to install new applications on their machines. A Registr y entry disabling the users’ right to install would secure the system. And a Registr y entr y can be made to prevent unauthorized access to the registr y itself! Physically, the Registry information in XP is stored in multiple files in the \System32\Config folder of the operating system (or root) folder—usually C:\Windows or C:\WINNT. These files cannot be edited directly; they have to be accessed through a Registryediting program such as Regedit.exe or Regedt32.exe.
Registry Hives A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files that contain backups of its data. The supporting files for all hives except HKEY_CURRENT_USER are in the %SystemRoot%\System32\Config folder on Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The supporting files for HKEY_CURRENT_USER are in the %SystemRoot%\Profiles\Username folder. The file name extensions of the files in these folders indicate the type of data that they contain. Also, the lack of an extension may sometimes indicate the type of data that they contain.. Registry hive Supporting files HKEY_LOCAL_MACHINE\SAM Sam, Sam.log, Sam.sav HKEY_LOCAL_MACHINE\Security Security, Security.log, Security.sav HKEY_LOCAL_MACHINE\Software Software, Software.log, Software.sav HKEY_LOCAL_MACHINE\System System, System.alt, System.log, System.sav System, System.alt, System.log, System.sav, Ntuser.dat, HKEY_CURRENT_CONFIG Ntuser.dat.log HKEY_USERS\DEFAULT Default, Default.log, Default.sav
In Windows 98, the registry files are named User.dat and System.dat. In Windows Millennium Edition, the registry files are named Classes.dat, User.dat, and System.dat.
The registry contains 6 main keys: HKEY_CURRENT_USER Contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored
here. This information is associated with the user's profile. This key is sometimes abbreviated as "HKCU." HKEY_USERS Contains all the actively loaded user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS. HKEY_USERS is sometimes abbreviated as "HKU." HKEY_LOCAL_MACHINE Contains configuration information particular to the computer (for any user). This key is sometimes abbreviated as "HKLM." HKEY_CLASSES_ROOT Is a subkey of HKEY_LOCAL_MACHINE\Software. The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer. This key is sometimes abbreviated as "HKCR." HKEY_CURRENT_CONFIG Contains information about the hardware profile that is used by the local computer at system startup. HKEY_DYN_DATA Contains real-time performance statistics on the computer's hardware. Structure The registry is made up of "Keys". Each key is like the branch of a tree. Each key has one parent key, and zero or more child keys. Each key can contain zero or more "Values", each of which contains a single piece of data. To make navigating the registry a bit easier, you can think of the registry's construction like your hard drives. Hard drive <-> Registry Folders <-> Keys Files <-> Values The Registry Editor View
REGEDIT Regedit is a program you can use to access and edit the Registry. It normally ships with the default Windows installation and can be launched from the Run command box in the Start Menu by typing in “regedit” or “regedit.exe”. Editing the Registry should be done with care, and with as much understanding as possible as to why and where you are making a change. Additionally, it is strongly recommended that you back up the Registry immediately prior to making a change. You also need to understand how to restore the Registry in case things go awry. The following sections deal with how to back up and restore the Registry. Value Types As mentioned above, each of these hives contain keys and subkeys, which in turn can contain further sub-keys or values. These values are of three major types: DWORD, Binary and String. REG_DWORD - (a DWORD Value) is usually used for Boolean values and is a fourbyte number. Many device drivers and services use DWORD values to toggle between options. For example, the UpdateMode setting that controls refresh rates can have a setting of either 0 (disabled) or 1 (enabled). If the DWORD value is set to 0, refreshing does not take place. Each setting has a specific default DWORD value that is used by the system. REG_BINARY - (a Binary Value) is used to store information as raw binary data, and is usually used for hardware components. The String Value type, however, has
expansions to accommodate variables and multiple values. The Value types are denoted as: REG_SZ - is the standard string used to display human-readable text. REG_EXPAND_SZ is an expandable data string that permits storing of variables that can be replaced by actual values by the application calling the key. For example, an application may refer to a particular key in a hive to obtain the location of a system file. The key would contain a setting for that system file, and a string value which is, say, %systemroot%\filename . The %systemroot% will be replaced by the location of the XP operating system folder, which on most machines will be C:\Windows or C:\WINNT . REG_MULTI_SZ - is used to store lists or multiple values, each entry being separated by a NULL character. This is analogous to arrays in programming. For example, a Registry entry could be created to store the IP addresses of multiple timeservers. An application program would then refer to this Registry entry and cycle through the list of IP addresses.
Backup And Restore There are two things you can do in terms of backing up the Registry: either back up the entire Registry, or export the specific key you are going to edit. To export a Registry key, open Regedit using the Run command box. Find the key or sub-key you want to edit and select it by clicking on it. Choose File > Export . In the dialog box, select the location where you want to save the key, select to save it as a .reg file, and select the “Selected Branch” option. Give a name for the file and click Save. It will be saved as a .reg file. If you want to back up the entire Registry, use the backup utility provided with XP.
Open the backup software from All Programs > Accessories > System Tools > Backup. Select the checkbox that says “System State Data”. This will back up the registry, boot files, and the COM+ class registration database. At any later point, you can either restore the individual key you exported using the method above, or the entire system state. Restoring the individual key is a simple double-click on the .reg file you saved. To restore the system state, open the Backup utility, click Advanced Mode and select the Restore and Manage Media tab. Select the backed up system state file you want to restore. Check the System State box. In the “Restore Files to” box, select Original Location. In the Tools menu, select Options, and click on “Always replace the file on my computer”, then on OK. (If you don’t do this, you will be asked for a confirmation for each and every file during the restore process.) Click “Start Restore”. You will get a warning that says: “Restoring System State will always overwrite current System State unless restoring to an alternative location”; click OK. to overwrite. Click OK in the Confirm Restore dialog box. The
restore operation will start showing you the progress of the restore. When it completes, click Close and accept the prompt to restart the computer. Searching the Registry You can search the Registry by choosing "Find" from the Edit menu, or pressing Ctrl+F.
It is quite easy to search the Registry for items that might apply to a particular aspect of Windows or your installed software that you want to change. However, it can also be time-consuming - especially if you have an older, slow computer. It can be misleading as well, since you may not be sure what the references you find in the Registry actually do, so be cautious. In the "Find What" field, type in what you're looking for and, in the "Look At" section, check off whether you want to search the Keys, Value Names, or Value Data, or any combination of these. If it finds an instance, you may want to check to see if there are any further references. Under the File menu, select Find Next, or just hit the F3 key. Editing the Registry Modifying the registry can potentially make Windows unbootable. Be careful! Always make a backup of the registry before making changes. To edit a registry value, first navigate the tree until the value is displayed . For example, we have navigated to the registry value that controls the delay before a menu pops up.
To edit a value, double click on its name. If you are following this example, go ahead and change the MenuShowDelay value from 100 to 0. After making this change, like most changes made in the registry, you will need to reboot. After rebooting, all menus should pop up noticeably faster. Removing Entries • • •
Navigate to the key or value that you wish to delete. Make sure the key or value is selected. Right-click on the name of the key or value, then select Delete. Or, press the Delete key.
Adding to the Registry
• • • • •
Navigate to the parent key where you wish to add a value. Right click on the key name, and open the "New" submenu. Choose the type of data you wish to add. Enter the name of the value. Edit the value by double clicking on its name. It may be necessary to reboot to make the change take effect.
How to recover from a corrupted registry that prevents Windows XP from starting When you try to start or restart your Windows XP-based computer, you may receive one of the following error messages: Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SOFTWARE Stop: c0000218 {Registry File Failure} The registry cannot load the hive (file): \SystemRoot\System32\Config\SOFTWARE or its log or alternate System error: Lsass.exe When trying to update a password the return status indicates that the value provided as the current password is not correct. Part one In part one, you start the Recovery Console, create a temporary folder, back up the existing registry files to a new location, delete the registry files at their existing location, and then copy the registry files from the repair folder to the System32\Config folder. When you have finished this procedure, a registry is created that you can use to start Windows XP. This registry was created and saved during the initial setup of Windows XP. Therefore any changes and settings that occurred after the Setup program was finished are lost. To complete part one, follow these steps: 1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so. 2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console. 3. If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.
4. When you are prompted to do so, type the Administrator password. If the administrator password is blank, just press ENTER. 5. At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line: md tmp copy c:\windows\system32\config\system c:\windows\tmp\system.bak copy c:\windows\system32\config\software c:\windows\tmp\software.bak copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak copy c:\windows\system32\config\security c:\windows\tmp\security.bak copy c:\windows\system32\config\default c:\windows\tmp\default.bak delete delete delete delete delete copy copy copy copy copy
c:\windows\system32\config\system c:\windows\system32\config\software c:\windows\system32\config\sam c:\windows\system32\config\security c:\windows\system32\config\default
c:\windows\repair\system c:\windows\system32\config\system c:\windows\repair\software c:\windows\system32\config\software c:\windows\repair\sam c:\windows\system32\config\sam c:\windows\repair\security c:\windows\system32\config\security c:\windows\repair\default c:\windows\system32\config\default
6. Type exit to quit Recovery Console. Your computer will restart. Note This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location. If you have access to another computer, to save time, you can copy the text in step five, and then create a text file called "Regcopy1.txt" (for example). To use this file, run the following command when you start in Recovery Console: batch regcopy1.txt With the batch command in Recovery Console, you can process all the commands in a text file sequentially. When you use the batch command, you do not have to manually type as many commands. Part two To complete the procedure described in this section, you must be logged on as an administrator, or an administrative user (a user who has an account in the Administrators group). If you are using Windows XP Home Edition, you can log on as an administrative user. If you log on as an administrator, you must first start Windows XP Home Edition in Safe mode. To start the Windows XP Home Edition computer in Safe mode, follow these steps.
Note Print these instructions before you continue. You cannot view these instructions after you restart the computer in Safe Mode. If you use the NTFS file system, also print the instructions from Knowledge Base article KB309531. Step 7 contains a reference to the article. 1. Click Start, click Shut Down (or click Turn Off Computer), click Restart, and then click OK (or click Restart). 2. Press the F8 key. On a computer that is configured to start to multiple operating systems, you can press F8 when you see the Startup menu. 3. Use the arrow keys to select the appropriate Safe mode option, and then press ENTER. 4. If you have a dual-boot or multiple-boot system, use the arrow keys to select the installation that you want to access, and then press ENTER. In part two, you copy the registry files from their backed up location by using System Restore. This folder is not available in Recovery Console and is generally not visible during typical usage. Before you start this procedure, you must change several settings to make the folder visible: 1. 2. 3. 4.
Start Windows Explorer. On the Tools menu, click Folder options. Click the View tab. Under Hidden files and folders, click to select Show hidden files and folders, and then click to clear the Hide protected operating system files (Recommended) check box. 5. Click Yes when the dialog box that confirms that you want to display these files appears. 6. Double-click the drive where you installed Windows XP to display a list of the folders. If is important to click the correct drive. 7. Open the System Volume Information folder. This folder is unavailable and appears dimmed because it is set as a super-hidden folder. Note This folder contains one or more _restore {GUID} folders such as "_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}". 8. Open a folder that was not created at the current time. You may have to click Details on the View menu to see when these folders were created. There may be one or more folders starting with "RPx under this folder. These are restore points. 9. Open one of these folders to locate a Snapshot subfolder. The following path is an example of a folder path to the Snapshot folder: C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EBA81BE6EE3ED8}\RP1\Snapshot
10.From the Snapshot folder, copy the following files to the C:\Windows\Tmp folder: o _REGISTRY_USER_.DEFAULT o _REGISTRY_MACHINE_SECURITY o _REGISTRY_MACHINE_SOFTWARE o _REGISTRY_MACHINE_SYSTEM o _REGISTRY_MACHINE_SAM 11.Rename the files in the C:\Windows\Tmp folder as follows: o Rename _REGISTRY_USER_.DEFAULT to DEFAULT o Rename _REGISTRY_MACHINE_SECURITY to SECURITY o Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE o Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM o Rename _REGISTRY_MACHINE_SAM to SAM These files are the backed up registry files from System Restore. Because you used the registry file that the Setup program created, this registry does not know that these restore points exist and are available. A new folder is created with a new GUID under System Volume Information and a restore point is created that includes a copy of the registry files that were copied during part one. Therefore, it is important not to use the most current folder, especially if the time stamp on the folder is the same as the current time. The current system configuration is not aware of the previous restore points. You must have a previous copy of the registry from a previous restore point to make the previous restore points available again. The registry files that were copied to the Tmp folder in the C:\Windows folder are moved to make sure that the files are available under Recovery Console. You must use these files to replace the registry files currently in the C:\Windows\System32\Config folder. By default, Recovery Console has limited folder access and cannot copy files from the System Volume folder. Part Three In part three, you delete the existing registry files, and then copy the System Restore Registry files to the C:\Windows\System32\Config folder: 1. Start Recovery Console. 2. At the command prompt, type the following lines, pressing ENTER after you type each line: del c:\windows\system32\config\sam del c:\windows\system32\config\security del c:\windows\system32\config\software
del c:\windows\system32\config\default del c:\windows\system32\config\system copy c:\windows\tmp\software c:\windows\system32\config\software copy c:\windows\tmp\system c:\windows\system32\config\system copy c:\windows\tmp\sam c:\windows\system32\config\sam copy c:\windows\tmp\security c:\windows\system32\config\security copy c:\windows\tmp\default c:\windows\system32\config\default Note Some of these command lines may be wrapped for readability. 3. Type exit to quit Recovery Console. Your computer restarts. Note This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location. If you have access to another computer, to save time, you can copy the text in step two, and then create a text file called "Regcopy2.txt" (for example). To use this file, run the following command when you start in Recovery Console: batch regcopy2.txt Part Four 1. Click Start, and then click All Programs. 2. Click Accessories, and then click System Tools. 3. Click System Restore, and then click Restore to a previous RestorePoint.
How to gain access to the System Volume Information folder To gain access to the System Volume Information folder, use the steps in the appropriate section. Microsoft Windows XP Professional or Windows XP Home Edition Using the FAT32 File System 1. Click Start, and then click My Computer. 2. On the Tools menu, click Folder Options. 3. On the View tab, click Show hidden files and folders.
4. Clear the Hide protected operating system files (Recommended) check box. Click Yes when you are prompted to confirm the change. 5. Click OK. 6. Double-click the System Volume Information folder in the root folder to open it. Windows XP Professional using the NTFS File System on a Workgroup or Standalone Computer 1. 2. 3. 4. 5. 6. 7. 8. 9.
Click Start, and then click My Computer. On the Tools menu, click Folder Options. On the View tab, click Show hidden files and folders. Clear the Hide protected operating system files (Recommended) check box. Click Yes when you are prompted to confirm the change. Clear the Use simple file sharing (Recommended) check box. Click OK. Right-click the System Volume Information folder in the root folder, and then click Properties. Click the Security tab. Click Add, and then type the name of the user to whom you want to give access to the folder. Typically, this is the account with which you are logged on. Click OK, and then click OK again.
Double-click the System Volume Information folder in the root folder to open it. Using CACLS with Windows XP Home Edition Using the NTFS File System In Windows XP Home Edition with the NTFS file system, you can also use the Cacls tool, which is a command-line tool, to display or modify file or folder access control lists (ACLs). For more information about the Cacls tool, including usage and switches, search the Help and Support Center for "cacls." 1. Click Start, click Run, type cmd, and then click OK. 2. Make sure that you are in the root folder of the partition for which you want to gain access to the System Volume Information folder. For example, to gain access the C:\System Volume Information folder, make sure that you are in the root folder of drive C (at a "C:\" prompt). 3. Type the following line, and then press ENTER: cacls "driveletter:\System Volume Information" /E /G username:F Make sure to type the quotation marks as indicated. This command adds the specified user to the folder with Full Control permissions. 4. Double-click the System Volume Information folder in the root folder to open it. 5. If you need to remove the permissions after troubleshooting, type the following line at a command prompt:
cacls "driveletter:\System Volume Information" /E /R username This command removes all permissions for the specified user.
The following steps also work if you restart the computer to Safe mode because simple file sharing is automatically turned off when you run the computer in Safe mode. 1. Open My Computer, right-click the System Volume Information folder, and then click Properties. 2. Click the Security tab. 3. Click Add, and then type the name of the user to whom you want to give access to the folder. Typically, this is the account with which you are logged on. 4. Click OK, and then click OK again. 5. Double-click the System Volume Information folder to open it.
Related Documents
Registry Windows
November 2019 26
Windows Registry
May 2020 15
Windows Xp Registry Tweaks
May 2020 19
What Is Windows Registry
April 2020 12
Hacking Windows Registry
November 2019 18