Developer(s) | Microsoft |
---|---|
Initial release | April 6, 1992 with Windows 3.1 |
Operating system | Microsoft Windows |
Platform | IA-32, x86-64 and ARM (and historically DEC Alpha, Itanium, MIPS, and PowerPC) |
Included with | Microsoft Windows |
Type | Hierarchical database |
License | Proprietary |
Website | learn |
The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interfaces can all use the registry. The registry also allows access to counters for profiling system performance.
In other words, the registry or Windows Registry contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows operating systems. For example, when a program is installed, a new subkey containing settings such as a program's location, its version, and how to start the program, are all added to the Windows Registry.
When introduced with Windows 3.1, the Windows Registry primarily stored configuration information for COM-based components. Windows 95 and Windows NT extended its use to rationalize and centralize the information in the profusion of INI files, which held the configurations for individual programs, and were stored at various locations. [1] [2] It is not a requirement for Windows applications to use the Windows Registry. For example, .NET Framework applications use XML files for configuration, while portable applications usually keep their configuration files with their executables.
Prior to the Windows Registry, .INI files stored each program's settings as a text file or binary file, often located in a shared location that did not provide user-specific settings in a multi-user scenario. By contrast, the Windows Registry stores all application settings in one logical repository (but a number of discrete files) and in a standardized form. According to Microsoft, this offers several advantages over .INI files. [2] [3] Since file parsing is done much more efficiently with a binary format, it may be read from or written to more quickly than a text INI file. Furthermore, strongly typed data can be stored in the registry, as opposed to the text information stored in .INI files. This is a benefit when editing keys manually using regedit.exe
, the built-in Windows Registry Editor. Because user-based registry settings are loaded from a user-specific path rather than from a read-only system location, the registry allows multiple users to share the same machine, and also allows programs to work for less privileged users. Backup and restoration is also simplified as the registry can be accessed over a network connection for remote management/support, including from scripts, using the standard set of APIs, as long as the Remote Registry service is running and firewall rules permit this.
Because the registry is a database, it offers improved system integrity with features such as atomic updates. If two processes attempt to update the same registry value at the same time, one process's change will precede the other's and the overall consistency of the data will be maintained. Where changes are made to .INI files, such race conditions can result in inconsistent data that does not match either attempted update. Windows Vista and later operating systems provide transactional updates to the registry by means of the Kernel Transaction Manager, extending the atomicity guarantees across multiple key or value changes with traditional commit–abort semantics. (Note however that NTFS provides such support for the file system as well, so the same guarantees could, in theory, be obtained with traditional configuration files.)
The registry contains two basic elements: keys and values. Registry keys are container objects similar to folders. Registry values are non-container objects similar to files. Keys may contain values and subkeys. Keys are referenced with a syntax similar to Windows' path names, using backslashes to indicate levels of hierarchy. Keys must have a case insensitive name without backslashes.
The hierarchy of registry keys can only be accessed from a known root key handle (which is anonymous but whose effective value is a constant numeric handle) that is mapped to the content of a registry key preloaded by the kernel from a stored "hive", or to the content of a subkey within another root key, or mapped to a registered service or DLL that provides access to its contained subkeys and values.
E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE root key.
There are seven predefined root keys, traditionally named according to their constant handles defined in the Win32 API, or by synonymous abbreviations (depending on applications): [4]
Like other files and services in Windows, all registry keys may be restricted by access control lists (ACLs), depending on user privileges, or on security tokens acquired by applications, or on system security policies enforced by the system (these restrictions may be predefined by the system itself, and configured by local system administrators or by domain administrators). Different users, programs, services or remote systems may only see some parts of the hierarchy or distinct hierarchies from the same root keys.
Registry values are name/data pairs stored within keys. Registry values are referenced separately from registry keys. Each registry value stored in a registry key has a unique name whose letter case is not significant. The Windows API functions that query and manipulate registry values take value names separately from the key path or handle that identifies the parent key. Registry values may contain backslashes in their names, but doing so makes them difficult to distinguish from their key paths when using some legacy Windows Registry API functions (whose usage is deprecated in Win32).
The terminology is somewhat misleading, as each registry key is similar to an associative array, where standard terminology would refer to the name part of each registry value as a "key". The terms are a holdout from the 16-bit registry in Windows 3, in which registry keys could not contain arbitrary name/data pairs, but rather contained only one unnamed value (which had to be a string). In this sense, the Windows 3 registry was like a single associative array, in which the keys (in the sense of both 'registry key' and 'associative array key') formed a hierarchy, and the registry values were all strings. When the 32-bit registry was created, so was the additional capability of creating multiple named values per key, and the meanings of the names were somewhat distorted. [6] For compatibility with the previous behavior, each registry key may have a "default" value, whose name is the empty string.
Each value can store arbitrary data with variable length and encoding, but which is associated with a symbolic type (defined as a numeric constant) defining how to parse this data. The standard types are: [7]
Type ID | Symbolic type name | Meaning and encoding of the data stored in the registry value |
---|---|---|
0 | REG_NONE | No type (the stored value, if any) |
1 | REG_SZ | A string value, normally stored and exposed in UTF-16LE (when using the Unicode version of Win32 API functions), usually terminated by a NUL character |
2 | REG_EXPAND_SZ | An "expandable" string value that can contain environment variables, normally stored and exposed in UTF-16LE, usually terminated by a NUL character |
3 | REG_BINARY | Binary data (any arbitrary data) |
4 | REG_DWORD / REG_DWORD_LITTLE_ENDIAN | A DWORD value, a 32-bit unsigned integer (numbers between 0 and 4,294,967,295 [232 – 1]) (little-endian) |
5 | REG_DWORD_BIG_ENDIAN | A DWORD value, a 32-bit unsigned integer (numbers between 0 and 4,294,967,295 [232 – 1]) (big-endian) |
6 | REG_LINK | A symbolic link (UNICODE) to another registry key, specifying a root key and the path to the target key |
7 | REG_MULTI_SZ | A multi-string value, which is an ordered list of non-empty strings, normally stored and exposed in Unicode, each one terminated by a null character, the list being normally terminated by a second null character. [8] |
8 | REG_RESOURCE_LIST | A resource list (used by the Plug-n-Play hardware enumeration and configuration) |
9 | REG_FULL_RESOURCE_DESCRIPTOR | A resource descriptor (used by the Plug-n-Play hardware enumeration and configuration) |
10 | REG_RESOURCE_REQUIREMENTS_LIST | A resource requirements list (used by the Plug-n-Play hardware enumeration and configuration) |
11 | REG_QWORD / REG_QWORD_LITTLE_ENDIAN | A QWORD value, a 64-bit integer (either big- or little-endian, or unspecified) (introduced in Windows 2000) [9] |
The keys at the root level of the hierarchical database are generally named by their Windows API definitions, which all begin "HKEY". [2] They are frequently abbreviated to a three- or four-letter short name starting with "HK" (e.g. HKCU and HKLM). Technically, they are predefined handles (with known constant values) to specific keys that are either maintained in memory, or stored in hive files stored in the local filesystem and loaded by the system kernel at boot time and then shared (with various access rights) between all processes running on the local system, or loaded and mapped in all processes started in a user session when the user logs on the system.
The HKEY_LOCAL_MACHINE (local machine-specific configuration data) and HKEY_CURRENT_USER (user-specific configuration data) nodes have a similar structure to each other; user applications typically look up their settings by first checking for them in "HKEY_CURRENT_USER\Software\Vendor's name\Application's name\Version\Setting name", and if the setting is not found, look instead in the same location under the HKEY_LOCAL_MACHINE key. However, the converse may apply for administrator-enforced policy settings where HKLM may take precedence over HKCU. The Windows Logo Program has specific requirements for where different types of user data may be stored, and that the concept of least privilege be followed so that administrator-level access is not required to use an application. [lower-alpha 1] [10]
Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are specific to the local computer. [11]
The key located by HKLM is actually not stored on disk, but maintained in memory by the system kernel in order to map all the other subkeys. Applications cannot create any additional subkeys. On Windows NT, this key contains four subkeys, "SAM", "SECURITY", "SYSTEM", and "SOFTWARE", that are loaded at boot time within their respective files located in the %SystemRoot%\System32\config\ folder. A fifth subkey, "HARDWARE", is volatile and is created dynamically, and as such is not stored in a file (it exposes a view of all the currently detected Plug-and-Play devices). On Windows Vista and above, a sixth and seventh subkey, "COMPONENTS" and "BCD", are mapped in memory by the kernel on-demand and loaded from %SystemRoot%\System32\config\COMPONENTS or from boot configuration data, \boot\BCD on the system partition.
Even though the registry presents itself as an integrated hierarchical database, branches of the registry are actually stored in a number of disk files called hives. [17] (The word hive constitutes an in-joke.) [18]
Some hives are volatile and are not stored on disk at all. An example of this is the hive of the branch starting at HKLM\HARDWARE. This hive records information about system hardware and is created each time the system boots and performs hardware detection.
Individual settings for users on a system are stored in a hive (disk file) per user. During user login, the system loads the user hive under the HKEY_USERS key and sets the HKCU (HKEY_CURRENT_USER) symbolic reference to point to the current user. This allows applications to store/retrieve settings for the current user implicitly under the HKCU key.
Not all hives are loaded at any one time. At boot time, only a minimal set of hives are loaded, and after that, hives are loaded as the operating system initializes and as users log in or whenever a hive is explicitly loaded by an application.
The registry is physically stored in several files, which are generally obfuscated from the user-mode APIs used to manipulate the data inside the registry. Depending upon the version of Windows, there will be different files and different locations for these files, but they are all on the local machine. The location for system registry files in Windows NT is %SystemRoot%\System32\config\
; the user-specific HKEY_CURRENT_USER user registry hive is stored in Ntuser.dat
inside the user profile. There is one of these per user; if a user has a roaming profile, then this file will be copied to and from a server at logout and login respectively. A second user-specific registry file named UsrClass.dat contains COM registry entries and does not roam by default.
Windows NT systems store the registry in a binary file format which can be exported, loaded and unloaded by the Registry Editor in these operating systems. The following system registry files are stored in %SystemRoot%\System32\config\
:
Sam
– HKEY_LOCAL_MACHINE\SAMSecurity
– HKEY_LOCAL_MACHINE\SECURITYSoftware
– HKEY_LOCAL_MACHINE\SOFTWARESystem
– HKEY_LOCAL_MACHINE\SYSTEMDefault
– HKEY_USERS\.DEFAULTUserdiff
– Not associated with a hive. Used only when upgrading operating systems. [19] The following file is stored in each user's profile folder:
%USERPROFILE%\Ntuser.dat
– HKEY_USERS\<User SID> (linked to by HKEY_CURRENT_USER)For Windows 2000, Server 2003 and Windows XP, the following additional user-specific file is used for file associations and COM information:
%USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat
(path is localized) – HKEY_USERS\<User SID>_Classes (HKEY_CURRENT_USER\Software\Classes)For Windows Vista and later, the path was changed to:
%USERPROFILE%\AppData\Local\Microsoft\Windows\Usrclass.dat
(path is not localized) alias %LocalAppData%\Microsoft\Windows\Usrclass.dat
– HKEY_USERS\<User SID>_Classes (HKEY_CURRENT_USER\Software\Classes)Windows 2000 keeps an alternate copy of the registry hives (.ALT) and attempts to switch to it when corruption is detected. [20] Windows XP and Windows Server 2003 do not maintain a System.alt
hive because NTLDR on those versions of Windows can process the System.log
file to bring up to date a System hive that has become inconsistent during a shutdown or crash. In addition, the %SystemRoot%\Repair
folder contains a copy of the system's registry hives that were created after installation and the first successful startup of Windows.
Each registry data file has an associated file with a ".log" extension that acts as a transaction log that is used to ensure that any interrupted updates can be completed upon next startup. [21] Internally, Registry files are split into 4 kB "bins" that contain collections of "cells". [21]
The registry files are stored in the %WINDIR%
directory under the names USER.DAT
and SYSTEM.DAT
with the addition of CLASSES.DAT
in Windows ME. Also, each user profile (if profiles are enabled) has its own USER.DAT
file which is located in the user's profile directory in %WINDIR%\Profiles\<Username>\
.
The only registry file is called REG.DAT
and it is stored in the %WINDIR%
directory.
To access the registry files, the device needs to be set in a special mode using either:
If any of the above methods worked, the device's registry files can be found in the following location:
{Phone}\EFIESP\Windows\System32\config
The registry contains important configuration information for the operating system, for installed applications as well as individual settings for each user and application. A careless change to the operating system configuration in the registry could cause irreversible damage, so it is usually only installer programs which perform changes to the registry database during installation/configuration and removal. If a user wants to edit the registry manually, Microsoft recommends that a backup of the registry be performed before the change. [22] When a program is removed from control panel, it may not be completely removed and, in case of errors or glitches caused by references to missing programs, the user might have to manually check inside directories such as program files. After this, the user might need to manually remove any reference to the uninstalled program in the registry. This is usually done by using RegEdit.exe. [23] Editing the registry is sometimes necessary when working around Windows-specific issues e.g. problems when logging onto a domain can be resolved by editing the registry. [24]
Windows Registry can be edited manually using programs such as RegEdit.exe, although these tools do not expose some of the registry's metadata such as the last modified date.
The registry editor for the 3.1/95 series of operating systems is RegEdit.exe and for Windows NT it is RegEdt32.exe; the functionalities are merged in Windows XP. Optional and third-party tools similar to RegEdit.exe are available for many Windows CE versions.
Registry Editor allows users to perform the following functions:
REG
files, exporting data in the binary hive format.REG
files.REG
files (also known as Registration entries) are text-based human-readable files for exporting and importing portions of the registry using an INI-based syntax. On Windows 2000 and later, they contain the string Windows Registry Editor Version 5.00 at the beginning, while on Windows 9x and NT 4.0 systems, they contain the string REGEDIT4. [26] Windows 2000 and later REG files are Unicode-based, while on Windows 9x and NT 4.0 systems, they are ANSI-based. [ citation needed ] Windows 9x format .REG
files are compatible with Windows 2000 and later. [26] The Registry Editor on Windows on these systems also supports exporting .REG
files in Windows 9x/NT format.[ citation needed ] Data is stored in .REG
files using the following syntax: [26]
[<Hivename>\<Keyname>\<Subkeyname>]"Value name"=<Value type>:<Value data>
The Default Value of a key can be edited by using "@" instead of "Value Name":
[<Hivename>\<Keyname>\<Subkeyname>]@=<Value type>:<Value data>
String values do not require a <Value type> (see example), but backslashes ('\') need to be written as a double-backslash ('\\'), and quotes ('"') as backslash-quote ('\"').
For example, to add the values "Value A", "Value B", "Value C", "Value D", "Value E", "Value F", "Value G", "Value H", "Value I", "Value J", "Value K", "Value L", and "Value M" to the HKLM\SOFTWARE\Foobar key:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Foobar]"Value A"="<String value data with escape characters>""Value B"=hex:<Binary data (as comma-delimited list of hexadecimal values)>"Value C"=dword:<DWORD value integer>"Value D"=hex(0):<REG_NONE (as comma-delimited list of hexadecimal values)>"Value E"=hex(1):<REG_SZ (as comma-delimited list of hexadecimal values representing a UTF-16LE NUL-terminated string)>"Value F"=hex(2):<Expandable string value data (as comma-delimited list of hexadecimal values representing a UTF-16LE NUL-terminated string)>"Value G"=hex(3):<Binary data (as comma-delimited list of hexadecimal values)> ; equal to "Value B""Value H"=hex(4):<DWORD value (as comma-delimited list of 4 hexadecimal values, in little endian byte order)>"Value I"=hex(5):<DWORD value (as comma-delimited list of 4 hexadecimal values, in big endian byte order)>"Value J"=hex(7):<Multi-string value data (as comma-delimited list of hexadecimal values representing UTF-16LE NUL-terminated strings)>"Value K"=hex(8):<REG_RESOURCE_LIST (as comma-delimited list of hexadecimal values)>"Value L"=hex(a):<REG_RESOURCE_REQUIREMENTS_LIST (as comma-delimited list of hexadecimal values)>"Value M"=hex(b):<QWORD value (as comma-delimited list of 8 hexadecimal values, in little endian byte order)>
Data from .REG
files can be added/merged with the registry by double-clicking these files or using the /s switch in the command line. REG
files can also be used to remove registry data.
To remove a key (and all subkeys, values and data), the key name must be preceded by a minus sign ("-"). [26]
For example, to remove the HKLM\SOFTWARE\Foobar key (and all subkeys, values and data),
[-HKEY_LOCAL_MACHINE\SOFTWARE\Foobar]
To remove a value (and its data), the values to be removed must have a minus sign ("-") after the equal sign ("="). [26]
For example, to remove only the "Value A" and "Value B" values (and their data) from the HKLM\SOFTWARE\Foobar key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Foobar]"Value A"=-"Value B"=-
To remove only the Default value of the key HKLM\SOFTWARE\Foobar (and its data):
[HKEY_LOCAL_MACHINE\SOFTWARE\Foobar]@=-
Lines beginning with a semicolon are considered comments:
; This is a comment. This can be placed in any part of a .reg file[HKEY_LOCAL_MACHINE\SOFTWARE\Foobar]"Value"="Example string"
Windows group policies can change registry keys for a number of machines or individual users based on policies. When a policy first takes effect for a machine or for an individual user of a machine, the registry settings specified as part of the policy are applied to the machine or user settings.
Windows will also look for updated policies and apply them periodically, typically every 90 minutes. [27]
Through its scope a policy defines to which machines and users the policy is to be applied. Whether a machine or user is within the scope of a policy or not is defined by a set of rules which can filter on the location of the machine or user account in organizational directory, specific users or machine accounts or security groups. More advanced rules can be set up using Windows Management Instrumentation expressions. Such rules can filter on properties such as computer vendor name, CPU architecture, installed software, or networks connected to.
For instance, the administrator can create a policy with one set of registry settings for machines in the accounting department and policy with another (lock-down) set of registry settings for kiosk terminals in the visitors area. When a machine is moved from one scope to another (e.g., changing its name or moving it to another organizational unit), the correct policy is automatically applied. When a policy is changed it is automatically re-applied to all machines currently in its scope.
The policy is edited through a number of administrative templates which provides a user interface for picking and changing settings. The set of administrative templates is extensible and software packages which support such remote administration can register their own templates.
Developer(s) | Microsoft |
---|---|
Operating system | Microsoft Windows |
Type | Command |
License | Proprietary commercial software |
Website | docs |
The registry can be manipulated in a number of ways from the command line. The Reg.exe
and RegIni.exe
utility tools are included in Windows XP and later versions of Windows. Alternative locations for legacy versions of Windows include the Resource Kit CDs or the original Installation CD of Windows.
Also, a .REG
file can be imported from the command line with the following command:
RegEdit.exe /s file
The /s means the file will be silent merged to the registry. If the /s
parameter is omitted the user will be asked to confirm the operation. In Windows 98, Windows 95 and at least some configurations of Windows XP the /s
switch also causes RegEdit.exe
to ignore the setting in the registry that allows administrators to disable it. When using the /s
switch RegEdit.exe
does not return an appropriate return code if the operation fails, unlike Reg.exe
which does.
RegEdit.exe /e file
exports the whole registry in V5 format to a UNICODE .REG
file, while any of
RegEdit.exe /e file HKEY_CLASSES_ROOT[\<key>] RegEdit.exe /e file HKEY_CURRENT_CONFIG[\<key>] RegEdit.exe /e file HKEY_CURRENT_USER[\<key>] RegEdit.exe /e file HKEY_LOCAL_MACHINE[\<key>] RegEdit.exe /e file HKEY_USERS[\<key>]
export the specified (sub)key (which has to be enclosed in quotes if it contains spaces) only.
RegEdit.exe /a file
exports the whole registry in V4 format to an ANSI .REG
file.
RegEdit.exe /a file<key>
exports the specified (sub)key (which has to be enclosed in quotes if it contains spaces) only.
It is also possible to use Reg.exe
. Here is a sample to display the value of the registry value Version:
Reg.exe QUERY HKLM\Software\Microsoft\ResKit /v Version
Other command line options include a VBScript or JScript together with CScript, WMI or WMIC.exe
and Windows PowerShell.
Registry permissions can be manipulated through the command line using RegIni.exe
and the SubInACL.exe
tool. For example, the permissions on the HKEY_LOCAL_MACHINE\SOFTWARE key can be displayed using:
SubInACL.exe /keyreg HKEY_LOCAL_MACHINE\SOFTWARE /display
Windows PowerShell comes with a registry provider which presents the registry as a location type similar to the file system. The same commands used to manipulate files and directories in the file system can be used to manipulate keys and values of the registry. [28]
Also like the file system, PowerShell uses the concept of a current location which defines the context on which commands by default operate. The Get-ChildItem
(also available through the aliases ls
, dir
or gci
) retrieves the child keys of the current location. By using the Set-Location
(or the alias cd
) command the user can change the current location to another key of the registry. [28] Commands which rename items, remove items, create new items or set content of items or properties can be used to rename keys, remove keys or entire sub-trees or change values.
Through PowerShell scripts files, an administrator can prepare scripts which, when executed, make changes to the registry. Such scripts can be distributed to administrators who can execute them on individual machines. The PowerShell Registry provider supports transactions, i.e. multiple changes to the registry can be bundled into a single atomic transaction. An atomic transaction ensures that either all of the changes are committed to the database, or if the script fails, none of the changes are committed to the database. [28] [29]
The registry can be edited through the APIs of the Advanced Windows 32 Base API Library (advapi32.dll). [30] List of registry API functions:
Many programming languages offer built-in runtime library functions or classes that wrap the underlying Windows APIs and thereby enable programs to store settings in the registry (e.g. Microsoft.Win32.Registry
in VB.NET and C#, or TRegistry
in Delphi and Free Pascal). COM-enabled applications like Visual Basic 6 can use the WSH WScript.Shell
object. Another way is to use the Windows Resource Kit Tool, Reg.exe
by executing it from code, [31] although this is considered poor programming practice.
Similarly, scripting languages such as Perl (with Win32::TieRegistry
), Python (with winreg), TCL (which comes bundled with the registry package), [32] Windows Powershell and Windows Scripting Host also enable registry editing from scripts.
The offreg.dll [33] available from the Windows Driver Kit offers a set of APIs for the creation and manipulation of currently not loaded registry hives similar to those provided by advapi32.dll.
It is also possible to edit the registry (hives) of an offline system from Windows PE or Linux (in the latter case using open source tools).
Prior to the introduction of registration-free COM, developers were encouraged to add initialization code to in-process and out-of-process binaries to perform the registry configuration required for that object to work. For in-process binaries such as .DLL and .OCX files, the modules typically exported a function called DllInstall() [34] that could be called by installation programs or invoked manually with utilities like Regsvr32.exe; [35] out-of-process binaries typically support the commandline arguments /Regserver and /Unregserver that created or deleted the required registry settings. [36] COM applications that break because of DLL Hell issues can commonly be repaired with RegSvr32.exe or the /RegServer switch without having to re-invoke installation programs. [37]
Windows exposes APIs that allows user-mode applications to register to receive a notification event if a particular registry key is changed. [38] APIs are also available to allow kernel-mode applications to filter and modify registry calls made by other applications. [39]
Windows also supports remote access to the registry of another computer via the RegConnectRegistry
function [40] if the Remote Registry service is running, correctly configured and its network traffic is not firewalled. [41]
Each key in the registry of Windows NT versions can have an associated security descriptor. The security descriptor contains an access control list (ACL) that describes which user groups or individual users are granted or denied access permissions. The set of registry permissions include 10 rights/permissions which can be explicitly allowed or denied to a user or a group of users.
Permission | Description |
---|---|
Query Value | The right to read the registry key value. |
Set Value | The right to write a new value |
Create Subkey | The right to create subkeys. |
Enumerate Subkeys | Allow the enumeration of subkeys. |
Notify | The right to request change notifications for registry keys or subkeys. |
Create Link | Reserved by the operating system. |
Delete | The right to delete a key. |
Write DACL | The right to modify permissions of the container's DACL. |
Write Owner | The right to modify the container's owner. |
Read Control | The right to read the DACL. |
As with other securable objects in the operating system, individual access control entries (ACE) on the security descriptor can be explicit or inherited from a parent object. [42]
Windows Resource Protection is a feature of Windows Vista and later versions of Windows that uses security to deny Administrators and the system WRITE access to some sensitive keys to protect the integrity of the system from malware and accidental modification. [43]
Special ACEs on the security descriptor can also implement mandatory integrity control for the registry key and subkeys. A process running at a lower integrity level cannot write, change or delete a registry key/value, even if the account of the process has otherwise been granted access through the ACL. For instance, Internet Explorer running in Protected Mode can read medium and low integrity registry keys/values of the currently logged on user, but it can only modify low integrity keys. [44]
Outside security, registry keys cannot be deleted or edited due to other causes. Registry keys containing NUL characters cannot be deleted with standard registry editors and require a special utility for deletion, such as RegDelNull. [45] [46]
Different editions of Windows have supported a number of different methods to back up and restore the registry over the years, some of which are now deprecated:
HKLM\SYSTEM\CurrentControlSet
key, which stores hardware and device driver information.%Windir%\Sysbckup
Scanreg.exe can also run from MS-DOS. [48] RDISK.EXE
, a utility to back up and restore the entire registry. [49] Windows 2000 and later versions of Windows use Group Policy to enforce registry settings through a registry-specific client extension in the Group Policy processing engine. [52] Policy may be applied locally to a single computer using gpedit.msc
or to multiple users and computers in a domain using gpmc.msc
.
With Windows 95, Windows 98, Windows ME and Windows NT 4.0, administrators can use a special file to be merged into the registry, called a policy file (POLICY.POL
). The policy file allows administrators to prevent non-administrator users from changing registry settings like, for instance, the security level of Internet Explorer and the desktop background wallpaper. The policy file is primarily used in a business with a large number of computers where the business needs to be protected from rogue or careless users.
The default extension for the policy file is .POL
. The policy file filters the settings it enforces by user and by group (a "group" is a defined set of users). To do that the policy file merges into the registry, preventing users from circumventing it by simply changing back the settings. The policy file is usually distributed through a LAN, but can be placed on the local computer.
The policy file is created by a free tool by Microsoft that goes by the filename poledit.exe
for Windows 95/Windows 98 and with a computer management module for Windows NT. The editor requires administrative permissions to be run on systems that uses permissions. The editor can also directly change the current registry settings of the local computer and if the remote registry service is installed and started on another computer it can also change the registry on that computer. The policy editor loads the settings it can change from .ADM
files, of which one is included, that contains the settings the Windows shell provides. The .ADM
file is plain text and supports easy localisation by allowing all the strings to be stored in one place.
Windows NT kernels support redirection of INI file-related APIs into a virtual file in a registry location such as HKEY_CURRENT_USER using a feature called "InifileMapping". [53] This functionality was introduced to allow legacy applications written for 16-bit versions of Windows to be able to run under Windows NT platforms on which the System folder is no longer considered an appropriate location for user-specific data or configuration. Non-compliant 32-bit applications can also be redirected in this manner, even though the feature was originally intended for 16-bit applications.
Windows Vista introduced limited registry virtualization, whereby poorly written applications that do not respect the principle of least privilege and instead try to write user data to a read-only system location (such as the HKEY_LOCAL_MACHINE hive), are silently redirected to a more appropriate location, without changing the application itself.
Similarly, application virtualization redirects all of an application's invalid registry operations to a location such as a file. Used together with file virtualization, this allows applications to run on a machine without being installed on it.
Low integrity processes may also use registry virtualization. For example, Internet Explorer 7 or 8 running in "Protected Mode" on Windows Vista and above will automatically redirect registry writes by ActiveX controls to a sandboxed location in order to frustrate some classes of security exploits.
The Application Compatibility Toolkit [54] provides shims that can transparently redirect HKEY_LOCAL_MACHINE or HKEY_CLASSES_ROOT Registry operations to HKEY_CURRENT_USER to address "LUA" bugs that cause applications not to work for users with insufficient rights.
Critics labeled the registry in Windows 95 a single point of failure, because re-installation of the operating system was required if the registry became corrupt. However, Windows NT uses transaction logs to protect against corruption during updates. Current versions of Windows use two levels of log files to ensure integrity even in the case of power failure or similar catastrophic events during database updates. [55] Even in the case of a non-recoverable error, Windows can repair or re-initialize damaged registry entries during system boot. [55]
This section needs additional citations for verification .(November 2010) |
In Windows, use of the registry for storing program data is a matter of developer's discretion. Microsoft provides programming interfaces for storing data in XML files (via MSXML) or database files (via SQL Server Compact) which developers can use instead. Developers are also free to use non-Microsoft alternatives or develop their own proprietary data stores.
In contrast to Windows Registry's binary-based database model, some other operating systems use separate plain-text files for daemon and application configuration, but group these configurations together for ease of management.
/etc/
and its subdirectories, or sometimes in /usr/local/etc/
. Per-user information (information that would be roughly equivalent to that in HKEY_CURRENT_USER) is stored in hidden directories and files (that start with a period/full stop) within the user's home directory. However XDG-compliant applications should refer to the environment variables defined in the Base Directory specification. [56] /Library/
folder, whereas per-user configuration files are stored in the corresponding ~/Library/
folder in the user's home directory, and configuration files set by the system are in /System/Library/
. Within these respective directories, an application typically stores a property list file in the Preferences/
sub-directory./etc/objrepos
.The following table shows other difficulties or limitations caused by using .INI files that are overcome by using the Registry.
{{cite book}}
: CS1 maint: multiple names: authors list (link)NTLDR is the boot loader for all releases of Windows NT operating system from 1993 with the release of Windows NT 3.1 up until Windows XP and Windows Server 2003. From Windows Vista onwards it was replaced by the BOOTMGR bootloader. NTLDR is typically run from the primary storage device, but it can also run from portable storage devices such as a CD-ROM, USB flash drive, or floppy disk. NTLDR can also load a non NT-based operating system given the appropriate boot sector in a file.
In computing, configuration files are files used to configure the parameters and initial settings for some computer programs or applications, server processes and operating system settings.
The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1, 10 and 11 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory authenticates remote users. SAM uses cryptographic measures to prevent unauthenticated users accessing the system.
Control Panel is a component of Microsoft Windows that provides the ability to view and change system settings. It consists of a set of applets that include adding or removing hardware and software, controlling user accounts, changing accessibility options, and accessing networking settings. Additional applets are provided by third parties, such as audio and video drivers, VPN tools, input devices, and networking tools.
AutoRun and the companion feature AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted.
AutoPlay, a feature introduced in Windows 98, examines newly discovered removable media and devices and, based on content such as pictures, music or video files, launches an appropriate application to play or display the content. It is closely related to the AutoRun operating system feature. AutoPlay was created in order to simplify the use of peripheral devices – MP3 players, memory cards, USB storage devices and others – by automatically starting the software needed to access and view the content on these devices. AutoPlay can be enhanced by AutoPlay-compatible software and hardware. It can be configured by the user to associate favourite applications with AutoPlay events and actions.
System Restore is a feature in Microsoft Windows that allows the user to revert their computer's state to that of a previous point in time, which can be used to recover from system malfunctions or other problems. First included in Windows Me, it has been included in all following desktop versions of Windows released since, excluding Windows Server. In Windows 10, System Restore is turned off by default and must be enabled by users in order to function. This does not affect personal files such as documents, music, pictures, and videos.
In computing, SUBST
is a command on the DOS, IBM OS/2, Microsoft Windows and ReactOS operating systems used for substituting paths on physical and logical drives as virtual drives.
As the next version of Windows NT after Windows 2000, as well as the successor to Windows Me, Windows XP introduced many new features but it also removed some others.
ntoskrnl.exe, also known as the kernel image, contains the kernel and executive layers of the Microsoft Windows NT kernel, and is responsible for hardware abstraction, process handling, and memory management. In addition to the kernel and executive layers, it contains the cache manager, security reference monitor, memory manager, scheduler (Dispatcher), and blue screen of death.
In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (SID) is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life, and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed without affecting the security attributes of objects that refer to the principal.
The Session Manager Subsystem, or smss.exe
, is a component of the Microsoft Windows NT family of operating systems, starting in Windows NT 3.1. It is executed during the startup process of those operating systems.
The Windows Boot Manager (BOOTMGR
) is the bootloader provided by Microsoft for Windows NT versions starting with Windows Vista and Windows Server 2008. It is the first program launched by the BIOS or UEFI of the computer and is responsible for loading the rest of Windows. It replaced the NTLDR present in older versions of Windows.
A roaming user profile is a file synchronization concept in the Windows NT family of operating systems that allows users with a computer joined to a Windows domain to log on to any computer on the same domain and access their documents and have a consistent desktop experience, such as applications remembering toolbar positions and preferences, or the desktop appearance staying the same, while keeping all related files stored locally, to not continuously depend on a fast and reliable network connection to a file server.
System Policy Editor is a graphical tool provided with Windows 95, Windows NT 4.0, and Windows 98. System policies are made up from a set of registry entries that control the computer resources available to a user or group of users. These registry entries can be applied to individual users, groups of users, or to anybody logging on to a particular computer.
Microsoft Windows profile refers to the user profile that is used by the Microsoft Windows operating system to represent the characteristics of the user.
The Windows 9x series of operating systems refers to a series of Microsoft Windows operating systems produced from 1995 to 2000. They are based on the Windows 95 kernel which is a monolithic kernel. The basic code is similar in function to MS-DOS. They are 16-/32-bit hybrids and require support from MS-DOS to operate.
In computing, ftype
is a command-line utility on Microsoft Windows that is used to display or change the link between a file type and an executable program.
Service Control Manager (SCM) is a special system process under the Windows NT family of operating systems, which starts, stops and interacts with Windows service processes. It is located in the %SystemRoot%\System32\services.exe
executable. Service processes interact with SCM through a well-defined API, and the same API is used internally by the interactive Windows service management tools such as the MMC snap-in Services.msc
and the command-line Service Control utility sc.exe
. Terminating this file is used as a method of causing the Blue Screen of Death.
Sality is the classification for a family of malicious software (malware), which infects Microsoft Windows systems files. Sality was first discovered in 2003 and has advanced to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks to process intensive tasks. Since 2010, certain variants of Sality have also incorporated rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.