
Windows Registry Editor

%By Edu%
Introduction
The registry is a database that stores all of the operating system's configuration and information. The Registry Editor tool is located by default in the System folder. The 16-bit Windows 95, 98, ME registry tool (application) is called Regedit.exe, while the 32-bit Windows NT4, 2000, XP, 2003 have both the Regedit.exe and Regedt32.exe applications. The files that make up the registry in Windows 95/98/ME are system.dat and user.dat. On Windows NT/2000/XP/2003 the files are SOFTWARE, SYSTEM, SECURITY and SAM.

Main
To open your Registry Editor tool, go to Start, Run and type "regedit" without the quotes. The Regedit window will appear and you will see a main element called "My Computer". When you double click it you will see the Registry ROOT KEYS. They have a 'folder icon' and they are like directories. There are 5 RootKeys. PS: Windows 95 and 98 have a 6th RootKey called HKEY_DYN_DATA. The table below lists the RootKey names with a basic description of each.

ROOT KEY: Description

HKEY_LOCAL_MACHINE: Contains specific configuration information of the computer. (Valid for any user)

HKEY_CURRENT_USER: Contains the base of configuration information for the currently logged-on user. Screen, colors, Control Panel and folder configurations are stored here. This information is called the User Profile.

HKEY_USERS: Contains the bases of all user profiles on the computer. HKEY_CURRENT_USER is a sub-key of HKEY_USERS.

HKEY_CLASSES_ROOT: It is a sub-key of HKEY_LOCAL_MACHINE\SOFTWARE. The information stored here guarantees that the correct program will be executed when you open a file using Windows Explorer.

HKEY_CURRENT_CONFIG: Contains information about the hardware profile used by the local computer at system startup.

HKEY_DYN_DATA: (Windows 95, 98, 98SE only) Contains configuration information that is stored in RAM and statistics gathered for many network components currently in use on the computer. The information in this key is newly created on every Windows startup.

The RootKeys above have keys with sub-keys (left side of the Registry panel). The keys and sub-keys contain values of a valid type and with some data (right side of the Registry panel). These values contain information such as strings and numbers. Some numbers have a specific meaning that will affect the Windows configuration depending on what they are set to. The Windows 9x/ME Registry editor seems to only fully read the REG_SZ, REG_DWORD and REG_BINARY value types. It doesn't display the type in the Regedit window, only the value names and their respective data. The following table provides a quick description of the value types and their properties.
Type: Description

REG_BINARY: Usually hardware-specific data stored in hexadecimal format, as viewed from regedt32.exe. By default, it will be displayed in hex, but the editor can use either binary or hex display.

REG_DWORD: Usually service- or device-related data. The value is numeric, four bytes long, and viewed as hex data, but can be edited as binary, decimal, or hex. To avoid headaches, I also edit it as hex lest I confuse myself.

REG_DWORD_BIG_ENDIAN: This data is stored as a 32-bit value. The data is weighted with the highest-ordered byte first.

REG_SZ: Terminated fixed-length text (Unicode) string. These and other SZ datatypes are given String editors by the registry editor to administer the values.

REG_MULTI_SZ: Multiple data listings, represented by text. These values can be separated by spaces, commas, or other delimiters.

REG_EXPAND_SZ: A data string whose data length may change. An example is the folder path to a file or directory for application and environmental variable support.

REG_LINK: Linked data stored in Unicode format.

REG_FULL_RESOURCE_DESCRIPTOR: When viewed, gives information such as hardware DMA, IRQ, and memory address length. Data is displayed in hex and can be edited using byte, word, or dword format. Regedit.exe gives only a binary editor with hex representation of the data, without regard to specific application of the data.

REG_NONE: When values are not given as to datatype by an application, or the data is encrypted so that Server 2003 is unable to determine the value type.

REG_RESOURCE_LIST: regedt32.exe displays basic type hardware resources: interface type and bus number.

REG_RESOURCE_REQUIREMENTS_LIST: Related to hardware or driver. The value data is represented in hex format. It displays a requirements list that contains elements such as Alternative List, Resource List, Descriptor, Device Type.

REG_QWORD: Just like the REG_DWORD value type. The only difference is that REG_DWORD is a 32-bit number and REG_QWORD is a 64-bit number.

You can edit Registry values to fit your needs or to modify some configuration, but it is extremely important that you know exactly what you are doing and what the effects on the Operating System will be. It is highly recommended that you make a complete backup of the registry before editing it. To do this, right click on the first element, 'My Computer', and then click on 'Export'. All the information in your Registry will be saved in a .REG file that can be edited with Notepad and executed by double-clicking on it. Notice that .REG files are Registry scripts that edit the registry.

Editing the registry means adding, renaming or deleting keys, and modifying, adding or deleting values. To delete a key, right click on the desired key and click 'delete'. To add a new subkey, right click on the main key you want to create it under and click 'new key'. You can set a name for this key.

E.g.: create a key called 'abc' under the 'Software' key of the HKEY_CURRENT_USER root key. Double click on My Computer, then double click the root key HKEY_CURRENT_USER, then double click the key Software and you will see its subkeys, and its values on the right side of the Registry panel. Now right click on 'Software', click 'new', then click 'key' and rename it to ABC.

Suppose now you want to add a string value of type REG_SZ called '123' with value data 'windows'. Right click on the 'ABC' key, click on 'new', then click on 'String Value'. A REG_SZ value will appear on the right side of the Registry screen. Rename it to '123' and press enter. Now double click this value and type 'windows' in the "value data" field. Press enter and you are done.

Now let's add a REG_BINARY value called 'Bin' to the 'ABC' key, with value data 43. Right click the 'ABC' key, click 'New', then click 'Binary value'. Rename this value to 'BIN'. Now double click the 'BIN' value and type '43' in the "value data" field. Notice this field is big and when you type something it is automatically converted to hexadecimal, appearing as a decimal value in the center of the "value data" field and as a hexadecimal value on the right side. On the left side there are 4 digits. These 4 digits appear on each line, depending on the number of lines it took to write the value data. They begin with '0000' on the first line, '0008' on the second line, '0010' on the third and so on. REG_BINARY values can be in hexadecimal or in bytes.

It is possible to add a Registry key to Favorites so that you can open it very quickly without having to open the RootKey, then the sub-key, then the next sub-key and so on. To do this, in your Regedit window, go to the desired key and click it once. Now, at the top of the Regedit window, click "Favorites" and click "Add to Favorites". A small window will show up displaying the name of the key in the white field. You can rename it to whatever you want and click OK. For example, you can add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services to Favorites and name it NT_SERVICES. When you need to quickly access this key, you click Favorites and then select NT_SERVICES. You will be instantly brought to the Services key. It is possible to delete these Favorites as well.

REGEDIT.EXE and REGEDT32.EXE Applications. What's the difference???
The REGEDIT.EXE application, when run, can view and edit keys and values in the registry of NT-based systems, but only partially, because it is intended for 16-bit Windows. Only the REGEDT32.EXE application can fully edit the registry, and it is intended for 32-bit Windows. On Windows NT and 2000, if you use REGEDIT.EXE to edit REG_EXPAND_SZ and REG_MULTI_SZ value types you will have problems, because the value will become a normal REG_SZ type and therefore will not perform the expected action. It is also not possible to edit Security on the registry keys. On Windows XP and 2003, REGEDT32.EXE is only a small tool that opens the REGEDIT.EXE application. Fortunately, the REGEDIT.EXE application on XP and 2003 can fully edit the registry.

Permissions & Restrictions


It's also possible to set up access permissions on Windows 2000, XP, 2003 for RootKeys and sub-keys. To do this, right click on a registry root key or sub-key and click on "Permissions". A new window will appear. There you can select which users can access or modify a specific root key or sub-key, and their access rights. Users with administrator privileges have, by default, full access; that means they can read, write and delete any key or value. Restricted users can only read. They can write or delete some specific keys or values, generally related only to that user. Some keys in the registry cannot even be read by restricted users.

You can customize those settings. A list of existing groups and users of the local computer will be available. You can customize what users have full access to, or restrict access, depending on your needs, by selecting what kind of access a specific user will have to the selected key. You can select, for example, only the read right on that key. Suppose this user is called 1, and you have users 1, 2 and 3, all with admin privileges: when you set up this restriction, User 1 will only be able to read, while users 2 and 3 will have full access. You can also do this for a registry sub-key. The procedure is the same. You can also restrict specific user(s) from viewing a root key or a sub-key. This means that the user won't even be able to open the selected key. If that user tries to open that key, an 'Access denied' error message will show up.

Registry permissions/restrictions in general are important when you have more than one person accessing the computer, or when the computer is inside a LAN that has many users accessing it and the computer has important data.

Remote Registry
There is a service in Windows 2000, XP, 2003 called "Remote Registry". By default this service is enabled and automatically starts on every Windows boot. It's like a Registry server intended to receive remote connections from computers on the same network.

To connect to a computer running the Remote Registry service, in your Regedit window click "File", then click "Connect Network Registry". A small window titled "Select Computer" will show up. You will have 3 basic fields. The first one is titled "Select this kind of object"; below it is written "Computer". The second field is titled "From this location"; below it is written "GROUP". The third field is titled "Type the object name to be selected"; below it there is an empty field where you are supposed to type a valid computer name or IP address. Suppose that inside your network you have a computer called Comp1 with IP address 192.168.5.5. You can type Comp1 or 192.168.5.5 in this field. Click OK. If all went right you should get a logon prompt. As this service by default is designed for a main security user (Windows XP and maybe 2003; I didn't test on 2000 but it should be identical), you can type there the name of this user, which is NT AUTHORITY\NetworkService, click OK and after a few seconds be connected to the remote computer. (NT AUTHORITY is the domain name and NetworkService is the user name; the domain name was specified since NT AUTHORITY is not the default domain name.) You can also log in with any other valid user name that exists on the target computer.

Once connected to the remote computer's Registry you will see the computer name or IP address, depending on which of them you specified. 2 root keys will be available for editing: HKEY_LOCAL_MACHINE and HKEY_USERS\s-1-5-xx, where xx is the number related to the user name you logged on to the remote computer with. To disconnect, click on "File" and then click "Disconnect Network Registry".

Importing to the Registry


Besides the things described so far, it is also possible to edit the Registry using scripts and applications written in most programming languages, such as C++, Java, Fortran, Visual Basic, Delphi, Asm, etc. The scripts can be the default Registry script files (.REG files), VBScript, JavaScript, etc. In this tutorial we will only discuss the default Registry script (.REG files).

With .REG scripting you can basically add values to the Registry, delete values, delete keys, add keys and modify value data. This type of script begins with a title line giving the version of the Windows Registry Editor. For newer Windows, it is usually "Windows Registry Editor Version 5.00". But if you want a script that is compatible with ANY Windows version, including 95, 98, ME and NT4, you can change this title to "REGEDIT4". Notice that it is very important that you write the title exactly as it appears. If you, for example, type "regedit4", it won't be recognized by Windows and errors will happen. The same goes for version 5: if you type "windows registry editor version 5.00" you will run into errors as well. The structure of this script is the following:

----------------------------------REG Script----------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\MySoft1]
@="MySoft1 default value"
"Value1"="3"
"Type"=dword:00000001
"Environment Variable"=hex(0):40,01,00,00,0f,00
"Key"=hex:20,04,00,00,0f,00,70,00,50,00
"RelativePath"=hex(2):63,00,3a,00,5c,00,6d,00,79,00,73,00,6f,00,66,00,\
  74,00,31,00,5c,00,73,00,6f,00,66,00,74,00,2e,00,65,00,78,00,65,00,00,00
"Applications"=hex(7):61,00,62,00,63,00,20,00,64,00,65,00,66,00,20,00,\
  67,00,68,00,69,00,20,00,6a,00,6b,00,6c,00,00,00,00,00
"MainType"=hex(5):40,01,00

[HKEY_LOCAL_MACHINE\SOFTWARE\MySoft1\Preferences]
"AlwaysRunMaximized"=dword:00000001
-----------------------------End of REG Script-----------------------------

Notice that REG scripts begin with the version information of the Registry Editor. If you try to import REG scripts that begin with "Windows Registry Editor Version 5.00" into a Windows 95, 98, ME or NT4 Registry, you will get an error. To overcome this you can start the script with "REGEDIT4" instead. This one is intended for any Windows version, including recent ones like XP Service Pack 2 and Windows 2003.

The second line of the script is blank, just to keep it more organized. On the next line you have the Registry path between brackets [ ]. Notice that if you forget those brackets the script won't do what it was supposed to. On the line below it there is an @ (with no quotes), an equals sign after it, and "MySoft1 default value" (between quotes). The @ means the default value. Every key that you create will contain this default value, and it usually contains no data. If no data is specified you will see this: (Value not defined). The equals sign must exist to separate values from their data. The value name in this case is Default, the type is REG_SZ and the data is "MySoft1 default value". The same goes for the line below: the value name is "Value1", the type is REG_SZ and the value data is "3". Notice that any value name except the default value (@) must appear between quotes.

When you have value types different from REG_SZ, the respective data appears without the quotes. Notice that the data of the other values (REG_DWORD, REG_BINARY, REG_EXPAND_SZ, etc.) appears without the quotes. Notice that the data of the other values, except the REG_DWORD and REG_SZ types, begins with hex: or hex(z):, where z is a number between 5 and 9, and this determines the value type. z could also be 0 or 2, or there could be no value between the brackets (e.g. hex:00,12,00 or hex(2):00,01,00), and it could also be a or b. Below there is a table with these values for z and the resulting value type.

HEX(z):   Resulting Value Type

Hex:      REG_BINARY (PS: this is the same as Hex(3):)
Hex(0):   REG_NONE
Hex(1):   REG_SZ (PS: Not recommended: this specific hex(1): generates data that is not correctly interpreted by the Registry and therefore appears as weird symbols.)
Hex(2):   REG_EXPAND_SZ
Hex(3):   REG_BINARY (PS: this is the same as Hex:)
Hex(4):   REG_DWORD (PS: Not recommended: this specific hex(4): generates data that is not correctly interpreted by the Registry and therefore appears as an invalid dword value. Simply use dword: instead.)
Hex(5):   REG_DWORD_BIG_ENDIAN
Hex(6):   REG_LINK
Hex(7):   REG_MULTI_SZ
Hex(8):   REG_RESOURCE_LIST
Hex(9):   REG_FULL_RESOURCE_DESCRIPTOR
Hex(a):   REG_RESOURCE_REQUIREMENTS_LIST
Hex(b):   REG_QWORD

The 14th line, as you can see, is blank (for organization purposes), and just below it there is another Registry path that is the same as the 1st one on line 3, but with a subkey of MySoft1 called Preferences and a value of type REG_DWORD called AlwaysRunMaximized with data 1 (in dword, 0x00000001). This is not just information; it has a meaning. The meaning is 1. And 1 means True. 0 means False. So we can figure out that the MySoft1 program window is configured to always run maximized. Some programs also store configuration such as the user password in the registry, but encrypted, and it is usually a REG_BINARY value type.

The REG script below will delete a value from the registry and then an entire key, including its subkeys and values.

-----------------------------------------REG Script-----------------------------------------
REGEDIT4

[HKEY_CURRENT_USER\Software\Soft123]
"type"=-

[-HKEY_CURRENT_USER\Software\Soft123456]
-------------------------------------End of REG Script-------------------------------------

Notice that the above script is able to run on any Windows version, not only on 2000/XP/2003 (because it begins with REGEDIT4). The first script will only be able to run on 2000/XP/2003, unless you change the title (Windows Registry Editor Version 5.00) to REGEDIT4. To delete a value, a minus sign is used after the equals sign of the specific value; in our case the value is "type". To delete a key in the registry, we simply put a minus sign before the key path. This will delete the last key specified in the path (in this case Soft123456) and all its sub-keys and values.
Neither of the 2 scripts described above contained value types of REG_LINK, REG_RESOURCE_REQUIREMENTS_LIST, REG_RESOURCE_LIST or REG_FULL_RESOURCE_DESCRIPTOR, because these are related to hardware information and configuration and are very rarely used, except by the hardware itself at the time it is installed. The REG_NONE and REG_QWORD types are also very rarely used. The first one occurs when the Registry cannot interpret the data (sometimes because it is encrypted) and therefore cannot establish the value type. The second one is a 64-bit value generally used to store information about hardware.
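To see what a .REG script will do before it is imported, the syntax described in this section (header line, bracketed key paths, the hex(z): type table, and the two minus-sign deletion forms) can be parsed offline. The Python below is an added example, not part of the original tutorial; the function names, the operation labels and the cp1252 code page for REGEDIT4 strings are assumptions of this example, and the sample is constructed from the two scripts shown above.

```python
import re

HEX_TYPES = {  # hex(z) codes and the value types they select, as in the table above
    "": "REG_BINARY", "0": "REG_NONE", "1": "REG_SZ", "2": "REG_EXPAND_SZ",
    "3": "REG_BINARY", "4": "REG_DWORD", "5": "REG_DWORD_BIG_ENDIAN",
    "6": "REG_LINK", "7": "REG_MULTI_SZ", "8": "REG_RESOURCE_LIST",
    "9": "REG_FULL_RESOURCE_DESCRIPTOR",
    "a": "REG_RESOURCE_REQUIREMENTS_LIST", "b": "REG_QWORD",
}
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)', re.S)
HEX_RE = re.compile(r"hex(?:\(([0-9a-f]+)\))?:(.*)", re.I | re.S)

def unescape(s):
    # Undo the backslash escapes used inside quoted names and strings.
    return re.sub(r"\\(.)", r"\1", s)

def decode_data(raw, ansi):
    """Return (type, data) for the text on the right-hand side of '='."""
    raw = raw.strip()
    if raw == "-":                       # "name"=- deletes the value
        return "DELETE", None
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return "REG_SZ", unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = HEX_RE.fullmatch(raw)
    if not m:
        raise ValueError("unrecognised value data: %r" % raw)
    kind = HEX_TYPES.get((m.group(1) or "").lower(), "UNKNOWN")
    data = bytes(int(b, 16) for b in m.group(2).replace(" ", "").split(",") if b)
    if kind in ("REG_SZ", "REG_EXPAND_SZ", "REG_MULTI_SZ"):
        # 5.00 files hold UTF-16LE strings; REGEDIT4 uses ANSI (cp1252 assumed)
        parts = data.decode("cp1252" if ansi else "utf-16-le").split("\x00")
        return kind, ([p for p in parts if p] if kind == "REG_MULTI_SZ" else parts[0])
    return kind, data

def parse_reg(text):
    """Parse .REG text into (operation, key, value name, type, data) tuples."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing or misspelled header (match is case-sensitive)")
    ansi = lines[0].strip() == "REGEDIT4"
    ops, key, pending = [], None, ""
    for line in lines[1:]:
        line, pending = pending + line.strip(), ""
        if line.endswith("\\"):          # hex data continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):      # [-path] removes the key and its subtree
                ops.append(("delete_key", key[1:], None, None, None))
                key = None
            else:
                ops.append(("open_key", key, None, None, None))
            continue
        m = VALUE_RE.fullmatch(line)
        if m is None or key is None:
            raise ValueError("cannot parse line: %r" % line)
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        kind, data = decode_data(m.group(2), ansi)
        op = "delete_value" if kind == "DELETE" else "set_value"
        ops.append((op, key, name, None if kind == "DELETE" else kind, data))
    return ops

# Constructed sample: lines taken from the two scripts shown on this page.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\MySoft1]
@="MySoft1 default value"
"RelativePath"=hex(2):63,00,3a,00,5c,00,6d,00,79,00,73,00,6f,00,66,00,\
  74,00,31,00,5c,00,73,00,6f,00,66,00,74,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_CURRENT_USER\Software\Soft123]
"type"=-

[-HKEY_CURRENT_USER\Software\Soft123456]
'''

if __name__ == "__main__":
    print(*parse_reg(SAMPLE), sep="\n")
```

Running it on the sample shows that the hex(2) bytes of RelativePath decode to a readable path, and that the last two entries are deletions rather than additions.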

Exporting from the Registry


To export a key from the registry, you simply right-click that key and select "Export". A new window asking where to save the key will show up. Where you see "filename", you type the name you want for the file that will store the information about the key.

In the "Save as type" field, you can select Registry Files (*.reg), txt file, Registry Hive Files or Win9x/NT4 Registry Files (*.reg). Depending on what you will do with the REG file, you will select one of those options. If it's just for study/analysis purposes, then you can save it as a normal txt file. Let's suppose this file will hold information about NT Services (NT services are only intended for NT systems and therefore won't work on Windows 95, 98, ME); then the best choice is saving it as Registry Files (*.reg). But suppose the REG file contains information about a piece of software, for example, and this software is able to run on any Windows version. Then it's better to save it as Win9x/NT4 Registry Files (*.reg), because this way the file can be imported into the Registry of any Windows. Just below this, at the bottom of the window, you can see the "Export range" section, and below it the complete registry path to the key you will be exporting.

If you double click a REG file you will be prompted with the message "Are you sure you want to import the information contained in file.reg to the Registry?" (supposing file.reg is the file you want to import into the registry). If you click "No" the operation will be canceled; if you click "Yes" and the REG file is valid and correct, you will get a message saying the information in file.reg was successfully added to the registry.

Editing the Registry via Command Line


We have already seen it is possible to edit the Registry manually and using scripts. It is also possible to edit it using the Windows Command Prompt (COMMAND.COM in any Windows version and CMD.EXE in Win NT4/2000/XP/2003). The REGEDIT.EXE tool has a GUI part and a command line part. REGEDIT.EXE command line syntax:

Command              Effect

REGEDIT /E           Exports keys and values from the Registry to a .REG file.
REGEDIT /I           Imports a .REG file to the Registry. Before writing to the registry, a confirmation prompt will appear asking if you really want to import the file to the registry.
REGEDIT /S           Imports a .REG file to the Registry in silent mode. No confirmation prompt.
REGEDIT /D           Deletes a key from the registry. (Win9x only)
REGEDIT /L:System    Specify the location of System.dat to use. (Win9x only)
REGEDIT /R:User      Specify the location of User.dat to use. (Win9x only)
REGEDIT /C           Compress the Registry. (Only works on Win98)

Usage examples for the above commands are shown below.

    REGEDIT /E c:\file1.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Some Program"

This will export the registry key "Some Program" located in HKEY_LOCAL_MACHINE\SOFTWARE to a file called file1.reg in c:\

    REGEDIT /I c:\file2.reg

This will import the information in file2.reg into the Registry. A confirmation prompt will show up.

    REGEDIT /S c:\file3.reg

This will silently import the information in file3.reg into the Registry. No confirmation prompts.

The above commands are the most used ones and work on all Windows versions. The /L:System and /R:User parameters are optional, only work on Win9x and come before all the other parameters. Example:

    REGEDIT [/L:System | /R:User] /S c:\file1.reg

This will silently import the information in file1.reg into the Registry, specifying the location of the System.dat and User.dat to use.

REGEDIT /D is rarely used and only works on Win9x. It is intended to remove a key from the Registry. Example:

    REGEDIT /D HKEY_LOCAL_MACHINE\SOFTWARE\Soft1

This will delete the key Soft1 located in HKEY_LOCAL_MACHINE\SOFTWARE from the Registry.

REGEDIT /C will compress the Registry. It is intended to work only on Win98. The usage:

    REGEDIT /C [filename]

Windows XP and 2003 come with a command line tool to edit the Registry, called REG.EXE. By default Windows NT4 and 2000 don't have this tool, but it's available in the Windows Resource Kit Tools package and can be freely downloaded from Microsoft.com or simply copied, along with the application Regini.exe, from Windows XP or 2003. Below there is a table with the REG.EXE commands and their effects.

Command        Effects

REG QUERY      Queries a Registry key or value by its given name.
REG ADD        Adds a key or value to the Registry.
REG DELETE     Deletes a key or value from the Registry.
REG COPY       Copies subkeys and values from one key to another.
REG SAVE       Saves a Registry section to a file.
REG RESTORE    Restores a file to substitute a Registry key.
REG LOAD       Loads a file in a Registry key.
REG UNLOAD     Unloads a Registry section.
REG COMPARE    Compares values and sub-keys from a key with the respective values and sub-keys of another key.
REG EXPORT     Exports/Loads a file in a Registry key.
REG IMPORT     Imports a file to the Registry.

REG.EXE makes it possible to write Registry RootKeys by their short names, as shown below:

HKEY_LOCAL_MACHINE = HKLM
HKEY_CURRENT_USER = HKCU
HKEY_USERS = HKU
HKEY_CLASSES_ROOT = HKCR
HKEY_CURRENT_CONFIG = HKCC

Below are some examples of the usage of the commands listed in the above table.

    REG QUERY HKLM\SOFTWARE\Soft1 /v Config

This will display the registry value of Config.

    REG QUERY HKLM\SOFTWARE

Displays all the values and sub-keys of the key Software.

    REG ADD HKCU\Software\Mysoft2

Adds a key called Mysoft2 to the Registry.

    REG ADD HKLM\Software\War /v Types /t REG_DWORD /d 1 /f

Adds a key called War (in case it doesn't exist yet) and a value called Types with type REG_DWORD to the Registry. If /t is omitted the value will be of type REG_SZ. The /f parameter forces the action being taken, with no confirmation prompts.

    REG DELETE HKLM\SOFTWARE\MySoft1 /f

Deletes the key Mysoft1 and all its sub-keys and values with no confirmation prompts.

    REG DELETE HKLM\SOFTWARE\MySoft3 /v path /f

Deletes the value path located in the Mysoft3 key with no confirmation prompts.

    REG COPY HKCU\SOFTWARE\Soft1 HKCU\SOFTWARE\Soft1_Backup /f

Copies all the sub-keys and values of the Soft1 key to the Soft1_Backup key without confirmation.

    REG SAVE HKLM\System\CurrentControlSet\Services c:\Services_Backup.TXT

Saves the Registry section Services in the file Services_Backup.TXT located in C:\

    REG RESTORE HKLM\System\CurrentControlSet\Services c:\Services_Backup.TXT

Restores the file Services_Backup.TXT to substitute the Registry key Services.

    REG LOAD HKLM\System c:\hklm_System.TXT

Loads the file hklm_System.TXT in the registry key HKLM\System.

    REG UNLOAD HKCU\Software

Unloads the Software section in the RootKey HKCU.

    REG COMPARE HKCU\Software\MySoft2\System1 HKCU\Software\MySoft2\System2

Compares all the values under the key System1 with System2.

    REG COMPARE HKCU\Software\MySoft2\System1 HKCU\Software\MySoft2\System2 /v Path

Compares the value of Path in the keys System1 and System2.

    REG COMPARE HKCU\Software\MySoft1 HKCU\Software\MySoft2 /s

Compares all the values and sub-keys in the keys MySoft1 and MySoft2. Return codes: 1 = Success, the compared result is identical. 2 = Failure. 3 = Success, the compared result is different.

    REG EXPORT

This is exactly the same as the REG LOAD command.

    REG IMPORT c:\file.reg

Imports the file.reg located in c:\ into the Registry.

Final Notes
Notice that the 'REG.EXE' application is a command line tool that is intended for Windows NT4, 2000, XP, 2003, but it is built in only on XP and 2003. The 'REGEDIT.EXE' application has a GUI (graphical user interface) and some command line parameters. The REGEDT32.EXE application is only present on 32-bit Windows operating systems such as Windows NT4, 2000, XP, 2003.

Remember to ALWAYS make a complete backup before editing the Registry, as well as before editing any other kind of configuration, files, important information, etc.

This article will show, explain and detail some things related to the Windows Registry and you will probably learn some cool things from it, but it will NOT in any way make you an expert. There are lots and lots of other tricky things you can do with this cute little tool called Regedit, such as editing the information and configuration of software and services, setting up specific restrictions on the Registry itself or on any other software, and changing the OS look, visual effects and other graphics-related settings, among other things, and you will have to look deep inside and understand the meaning of some commonly used value data. Tip: look deep inside REG_DWORD value data and you will learn a lot and better understand the options and configurations that were set up in your Windows. Finally, I hope you have enjoyed

---------------*END*----------------
Author: Eduardo
Contact1: edubp2002@hotmail.com (MSN)
Contact2: 147367087 (ICQ)
