
Windows Registry

An introduction to registry editor

What is the Windows Registry?


A hierarchical database of computer system settings, hardware configurations, and user preferences. The Windows Registry stores:
- Software settings
- Windows configuration settings
- User profiles
- Password hashes and account settings

Registry Terminology
- The registry is created when Windows boots using data from several files
- Each file stores one or more hives
- Each hive is made up of keys and subkeys
- Each key has one or more values and value data

Windows Registry
Hives are a logical group of keys, subkeys and values:

1) HKEY_CLASSES_ROOT
2) HKEY_CURRENT_USER
3) HKEY_LOCAL_MACHINE
4) HKEY_USERS
5) HKEY_CURRENT_CONFIG

Windows Registry Hives


HKEY_CLASSES_ROOT (HKCR) - Contains information about file types, filename extensions, and other details related to files.
It tells Windows how to handle different file types, and controls basic interface options like double-clicking and context menus.

Windows Registry Hives


HKEY_CURRENT_USER (HKCU) - Contains configuration information about the setup of the person currently logged into Windows.
It controls the desktop, as well as Windows-specific appearance and behavior for that individual user, including screen colors and the arrangement of the desktop.

It also manages the connections to the network and to devices like digital cameras or printers.

Windows Registry Hives


HKEY_LOCAL_MACHINE (HKLM) - Contains information about the computer itself, as well as the operating system.
It includes specific details about all hardware, including the keyboard, printer ports, and storage devices. It also has information about security settings, installed software, system startup, drivers, and other services, like the ability to automatically connect to wireless networks.

Windows Registry Hives


HKEY_USERS (HKU) - Contains information about every user profile on the system.

HKEY_CURRENT_CONFIG (HKCC) - Contains information about the system's current hardware setup, in the same way that HKEY_CURRENT_USER contains information about whoever is logged into the system at the moment. It has details like the type of hard disk installed in your PC.

Windows Registry

The list of active hives is kept in the registry itself at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

Windows Registry Files


The following table lists the standard hives and their supporting files:

Registry hive                   Supporting files
HKEY_CURRENT_CONFIG             System, System.alt, System.log, System.sav
HKEY_CURRENT_USER               Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM          Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security     Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software     Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System       System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT             Default, Default.log, Default.sav

These files are located in %systemroot%\System32\Config and at %userprofile%\Username

Windows Registry Files


The following table lists the registry file extensions and what they mean:

.alt    A backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file.
.log    A transaction log of changes to the keys and value entries in the hive.
.sav    Copies of the hive files as they looked at the end of the text-mode stage in Setup.

Windows Registry

Value names have data assigned to them.

The data type can be:
- String
- Binary
- DWORD
- Multi-String
- Expandable String

Windows Registry Data Types


Data type String
A string consists of plain readable text. String values are the most common values used in the Registry. All string values are indicated by an AB icon, which makes sense since the data type is readable text.

There are 3 types of STRING: REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ

Windows Registry Data Types


Data type String (REG_SZ)
This is the main type of string data used in the registry. "YES" or "NO" are common REG_SZ values, as are command line strings such as "C:\Program Files\Outlook Express" or even phrases or complete sentences (like error messages). A string can also consist of numbers. Colors, for example, are usually stated numerically in the registry. Examples of numeric string values are at HKEY_CURRENT_USER\Control Panel\Colors

Windows Registry Data Types


Data type Expandable String (REG_EXPAND_SZ)
This is an "expandable" string value holding a variable. Example: %SystemRoot% and %UserName% are variables that are used to indicate the System folder and the name of the logged in user. Windows will replace (or EXPAND) the variable with the full path when the command is called. By using a variable, you do not need to know the drive letter the user has Windows installed on.

Windows Registry Data Types


Data type: Multi-String (REG_MULTI_SZ)
A multiple string array type made up of characters and numbers - used for entering more than one value, each one separated by a NULL character. Example: This multi string value consists of 4 entries:
eqnclass.dll,CoInstallClass
spxcoins.dll,SpxClassCoInstaller
dgsetup.dll,DigiMultiPortCoInstaller
dgrpsetu.dll,DigiMultiPortCoInstaller
Note: Due to the NULL character being used to separate values, entering these from the keyboard can be difficult. It is often easier to copy an existing multi-string and edit it.

Windows Registry Data Types


Data type Binary (REG_BINARY)
Binary is used most commonly with hardware and configuration settings. The data is usually displayed in hex format.

Windows Registry Data Types


Data type DWORD (REG_DWORD)
DWORD data types also consist of binary data, but two points distinguish them from binary types:
1. The binary data that can be entered is limited to 32 bits (4 bytes) in length.
2. The binary data can be entered in hexadecimal or decimal format.
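To make the storage rules on these slides concrete, here is an added Python example (not from the slides) that packs and unpacks the string and DWORD types the way a hive stores them: NUL-terminated UTF-16LE for REG_SZ, NUL-separated entries for REG_MULTI_SZ (using the slide's four-entry example), %VAR% expansion for REG_EXPAND_SZ against a constructed environment, and the 32-bit limit and hex/decimal entry for REG_DWORD. The hex(7): rendering is how a .reg export writes a REG_MULTI_SZ.

```python
import re
import struct

# Registry strings are stored as UTF-16LE; REG_MULTI_SZ separates entries
# with a NUL character and ends the whole list with a second NUL.
ENC = "utf-16-le"

# The four entries from the REG_MULTI_SZ example on the slide.
MULTI_SZ_EXAMPLE = [
    "eqnclass.dll,CoInstallClass",
    "spxcoins.dll,SpxClassCoInstaller",
    "dgsetup.dll,DigiMultiPortCoInstaller",
    "dgrpsetu.dll,DigiMultiPortCoInstaller",
]

# Constructed environment used to expand REG_EXPAND_SZ values offline.
SAMPLE_ENV = {"SystemRoot": r"C:\Windows", "UserName": "student"}


def pack_sz(text: str) -> bytes:
    """REG_SZ as it sits in the hive: NUL-terminated UTF-16LE."""
    return (text + "\0").encode(ENC)


def unpack_sz(raw: bytes) -> str:
    return raw.decode(ENC).split("\0", 1)[0]  # stop at the first terminator


def pack_multi_sz(entries: list[str]) -> bytes:
    """REG_MULTI_SZ: entries joined by NUL, then a final NUL (so it ends in two)."""
    if not entries or any(e == "" or "\0" in e for e in entries):
        raise ValueError("entries must be non-empty and free of NUL")
    return ("\0".join(entries) + "\0\0").encode(ENC)


def unpack_multi_sz(raw: bytes) -> list[str]:
    body = raw.decode(ENC).split("\0\0", 1)[0]  # everything before the double NUL
    return [e for e in body.split("\0") if e]


def expand_sz(value: str, env: dict[str, str]) -> str:
    """Expand %VAR% in a REG_EXPAND_SZ the way Windows does when it is read.
    Lookups are case-insensitive; an unknown variable is left in place, which
    is also what ExpandEnvironmentStrings does."""
    table = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: table.get(m.group(1).upper(), m.group(0)), value)


def pack_dword(text: str, hexadecimal: bool) -> bytes:
    """Take the number as typed in regedit's Hexadecimal/Decimal dialog and
    store it as 4 little-endian bytes; anything over 32 bits is rejected."""
    n = int(text, 16 if hexadecimal else 10)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("REG_DWORD is limited to 32 bits (4 bytes)")
    return struct.pack("<I", n)


def unpack_dword(raw: bytes) -> int:
    return struct.unpack("<I", raw)[0]


def reg_hex(type_id: int, raw: bytes) -> str:
    """Render raw value bytes the way a .reg export does, e.g. hex(7):65,00,..."""
    return f"hex({type_id}):" + ",".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    print(reg_hex(7, pack_multi_sz(MULTI_SZ_EXAMPLE))[:48], "...")
    print(expand_sz(r"%SystemRoot%\system32\cmd.exe", SAMPLE_ENV))
    print(unpack_dword(pack_dword("708", hexadecimal=True)))  # 1800 seconds
```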

Editing the Windows Registry


Windows comes with a utility called Regedit for editing the registry data:

You can start regedit by going to the Start button, choosing Run and then entering regedit.

Editing the Windows Registry


The Regedit Edit menu for creating, renaming and searching the registry data:

From the Edit menu, you can create new keys, subkeys, values and data. You can also:
- Modify the permissions to registry elements
- Search for keys, subkeys, values and data

Editing the Windows Registry


The Regedit File menu for importing and exporting the registry data:

From the File menu, you can import one or many registry keys, subkeys, values and data. You can also:
- Export registry data for backup or copying to another computer
- Load a hive file from another computer or a user that is not logged in

Editing the Windows Registry


As an example edit, here is how to change the settings for Internet Explorer so that pop-up windows are allowed from all websites in the *.ncsu.edu domain. The objective is to create a value and data in this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\New Windows\Allow

1. First double click on keys in the HKEY_LOCAL_MACHINE hive until you get to the Microsoft key.
2. Then create keys for Internet Explorer, New Windows and Allow.
3. Then create a String Value called *.ncsu.edu
4. Then enter data of *.ncsu.edu

The finished entry, in .reg notation:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\New Windows\Allow]
"*.ncsu.edu"="*.ncsu.edu"

Editing the Windows Registry


As a second example edit, here is how to change the settings for Remote Desktop so it uses a different port than the default, 3389. The objective is to alter a data value at this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP-Tcp\PortNumber

Backing Up the Windows Registry

Since this key already exists, make a backup of the current values using the File | Export menu. Enter a name for the backup like RDP-orig.

Editing the Windows Registry

1. Double click on PortNumber and select Decimal.
2. Enter a new number, like 3903.

Note: For this change to work, also change the PortNumber in this key:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp

This will change RDP to use port 3903 instead of 3389.

Editing the Windows Registry


Next change the firewall to allow the connections to the new port, 3903. You could use the Windows Firewall configuration tool, but as you might expect, the firewall settings are stored in the registry at these keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

Editing the Windows Registry


Create a port exception for port TCP 3903:
In Regedit, go to this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
1. Create a string value named 3903:TCP
2. Enter value data of 3903:TCP:*:Enabled:Remote Desktop

Editing the Windows Registry


- Modify the Windows Firewall configuration settings for both the Standard Profile at:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

- And the Domain Profile at:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

- These edits will work with Windows XP and Windows Vista

Importing and Exporting Windows Registry Data


- When you export data with the File | Export option, the data from the selected key or subkey is written to a file with a .reg extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"21264:TCP"="21264:TCP:152.1.7.0/255.255.255.0:Enabled:Trend Micro OfficeScan Listener"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"21264:TCP"="21264:TCP:152.1.7.0/255.255.255.0:Enabled:Trend Micro OfficeScan Listener"

Example .reg file to update the Windows Firewall for OfficeScan

Editing the Windows Registry using .REG files


When you double click or import a .reg file, the settings in the file are copied into the registry keys named in the file. Registry keys and subkeys are created using the tree structure described in the .reg file. The values listed in the .reg file are created and assigned the data given in the .reg file.

If keys or values with the same names already exist, they are replaced with the information in the .reg file.
If the keys already exist, the values in the .reg file are merged with those in the registry.

Editing the Windows Registry using .REG files


It is possible to delete keys or values by placing a minus sign in front of the key name or after the equal sign:

[-HKEY_LOCAL_MACHINE\Software\Test]

[HKEY_LOCAL_MACHINE\Software\Test]
"TestValue"=-

- If a key in a .reg file is preceded by a minus sign, the key, its sub-keys, and Value Names are deleted.
- If a ValueName=- line is present in a .reg file, the Value Name is deleted.
- To rename a key or value using a .reg file, first delete the item and then add the data with a new name.
- To rename a key or value using regedit, select the item, right click and choose Rename.

To avoid the Are you sure? prompt when importing, use the /s option in your script: regedit /s test.reg
Export the registry with this command: regedit /e full.reg (this would export the full registry to the full.reg file).
To export individual registry keys: regedit /e software.reg "HKEY_LOCAL_MACHINE\Software"

Searching the Windows Registry


If you need to find occurrences of a particular string in registry key names, values or data, use the Edit | Find menu of regedit.exe:

- The search will start from the highlighted position and go downward in the registry window
- You may need to select My Computer to search through all hives

Searching the Windows Registry


If you need to replace all occurrences of a registry string with another string, you may be able to accomplish this by:
1. Exporting the keys to a .REG file
2. Searching and replacing the strings in the text file with a text editor
3. Importing the .REG file

There are also third party utilities to do this, such as Registry Toolkit from https://www.funduc.com and Registry Search + Replace (also from funduc.com). Beware that there are lots of Registry Cleaner type programs that are trojans.

Searching the Windows Registry


Finding settings in the Windows Registry can be difficult due to the fact that there is no standard naming convention for registry keys, values and data. The website jsiinc.com was a good online resource for finding what registry keys control a setting. You may find search engine results that refer to jsiinc.com; these are usually very helpful. The JSI website is still available on the internet archive site, web.archive.org. The Microsoft knowledge base is also a good source for clues about what registry keys do.

Registry Permissions
Like files and directories, Registry keys have security permissions to control who can view, alter and delete registry data

You can view/change the permissions for a key by selecting the key and using the Edit | Permissions menu

Registry Permissions
The general permissions are Read, Full Control and Special Permissions. These Special Permissions can be configured using the Advanced button:

Permission             Definition
QV Query Value         allows assigned user or group to read the settings of a value entry located in the Registry
SV Set Value           allows assigned user or group to set the value of a value entry located in the subkey
CS Create Subkey       allows assigned user or group to create a subkey located in this selected subkey
ES Enumerate Subkeys   allows assigned user or group to identify all the subkeys in the selected subkey
NT Notify              allows assigned user or group to receive audit notifications from this subkey
DE Delete              allows assigned user or group the right to delete the subkey
WD Write DAC           allows assigned user or group the right to read the discretionary access control list for the selected subkey
CL Create Link         allows assigned user or group to create a symbolic link to this subkey
WO Write Owner         allows assigned user or group the right to take ownership of the subkey
RC Read Control        allows assigned user or group the right to read the access control list

When a key is created, it inherits its permissions from its parent key. As with files and directories, it is possible to set the permissions of a key different from its parent key and to break the inheritance of permissions if needed. Values do not have permissions; only keys and subkeys have permissions.
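An added Python example (not from the slides) that maps the Special Permissions codes above onto the access-mask bits Windows actually stores for registry keys (the winnt.h KEY_* rights plus the standard DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER rights), names the composite Read and Full Control sets behind the basic checkboxes, and audits a key's DACL for principals outside SYSTEM and Administrators that can modify it. The DACL, its principal names and the trusted list are constructed for the example.

```python
# Registry access-mask bits (winnt.h KEY_* and standard rights) mapped to the
# two-letter codes regedit's Special Permissions dialog uses on the slide.
RIGHTS = (
    (0x00000001, "QV", "KEY_QUERY_VALUE"),
    (0x00000002, "SV", "KEY_SET_VALUE"),
    (0x00000004, "CS", "KEY_CREATE_SUB_KEY"),
    (0x00000008, "ES", "KEY_ENUMERATE_SUB_KEYS"),
    (0x00000010, "NT", "KEY_NOTIFY"),
    (0x00000020, "CL", "KEY_CREATE_LINK"),
    (0x00010000, "DE", "DELETE"),
    (0x00020000, "RC", "READ_CONTROL"),
    (0x00040000, "WD", "WRITE_DAC"),
    (0x00080000, "WO", "WRITE_OWNER"),
)
BIT_BY_CODE = {code: bit for bit, code, _ in RIGHTS}

# The composite rights behind regedit's "Read" and "Full Control" checkboxes.
KEY_READ = 0x20019        # RC | QV | ES | NT
KEY_WRITE = 0x20006       # RC | SV | CS
KEY_ALL_ACCESS = 0xF003F  # every bit in RIGHTS


def decode_mask(mask: int) -> list[str]:
    """List the two-letter codes for the bits set in an access mask.
    Generic rights (GENERIC_READ etc.) are not mapped here."""
    return [code for bit, code, _ in RIGHTS if mask & bit]


def encode_mask(codes) -> int:
    mask = 0
    for code in codes:
        mask |= BIT_BY_CODE[code]
    return mask


def classify(mask: int) -> str:
    """Name the permission the way the basic Permissions dialog would."""
    if mask & KEY_ALL_ACCESS == KEY_ALL_ACCESS:
        return "Full Control"
    if mask == KEY_READ:
        return "Read"
    return "Special Permissions"


# Rights that let a principal change the key or its protection. Anyone holding
# these on an autostart key effectively controls what runs at logon.
MODIFY = encode_mask(["SV", "CS", "CL", "DE", "WD", "WO"])


def find_weak_aces(aces, trusted=("SYSTEM", "Administrators")):
    """Given (principal, mask) pairs from a key's DACL, return the principals
    outside `trusted` that hold any modify right, with the rights they hold."""
    weak = []
    for principal, mask in aces:
        if principal not in trusted and mask & MODIFY:
            weak.append((principal, decode_mask(mask & MODIFY)))
    return weak


# Constructed DACL for a Run key: a key created under a loosely permissioned
# parent inherits entries like the last one unless inheritance is broken.
SAMPLE_ACL = [
    ("SYSTEM", KEY_ALL_ACCESS),
    ("Administrators", KEY_ALL_ACCESS),
    ("Users", KEY_READ),
    ("Everyone", KEY_WRITE),
]

if __name__ == "__main__":
    for principal, mask in SAMPLE_ACL:
        print(f"{principal:15} {classify(mask):19} {' '.join(decode_mask(mask))}")
    print("weak:", find_weak_aces(SAMPLE_ACL))
```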

Registry Permissions
Since password hashes and other security data are stored in the SAM hive, keys in the SAM hive have special permissions. You must run regedit as the SYSTEM user to view the SAM hive. Start a SYSTEM shell with:

at 22:08 /interactive c:\windows\regedit.exe

where 22:08 is a time a minute or more in the future and Windows is installed at c:\windows. At the time specified in the command, regedit will run and you will be able to see the SAM information on the computer.

Registry Permissions

Notice the Administrator has no access; only the SYSTEM user is supposed to read SAM information.

Useful Registry Edits


Here are some things you can change with Registry edits:

Alter the DNS cache time from the default of 1 day to 30 minutes:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"MaxCacheTtl"=dword:00000708

Turn on file name completion in the DOS window:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]
"CompletionChar"=dword:00000009
"EnableExtensions"=dword:00000001
"PathCompletionChar"=dword:00000040

Disable Dynamic DNS in the TCP/IP Parameters:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DisableDynamicUpdate"=dword:00000001
"DisableReverseAddressRegistrations"=dword:00000001

Useful Registry Edits


Here are some things you can change with Registry edits:

Find a list of programs that run at startup in these Run keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Load
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Load

The values of these keys and others that control startup programs are listed on the Startup tab of the msconfig utility. However, you cannot change them from that program. If you see a path not found or file not found error at login, it may be because one of the Run key values has the wrong filename or directory. This can be corrected with Regedit.

Useful Registry Edits


Here are some things you can change with Registry edits: The uninstall path for applications is stored at HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall. If you are having trouble getting the uninstaller to run, perhaps because a drive letter changed or a directory name changed, you can fix the problem by editing the path in the Uninstall key.

Useful Registry Edits


Here are some things you can change with Registry edits:
Windows can synchronize time with the government NIST time server

Enter the name of the time server in the following key: HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProvider\NtpClient\NtpServer = hostname, 0x1

Registry Forensics
The registry stores all kinds of information about how Windows is being used and what a user is doing when logged in. The registry stores:
- List of terms entered into the Windows File Search tool
- History of commands entered in the Start | Run menu choice
- History of mapped drives
- History of mounted USB devices (cameras, flash drives, printers)
- Recent file lists for Microsoft Word, Excel, PowerPoint, Access, and WordPad
- URLs typed into Internet Explorer, Windows Media Player and Firefox
- Internet Explorer saved passwords and URL pairs
- List of wireless networks used
- Other information listed at: http://windowsxp.mvps.org/RegistryMRU.htm

The registry also stores a list of all applications run on the computer and a count of how many times each was launched. This includes applications run by double-clicking on a document, shortcut or Control Panel applet. Along with the count mentioned above, the registry stores the last time the application was run. Using this information, it is possible to see what program was launched, when it was launched and how many times it was launched. For a list of registry keys and how to read them, see: http://www.forensicswiki.org/wiki/Windows_Registry

Loading Offline Registry Hives


The Windows Registry is stored in several files located in the Windows folders and in users' profile space.

There are also backups of the registry in Windows restore points located in the \System Volume Information folder.

Registry backups have the word _REGISTRY_ in the file name. These hive files can be loaded into regedit.

Loading Offline Registry Hives


Here is how to load a hive from a file:
1. Run regedit and select the HKEY_LOCAL_MACHINE hive to activate the Load Hive menu.
2. After selecting Load Hive, browse to the hive file and open it.
3. When prompted for a Key Name, enter something to describe the hive.

Loading Offline Registry Hives


Here an ntuser.dat file has been loaded with the Key Name default-user:

The hive will show up in regedit under the HKEY_LOCAL_MACHINE hive. If you make changes to the loaded hive and want to save them:
1. Select the Key Name of the loaded hive (default-user in the example above)
2. Choose File | Unload Hive

Registry Backup Tools


There are several ways to backup the registry:

One way is to copy the files (SAM, Security, Software, System and Default) from the \Windows\system32\config directory. These cannot be copied when Windows is running, but can be copied from the Recovery Console.

A second way to make a registry backup is to manually create a Windows restore point.

To create a restore point in Windows XP:
1. Click Start, click Run, type %SystemRoot%\system32\restore\rstrui.exe, and then click OK.
2. On the Welcome to System Restore page, click Create a restore point, and then click Next.
3. On the Create a Restore Point page, type a name for the restore point and then click Create.
4. After the restore point has been created, click Close.

Registry Backup Tools


To restore the registry in Windows XP:
1. Click Start, click Run, type %SystemRoot%\System32\Restore\Rstrui.exe, and then click OK.
2. On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next.
3. On the Select a Restore Point page, click the system checkpoint. In the On this list select the restore point area, click an entry that is named "Guided Help (Registry Backup)," and then click Next. If a System Restore message appears that lists configuration changes that System Restore will make, click OK.
4. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration and then restarts the computer.
5. Log on to the computer. When the System Restore confirmation page appears, click OK.

Registry Backup Tools


To backup the registry in Windows Vista using a restore point:
1. Click Start, type systempropertiesprotection in the Start Search box, and then press ENTER.
2. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
3. Wait for Windows to search for available disks and most recent restore points. In the System Properties dialog box, on the System Protection tab, click Create.
4. Type a name for the restore point and then click Create.
5. After the restore point has been created successfully, click OK two times.

Note: If System Restore is turned off, click to select the local disk, click Apply and then click Create.

Registry Backup Tools


To restore the registry in Windows Vista using a restore point:
1. Click Start, type systempropertiesprotection in the Start Search box, and then press ENTER.
2. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
3. In the System Properties dialog box, on the System Protection tab, click System Restore.
4. In the System Restore dialog box select Choose a different restore point, and then click Next.
5. Select the restore point that you want to use, and then click Next.
6. Confirm your restore point, and then click Finish. System Restore restores the selected Windows Vista configuration and then restarts the computer.
7. Log on to the computer. When the System Restore confirmation page appears, click OK.

Registry Backup Tools


There are several ways to backup the registry: Another way is to make a System State backup and then restore it to an alternate location.

Registry Backup Tools


When you restore the System state backup, you can restore to the running system (this is the default) or to an alternate location. If you want to edit or view the registry copy, restore to an alternate location:

Note: There is a copy of the registry from the last System state backup in \Windows\Repair
