The Windows Registry is a central storage for settings in Windows, and also a popular target of hacks to enable/disable obscure features. But how does it work? Where does it store all the data? What options are available in it? In this post I plan to go through the internals of the registry.
Overview
The registry is a hierarchical key-value storage system, that keeps its elements in a tree-like structure, much like a file system. The values have data types so not only strings but integers and binary data can be stored as well.
The “folders” in the registry are called keys. This is unlike other key-value stores, like Redis, where key refers to the id of a value. The actual key-value pairs inside these folders are called name-data pairs. For example, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
is a key, and the name ProgramFilesDir
under this key holds the path to the “Program Files” folder. This strange naming has historical reasons: in the original version of the registry (in Windows 3.1) keys could store only a single value. This naming scheme was kept for backward-compatibility. It is also the reason why each key has a ‘default’ value.
Data types
One advantage of the registry over simple ini files is that it can store typed data, and possibly binary data. Some of the more important datatypes:
ID | Symbolic Name | Description |
---|---|---|
0 | REG_NONE | No type |
1 | REG_SZ | A string |
2 | REG_EXPAND_SZ | An expandable string: can contain environment variables that are substituted |
3 | REG_BINRAY | Binary data |
4 | REG_DWORD | A 32 bit integer (double word) |
6 | REG_LINK | Symbolic link to another registry key |
7 | REG_MULTI_SZ | An array of strings, strings are separated by the NUL character |
11 | REG_QWORD | A 64-bit integer (quad word) |
There are other types available, the full list is available here.
Hives
The registry is not stored as a single file on disk but as multiple files, each representing one subtree of the full registry. For example, HKEY_CURRENT_USER
is stored in %user_home%\ntuser.dat
. These files are called hives. However, hives and root keys do not have a one-to-one correspondence. Check the next section on how each root key is actually stored.
You can list the available hives in the registry itself: they are stored under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
. It lists all the hives with the locations they are mounted at.
The hive files use a binary dataformat. The basic element in the file is the cell. A cell can be a key, a value (with name and data), a list of keys or a list of values. Then a key cell points to a list-of-keys cell to represent its subkeys and to a list-of-values cell to represent the values under the key.
Windows also keep transaction logs for each hive. They have the same name as the hive, with an additional .log1 or .log2 suffix. These files ensure that if the computer crashes while the registry is edited, no data is lost. Why are there two log files? If the system stops while .log1 is written, the new data will be added to .log2. This serves as a double protection mechanism against crashes.
Root keys
Root keys are the top level keys in the database, their name all start with HKEY. In general, HKEY_LOCAL_MACHINE
keeps the computer level settings, while HKEY_CURRENT_USER
has the settings for the current user. When a program wants to access a certain setting it should first look into HKEY_CURRENT_USER
then search HKEY_LOCAL_MACHINE
for the key.
HKEY_LOCAL_MACHINE
This key stores the computer level settings that are not specific to any users. The SAM, SECURITY, SOFTWARE and SYSTEM subkeys are stored in the folder %windir%\system32\config
, each in a different file. The HARDWARE key is not stored on disk: it is generated during startup and kept entirely in memory. The BCD00000000 key is a virtual mapping of the BCD database (Boot Configuration Data, where the bootloader keeps the information on the available operating systems).
The applications should place their settings in the SOFTWARE subkey, under a key named Vendor\ApplicationName
.
HKEY_USERS
The user specific settings. Users are referred by the Security Identifiers (SID), it is a long string looking something like S-15-20-…. Usually only the current user is loaded, plus some additional virtual users used for LAN file sharing and SharePoint. Each user has two subkeys: one that is named after the SID of the user, and another that has _CLASSES
appended to it. The latter contains information about registered applications, file types and OLE class IDs. The other contains all the additional user-level settings. Similarly to HKEY_LOCAL_MACHINE, programs should store their settings in Software\Vendor\ApplicationName
. The keys are stored in the %user_home%\ntuser.dat
and %user_home%\AppData\Local\Microsoft\Windows\usrclass.dat
hives.
HKEY_CURRENT_USER
This is simply a pointer to the current user’s key in HKEY_USERS.
HKEY_CLASSES_ROOT
This key contains all information about file associations and registered COM components. While it is not stored directly on disk, it is neither a simple pointer to another key. Instead it merges the user level component information stored in HKEY_USER\current_user_sid_CLASSES
and the system level information in HKLM\Software\Classes
. If a key occurs in both places, the user-level value takes precedence.
HKEY_CURRENT_CONFIG
Contains information used by Windows during startup. It is a Pointer to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current
.