Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


Return to article

New Ways to Mine the Registry
From the December 1997 Edition
of Windows IT Pro
December 01, 1997
Eric Pearce
Feature
InstantDoc #287
Windows IT Pro
 

Using nontraditional methods that improve safety and efficiency

Mining for fixes and workarounds in Windows NT can be a hazardous pursuit, especially when you are exploring the depths of the NT Registry. Microsoft is quick to point out the dangers of accessing the Registry. The company precedes many of the instructions that accompany NT with scary sounding warnings about how dangerous entering the realm of the Registry can be. But despite these warning signs, you can use some nontraditional methods to enter and explore the Registry in an efficient and relatively safe manner. These tools include bypassing the usual interactive mode of Registry editing, and instead involve editing the Registry from the command prompt, batch files, and Web browsers. These methods reduce the risk of damaging the Registry because they automate the process of making changes within the Registry.

For the most part, the applets in the Control Panel and the Administrative Tools in NT are front ends to the Registry. These tools organize system settings that have a similar context, such as user administration. However, under the surface the tools only add, delete, or modify values within the Registry. If you want to change a particular Registry setting that does not have a corresponding Control Panel applet or Administrative Tool to manipulate it, you have to use a Registry editor to reach the setting. You can also use NT's Registry editors to circumvent the Control Panel applets and Administrative Tools in the interest of speed and efficiency.

Accessing the Registry
Before you begin to explore the Registry, you need to know that you can easily trash your system by fooling around with Registry settings. Make sure you back up the Registry before you go further. If you are new to diving into the Registry, I also suggest that you run a practice drill and go through all the steps for recovering from a damaged Registry before you actually need to.

NT 4.0 includes two traditional tools for editing the Registry: Regedt32.exe, which has the old NT 3.x interface, and Regedit.exe, which looks similar to the Windows 95 Registry editor. You might assume you would only want to use Regedit with its newer interface, but you need both editors because each has features lacking in the other.

For example, Regedt32 is the better of the two editors for loading, editing, and unloading Registry hives (hives are disk files that contain sections of the Registry), while keeping the hive in a separate disk space from other sections of the Registry. Hives contain a top-level key and its subkeys or a subkey of a top-level key and all its subkeys.

Regedt32 creates a separate window for each top-level Registry key (HKEY_), whereas Regedit organizes all the top-level keys in one window under My Computer. Regedt32 has a read-only mode (click Options, Read Only Mode) that lets you browse the Registry without fear of accidentally changing something.

Regedt32 can display Registry changes in realtime (click Options, Auto Refresh), so you can watch the Registry change while another Registry editor or program accesses it. You have to select the location of the Registry being changed to observe the changes.

You use Regedt32 to administer the access control lists (ACLs) in NT's Registry. ACLs are analogous to directories in the NT file system (think of keys as directories and subkeys as subdirectories). You can use both Registry editors to edit the Registry remotely. Therefore, keep in mind that the ACL for a particular Registry key determines which users (local and remote) can access that key and how.

Regedit is better for searching for values, data, and key names. For example, if you want to find every place in the Registry where NT stores the computer name, Regedit is the best tool.

You can read in and write out Registry data files when you run Regedit from the command prompt. This feature makes Registry editing available from within batch files, Telnet sessions, and scripting languages.

If you use both Registry editors often, you will want to add shortcuts within the Administrative Tools menu to both editors. Table 1 presents a comparative list of each editor's features.

Registry Changes
Most edits you make to the Registry are one-time changes. You typically change a Registry entry once and reboot. For example, you may designate a specific NT server as a domain master browser by setting the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster to TRUE, and setting this value to FALSE on other NT servers.

However, other times you may want to toggle a Registry value to observe the effects. On these occasions, you want to use a systematic approach to editing the Registry that helps ensure safety and efficiency. A good example of this concept is turning on and off Point-to-Point Protocol (PPP) logging (for information on PPP logging, see Microsoft Knowledge Base article Q115929). If you are having trouble starting a Remote Access Service (RAS) session with a remote computer using PPP, you can log the entire PPP transaction to a file for analysis. The Microsoft Knowledge Base article describes how to change the Logging value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP key. The log file contains a record of each PPP packet sent or received during the RAS session. For example:

>PPP packet received at 05/15/1997 08:53:36:145

>Protocol = LCP, Type = Identification, Length = 0x33, Id = 0x1, Port = 1

>C0 21 0C 01 00 31 12 BE 11 A0 53 68 69 76 61 20 |.!...1....Shiva |

>4C 61 6E 52 6F 76 65 72 2F 38 45 2C 20 56 65 72 |LanRover/8E, Ver|

>73 69 6F 6E 20 34 2E 35 2E 34 20 39 37 2F 30 32 |sion 4.5.4 97/02 |

>2F 32 38 |/28 |

I frequently experiment with different PPP servers, and I use this feature a lot. I want PPP logging turned on only when I'm trying to resolve a PPP-related problem, and shut off at all other times. I quickly grew tired of starting a Registry editor, finding the right key, and changing the Logging value every time I wanted to turn logging on or off.

To automate this process, I use Regedit's import and export features. When you use the import feature, Regedit can read in data from a Registry data file (usually with a .reg extension) that you specify from the command prompt. Regedit can write out a selected Registry section to a Registry data file. When reading the Registry data file, Regedit replaces any existing keys or values with those from the data file and adds any keys or values that do not match an existing Registry entry. If your goal is to edit an existing key or value, the structure (i.e., the Registry's tree-like hierarchy, which includes keys, subkeys, and values for the configuration settings) of the Registry data within the file will have to exactly match the current Registry. Otherwise, NT will simply append and ignore the new entries. To ensure that the Registry data file is always in the correct format, use the export feature to generate the file. You can export the entire Registry or any selected subkey.



For the PPP logging example, NT turns logging on when you set the Logging value to 1 and turns logging off when you set this value to 0 (the default). Use the following steps to create two Registry data files, each with a different setting for the Logging value:

  1. Start Regedit.
  2. Select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP key.
  3. Select Export Registry File from the Registry menu. This command writes out the selected key to a disk file. Choose a meaningful file name, such as Ppplogof.reg for PPP Logging Off.
  4. Use the Edit menu to change the Logging value from 0 to 1.
  5. Select Export Registry File from the Registry menu. This command writes out the new setting to a disk file. Choose another meaningful file name, such as Ppplogon.reg, for PPP Logging On.

The Ppplogon.reg file will contain a subset of the Registry. An excerpt from this file is as follows:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP]

"MaxConfigure"=dword:0000000a

"MaxTerminate"=dword:00000002

"MaxFailure"=dword:0000000a

"MaxReject"=dword:00000005

"NegotiateTime"=dword:00000096

"Logging"=dword:00000001

"RestartTimer"=dword:00000003

"ForceEncryptedPassword"=dword:00000002

"ForceEncryptedData"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\CBCP]

"Path"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,59,53,54,45,4d,33,32,

5c,52,41,53,43,42,43,50,2e,44,4c,4c,00

...

The only difference between this file and the Ppplogof.reg file is the setting (1 or 0) for the Logging value. If you don't know what the differences are, you can type FC at the command prompt to compare the files. You can use the /L switch with the FC command to compare the files in ASCII mode and use the /N switch to number each line during the comparison.

Now you have two Registry files that you can safely import into the Registry to toggle PPP logging on and off. You don't have to manually search for the right Registry key or worry about making typing mistakes in the Registry.

To turn logging on, use the Import Registry File option from the Registry menu on Ppplogon.reg. To turn logging off, use this same option on Ppplogof.reg.

An easier way to import changes into the Registry is to use NT Explorer to browse a directory for the .reg files, and double-click the files. As long as you have associated the .reg file type with Regedit.exe (i.e., so that Regedit opens when you double-click a file with a .reg extension), NT will import the file automatically. However, this approach can lead to a serious security concern. For example, someone can put data in a .reg file that would compromise your system or ruin data. You usually want to associate the .reg extension with a safer application, such as Notepad.

A better solution is to use NT's import and export features from the command prompt. You can toggle PPP logging from the command prompt using the Registry data files you have created. To turn PPP logging on, go to the command prompt and type

regedit /s ppplogon.reg

To turn PPP logging off, go to the command prompt and type

regedit /s ppplogof.reg

The /s switch suppresses the pop-up message saying that information in <filename> has been successfully entered into the Registry. You can even import the same .reg file multiple times without having to worry about damage, because you're overwriting only one value.

To confirm that the Registry files are doing the right thing, you can use Regedt32's Auto Refresh feature to watch the Registry changes take place in realtime.

  1. Start Regedt32.
  2. Make sure you select the Auto Refresh feature under the Options menu.
  3. Select the key you want to observe (e.g., HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP).
  4. Start a new command window.
  5. In the command window, run Regedit /s ppplogon.reg.
  6. Run Regedit /s ppplogof/reg.

As you run Regedit from the command prompt, Regedit32 will display the Logging value changing from 0 to 0x1 and back.

To further simplify the process, you can put the commands in batch files. For example, create a Ppplogon.bat file that contains regedit /s ppplogon.reg and a Ppplogof.bat file that contains regedit /s ppplogof.reg. Now all you have to do is type ppplogon or pplogof at the command prompt.



Editing the Registry on Multiple Computers
To make Registry changes to several computers across the network, you can use the System Policy Editor (SPE) to create policies that download to each computer as it logs on to the network. (For information on SPE, see Related Articles in Windows NT Magazine.) You can also use Regedit's import feature as a low-tech alternative to the SPE. For example, if you want to change a specific Registry setting on multiple computers, you can create a Registry data file with the new setting and import it on each computer you want to modify. In Clayton Johnson's, "Installing Applications Across the Network," April 1997, the author suggests that you use a share that anybody on the network can connect to and install optional software from. This approach requires that you visit each workstation and add a new value (AppInstallPath) to the Registry before the user can take advantage of the share. You can create a .reg file with the new value and place it on the share. The first time a workstation connects to the share, the user imports the Registry file, which enables the network installation feature on the user's computer.

For the example in Clayton Johnson's article, you need to add the AppInstallPath value to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion key. Following the instructions in the article, edit the Registry, add the value, and give it the path of the Apps.inf file. Then use Regedit to export the Registry key to a file. The file will look similar to the following:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]

"DevicePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,69,6e,66,00

"MediaPathUnexpanded"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,4d,65,64,

69,61,00

"ProgramFilesDir"="D:\\Program Files"

"CommonFilesDir"="D:\\Program Files\\Common Files"

"MediaPath"="D:\\WINNT\\Media"

"AppInstallPath"="\\\\server1\\winnt\\inf\\apps.inf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths]

...

Using a text editor, remove everything from the file except REGEDIT4, the first key, and the AppInstallPath items. This step will leave you with just the following:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]

"AppInstallPath"="\\\\server1\\winnt\\inf\\apps.inf"

The file now contains only the new entry, so NT won't overwrite any existing entries when you import the file. The [HKEY...] line simply identifies the right location for the new entry.

Name this file something intuitive, such as Appinst.reg, and place it on the share you are using for software distribution. Create a batch file that runs Regedit on the .reg file. For example, Appinst.bat could contain regedit/s appinst.reg. Now when users want to enable their workstation for the network software installation, all they have to do is go to the network share and run Appinst. This approach is a vast improvement over visiting each workstation and editing the Registry by hand.

Registry Editing Over the Web
You can also use a Web browser to edit the Registry, but this practice can be risky. If someone maliciously or accidentally causes your Web browser to import a Registry file, that user can corrupt or compromise your system. Listing 1, page 178, shows HTML that uses links to the Registry scripts I created earlier.

After I created the HTML, I selected the Programs tab from Options under the View menu in Internet Explorer (IE) to designate Regedit as a viewer for .reg files. I set the action to be Open with the application command line set to C:\Winnt\Regedit.exe /s "%1". When you view the HTML file and double-click the link, the Web server downloads the .reg file to the Web browser, which runs Regedit on the file (%1). Screen 1 shows the HTLM page in IE. Obviously, this example is not the most sophisticated HTML front end to the Registry, but it demonstrates some powerful features.

Never leave your Web browser configured this way when you're browsing the Internet, but this method has possibilities for intranet use. For example, you can create a Web page that lets your remote NT users make Registry edits on their machines simply by going to your Web site, reading the instructions, and clicking a few buttons.

If you are administering NT computers in a complex production environment, you'll want to develop some tools for making Registry changes in a safe and efficient manner. You have several choices mining the NT Registry.








ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Free CDs Offer Fundamental Content for IT Pros
Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Exchange Server 2010: Deploying Unified Communications - Virtual conference
December 1, 2009 - Free Registration. Build your Unified Communications future on a strong Exchange Server 2010 foundation.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement