Altering the Windows NT Configuration Database
Can Be Very Useful--And Very Dangerous

Registry Secrets
Every Windows NT system uses a central, secure repository called the Registry to uniquely describe a specific system installation, including installed applications, the system security policy, and user-specific operating environments. This database describes in detail all installed hardware components and associated configuration information, the version number of each installed system module, and information unique to add-on applications. The Registry also contains a complete description of the graphical desktop and network connections for each user who has logged on to the system interactively.

The Registry is populated by a variety of system modules, starting at boot time, and is added to or modified by the configuration tools accessed via the Control Panel, NT Setup, User Manager, and other administrative utilities, third-party configuration disks, and software installation procedures. While NT has many graphical applets that automatically record configuration information in the Registry, there are many occasions when you must manually edit the Registry. You can modify it directly through the Registry Editor, a special editor that works with the format and layout of the configuration database.

Design Goals
The Registry is the implementation of several important design goals for NT. First, the design team wanted to centralize all configuration information, while accommodating the data and storage needs of system components. The Registry replaces the complex and fragmented collection of initialization and configuration files used in Windows 3.1 with a central database, and it provides all the data required to describe and operate a specific workstation or server.

Second, the developers wanted to provide discretionary access control to local and remote configuration data. You can protect each key in the Registry with an Access Control List (ACL), which allows selected users to modify the contents of the Registry and grant to others read-only access to that data. Clearly, it is a great improvement over the publicly accessible .INI files of previous Windows platforms.

Third, because NT is a multi-user system, it must record and preserve security and graphical desktop information on an individual basis. The Registry contains a permanent record of per-user, per-application, per-machine configuration information.

And fourth, the developers wanted to provide a single API to access configuration data. This API permits Microsoft and other vendors to use the Registry to validate hardware and software information, register applications in a standard way, and provide a central data store for asynchronous system components. From the Registry you can determine in a matter of minutes all the hardware components installed on a local or remote system, the BIOS revision levels for motherboards and video adapters, the number and type of SCSI adapters, the devices installed on each adapter, and the IRQ, address, and DMA-channel assignments for specific components. On the software side, you can see installed applications and system configuration data set by various NT applets. You also have access to and the ability to customize the desktop environment for every user with an account on the system. Through careful and prudent use of the Registry Editor, you can, for example, fine-tune network parameters, log Remote Access Services (RAS) and FTP connections, and clear up line-printer and post-office problems.

The Registry Editor
Once you have installed Windows NT Workstation or Windows NT Server, the Registry's values are normally correct for the local hardware and software. While the standard tools do a reasonable job of maintaining configuration information, there are many entries for which no GUI exists. In this case, you must directly edit the configuration database to adjust the system configuration. Those who use the Microsoft Knowledge Base regularly are familiar with the number of fixes that you can make only by manually editing a cryptic value in the Registry database. When you must directly modify Registry keys and values--trust me--use the Registry Editor

.

The full pathname for the Registry Editor is %systemroot%\system32\ REGEDT32.EXE, where %systemroot% normally defaults to "winnt." If you use a different name for your system root, be sure to specify it correctly when you invoke the Registry Editor. It is not loaded as an icon at installation. There are three ways to start the 32-bit Registry Editor:

  • Run it from the Program Manager file, the Run menu.
  • Locate it in the File Manager, and double-click on the executable.
  • Add it to the Administrative Tools program group.

There is another file, called REGEDT.EXE, that exists solely for compatibility with 16-bit Windows applications. Do not use that version to access the Registry; it can trash your system.

With the Registry Editor, you can load either a local or a remote Registry, providing you have a valid username and the necessary rights and permissions on the target system. This capability enables you to examine and modify configuration data on any system on the network; it's invaluable for troubleshooting and user support. Once the database is loaded, you can display, add, modify, and delete keys and values, protect keys with an ACL, modify user profiles, and audit the success or failure of nine types of access to selected keys.

For example, you can determine the BIOS level on your graphics adapter by displaying a specific field in the hardware section. You can configure an additional serial port by adding a key and several values in the active system ControlSet. Similarly, you can add a legal notice by adding a value to the Winlogon key. And you can replace the default NT Workstation or NT Server logo with your own bitmap by editing a field in the DEFAULT profile.

The first step in mastering the Registry is to understand the design and layout of the configuration database. Learning how to interpret the database, relate keys and values to specific hardware or software components, and modify or add keys and values is an essential survival skill for systems and network administrators and power users. Because the Registry contains data that is absolutely critical to system operation--data accessed by device drivers and client/server processes--great care must be taken when you modify it.

Incorrect changes made in key areas of the database can result in an unbootable system and force reinstallation, at which point you lose all of your system-specific customizations. The following warning is issued by Microsoft whenever you need to use a Registry modification procedure to correct a problem or customize the operating system:

Warning: Using Registry Editor incorrectly can cause system-wide problems and may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of the Registry Editor can be solved. Use this tool at your own risk.

What's in the Registry?
The Registry consists of literally thousands of individual data items that describe in great detail every aspect of a specific installation, from the hardware to valid users to customized logon messages and performance-monitoring profiles. These data items are organized into keys and optional values. Keys are grouped together in a meaningful way so that related information is easily accessed and cross-referenced.

Each area of the Registry has a standard set of keys which are common across all NT installations. Within these keys, system-specific values describe hardware components, operating-system components, and bootable configurations. Then the variations begin. For example, if a network card is installed, there are several entries that describe its hardware component type (e.g., NE2000, EtherExpress), IRQ and base address, loaded driver, and related network services. There are other entries that indicate the protocols that have been bound to the network driver for that card. Another common variation is the type of graphics adapter installed or the type and mode of a sound card or SCSI adapter.

If you compare one database to another, you'll find standard keys with significant value variations. Each hardware component causes multiple subkeys to be placed under the hardware, software, and ControlSet keys. If one system has many applications while another has only a couple, the system with many will have many more keys in the software section. Likewise, a primary or backup domain controller has many more entries than an NT Workstation, entries that describe server components and their operational parameters.

Registry Organization
The Registry is one large database, structured like a hierarchical file system. It is presented in four views, called subtrees (see Screen 1). These subtrees describe hardware and software configuration, security data, user-specific operating environments (profiles), the currently logged-on user, file associations, and application-specific Object Linking and Embedding (OLE) information. Each view has a name that begins with the string HKEY, which stands for "Handle to a Key." A handle is a programming construct used to access NT objects.

The Registry Editor displays the configuration database in much the same way that the File Manager displays directories and files. In the Registry, keys appear on the left side and values appear on the right. To see both keys and values, select View-->Tree and Data from the Registry Editor menu.

Like the File Manager, when a key has subkeys, it is displayed with a plus sign (+) on the folder. Double-clicking on the key expands it to the next lower level, at which point a lower key may also have a plus sign. You can continue expanding keys until a single path is 8 or 10 levels deep.

For example, the path-name HKEY_ MCURRENT_USER\Control Panel\ Desktop points to the values associated with desktop settings for the currently logged-on user. If you expand this key on your system with the Registry Editor, you will find settings for the Program Manager font and size, icon title size, screen-saver settings, wallpaper filename, and so on.

Registry Values
Each subtree contains multiple keys, and each key contains a "+" if you can expand it. When you highlight a key, any values associated with it appear in the window on the right. The value portion may be empty, or it may contain a line or lines, depending on the key you select. Values have three parts: a field name, a data type, and the number or string associated with it; the parts are separated by colons.

SID:REG_BINARY:01 05 00 00 00 00 00 05

InstallDate:REG_DWORD: 0x2e2d8e6c

SystemRoot:REG_SZ:E:\winnt

DumpFile:REG_EXPAND_SZ:%SystemRoot%\memory.dmp

PagingFiles:REG_MULTI_SZ:E:\ pagefile.sys 32 32 h:\pagefile.sys 43 94

There are two basic data types: numeric and string. Numeric data types are REG_BINARY or REG_DWORD and the data is displayed as binary or hex, depending on the value you examine. There are three string types: REG_SZ for a single variable-length string; REG_EXPAND_SZ for a string that contains embedded variables such as %SystemRoot%; and REG_MULTI_SZ for a variable-length string that contains embedded carriage returns.

Registry Views
HKEY_LOCAL_MACHINE is the location for hardware, software, and security information. This view is where you most often make changes to the Registry to correct problems with the current configuration or to customize a specific component or service.

HKEY_CLASSES_ROOT contains information on file associations and application-specific data for OLE. This subtree is actually a pointer to data contained in the HKEY_LOCAL_MACHINE\ Software\Classes key.

HKEY_USERS contains the default user profile (.DEFAULT) and a profile for the current interactive user stored under the user's Security Identifier (SID).

HKEY_CURRENT_USER contains a profile for the current interactive user. This tree is actually a pointer to information stored under HKEY_USERS\SID.

The most important subtree, HKEY_ LOCAL_MACHINE, contains five main keys: HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM (see Screen 2). The HARDWARE key contains a detailed description of the installed hardware (e.g., motherboard, video adapter, SCSI adapters, serial ports, parallel ports, sound cards, network adapters, and so on). Data in the HARDWARE key is volatile and computed at boot time. When your hardware configuration changes, the changes are reflected in the HARDWARE key at the next boot.

The next two keys, SAM, which stands for Security Accounts Manager, and SECURITY have no visible information, as they point to security policies and user authentication information for the specific site. The keys and values in these two keys are created, modified, and removed with either the User Manager or the User Manager for Domains. The Registry Editor does not display this data.

The SOFTWARE key contains a list of file extensions and associated applications, one key for each application that follows the configuration database registration procedure, and one key for each loaded network driver. Many cryptic keys are added when you install OLE-compatible software packages. Third-party vendors are encouraged to use the Registry to record application-specific configuration information and OLE compliance in this section. This key also contains machine-specific configuration information for operating-system components, including the version of all key components in Windows NT.

The last key, SYSTEM, describes bootable and non-bootable configurations in a group of ControlSets, where each ControlSet represents a unique configuration. Within each ControlSet, two keys describe operating-system components and service data for that configuration. This key also records the configuration used to boot the running system (CurrentControlSet), along with any failed configurations and the LastKnownGood configuration. Finally, the Setup key records the command used to install NT and the boot disk and provides a list of the OEMSETUP files required to install hardware components.

What's It Good for?
One obvious use of the Registry is to check on the configuration of a specific hardware component, whether on a local or remote system. The HARDWARE key in HKEY_LOCAL_MACHINE records every installed device, identification information, and configuration details. The DESCRIPTION key contains motherboard and video adapter information; DEVICEMAP contains the device names for each installed component; and RESOURCEMAP relates the loaded drivers to the device names.

Screen 3 shows a system with two SCSI adapters, SCSI Ports 0 and 1. When you expand the port keys, you see the number of devices attached to each port and its SCSI ID. Highlighting the Logical Unit key displays the makes and models of the devices attached to the adapter. In screen 3, the device with SCSI ID 5 is a Toshiba CD-ROM 3401. Since SCSI adapters are normally configured with an ID of 7, highlighting this key will display the make and type of the adapter in use.

Another common Registry operation is making adjustments to existing components according to instructions in the NT Knowledge Base. Registry edits are issued on a regular basis to assist you in fine-tuning NT components, to activate logging for many operations, and for troubleshooting.

Most Registry modifications are made in one of two ways: You change a value already present for the key, or you add the value, including the field name, data type, and number or string. To modify an existing value, simply double-click on it to display a dialog containing the current number or string. Enter the new value, and click on OK. To add a new value, pick Edit-->Add value from the Registry Editor menu. Enter the value name, data type, and number or string, and click on OK. If you are unsure of the change you are making, click on Cancel, and start over. Remember, you can destroy part or all of the running configuration with an incorrect change.

Only the Beginning
I have barely touched the surface of what the Registry does. There are many ways in which it can help you administer and customize your Windows NT installation. Windows NT Magazine will explore the many different aspects of this essential component of NT in future issues. Just remember: If you hack at will in the Registry, you can permanently corrupt your system.