The system registry is a global repository of information. A machine's OS and applications read from and store configuration information in this repository. Microsoft introduced the registry in Windows 95. Windows 3.1 had a system file called reg.dat that was a systemwide database that contained information about all the OLE objects registered on a given machine. Microsoft expanded the reg.dat file into the registry.

This column is the first in a series that will guide you through the jungle of keys and values in the registry. I won't teach you how to hack the system—just where to search for the information that you or your applications need. If you access the registry for read-only purposes, all is fine. Otherwise, keep your attention at the highest level because the registry is a delicate data structure in which inconsistencies can cause serious damage to the entire Windows system.

In this registry series, I'll describe the registry's layout in terms of the files that form it and in terms of the data organization. I'll examine the registry's content and give insights about how to back it up. In this first installment, I discuss the registry's internal structure and the tools you need to work in it.

The Registry Tool Chest
The tools you need to work in the registry depend on the tasks you want to perform. To read and write registry content, you need an interactive graphical tool or a scriptable object model. To search the registry for a certain piece of data, an interactive graphical tool is best. Windows OSs offer two interactive graphical tools: regedit and regedt32. Regedit, which is called the Registry Editor, is available on all Windows systems. Regedt32, which is called the Win32 Registry Editor, is available only on Windows 2000 and Windows NT. Both registry editors let you search, read, and write registry contents.

If you know exactly what to read or write in the registry and you want to perform that task programmatically, you can take advantage of a scriptable object model. To write a script that manipulates the registry, you can either use the registry editors' declarative language or leverage the simple, yet effective, set of methods that the Windows Script Host (WSH) object model provides. Before you can use WSH or the registry editors, you first need to understand the registry's structure.

The Registry's Structure
Microsoft used a hierarchical layout that resembles a tree to organize all the information in the registry. The registry has several main nodes, or hives. Each hive contains an unlimited number of subnodes, or keys, and elements. Each element represents a leaf value, or entry. An entry consists of a name and some numeric or string content. Registry entries have a data type that is part of a fixed set. In general, the data types in the fixed set evaluate to numbers or strings.

The registry contains two basic types of information: user-specific settings and machine-specific settings. These settings can apply to both Windows and user applications. In addition, the registry contains information about the Windows system, including static data (e.g., data about installed drivers) and dynamic and volatile data (e.g., data about loaded drivers).

As Figure 1 shows, the main registry hives are

  • HKEY_CLASSES_ROOT. This hive contains information about registered objects and classes, including COM components, documents, and types of objects (e.g., folders, printers, drives).
  • HKEY_CURRENT_USER. This hive contains configuration information about a single user. Although HKEY_CURRENT_USER is a subset of the HKEY_USERS hive, it appears on the same level as HKEY_USERS because HKEY_CURRENT_USER is a virtual hive. Virtual hives simplify access to subsets of large hives.
  • HKEY_LOCAL_MACHINE. This hive represents the machine as a whole and stores all its hardware and software settings.
  • HKEY_USERS. This hive contains information about all users.
  • HKEY_CURRENT_CONFIG. A subset of HKEY_LOCAL_MACHINE, this hive contains configuration information about the current configuration of the machine. Like HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG is a virtual hive.

For backward compatibility with the Windows 3.1 reg.dat file, each hive can have one unnamed entry plus any number of named entries. Microsoft retained this unique unnamed entry because in Windows 3.1, hives had just one entry. Consequently, that entry had no name and was commonly referred to as the hive's default value.

In Win95 and later, the unique unnamed entry in the registry continues to be called the default entry. The registry editors use the display name of (Default) for this entry. Like all other entries, the default entry has a data type.

The Registry Editor
Figure 1 shows the Registry Editor for a Win2K machine. (This tool's UI is slightly different on other versions of Windows.) The left pane contains a treeview that lists all the main hives. If you select a hive in the left pane, the right pane contains all the entries available for that hive. The Registry Editor lets you edit, rename, and delete hives and entries. However, you can't delete the default entry.

The Registry Editor also lets you perform searches with the Find command. You can search for hives or keys with a certain name, or you can scan the stored data for a match to a whole or partial string. The Registry Editor's Find command works similarly to Microsoft Word's Find command.

Other interesting commands in the Registry Editor are Import Registry File and Export Registry File. The Registry Editor can export portions of the registry tree in a text-based file format called the REG format. This format provides a description of all the hives and their entries. The REG file format also works with importing. When you import a valid REG file to the Registry Editor, the program makes sure all the described nodes exist with the specified entries and content. To import a REG file, you can either use the Import Registry File command in the menu or specify the filename on the command line. In addition, because REG files are registered with the Registry Editor at the shell level, you can double-click any REG file in Windows Explorer to submit the file's content to the Registry Editor.

Figure 2 illustrates the typical content of a REG file for the HKEY_CLASSES_ROOT\.txt branch on a Win2K machine. The first line in Figure 2 is a header. Square brackets enclose each hive's name. The hive's entry-value pairs appear after the name. Double quotes enclose the entry names and values. The at (@) sign identifies an unnamed entry. Pathnames need a double backslash to differentiate them from registry hives.
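To make the REG format concrete, here is an added Python parser (not code from the article) for the syntax described above: the header line, bracketed key names, quoted name/value pairs, @ for the unnamed default entry, doubled backslashes in pathnames, plus the dword: and hex(2): forms that regedit uses for REG_DWORD and REG_EXPAND_SZ data, including the backslash-wrapped continuation lines of long hex data. The sample export and the ExampleCo key are constructed for this example.

```python
import re
_ENTRY = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')   # @ or "name", then =value
_HEX = re.compile(r"^hex(?:\((\w+)\))?:(.*)$")           # hex: / hex(2): / hex(7):
_unescape = lambda s: s.replace('\\"', '"').replace("\\\\", "\\")  # undo \" and \\

def parse_reg(text):
    """Return {key: {name: (type, value)}}; name "" is the (Default) entry."""
    if not text.startswith("Windows Registry Editor Version"):
        raise ValueError("not a REG export: header line missing")
    tree, key, pending = {}, None, ""
    for raw in text.splitlines()[1:]:
        line, pending = pending + raw.strip(), ""
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):   # [hive\key] line
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        if line.endswith("\\"):                            # wrapped hex data
            pending = line[:-1]
            continue
        m = _ENTRY.match(line)
        if key is None or not m:
            raise ValueError("malformed line: " + line)
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            tree[key][name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.startswith("dword:"):
            tree[key][name] = ("REG_DWORD", int(data[6:], 16))
        else:
            h = _HEX.match(data)
            if not h:
                raise ValueError("unknown value syntax: " + data)
            kind = {None: "REG_BINARY", "2": "REG_EXPAND_SZ"}.get(h.group(1), "hex(%s)" % h.group(1))
            blob = bytes(int(b, 16) for b in h.group(2).split(",") if b)
            if kind == "REG_EXPAND_SZ":                    # NUL-terminated UTF-16LE
                blob = blob.decode("utf-16-le").rstrip("\0")
            tree[key][name] = (kind, blob)
    return tree

# Constructed sample export (not the article's Figure 2); ExampleCo is hypothetical
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ExampleCo\Demo]
@="Demo default"
"Editor"="C:\\WINNT\\notepad.exe"
"Count"=dword:0000000a
"Tip"=hex(2):25,00,55,00,53,00,45,00,52,00,4e,00,41,00,4d,00,45,00,25,00,\
  00,00
'''
```

Running parse_reg(SAMPLE) yields one key whose default entry is a REG_SZ, whose Editor path has single backslashes again, and whose Tip entry decodes to the REG_EXPAND_SZ string %USERNAME%.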

In Win2K, the Registry Editor has an additional capability: a menu that lists all your favorite hives for faster access. However, Win2K's Registry Editor reopens on the same key you had open last, which might not be too helpful.

The Win32 Registry Editor
Figure 3 shows the Win32 Registry Editor, a tool available only on Win2K and NT machines. The Win32 Registry Editor's Registry menu provides the Save Key and Restore commands. These commands offer the same functionality as the Import Registry File and Export Registry File commands in the Registry Editor. However, the Win32 Registry Editor doesn't support the REG format, so you must save and restore files in a binary format.

The Win32 Registry Editor's File menu provides the Save Subtree As command, which creates a text file like the one that Figure 4, page 13, shows. For the keys, the file gives the date and time of the last write, which can be useful for logging purposes.

If you need to create new values, the Win32 Registry Editor gives you more alternatives than the Registry Editor. With the Win32 Registry Editor, you can create entries of any data type; with the Registry Editor, you can create only entries of the string, 32-bit number, or binary data type.

The most important difference between the two registry editors is that the Win32 Registry Editor has a Security menu and can show permissions on a per-user basis, whereas the Registry Editor doesn't. The system registry is subject to security restrictions; using the Win32 Registry Editor, you can set permissions for each hive in the overall tree. However, you can't set permissions on a single entry, which means all the entries in a given key will have the same read and write permissions for a certain user or group of users. You can decide whether all the children inherit the key's permissions.

Using WSH
Neither registry editor can help you when you want to programmatically read or write to the registry. Instead, you can use VBScript and WSH to take advantage of the methods that the WScript.Shell object exposes. First, you need to use the CreateObject method to create an instance of the WScript.Shell object with code such as

Set shell = CreateObject("WScript.Shell")

Then you can use the object's three methods: RegRead, RegDelete, and RegWrite.

To read an entry in the registry, you use RegRead. This method takes one argument: the name of the entry to read. If you want to read the hive's default entry, you put a backslash at the end of the hive name. The code in Listing 1 gives an example of how to read the registry. This code reads the registered name and organization of the owner of the Windows software on the local machine.

To delete a registry entry or hive, you use RegDelete. This method also takes one argument: the name of the entry or hive to delete. Under Win2K and NT, RegDelete deletes a hive only if it's empty—that is, it doesn't contain keys. Under Win9x, the deletion works recursively and RegDelete automatically deletes any child keys. A node is considered empty only if it doesn't contain child hives, no matter how many leaf values it contains.

To write to the registry, you use the RegWrite method, which takes three arguments. The first argument specifies the registry entry to write to. If you want to write to the default entry, you put a final backslash after the key name. The second argument is the value to write. The optional final argument is a string denoting the value's data type. If you omit this argument, the method defaults to REG_SZ (i.e., a string).

The code in Listing 2 gives an example of how to write to the registry. This code replaces the existing text for the infotip (i.e., text that provides information at the shell level) that appears for the My Computer icon under Win2K and Win98. If you're running NT or Win95, this code will work only if you've installed Microsoft Internet Explorer (IE) 4.0 or later with the Active Desktop update. (For information about this update, see "Customizing the Windows 2000 Active Desktop," August 2000.)

A string containing two environment variables—%USERNAME% and %COMPUTERNAME%—replaces the existing text. These variables represent the machine's user and name, respectively. More important, the script changes the data type to REG_EXPAND_SZ, which informs the shell that elements in the string need expansion. Figure 5 shows the results from running the code in Listing 2.

Next Month
As I just mentioned, Listing 2 changes the data type to REG_EXPAND_SZ. I'll discuss this data type and the others next month.