Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97



4.3. Purposes of the Registry

If you remember back to earlier versions of Windows, you no doubt can recall the various INI files. The INI, or initialization, files provided basic parameter values for the operating system and Windows applications. The parameters in the various INI files, such as WIN.INI and SYSTEM.INI, were provided in a flat structure, with individual section headings followed by the parameters and their respective values. Any one of the users sitting at the computer could modify the settings in the INI files. The settings made to the INI files would be common to all users of the system.

Although the NT registry does away with the need for INI files in general, NT maintains a limited WIN.INI and a SYSTEM.INI for older Windows applications that cannot interpret registry values.

If you took all of your INI files and structured them into a set of nested databases, you essentially would have the registry.

Unlike INI files, which can be modified by using a text editor, the registry can be modified only through applets or registry editing tools. The two tools provided with Windows NT for modifying the registry are REGEDT32.EXE and REGEDIT.EXE.

When the registry is viewed through REGEDIT.EXE, it appears to be a single database. In reality, the registry is a collection of several files, each controlling the parameters for separate registry subtrees, as demonstrated in Figure 4.2. The five major subtrees include HKEY_LOCAL_MACHINE, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_USERS, and HKEY_CLASSES_ROOT.


Figure 4.2.  The registry viewed using REGEDT32.EXE.

Each of the various subtrees contains a set of hives, sometimes called keys and subkeys. The hives each provide the controls for subsections of the subtrees.

HKEY_LOCAL_MACHINE controls the areas of NT initialized during the boot process.

HKEY_LOCAL_MACHINE contains five hives: HARDWARE, SOFTWARE, SYSTEM, SECURITY, and SAM. The names of the hives, with the exception of HARDWARE, each correspond to files located in the \%SystemRoot%\SYSTEM32\CONFIG directory.

Each hive, with the exception of HARDWARE, has two files with corresponding names: the registry file and the log file.

The HARDWARE key does not have a corresponding file, because it is built dynamically during the boot process. Hardware detection is performed by NTDETECT.COM on x86-based systems and provided by firmware on RISC-based computers. Figure 4.3 shows the information recorded in the HARDWARE key on the author’s machine.


Figure 4.3.  Identified hardware is recorded in the HARDWARE key.

Remember that the HARDWARE key is volatile. No file corresponds with the information held in the HARDWARE key.

The SOFTWARE hive contains the information used to control applications loaded on the system. Among the software that has settings in the registry is Windows NT itself.

The SYSTEM hive is the most critical to the proper operation of NT. The parameters assigned to services and drivers are recorded to and read from the SYSTEM hive.

A series of control sets are located within the SYSTEM hive. The SELECT key, as shown in Figure 4.4, handles the selection of the control set that is used by the system during the boot process. Whichever control set corresponds to the Current value is used in the boot process.


Figure 4.4.  The SELECT subkey shows the use of each control set.

In Figure 4.4, both the Current and Default values are set to 0x1; this means they both correspond to ControlSet001. Any changes made to service or device settings will be recorded in ControlSet001.

The LastKnownGood control set has a value of 0x2 (in this case) and therefore corresponds to ControlSet002. If the system does not start properly after modifying services or drivers, the LastKnownGood control set can be used to revert to the former settings.

After you have logged on, the settings used during that system boot are recorded into the LastKnownGood control set. This is true even if services or drivers fail to start. To boot using the LastKnownGood control set, simply press the spacebar after selecting NT as your operating system.
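The Select-to-control-set mapping described above can be checked from a REGEDIT.EXE export of the SELECT key. The following is an added example, not code from the book: it parses a constructed REGEDIT4-format export that uses the Figure 4.4 values and resolves each value to its ControlSetNNN name. The `Failed` value and the function names are assumptions that the text does not cover.

```python
import re

# Constructed sample: REGEDIT4 export of HKEY_LOCAL_MACHINE\SYSTEM\Select with
# the values the text reads from Figure 4.4. "Failed" is an assumption: the
# value exists in the Select key but is not discussed in the text.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000002
'''

SELECT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\Select"
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_select(export_text):
    """Return {value name: int} for the DWORD values under the Select key."""
    values, in_select = {}, False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Track which key section we are in; only Select is of interest.
            in_select = line[1:-1].upper() == SELECT_KEY.upper()
            continue
        m = DWORD_LINE.match(line)
        if in_select and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def resolve_control_sets(values):
    """Map each Select value to a ControlSetNNN name (0 means none recorded)."""
    return {k: ("ControlSet%03d" % n if n else None) for k, n in values.items()}

def describe(values):
    """Report the live control set and the LastKnownGood fallback."""
    sets = resolve_control_sets(values)
    for required in ("Current", "Default", "LastKnownGood"):
        if not sets.get(required):
            raise ValueError("Select key is missing " + required)
    # If both names match, LastKnownGood holds no older settings to revert to.
    return {"live": sets["Current"], "fallback": sets["LastKnownGood"],
            "fallback_is_distinct": sets["LastKnownGood"] != sets["Current"]}

if __name__ == "__main__":
    print(describe(parse_select(SAMPLE_EXPORT)))
```

When auditing service or driver settings from an exported or offline SYSTEM hive, resolve the control set this way first so that the review covers the set the system actually boots with.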

The HKEY_CURRENT_CONFIG key displays the information contained in the hardware profile used during boot. Don’t confuse this with the HARDWARE hive, which reflects the actual hardware configuration for the system.

Neither the SECURITY nor the SAM hive can be directly modified. User Manager or User Manager for Domains is used to manage account information. The SECURITY hive controls system policies; for example, who has the right to log on as a service. The SAM (Security Account Manager) hive also includes user and group account information.

HKEY_CURRENT_USER displays the profile for the user who is currently logged on to the system locally. Changes that the user makes to areas of preference, such as colors and swapping mouse buttons, are recorded in the profile. The profile is contained in \%SystemRoot%\PROFILES\%USERNAME%\NTUSER.DAT and NTUSER.DAT.LOG. Each user who logs on locally to the machine will have a profile. Figure 4.5 shows the location of the profile that corresponds to the administrator on the author’s system.


Figure 4.5.  Preferential settings made by users can be stored in individual profiles. The NTUSER.DAT and NTUSER.DAT.LOG files in the Administrator directory represent the administrator’s profile.

