Windows Registry Structure And Function

by: Kenth Nasstrom

You can view the structure of the Windows Registry when you open it up with a Registry Editor utility like REGEDIT.EXE or REGEDT32.EXE.

If you’ve never opened the Registry before, you might be surprised and comforted by its familiar-looking layout. Its hierarchical data structure is much like the one you see every day in Windows Explorer, except that here the units of the tree are keys, subkeys, and values rather than directories, subdirectories, and files. But any intuitive understanding of the Registry’s content (for most people) ends right here, because the Registry was designed more for the operating system and installed applications than for humans.

The Registry’s hierarchical data structure and central location allow Windows and hosted applications to quickly locate their configuration settings and default parameters, but the values stored in the Registry for these parameters differ from the internally defined values used by the applications themselves. This can make altering application settings from within the Registry a grueling and tedious task, which is why most changes to Registry data are more easily (and more safely) made by changing settings from within individual applications or system utilities.

A Closer Look at Registry Structure

The primary divisions of the Windows Registry are seen as a list of 4-6 expandable folders, called root keys or subtrees, in the left pane of the Registry Editor window. These can be expanded to show the keys and subkeys, which can be expanded in turn to show further subkeys below them or their value entries, listed in the right pane of Registry Editor. The Registry subtrees and a description of their contents are as follows:

• HKEY_LOCAL_MACHINE (HKLM): This root key (or subtree) contains configuration data specific to the local computer, including its hardware devices and operating system components. The information contained within HKLM is independent of the current user and applications or processes in use.

• HKEY_CLASSES_ROOT (HKCR): This root key contains the file-class, OLE, and COM object data. The keys, subkeys, and data within this subtree are linked to (and identical to) those contained in the HKEY_LOCAL_MACHINE\Software\Classes\ subtree.

• HKEY_CURRENT_CONFIG (HKCC): This root key is added to make current versions of Windows compatible with older Windows 95 applications. It is derived from HKLM\System\CurrentControlSet\HardwareProfiles\Current and contains configuration settings for all currently active hardware.

• HKEY_CURRENT_USER (HKCU): This root key contains profile information for the user currently logged in. Each time a user logs on, HKCU is rebuilt with that user’s profile data from HKEY_USERS.

• HKEY_USERS (HKU): This root key contains the default profile and the profiles of all users who have logged onto the computer.

• HKEY_DYN_DATA (HKDD): This root key is found only on Windows 95/98/ME. It is linked to HKEY_LOCAL_MACHINE and contains information about Plug and Play hardware components. HKDD is for use with the Plug and Play features of Windows, and this section changes as devices are added to and removed from the system.

The “HKEY_” at the beginning of each root key’s name indicates that the key is a unique identifier (or handle) that programs can use to access resources. Each of these root keys branches out, first into keys and then further into subkeys. At the end of these branches of keys and subkeys lie the Registry data, or value entries, corresponding to the data stored in the hive files. The Windows Registry can store several different value types, but the most common that you will see are binary, strings (text for humans), and DWORD (Boolean) values.
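The root key, key/subkey, and value-entry hierarchy described above can be seen by parsing a small Registry Editor export (.reg text). This is an added example, not part of the original article: the .reg export format is not covered on this page, the key names and values in SAMPLE are constructed, and only the three value types named above are decoded.

```python
import re

ROOTS = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CLASSES_ROOT": "HKCR",
         "HKEY_CURRENT_CONFIG": "HKCC", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_USERS": "HKU", "HKEY_DYN_DATA": "HKDD"}  # root keys listed above

# Constructed sample in REGEDIT export format (not taken from a real system).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"
"AutoUpdate"=dword:00000001
"LicenseBlob"=hex:de,ad,be,ef

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp\Settings]
"Theme"="dark"
'''

def decode_value(raw):
    """Return (type_name, python_value) for one exported value entry."""
    if raw.startswith("dword:"):
        return "DWORD", int(raw[6:], 16)            # 32-bit integer as hex text
    if raw.startswith("hex:"):
        return "BINARY", bytes.fromhex(raw[4:].replace(",", ""))
    if raw.startswith('"') and raw.endswith('"'):
        # Strings escape backslash and quote with a leading backslash.
        return "STRING", re.sub(r"\\(.)", r"\1", raw[1:-1])
    raise ValueError(f"unsupported value type: {raw!r}")

def parse_reg(text):
    """Map (root_abbreviation, subkey_path) -> {value_name: (type, value)}."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[([^\\\]]+)\\?(.*)\]", line)
        if key:                                     # a [ROOT\key\subkey] header
            root, path = key.groups()
            if root not in ROOTS:
                raise ValueError(f"unknown root key: {root}")
            current = tree.setdefault((ROOTS[root], path), {})
            continue
        entry = re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.+)', line)
        if entry and current is not None:           # a "name"=data value entry
            current[entry.group(1)] = decode_value(entry.group(2))
    return tree

if __name__ == "__main__":
    for (root, path), values in parse_reg(SAMPLE).items():
        print(root, path.split("\\"), values)
```

Value types outside the three handled here raise ValueError instead of being silently skipped.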

Registry Hives

Much of the information contained in the Registry is stored on the computer’s hard drive as a set of binary data files aptly named “hives”. The hives are permanent Registry components, serving as both supporting files from which Windows retrieves Registry data during system startup, and as backup files that the Registry writes to each time its supporting data is altered or changed through a process called flushing. Flushes are automatic and occur within a few seconds after changes are made to the Registry.