Deeper into the Windows Registry

admin

Deeper into the Windows Registry

[size=13.008px]This article is work in progress so don't rely on it being completely correct. The format of some sections is likely to dramatically change to clarify and simplify the content. There will also be further work added to bring it up to Windows 8. I am publishing it now to give people the opportunity to ask questions and suggest improvements.

• What is the Windows registry?
• What activities change the Windows registry?
• How is the registry stored on disk?
• How is the registry stored in memory?
• How is the registry managed?
• How does Windows startup use the registry?
• Answers to some other common questions
  

What is the Windows Registry?The complete registry only exists in memory

[size=13.008px]The registry is commonly described as a hierarchical database. But you may not have realized two important facts:

• The registry database is only ever complete when loaded into your computer's memory.
• The registry is the sum of two parts, the data and the processes that create it and provide access to it.
  

Diagram 1 - Windows assembles the registry in memory

[size=13.008px]In other words, the registry hive files stored on your disk are not the complete registry. The complete registry is created during the startup process and assembled in memory.

[size=13.008px]This is so important so I'll repeat it. At the heart of the registry is a database that exists in two main forms:

• Some registry hives are stored on disk even when Windows is not running.
• All the registry hive structures only exist in memory. This includes a set of volatile hives that only exist when Windows is running.
  

The registry can only be accessed  through the Registry Configuration Manager

[size=13.008px]The other Windows components that allow the registry data to be accessed are in the Windows kernel. The Registry Configuration Manager is the most dedicated but other kernel components like the Object Manager provide further essential capabilities. These are discussed in more detail in How is the registry managed? but here's a preview so you can picture it.

Diagram 2 - Windows kernel components provide access to the registry

[size=13.008px]What this means is that when your computer is turned off the registry does not exist even though most of the registry data is stored on disk.

The beehive references started as a joke

[size=13.008px]In reading about the registry you may have noticed the references to hives, bees and cells. They are a long running joke. Apparently, one of the developers hated bees and another developer took the opportunity to introduce many references to bees. It is also relevant that the registry database is indexed using binary trees or B-trees (pronounced "Bee-trees"). That's why the primary database structures are called hives.

[size=13.008px]You can see registry database structure by running the registry editor, RegEdit. It shows one hierarchical tree but the Windows registry is not one big database file. The primary data structure is the hive of which there are several. Each hive is indentified by a root key which provides access to all sub-keys in the tree up to 512 levels deep.

Each hive has a root key

[size=13.008px]There are six pre-defined root keys which are used to access all other keys or sub-keys. In other words, the binary tree is traversed from the root downwards. So new keys are added through these root keys and all existing keys have to be found through the root keys. One disadvantage of this approach is that a problem with a higher key may prevent access to lower keys. In practice this does not occur very often.

[size=13.008px]The following table lists the root keys with the abbreviations that will be used in the remainder of this article.

Table 1 - Registry root keys
Root Key Abbreviation	Root Key Name	Component data is stored for
HKCC	HKEY_CURRENT_CONFIG	Current hardware
HKCR	HKEY_CLASSES_ROOT	Classes (types) of documents and registered applications
HKCU	HKEY_CURRENT_USER	Current logged-on user
HKLM	HKEY_LOCAL_MACHINE	The system hardware, software and security
HKPD	HKEY_PERFORMANCE_DATA	Performance data
HKU	HKEY_USERS	User profiles

Registry HKEYS are handle keys used to access the registry objects

[size=13.008px]As shown in Diagram 2, programs gain access to the registry by using the Registry Application Programming Interface (API) which provides a standard set of functions for the Windows sub-systems and application programs to access and update the Registry. This is how the Registry editor (RegEdit) and other utilities work. When a program uses the API to access the registry the Windows Object Manager will return a handle for the object identified by a key. That is why the "HKEY" in the root keys means "handle key".

[size=13.008px]Although the handles are valid in any registry they can be used differently in different versions of Windows. Also, some registry handles are not provided from the registry hives. HKPD, for example, is diverted by the API to the Windows performance management sub-systems. That is why you cannot find HKEY_PERFORMANCE_DATA when you use the Registry editor.

The registry structure is like a file storage structure

[size=13.008px]You may find it easier to relate to the registry terminology by referring to tree formats or file storage. The analogy of files is particularly apt because Windows used to be configured from .INI files. More particularly, the keys themselves use file-naming conventions. This is a handy feature because Windows can manage registry objects just like file objects. Registry hives have symbolic links which are like virtual paths mappings in file system. Registry subkeys also have owners and permissions just like directories and folders.

Table 2 - Relating to Registry terminology
Registry	Other trees	File storage
Hive	Tree	File-system
Key	Node	Directory or folder
Subkey	Subnode	Subdirectory or subfolder
Value	Key	File
Type	Type	File type
Data	Value	File content

[size=13.008px]Note that a key can contain subkeys or values. A subkey can have another subkey so key and subkey are usually interchangeable in the same way as directory and subdirectory or folder and subfolder. A key with no value can still store data in what is called the default value.

[size=13.008px]You might have noticed that I haven't explained what cells are here.  I mentioned them when discussing hives and bees. The reason that they aren't here is that cells are part of the in-memory structure for the hives and are not visible anywhere outside the kernel. They will only be explained if I add a section on the internal workings of the Registry Configuration Manager.

The registry is kernel-based for speed

[size=13.008px]The registry is an integral part of Windows so it is based in the Windows kernel for the best performance and access to the most important components of Windows.

The registry is designed to save space

[size=13.008px]The registry stores configuration settings in a hierarchy to minimise the size of the registry. System-wide settings are used first then the user settings are added on top. This means that the user settings only have to store those settings that differ from the default. The user settings then supercede the equivalent system-wide settings.

[size=13.008px]The same applies for programs and hardware. Programs normally have settings for the system, e.g. installed components, and settings for each user, e.g. recently-opened files. Likewise multiple hardware profiles can be used.

[size=13.008px]Another advantage of only storing differences from the system or default settings is that different users can easily use the same computer with the same system configuration. They only need the settings in their profile to customize the system to suit them.

[size=13.008px]The minimized size of the user settings also makes it easier to transmit those settings when you are roaming and log onto a different computer on the same local area network (LAN) or wide area network (WAN).

[tr][/tr]

Diagram 3 - User settings override system-wide settings
Specific differences		User-specific differences e.g. HKCU\User SID System-specific difference e.g. HKCU\Software\Classes
Defaults	User defaults e.g. HKU\.default System-wide defaults e.g. HKLM\Software\Classes

[size=13.008px]Diagram 3 is oversimplified. Just remember that the differences usually override the defaul settings. An example of system-wide default is the user profile defaults found in HKU\.default which are superceded by per user settings in HKCU\user account SID.

Some of the registry complexity is to maintain backward compatibility

[size=13.008px]Originally Windows 3.1 only had the REG.DAT file. Windows 95 to ME and NT had the SYSTEM.DAT and USER.DAT. Every major release of Windows introduces further complexity to the files and the internal structure. So some hives are retained purely for backwards compatibility. This leaves us with three main categories of hive:

• Windows 9x (and 3.1) software classes to maintain compatibility with 16-bit applications, OLE and the Component Object Model (COM) for developing applications.
• Windows 2000 has Standard hives which are maintained to alllow users to roam with a standard configuration. Windows 2000 largely moved to the current registry files.
• Windows latest versions.
  

[size=13.008px]Further complicating this are other major changes:

• The emulation of Windows 32-bit on Windows 64 (WOW64) to allow 32-bit and 64-bit registry entries to coexist in the registry
• The introduction of the .NET Framework and web-based software which is superceding the old COM framework.
  

What activities change the Windows Registry?Windows installs and upgrades

[size=13.008px]Windows setup copies a prototype version of the Registry from the install media.

Diagram 4 - Setup uses a prototype registry to setup Windows

[size=13.008px]OEM versions of Windows can have a customized prototype which can invalidate standard recovery methods if a Windows install fails. This was an issue with Windows XP but I'm unsure if it still applies given the registry improvements in Vista.

[size=13.008px]If you have an option to upgrade then Windows installs the new registry formats and then copies or converts the existing keys as appropriate.

Diagram 5 - Windows upgrades merge the existing registry hives into the prototype

[size=13.008px]The Custom install option is an indirect upgrade because your data is copied out to another disk and then applied after the new install.

Windows startup

[size=13.008px]The Windows startup sequence is quite complex so it is discussed separately in How does Windows startup use the registry?.

[size=13.008px]The first steps of startup are designed to determine the configuration needed to load Windows. But initially the Windows Kernel and the registry are not loaded. So the Boot Configuration Data (BCD) is loaded from its file. Once the Windows Loader is started then the hardware abstraction layer and the kernel image are loaded before the Registry API is available. The System hive is loaded into physical memory to determine the relevant control set to be used to configure Windows properly. The registry is then assembled and from that point further startup processes are accessing the registry and making changes. These changes are made whether there are any further changes to the computer configuration or any problems that may develop.

User logon

[size=13.008px]When a user logs on, Windows loads hives that are specific to that user. These contain settings that differ from the defaults. How does Windows startup use the registry? also provides further details for this.

Device driver changes

[size=13.008px]When we install (or uninstall) drivers this changes the registry. We may not even notice this happening because new hardware is normally recognized automatically by Plug and Play so the correct drivers can be loaded without our intervention.

Applications changes

[size=13.008px]Installing or uninstalling applications is a major source of changes after the initial install of Windows. This almost always involves user intervention.

User interaction primarily with programs

[size=13.008px]We also have interactions with our application programs and Windows components. These programs modify the registry in many ways and the changes can be to system-wide settings as well as user-specific settings.

Diagram 6 - The registry is changed by driver and application changes or simply using a program

How is the Registry stored on disk?The Registry files are stored in several locations

[size=13.008px]The following table lists all the Windows directories where Registry data files can be found. The files are effectively snapshots of most but not all of the Registry hives. Table 3 summarises the main file locations. If you look on your disk, you will see that there are further sub-directories in each of these directories.

Table 3 - Registry hive file locations
File Location	Example file location	File name	Description
%UserProfile%	C:\Users\Username\	NTUser.dat	User profile configuration
%SystemRoot%\System32\Config\	C:\Windows\System32\Config\	Components Default SAM Security Software System	System configuration
%SystemRoot%\ServiceProfiles\LocalService %SystemRoot%\ServiceProfiles\LocalService	C:\Windows\ServiceProfiles\LocalService C:\Windows\ServiceProfiles\LocalService	NTUser.dat	User profile configurations used by Windows
%SystemDrive%\Boot or %SystemDrive%\EFI\Microsoft\Boot	C:\Boot\ or C:\EFI\Microsoft\Boot	BCD	Boot Configuration Data
%UserProfile% %SystemRoot%\System32\Config\ %SystemRoot%\System32\Config\Txr etc	C:\Users\Username\ C:\Windows\System32\Config\ C:\Windows\System32\Config\Txr etc		Transaction Registry files can be found in the main registry hive folders.

There are several types of Registry file

[size=13.008px]The primary registry files usually have no file extension (except for NTUser.dat) but there are other files that do. They attach the extension to the entire filename including the original extension. Table 4 indicates most of those file types.

Table 4 - Other files
File Extension	Example filenames	Purpose
none	System NTUser.dat	Hive backup created by the Configuration Manager
ALT	System.alt	Backup for the System key created by the Configuration Manager
BLF	NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf	TxR transaction files1
LOG, LOGn	System.log, System.log1, etc NTUser.dat.log, NTUser.dat.log1, etc	Transaction log of the key and value changes created by the Configuration Manager
REGTRANS-MS	NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec} .TMContainer00000000000000000001 .regtrans-ms	TxR transaction files1
REG	no standard names	REGistration entry files are created by RegEdit and other programs
SAV	System.sav	WIndows Vista and 7 initial SYSTEM install file. Windows 2000, XP, 2003 backup copy of the system configuration at the end the text-mode startup before the graphic-mode startup began. If graphics-mode fails the restart loads the .sav file to skip text-mode.

[size=13.008px]1 Since Vista, the Transactional Registry (TxR) performs transactional updates that are managed by the Windows kernel-mode Transaction Manager (TM). This provides for atomic transactions where all updates are made together or not at all. The Transaction Manager uses the Common Logging File System and stores registry files in the %SystemRoot%\System32\Config\ (e.g. C:\Windows\System32\Config\) folder and the Txr subfolder as well as the other registry folders.

How is the registry stored in memory?In-memory Registry hives

[size=13.008px]The registry hives in memory have the same data as the hive file data structures. However the data structure and indexing are different. As I said earlier, these hives form the complete registry because some hives do not exist on disk.

[size=13.008px]The hives for each user account utilise the Security ID (SID) as the unique identifier. Such variable key names are indicated in italics in Table 5. The list of profiles is stored in HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Profilelist.

Table 5 - Registry hives
Hive key	Format	Links	Hive description
HKCC	volatile pre-2000	Symbolic for 9x	Current hardware profile which only includes the differences from the standard configurations. HKCC is a symbolic key to the current hardware profile under HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles.
HKCR	volatile pre-2000	Symbolic for 3.1	Primarily for backward compatibility with 16-bit Windows, ie back to Windows 3.1. Stores types (or classes) of documents and registered applications. HKCR is a symbolic key to HKLM\SOFTWARE \Classes (the default settings) and HKCU\Software\Classes (settings for the current user which takes priority over the default settings), combining them into one view.
HKCU\User account SID	2000 standard	Symbolic for 9x	The preferences of the current (logged-in) user. This configuration is designed to roam with the user.
HKLM\BCD00000000			Since Vista, Boot Configuration Data for which there is not a hive. NB: Use BCDedit.exe and not RegEdit.exe to edit the BCD.
HKLM\Components
HKLM\Hardware	volatile		Hardware data created during the boot/startup process.
HKLM\SAM	2000 standard		SAM=Security Accounts Manager. This is usually empty unless you've been authorized to access another system. Then it will be linked to another SAM database.
HKLM\Security	2000 standard		This is usually empty unless you've been authorized to access another system. Then it will be linked to other security policies.
HKLM\Software			The largest part of the registry. Software settings updated by applications. Primarily set by the software applications apart from Windows settings.
HKLM\System			System configuration
HKU\.Default	2000 standard		Defaults for all user accounts on the computer. User accounts only store the differences from this profile. If group policies are set then this is copied to HKCU
HKU\User account SID			User accounts
HKU\User account SID_Classes			Classes for the user account
HKU\Local Service account SID			Pre-defined account used by Windows to run services on your PC with minimum privileges. Used for example if a login process is not found. Unused since Vista.
HKU\Network Service account SID			Pre-defined account used by Windows to run services on your PC with minimum privileges. Used for example if a login process is not found. Unused since Vista.

[size=13.008px]You might have noticed that HKLM does not appear by itself in Table 5 above. That is because it is a placeholder with no corresponding physical hive. HKLM is the same for every user on the computer. But it does contain the keys for the other hives that make up the computer configuration.

[size=13.008px]Differences between the hives

[size=13.008px]Apart from the obvious differences in configuration data, there are three main differences between the various Registry hives:

• Some are symbolic links (also called aliases and clones) that point to other hives.
• Some are volatile and are not permanently stored on disk.
• Some retain compatibility with earlier versions of Windows, e.g. the Standard hives that remain unchanged since Windows 2000.
  

[size=13.008px]Symbolic keys

[size=13.008px]Symbolic keys are also called alias or clone links. They redirect the Registry Configuration Manager to another key. In other words they provide a different view of the same data. They function in a similar manner to Windows shortcuts. Any changes to the real keys are cloned to the symbolic keys but not vice versa. This also means that they are not copies.

[size=13.008px]For example, HKCR is a symbolic link to HKLM\SOFTWARE \Classes (the default settings) and HKCU\Software\Classes (settings for the current user), combining them into one view. Any data contained in HKCU overrides any data contained in HKLM. Therefore any change in HKCR is always "cloned" into HKCU.

Volatile hives

[size=13.008px]The volatile hives are either created from different information or are different views of information contained in the Registry files:

• HKCR is a symbolic key to HKLM\SOFTWARE \Classes (the default settings) and HKCU\Software\Classes (settings for the current user which takes priority over the default settings), combining them into one view.
• HKCC is a symbolic key to the current hardware profile under HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles.
• HKLM\Hardware is created at startup.
  

Standard versus Latest hive formats

[size=13.008px]Latest hives have the most up-to-date format whereas Standard hives retain a format that is compatible with Windows 2000. That means in a mixed Windows computing environment the settings can be used on computers running different versions of Windows and users can roam all those computers.

[size=13.008px]The Standard hives that remain compatible with Windows 2000 are:

• HKCU
• HKLM\SAM
• HKLM\Security
• HKU\.DEFAULT
  

[size=13.008px]Normally HKLM\SAM and HKLM\Security are empty unless a user is authorised to use another computer.

How is the Registry managed?The kernel-mode Configuration Manager manages the registry

[size=13.008px]The kernel-mode Configuration Manager is the primary component of the Windows Kernel Image that manages the Registry. It works with several Kernel components such as the Object Manager which handles resource management for Kernel subsystems and the Transaction Manager which ensures transactions are completed or reversed if they partially complete.

[size=13.008px]The Object Manager integrates Registry hive keys into the Kernel namespace. As I said earlier, Registry keys use Windows file-naming conventions. The Object Manager knows that a name beginning with "Registry" should be handed to the Configuration Manager.

The Configuration Manager manages changes to the Registry Hive

[size=13.008px]When handed an object by the Object Manager, the Configuration Manager searches the hive tree for the key.

[size=13.008px]The example in Diagram 6 indicates the two forms of the registry keys. The Regedit and API form = HKLM\SYSTEM\CurrentControlSet is translated by Win32 or Win64 to the object namespace form = \Registry\Machine\System\ CurrentControlSet then passed onto the Configuration Manager as \Machine\System\ CurrentControlSet.

Diagram 6 - The Registry Configuration Manager manages access to and changes of the registry hives

The Configuration Manager writes non-volatile hive changes to the hive files

[size=13.008px]The Transaction Manager, as mentioned already, handles atomic updates of the Registry hive files ensuring that related changes are completed together or rolled-back together if there is an error. You will notice that I have left the Transaction Manager out of the following diagram to keep it simple with the emphasis on the Configuration Manager managing the changes. There is also a registry cache for writes to disk. Writes to hives in memory are made immediately whereas writes to the disk files are grouped together and written in batches.

Diagram 7 - The Registry Configuration Manager manages changes of the registry hives

How does Windows startup use the registry?A quick overview

[size=13.008px]When you boot your computer and start Windows there are several processes that involve the registry. I've summarized them in this diagram. The main points are that:

• A BCD hive is created in memory but it is not loaded from the hive files. Instead the BCD is loaded from the BCD files stored on disk.
• The SYSTEM hive is usually a smallish hive because it has to fit into about half the available physical memory during startup. The WIndows Boot Manager temporarily loads the SYSTEM hive into physical memory so Windows can startup before loading the Kernel Image. The Kernel  includes the remaining registry components and supporting systems including virtual memory and the Registry API which are used to load the rest of the hives.
• Windows Logon also loads user hives. For example, HKCU is loaded when logon is succesful. NB This diagram will be updated to reflect that during a later update.
  

Diagram 8 - Windows startup processes use the registry

More detail on Windows startup steps

[size=13.008px]I have removed the table containing the startup sequence and how it relates to the registry. I am preparing a separate article on the Windows startup sequence which this article will link to.

Answers to some other common questionsWhat is the maximum size of a registry element?

[size=13.008px]It is interesting that a registry value can store up to 1MB but a separate file is recommended if it is more than 1 or 2 KB.

What is the maximum size of a registry hive?

[size=13.008px]The original Windows 3.1 registry was a single-node flat file REG.DAT. The System registry hive was introduced for Windows 95.

Table 7 - Registry size limits
Windows Version	Registry size	System registry size
Windows 3.1	16KB	na
Windows 9x
Windows ME	16MB
Windows NT 4	~154MB
Windows 2000	~296MB ~ 80% of the paged pool	12MB
Windows XP	~376MB ~ 80% of the paged pool	200MB
Windows Vista, 7,  8	2GB ~ half physical memory1 ~75% of the paged pool	400MB x86 1.5GB x64 ~ half physical memory

[size=13.008px]1 The System hive has a maximum size of half physical memory because it is loaded during startup before the paging file is available.

How much of the Registry can be loaded into memory?

[size=13.008px]Normally the entire registry should be loaded into memory. If it is not then it will be paged to disk and your PC will run noticeably slower.