
Registry Presentation I

Scott Selikoff

Topics of Discussion: Part I

• What is what? Keys vs. Data vs. Values
• Data Types
• Old System of Windows
• Top Level: The HKEY’s!
• The Root Key
• The HKLM Key – The Machine Key
• The HKCU Key – The User Key

Topics of Discussion: Part II

• Oh, HKDD, where did you go?
• The Software/SOFTWARE Keys
• What about CLSID’s???
• Searching the Registry for Settings
• Regedit Shortcuts!
• Regmon and Filemon
• The Microsoft Keys
• Other Strange Facts
• Closing

Keys vs. Data vs. Values

• Keys = Folders
• Value = Label or field for the actual Data (called Name in Regedit)
• Data = The actual information we are storing.
• Subkey = Any key that appears below another key. Often every key you are working with is a subkey of another key (the term subkey is almost interchangeable with the term key).

Examples:

• Key: /HKLM/Software/Adobe/Photoshop
• Value: “Version”
• Data: 5.5

More about basic Structure

• Keys and Values are set by the program and are usually identical from computer to computer so long as the version and the OS are the same (some exceptions).
• Data is usually specific to each computer: directories, registration numbers, settings, etc.

Data Types

• String Data – Most often used. Enclosed in quotation marks (“”).
• Binary Data – Hexadecimal strings (in sets of two).
  Example: DA 9D 92 A0
• DWORD Data – 4-byte hexadecimal sequences.
  Example: 0x39902000

Old System of Windows

• Windows mostly used .ini files.
• Problem: Users figured out how to edit them too easily. Also, they were not always very organized (I disagree). Windows decided to create a giant structure called the Registry. Basically, it is identical in idea to .ini files, with some important exceptions.
• SIDE NOTE: In my opinion, the registry is literally designed to be extremely complicated to discourage users from tampering.

Differences from the Older System

• All programs are in one registry, as opposed to each program having its own .ini file.
• The registry is made up of the two files system.dat and user.dat.
• The registry OFTEN CONTAINS POINTERS TO OTHER SECTIONS OF ITSELF. (We will return to this.)

Other Useful Information I

• It is recreated every time the computer starts (yes, “that’s what’s taking so long” every time you boot up).
• VERY, VERY self-repairing. If you try to delete most things, they will find their way back one way or another (small things).
• Newer versions of Windows often delete .ini files and/or references in win.ini/system.ini and insert them into the registry automatically.

Other Useful Information II

• Windows keeps 2 copies of your registry: its current one and the last one your computer successfully started with. The latter is used when the computer hangs on restart.

Top Level: The HKEY’s!

• 6 Major HKEY (Header) Keys (folders; get used to calling them keys).
• Only 2 you will ever need to work with. Also, really only 2 are actual keys.
• The 6 Keys:
  HKEY_CLASSES_ROOT (HKCR)
  *HKEY_CURRENT_USER (HKCU)
  *HKEY_LOCAL_MACHINE (HKLM)
  HKEY_USERS (HKU)
  HKEY_CURRENT_CONFIG (HKCC)
  HKEY_DYN_DATA (HKDD)

Major Pointers

• HKCR -> HKLM/Software/CLASSES
• HKCU -> HKU/<user id>
• HKLM -> system.dat
• HKU -> user.dat
• HKCC -> HKLM/Config/000<#>
• HKDD -> Machine Itself

The Root Key: Let’s get it out of the way!

• It’s really just the HKLM/SOFTWARE/CLASSES key.
• Controls how Windows handles data files.
• References itself over and over again.
• CLSID’s are discussed later.

Examples:

• Keys .txt and .doc might both point to key txtfile.
• Key txtfile might point to something else.
• Eventually you get a final key which has shell command directives. When you right-click on an icon, the actions you can take (like the ability to play a music file or open a Word document) are all listed in this final reference key.
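The pointer chain described above, worked in Python as an added example (not code from the slides): a constructed slice of HKCR, flattened to key path -> values, in which each extension key's default data names a file-type key and that key's shell\<verb>\command subkeys hold the right-click directives. All key names and command lines are constructed.

```python
# Constructed slice of HKCR (not from the slides), flattened to
# {key path relative to HKCR: {value name: data}}; "" is the (Default) value.
HKCR = {
    r".txt": {"": "txtfile"},
    r".log": {"": "txtfile"},            # two extensions sharing one file type
    r"txtfile": {"": "Text Document"},
    r"txtfile\shell\open\command": {"": r"C:\WINDOWS\NOTEPAD.EXE %1"},
    r"txtfile\shell\print\command": {"": r"C:\WINDOWS\NOTEPAD.EXE /p %1"},
    r".mp3": {"": "mp3file"},
    r"mp3file": {"": "MP3 Audio"},
    r"mp3file\shell\play\command": {"": r"C:\PROGRA~1\PLAYER.EXE /play %1"},
    r".orphan": {"": "nosuchfile"},      # pointer to a key that does not exist
}


def file_type_for(ext, hive=HKCR):
    """Follow (Default) pointers from an extension key until the data no longer
    names another key; that last key is the one carrying the shell directives.
    Returns None when the chain points at a key that is missing."""
    seen, name = set(), hive.get(ext, {}).get("")
    while name in hive and name not in seen:
        seen.add(name)                   # guard against A -> B -> A loops
        nxt = hive[name].get("")
        if nxt not in hive:
            return name
        name = nxt
    return name if name in hive else None


def shell_verbs(ext, hive=HKCR):
    """Map each right-click verb available for ext to its command line."""
    ftype = file_type_for(ext, hive)
    if ftype is None:
        return {}
    prefix, suffix = ftype + "\\shell\\", "\\command"
    verbs = {}
    for path, values in hive.items():
        if path.startswith(prefix) and path.endswith(suffix):
            verbs[path[len(prefix):-len(suffix)]] = values.get("", "")
    return verbs


if __name__ == "__main__":
    for ext in (".txt", ".log", ".mp3", ".orphan"):
        print(ext, "->", file_type_for(ext), shell_verbs(ext))
```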

HKLM – The Machine Key

• = system.dat
• Stores all generic machine-related info.
• Has many important subkeys.

HKLM Important Subkeys I

• A subkey of /Config produces HKCC
• /SOFTWARE/CLASSES produces HKCR
• /Enum (Win95/Win98) – Library of all hardware components EVER USED by the computer.
• /Network – Small subkey that handles the basic login function of the computer

HKLM Important Subkeys II

• ***/Hardware – Not used much in Win95/Win98, but replaces Enum in WinNT and 2000***
• /SOFTWARE – Contains all software information that is set independent of the user (more to come on this)

HKCU – The Current User Key

• = a section of user.dat
• Like HKLM in many ways, but refers only to the user currently logged in.
• Comes from one of the HKEY_USERS subkeys.
• /HKEY_USERS/.default = Default User configuration

HKCU Important Subkeys

• /Software – Same as the HKLM/Software key, only tailored to the User
• /AppEvents/Schemes – May contain important program settings
• /Control Panel – All Control Panel settings.

END OF PART I

• Get some food/drink!

Oh, HKDD, where did you go?

• HKEY_DYN_DATA
• Win95/Win98 – Using the whole library in HKLM/Enum, it constructs a hardware configuration based on what is currently running on the machine. Uses its own special ID numbers.
• Deleted along with Enum, and its contents moved into HKLM/Hardware in WinNT and 2000.
• NEVER MODIFY THIS KEY EVER.

The Software/SOFTWARE Keys

• HKLM/SOFTWARE
• HKCU/Software
• Caps do not matter (different versions of Windows, for some reason or another, capitalize HKLM/SOFTWARE, others do not).
• 95% of all program settings (if in the registry at all) are found here.
• As stated earlier, HKLM/Software pertains to machine info, HKCU/Software to user info.

Software Keys – Structure

• From the Software key, the subkeys are company names. Examples: Microsoft, Symantec, etc.
• Subkeys of the company keys are programs/utilities.
• Program keys are not always real programs; more often they are keys for helper applications to a real program contained within the same company key.

Example:

• /Adobe Photoshop is a subkey of HKLM/Adobe
• BUT other keys in /Adobe are also created: /Adobe Gamma (a coloring utility) is installed as well.
• Even though Adobe Gamma looks as if it should be able to stand by itself (because it is next to Photoshop and not under it), it is really a part of the main Photoshop application.

More About Software Keys

• What I have described is the traditional structure. Now, what really happens?

Program Type #1

• They actually follow the structure and put all of their general settings in HKLM and all their user-specific settings in HKCU.
• About 10% of all applications do this. More should.

Program Type #2

• All settings in HKLM –or– all settings in HKCU.
• This is a strange condition for programs not wanting to conform to the MS hierarchy.
• 10% of applications do this.

Program Type #3

• NO SETTINGS IN THE REGISTRY –or– they may seem like Program Type #1 or #2, but their keys are extremely short and there are very few, if any, actual settings stored in the registry.
• Settings kept in program-specific files. Most often .ini files in the C:\windows directory or their own program directory.
• Settings could be almost anywhere.
• 80% of all non-MS programs are of this type.

Program Type #4 (MS)

• Disadvantage: The Microsoft applications rarely ever put settings in places you can find them easily.
• Advantage: They are usually completely contained in the registry.
• More on this later.

What are CLSID’s?

• {849t589uis – 38uskgdg}… uh!
• They are class identifiers (or GUID’s – Globally Unique Identifiers).
• Point to a Windows object.
• Specific to each computer – randomly generated for objects.

The HKCR/CLSID Key

• The key HKCR/CLSID contains subkeys that are basically a list of every CLSID on the computer.
• Each subkey of HKCR/CLSID contains a Data field which briefly tells what it points to.
• Each subkey may also contain additional subkeys which give you more information about the program (not required).

How are they used?

• Each object is assigned by the machine a CLSID (guaranteed by Windows never to be identical to another CLSID).
• The CLSID is used (instead of the object type/name) throughout the registry. Most often used in the HKCR key.
• A program that encounters a CLSID while using the registry uses the list in HKCR\CLSID to decode what to do with the object.

More on CLSID

• Right now, if a key contains a CLSID, DO NOT COPY IT. It is unique to the machine and would be useless on another machine.
• In the future we MIGHT be able to get around this by decoding the CLSID’s ourselves, then re-encoding them on the client’s new machine. This feature is really not that important (my opinion).

Searching the Registry for Settings I

• Only search HKLM and HKCU (the others are repeats of these 2).
• Skip the HKLM\CLASSES (HKCR) key. It is EXTREMELY rare (actually impossible) to find any settings information in this key, so when you encounter it while searching, go back up, collapse it, skip it, then continue.
• Ignore the Start Menu (contained in HKCU)
• Ignore keys that contain CLSID’s

Searching the Registry for Settings II

• Ignore keys used by other programs. Examples:
  – The Windows Explorer key has a subkey that contains a list of recently used programs; obviously that is not a settings key.
  – Avoid 3rd-party application keys that come from other 3rd-party applications. For example, chances are that if you find a reference for Photoshop under Winzip, it is not vital.

Searching the Registry for Settings III

• Ignore gibberish (gibberish can be distinguished by its keys, not its value/data).
• Ignore anything in:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
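The search rules from these three slides, as an added Python example (not code from the slides) that classifies constructed key paths for a Photoshop settings search: HKCR is folded onto HKLM, hives other than HKLM/HKCU are dropped, and Classes, the Windows-owned subtrees the slides name, keys holding CLSIDs and other vendors' references are skipped. The key paths, and the vendor and program names passed in, are constructed inputs.

```python
import re

# Constructed key paths (not from the slides) that a regedit search for
# Photoshop settings might hit, written with the slides' hive abbreviations.
SAMPLE_KEYS = [
    r"HKLM\SOFTWARE\Adobe\Photoshop",
    r"HKCU\Software\Adobe\Photoshop\Preferences",
    r"HKCR\.psd",
    r"HKCU\Software\Adobe\Photoshop\{00000000-0000-0000-0000-000000000000}",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photoshop",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Photoshop",
    r"HKCU\Software\WinZip\Photoshop",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Photoshop Plugin",
    r"HKDD\Config Manager\Enum\C1A0",
]

GUID_RE = re.compile(r"\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
WINDOWS_OWN = (  # subtrees Windows uses for itself (compared upper-cased)
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL",
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\RECENTDOCS",
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTMENU",
)


def classify(path, vendor, program):
    """Return 'search' or the slides' reason for skipping this key."""
    hive, _, rest = path.partition("\\")
    hive = hive.upper()
    if hive == "HKCR":  # HKCR is only a pointer into HKLM
        hive, rest = "HKLM", r"SOFTWARE\CLASSES" + ("\\" + rest if rest else "")
    if hive not in ("HKLM", "HKCU"):
        return "other hives repeat HKLM/HKCU"
    upper = "\\" + rest.upper()
    if upper.startswith(r"\SOFTWARE\CLASSES"):
        return "HKCR holds no settings"
    if any(upper.startswith(w) for w in WINDOWS_OWN):
        return "used by Windows, not a settings key"
    if "\\CLSID\\" in upper or GUID_RE.search(rest):
        return "contains a CLSID"
    parts = rest.split("\\")
    if len(parts) > 1 and parts[0].upper() == "SOFTWARE":
        company = parts[1].upper()
        if company not in (vendor.upper(), "MICROSOFT") and program.upper() in upper:
            return "reference from another third-party application"
    return "search"


def settings_candidates(keys, vendor, program):
    """Keep only the keys the slides say are worth reading for settings."""
    return [k for k in keys if classify(k, vendor, program) == "search"]
```

Keys under Microsoft\Windows that are not in the named Windows-owned subtrees are kept on purpose, since the slides note almost any program may leave a setting there.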

Regedit Shortcuts!

• F3 – Search.
• F5 – Refresh – Used if you recently installed/deleted a program.

Regmon and Filemon

• I advocate against relying on Regmon. There is a structure and pattern to settings in the registry. Regmon is too random for my tastes.
• I recommend analyzing where you think the registry will keep its settings for an application, then testing with
  a) exporting/importing those sections of the registry
  b) Regmon

Other Reasons Why I Don’t Support Regmon

• Too much guesswork
• You may not be getting all settings used; finding ALL of them can be difficult
• Takes more time; in the end the results will be the same, except you will have lost precious time using Regmon
• Difficulty: You need to be quite comfortable with the registry.

Filemon

• I like this one. Very useful.
• Often 3rd-party applications can put their settings almost anywhere, and Filemon can really help you out.
• Also, I recommend doing searches for files on your computer modified in the last hour to help locate configuration files.

The Microsoft Keys

• Often MS applications are more complicated and touch many more keys than 3rd-party applications are likely to.
• HKLM/Software/Microsoft/Windows contains many Windows settings. It is possible that almost any program you research may have a setting or two somewhere in this key.

Other Strange Facts

• 1. Binary data is stored as strings. Example: Data like “0” or “1” is binary, but its type will be String.
• 2. The datatype “Binary Data” stores hexadecimal data… anyone confused?
• 3. Hexadecimal data is presented in reverse couples. For example: A0 B2 would really be the number B2A0 (within the couples the digits are in the correct order).
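An added Python example (not code from the slides) covering both the Data Types slide and the strange facts above: it parses a constructed REGEDIT4-style export holding a String, a Binary and a DWORD value, reads a Binary hex string as one little-endian number (the reverse-couples rule), and shows the byte order a DWORD takes when stored. The key path and all values are constructed.

```python
import re

# Constructed REGEDIT4-style export fragment (not from the slides) holding one
# value of each type the slides describe: String, Binary and DWORD.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Photoshop]
"Version"="5.5"
"ShowTips"="1"
"Signature"=hex:da,9d,92,a0
"Timeout"=dword:39902000
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def couples_to_int(couples):
    """Read a Binary hex string such as 'A0 B2' as one little-endian number:
    the slides' 'reverse couples' rule, so 'A0 B2' is 0xB2A0, not 0xA0B2."""
    return int.from_bytes(bytes.fromhex(couples.replace(",", " ")), "little")


def dword_storage_bytes(value):
    """The couples regedit shows for a DWORD when viewed as Binary data."""
    return " ".join(f"{b:02X}" for b in value.to_bytes(4, "little"))


def parse_reg(text):
    """Return {key path: {value name: (type, data)}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith('"'):
            # Strings, including "0"/"1" flags that are really binary settings
            keys[current][name] = ("String", data.strip('"'))
        elif data.startswith("hex:"):
            keys[current][name] = ("Binary", bytes.fromhex(data[4:].replace(",", "")))
        elif data.startswith("dword:"):
            # dword: carries the number itself; in storage it is little-endian
            keys[current][name] = ("DWORD", int(data[6:], 16))
    return keys
```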

Closing

• There are many more details not covered today.
• Questions? Feel free to ask me.
• Reference: “The Windows ’98 Registry: A Survival Guide for Users” by John Woram
