Scott Selikoff
Topics of Discussion: Part II
• Oh, HKDD, where did you go?
• The Software/SOFTWARE Keys
• What about CLSIDs???
• Searching the Registry for Settings
• Regedit Shortcuts!
• Regmon and Filemon
• The Microsoft Keys
• Other Strange Facts
• Closing
Examples:
• Key: HKLM\Software\Adobe\Photoshop
• Value: "Version"
• Data: 5.5
Data Types
• String Data (REG_SZ) – Most often used. Shown inside "".
• Binary Data (REG_BINARY) – A sequence of bytes, shown as hexadecimal in groups of two digits.
  Example: DA 9D 92 A0
• DWORD Data (REG_DWORD) – A single 4-byte (32-bit) number, shown in hexadecimal.
  Example: 0x39902000
Differences from the Older System
• All programs' settings are in one registry, as opposed to each program having its own .ini file.
• The registry is made up of two files, system.dat and user.dat.
• The registry OFTEN CONTAINS POINTERS TO OTHER SECTIONS OF ITSELF. (We will return to this.)
Other Useful Information II
• Windows keeps a backup copy of the registry as well as the current one: the last one the computer started successfully with. (Windows 95 saves it as system.da0 and user.da0; Windows 98 uses ScanReg to keep several compressed backups in \Windows\Sysbckup.) It is used to recover when the computer hangs after a restart.
Major Pointers
• HKCR → HKLM\Software\CLASSES
• HKCU → HKU\<user id>
• HKLM → system.dat
• HKU → user.dat
• HKCC → HKLM\Config\000<#> (the current hardware profile)
• HKDD → built in memory at boot from the machine itself (Plug and Play and performance data); it is not stored in either file
Examples:
• The keys .txt and .doc might both point to the key txtfile.
• Key txtfile might in turn point to something else.
• Eventually you reach a final key that holds the shell command directives (shell\open\command and friends). When you right-click an icon, the actions you are offered (play a music file, open a Word document) are the ones listed under this final key.
HKLM Important Subkeys I
• One subkey of \Config (the current hardware profile) produces HKCC
• \SOFTWARE\CLASSES produces HKCR
• \Enum (Win95/Win98) – the Plug and Play hardware tree: an entry for every hardware component the computer has EVER USED, not just what is attached now
• \Network – a small subkey that holds the basic network logon settings for the computer
HKCU – The Current User Key
• = a section of user.dat
• Like HKLM in many ways, but refers only to the user currently logged in.
• It is one of the HKEY_USERS subkeys.
• HKEY_USERS\.Default = the default user configuration (used when no one is logged in, or when user profiles are not enabled)
END OF PART I
• Get some food/drink!
The Software/SOFTWARE Keys
• HKLM\SOFTWARE
• HKCU\Software
• Capitalisation does not matter: key and value names are case-insensitive. (Different versions of Windows, for some reason or another, write HKLM\SOFTWARE in capitals; others do not. It is the same key.)
• Roughly 95% of all program settings (if they are in the registry at all) are found here.
• As stated earlier, HKLM\Software holds machine-wide settings, HKCU\Software per-user settings.
Example:
• \Photoshop is a subkey of HKLM\Software\Adobe
• BUT other keys are created under \Adobe too: \Adobe Gamma (a colour-calibration utility) is installed alongside it.
• Even though Adobe Gamma looks as if it should stand by itself (it sits next to Photoshop, not under it), it is really part of the main Photoshop application. Copying the Photoshop key alone would miss it.
Program Type #1
• They actually follow the structure: general settings in HKLM, user-specific settings in HKCU.
• About 10% of all applications do this. More should.
Program Type #2
• All settings in HKLM –or– all settings in HKCU.
• This is the odd case of programs not wanting to conform to the MS hierarchy.
• About 10% of applications do this.
Program Type #3
• NO SETTINGS IN THE REGISTRY –or– they may look like Type #1 or #2, but their keys are extremely short and hold few if any actual settings.
• Settings are kept in program-specific files, most often .ini files in the C:\Windows directory or in the program's own directory.
• Settings could be almost anywhere.
• About 80% of all non-MS programs are of this type.
What are CLSIDs?
• {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}… 32 hex digits in groups of 8-4-4-4-12, inside braces. Uh!
• They are class identifiers, a kind of GUID (Globally Unique Identifier).
• Each one names a Windows object type (a COM class).
• A CLSID is assigned by the component's author when the class is created, generated so that no two are ever alike. It is the same on every machine where that component is installed; the machine does not make it up.
How are they used?
• Every object type carries the CLSID its author gave it (generated so that it never collides with another CLSID).
• The CLSID is used instead of the object type's name throughout the registry, most often under HKCR.
• A program that encounters a CLSID while using the registry looks it up in HKCR\CLSID: the subkeys there (such as InprocServer32 or LocalServer32) say which DLL or EXE implements the object.
More on CLSIDs
• For now, if a key contains a CLSID, DO NOT COPY IT to another machine. The CLSID itself is the same everywhere, but the registration it refers to under HKCR\CLSID (the path of the DLL or EXE) only exists where that component is installed, so the copied key would point at nothing.
• In the future we MIGHT get around this by resolving each CLSID to the component it names and checking that the component is registered on the client's new machine before copying. This feature is really not that important (my opinion).
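The pointer chain from the Examples slide (.ext → ProgID → a final key with shell command directives) and the CLSID lookup described here can be walked programmatically. The following Python is an added example, not code from these slides or from Microsoft: it models a tiny registry as a dict so it runs offline on any OS, treats HKCR as an alias of HKLM\Software\Classes as the Major Pointers slide describes, compares key names in lower case because the registry is case-insensitive, follows CurVer hops to the final ProgID, and reports dangling pointers, pointer loops and CLSIDs with no registration instead of failing silently. Every key path, command line, the user name "scott" and the CLSID value are constructed sample data.

```python
"""Walk the HKCR pointer chain for a file extension.

Added example, not from the original slides or from Microsoft. The registry
is modelled as a dict so this runs offline on any OS. All key paths, command
lines, the user name and the CLSID values are constructed sample data.
"""
import re

# Alias roots from the Major Pointers slide. HKCR is a view of
# HKLM\Software\Classes; HKCU is a view of HKU\<user id> ("scott" is assumed).
ALIASES = {
    "hkcr": r"HKLM\Software\Classes",
    "hkcu": r"HKU\scott",
}

# {8-4-4-4-12} hex digits inside braces, the shape every CLSID/GUID has.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample registry: key path -> {value name: data}; "" is (Default).
SAMPLE_REGISTRY = {
    r"HKLM\Software\Classes\.txt": {"": "txtfile"},
    r"HKLM\Software\Classes\.log": {"": "txtfile"},
    r"HKLM\Software\Classes\txtfile": {"": "Text Document"},
    r"HKLM\Software\Classes\txtfile\shell\open\command": {"": r"C:\WINDOWS\NOTEPAD.EXE %1"},
    r"HKLM\Software\Classes\.doc": {"": "Word.Document"},
    r"HKLM\Software\Classes\Word.Document\CurVer": {"": "Word.Document.8"},
    r"HKLM\Software\Classes\Word.Document.8\shell\open\command": {"": r"C:\MSOFFICE\WINWORD.EXE /n"},
    r"HKLM\Software\Classes\.lnk": {"": "lnkfile"},
    r"HKLM\Software\Classes\lnkfile\CLSID": {"": "{00021401-0000-0000-C000-000000000046}"},
    r"HKLM\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32":
        {"": r"C:\WINDOWS\SYSTEM\SHELL32.DLL"},
    r"HKLM\Software\Classes\.bak": {"": "bakfile"},   # dangling: no bakfile key exists
}


def canonical(path):
    """Replace an alias root (HKCR, HKCU) with the key it really points to."""
    root, sep, rest = path.strip("\\").partition("\\")
    target = ALIASES.get(root.lower())
    if target is None:
        return path
    return target + (sep + rest if rest else "")


def _norm(path):
    """Key names are case-insensitive, so compare them in lower case."""
    return tuple(part.lower() for part in canonical(path).strip("\\").split("\\"))


def build_index(registry):
    """Index a {key: {name: data}} dict by normalised key and value names."""
    return {_norm(key): {name.lower(): data for name, data in values.items()}
            for key, values in registry.items()}


def read_value(index, key, name=""):
    """Data stored at key\\name (the default value when name is ""), or None."""
    return index.get(_norm(key), {}).get(name.lower())


def key_exists(index, key):
    """True if the key itself or any subkey of it is present."""
    prefix = _norm(key)
    return any(k[:len(prefix)] == prefix for k in index)


def resolve_extension(index, ext, max_hops=8):
    """Follow .ext -> ProgID (-> CurVer ...) -> shell\\open\\command and CLSID."""
    result = {"progids": [], "command": None, "clsid": None, "server": None, "error": None}
    progid = read_value(index, "HKCR\\" + ext)
    if progid is None:
        result["error"] = "no association for " + ext
        return result
    seen = set()
    while True:
        if progid.lower() in seen or len(seen) >= max_hops:
            result["error"] = "pointer loop at " + progid
            return result
        seen.add(progid.lower())
        result["progids"].append(progid)
        if not key_exists(index, "HKCR\\" + progid):
            result["error"] = "dangling pointer: HKCR\\%s does not exist" % progid
            return result
        newer = read_value(index, "HKCR\\%s\\CurVer" % progid)
        if newer is None:
            break                      # this is the final key
        progid = newer
    result["command"] = read_value(index, r"HKCR\%s\shell\open\command" % progid)
    clsid = read_value(index, "HKCR\\%s\\CLSID" % progid)
    if clsid is not None:
        if not GUID_RE.match(clsid):
            result["error"] = "malformed CLSID " + clsid
            return result
        result["clsid"] = clsid
        # The CLSID only means something if HKCR\CLSID\{...} is registered here.
        result["server"] = read_value(index, r"HKCR\CLSID\%s\InprocServer32" % clsid)
        if result["server"] is None:
            result["error"] = "CLSID %s is not registered on this machine" % clsid
    return result


if __name__ == "__main__":
    idx = build_index(SAMPLE_REGISTRY)
    for ext in (".txt", ".doc", ".lnk", ".bak", ".zzz"):
        print(ext, resolve_extension(idx, ext))
```

The "not registered on this machine" branch is the check to run before copying a key that names a CLSID: resolve it on the destination, and copy only if the server path comes back.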
Searching the Registry for Settings
Regedit Shortcuts!
• Ctrl+F – Find; F3 – Find Next.
• F5 – Refresh. Use it if you have just installed or deleted a program and the tree has not caught up.
Regmon and Filemon
• I advise against relying on Regmon by itself. There is a structure and pattern to where settings live in the registry; Regmon's trace of every registry access is too noisy for my taste.
• I recommend working out where you think the registry will keep an application's settings, then testing that guess by
  a) exporting/importing those sections of the registry
  b) Regmon
Filemon
• I like this one. Very useful.
• 3rd-party applications can put their settings almost anywhere, and Filemon shows you which files they actually read and write.
• Also, I recommend searching your computer for files modified in the last hour (after changing a setting in the program) to help locate configuration files.
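The "files modified in the last hour" trick, as an added Python example (not from these slides, and not Filemon): it lists files under a directory whose modification time falls inside a window, optionally limited to the extensions settings usually live in, and it also takes a snapshot of modification times before and after a settings change and reports only what differs, which is the same idea with far less noise. The directory tree it builds under a temporary folder, the file names and the extension list are constructed sample data.

```python
"""Find configuration files an application just touched.

Added example, not from the original slides. Two approaches:
  recently_modified()        everything under root changed in the last N seconds
  snapshot()/changed_since() diff modification times before and after you
                             change a setting inside the application
The temporary tree built by demo_in_temp_dir() is constructed sample data.
"""
import os
import shutil
import tempfile
import time

# Extensions that most often hold 3rd-party program settings (assumed list).
CONFIG_SUFFIXES = (".ini", ".cfg", ".dat", ".reg")


def _walk_files(root):
    """Yield (path, mtime) for every regular file under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.stat(path).st_mtime
            except OSError:
                continue  # vanished or unreadable: skip rather than abort


def recently_modified(root, seconds=3600, suffixes=None, now=None):
    """Paths under root modified within the last `seconds`, newest first.

    suffixes, if given, restricts the result to those file extensions.
    """
    now = time.time() if now is None else now
    suffixes = tuple(suffixes) if suffixes else None
    hits = []
    for path, mtime in _walk_files(root):
        if now - mtime > seconds:
            continue
        if suffixes and not path.lower().endswith(suffixes):
            continue
        hits.append((mtime, path))
    hits.sort(reverse=True)
    return [path for _mtime, path in hits]


def snapshot(root):
    """Map every file under root to its modification time."""
    return dict(_walk_files(root))


def changed_since(before, after):
    """Files whose mtime changed, plus files created or removed between snapshots."""
    return [path for path in sorted(set(before) | set(after))
            if before.get(path) != after.get(path)]


def demo_in_temp_dir():
    """Build a small tree, age one file, run both approaches; returns relative paths."""
    root = tempfile.mkdtemp(prefix="regdemo")

    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")

    try:
        old = os.path.join(root, "old.ini")           # constructed sample files
        new = os.path.join(root, "App", "new.ini")
        log = os.path.join(root, "App", "trace.log")
        os.makedirs(os.path.dirname(new))
        for path in (old, new, log):
            with open(path, "w") as fh:
                fh.write("[Settings]\n")
        two_hours_ago = time.time() - 7200
        os.utime(old, (two_hours_ago, two_hours_ago))  # pretend old.ini is stale

        # Approach 1: anything config-like touched in the last hour.
        recent = [rel(p) for p in recently_modified(root, 3600, CONFIG_SUFFIXES)]

        # Approach 2: snapshot, change one setting, snapshot again, diff.
        before = snapshot(root)
        with open(old, "a") as fh:
            fh.write("Tips=0\n")
        os.utime(old, None)                            # stamp it with the current time
        after = snapshot(root)
        changed = [rel(p) for p in changed_since(before, after)]
        return {"recent": recent, "changed": changed}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo_in_temp_dir())
```

Run it on a real program directory (or the whole of C:\Windows) with the snapshot taken immediately before and after you change one option in the application; the diff usually names the configuration file directly, where the last-hour search also returns every log and cache the program touched.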
Other Strange Facts
• 1. Yes/no settings are often stored as strings. Data like "0" or "1" is really a boolean flag, but its type will be String (REG_SZ), not DWORD.
• 2. The datatype "Binary Data" is displayed as hexadecimal bytes… anyone confused?
• 3. Multi-byte numbers in hex data are stored least-significant byte first (little-endian). For example: the bytes A0 B2 are really the number 0xB2A0. (Within each byte the two digits are in the normal order.)
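Exporting a key from Regedit writes a REGEDIT4 text file, which is also what you re-import when testing where an application keeps its settings. The parser below is an added Python example, not from these slides or from Microsoft's tools, and it serves both the Data Types slide and the three facts above: it reads strings written as "…", binary written as hex:, and DWORD written as dword:, rejoins the continuation lines that long hex values are split across, reads a "0"/"1" string flag as a boolean, and reassembles hex bytes least-significant byte first so that A0 B2 comes out as 0xB2A0 and dword:00002000 matches the bytes 00 20 00 00. The export text, its key path and value names are constructed sample data.

```python
"""Parse a Regedit export (REGEDIT4 format) and decode its data types.

Added example, not from the original slides or from Microsoft. The export
text below, its key path and value names are constructed sample data.
"""
import re
import struct

SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Photoshop\5.5]
@="Photoshop"
"Version"="5.5"
"ShowTips"="1"
"PrefsPath"="C:\\Program Files\\Adobe\\Photoshop 5.5\\Prefs"
"Serial"=hex:da,9d,92,a0
"Timeout"=dword:00002000
"TimeoutRaw"=hex:00,20,00,00
"LongBlob"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,15,16,\
  17,18,19,1a
'''


def _unescape(text):
    """Undo the \\\\ and \\" escapes Regedit writes inside quoted strings."""
    return re.sub(r'\\(["\\])', r"\1", text)


def parse_data(data):
    """Turn the right-hand side of name=data into (type, value)."""
    if data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", _unescape(data[1:-1]))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))         # written as 8 hex digits
    if data.startswith("hex:"):
        chunks = [c.strip() for c in data[4:].split(",") if c.strip()]
        return ("REG_BINARY", bytes(int(c, 16) for c in chunks))  # one byte per chunk
    raise ValueError("unsupported data: " + data)


def parse_reg_export(text):
    """Return {key path: {value name: (type, value)}}; "" is the (Default) value."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 export")
    # Long hex values are split across lines ending in a backslash; rejoin them.
    logical, pending = [], ""
    for line in lines[1:]:
        if line.rstrip().endswith("\\"):
            pending += line.rstrip()[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    keys, current = {}, None
    for line in logical:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            raise ValueError("value line before any [key]: " + line)
        name, _, data = line.partition("=")
        name = "" if name == "@" else _unescape(name.strip('"'))
        keys[current][name] = parse_data(data.strip())
    return keys


def le_bytes_to_int(raw):
    """Reassemble binary data least-significant byte first: A0 B2 -> 0xB2A0."""
    return int.from_bytes(raw, "little")


def dword_to_bytes(value):
    """How a DWORD sits in memory or in a Binary value: 0x2000 -> 00 20 00 00."""
    return struct.pack("<I", value)


def as_bool(typed):
    """Boolean flags are often REG_SZ "0"/"1" rather than DWORD 0/1."""
    kind, value = typed
    if kind == "REG_SZ" and value in ("0", "1"):
        return value == "1"
    if kind == "REG_DWORD":
        return value != 0
    raise ValueError("not a flag: %r" % (typed,))


if __name__ == "__main__":
    for key, values in parse_reg_export(SAMPLE_REG_EXPORT).items():
        print("[%s]" % key)
        for name, (kind, value) in values.items():
            print("  %-12s %-10s %r" % (name or "(Default)", kind, value))
```

The parser covers the REGEDIT4 subset these slides discuss (REG_SZ, REG_BINARY, REG_DWORD); the typed hex(n): forms that later Regedit versions write raise ValueError rather than being misread.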
Closing
• There are many more details not covered today.
• Questions? Feel free to ask me.
• Reference: "The Windows 98 Registry: A Survival Guide for Users" by John Woram