The Registry
The registry is the core repository of configuration information in
Windows 2000, storing information about the operating system, applications,
and user environment on standalone workstations and member servers
(non-domain controllers).
The Purpose of the Registry
Early versions of the Windows operating system family, such as Windows 3.x,
stored most of their configuration information in initialization, or .ini,
files. These files were text files containing various sections that stored
settings for a variety of properties such as device drivers, application and
document associations, user environment settings, and so on. Windows
applications used .ini files as well to store their configuration settings.
Even today in Windows 2000 and applications, .ini files are still a widely
used mechanism for storing user, application, and operating system settings.
A quick search of your hard drive for .ini files will illustrate that fact.
Although they provide a simple means of storing and retrieving settings,
.ini files offer some disadvantages, particularly

unlike Windows NT, it no longer stores domain user and computer accounts or
information related to “network” objects; this job now belongs to the Active
Directory, as explained in Chapter 2 and the chapters in Part III.
When you promote a member server to a domain controller, all registry settings
that also apply to a domain controller server, such as the desktop settings, are
absorbed into Active Directory. But when you demote the server, the original
registry settings are not restored, and you are returned to a clean registry.
(The demotion wizard even asks you for a new Administrator password because the
original account is lost.) Keep this in mind when you demote a domain
controller, because Active Directory can easily outgrow the host machine it was
originally installed on.
The following list explains some of the ways certain components make use of the
registry:
✦ Setup: When you install Windows 2000, Setup builds the registry based on
your selections (or automated selections) during installation. Setup also
modifies the registry when you add or remove hardware from the system.
✦ Application setup: The Setup program for an application typically will modify
the registry to store the application’s settings at installation. It also will
typically read the registry to determine which components, if any, are already
installed.
✦ Applications: Most applications that store their settings in the registry modify
those settings during program startup, shutdown, or general operation to store
changes made to application settings by either the application or the user.
✦ Ntdetect: The

istry backup, and others.
The registry is in many ways the “brain” of the Windows 2000 OS. Nearly everything
the OS does is affected by or affects the registry. For that reason, it’s important to
not only understand the registry’s function and how to modify it, but also how to
protect it from catastrophe or unauthorized access. The following sections explain
the structure of the registry and how to manage it.
The Registry Structure
The registry forms a hierarchical (tree) database with five primary branches
called subtrees. A subtree can contain keys, which function as containers within
the subtree for subkeys and values. Subkeys are sub-branches within a key.
Values are the individual settings within a key or subkey. Perhaps the best way
to understand the registry structure is to view it through one of the Registry
Editors, as shown in Figure 18-1. (You’ll find detailed information about the
Registry Editors later in this chapter.)
Figure 18-1: The Registry Editors show the structure of the registry — a hierarchical
tree, with each subtree serving as a primary branch.
There are two physical subtrees in the Windows 2000 registry:
HKEY_LOCAL_MACHINE and HKEY_USERS, the former containing system- and
hardware-related settings and the latter containing user-related settings. These
two physical subtrees are divided into the five logical subtrees you see in the
Registry Editors. Organizing the registry into five logical subtrees makes it
easier to navigate and understand the logical structure of the registry. The
five logical subtrees are as follows:
✦ HKEY_LOCAL_MACHINE: This subtree, often abbreviated as HKLM, stores
settings that apply to the local machine, defining hardware and operating
system settings that are the same regardless of which user is logged on. The
settings in HKLM, for example, define device drivers, memory, installed
hardware, and startup properties.

systemroot\System32\Config. This file serves as a transaction log for
modifications to the hive registry file.
✦ A repair (backup) file, located in systemroot\System32\Repair. This is a
backup copy of the registry file.
Table 18-1 lists the registry hives and their corresponding file names.
Table 18-1
Registry Hive Files

Hive                           Files
HKEY_LOCAL_MACHINE\SAM         Sam and Sam.log
HKEY_LOCAL_MACHINE\SECURITY    Security and Security.log
HKEY_LOCAL_MACHINE\SOFTWARE    Software and Software.log
HKEY_LOCAL_MACHINE\SYSTEM      System and System.alt
HKEY_CURRENT_CONFIG            System and System.log
HKEY_CURRENT_USER              Ntuser.dat and Ntuser.dat.log
HKEY_USERS\DEFAULT             Default and Default.log
With the exception of Ntuser.dat and Ntuser.dat.log, the hive files are stored
in systemroot\System32\Config. The Ntuser.dat

5. Upon successful completion of the write operation, the first sector is modified
to indicate successful completion (clean).
When Windows 2000 reads the hive files to construct the registry, it checks the
status of each file. If the system failed during a previous registry update
operation, the registry file will still be marked as dirty. In that situation,
Windows 2000 attempts to recover the registry file using the log file. The
changes identified in the log file are applied to the registry file, and if
successful, the file is marked as clean.
The SYSTEM hive behaves a little differently from the others in terms of fault
tolerance. The systemroot\System32\Config folder includes a file named
System.alt, which is a clean copy of the current System registry file. After a
successful modification of the System file, it is copied to System.alt for use
as a backup. If a problem occurs with the System hive file during boot,
Windows 2000 switches to System.alt.
Having a backup of the registry is critical to being able to recover a failed system.
Although Windows 2000 provides fault-tolerant management of the registry hive
files, you should employ some additional procedures to ensure a valid, working
copy of the registry. See the section “Backing Up and Securing the Registry” later
in this chapter for detailed information. You’ll also find coverage of backup
procedures in Chapter 17.
Registry Hive Files

HKEY_CURRENT_USER
As explained previously, the HKCU key is an alias for the HKU\SID key, where SID is
the SID for the current local user. In other words, HKCU points to the registry key in
HKU where the currently logged-on user’s registry data is stored. It contains the
following subkeys:
✦ AppEvents: This key contains data about application and event associations
such as sounds associated to specific events. Use the Sounds and Multimedia
object in the Control Panel to modify settings in this key.
✦ Console: This key contains data that defines the appearance and behavior of
the Windows 2000 command console (command prompt) and character-mode
applications. Use the application or command console’s Control menu to
define settings in this key.
✦ Control Panel: This key contains data normally set through the Control Panel
applets.
✦ Environment: This key contains environment variable assignments for the
current user.
✦ Identities: This key contains user-specific identity information such as last
user ID, last user name, and software-related identity settings for Outlook
Express, the address book, and so on.
✦ Keyboard Layout: This key stores information about the user’s keyboard
layout and key mapping for international settings. Use the Regional Options
object in the Control Panel to modify these settings.
✦ Network: This key stores data about the user’s network connections.
✦ Printers: This key stores data about the user’s printer connections.
✦ RemoteAccess: This key stores data about the user’s Internet profile and
dial-up connection settings.
✦ Software: This key stores data about the user’s installed applications.
✦ UNICODE Program Groups: This key stores data about the user’s UNICODE
Program Groups and is usually empty unless the system has migrated to
Windows 2000 from an original Windows 3.1 installation (unlikely in most

types currently defined and used by the system:
✦ REG_BINARY: This data type stores the data in raw binary format, one value
per entry. The Registry Editors display this data type using hexadecimal format.
✦ REG_DWORD: This data type stores data as a four-byte number, one value
per entry. The Registry Editors can display this data type in binary,
hexadecimal, or decimal formats.
✦ REG_EXPAND_SZ: This is a variable-length string that includes variables
expanded when the data is read by a program, service, and so on. The
variables are represented by % signs, and an example is the use of the
%systemroot% variable to identify the root location of the Windows 2000 folder,
such as a path entry to a file stored in systemroot\System32. One value is
allowed per entry.
✦ REG_MULTI_SZ: This data type stores multiple string values in a single entry.
String values within an item are separated by spaces, commas, or other such
delimiters.
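
The following is an added example, not code from the book: a small decoder that turns the raw bytes of a registry value into the form described for each data type above, which is useful when reviewing exported or offline hive data. It assumes the raw layout Windows uses (little-endian DWORD, UTF-16LE strings, REG_MULTI_SZ as NUL-terminated strings closed by an empty string); the function names and sample bytes are constructed for illustration.

```python
import re
import struct

# Value type codes from the Windows SDK header winnt.h.
REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 2, 3, 4, 7


def _utf16(raw):
    """Decode UTF-16LE data; drop a dangling odd byte instead of failing."""
    return raw[: len(raw) & ~1].decode("utf-16-le", errors="replace")


def expand(text, env):
    """Replace %NAME% (case-insensitive); unknown names are left as written."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), text)


def decode_value(reg_type, raw, env=None):
    """Turn raw value data into a displayable Python value for its type."""
    if reg_type == REG_DWORD:
        if len(raw) != 4:
            raise ValueError("REG_DWORD data must be exactly 4 bytes")
        return struct.unpack("<I", raw)[0]          # little-endian, unsigned
    if reg_type == REG_BINARY:
        return raw.hex(" ")                          # hexadecimal display
    if reg_type == REG_EXPAND_SZ:
        text = _utf16(raw).split("\x00", 1)[0]       # stop at the terminator
        return expand(text, env or {})
    if reg_type == REG_MULTI_SZ:
        strings = []
        for item in _utf16(raw).split("\x00"):
            if item == "":                           # empty string ends the list
                break
            strings.append(item)
        return strings
    raise ValueError(f"unhandled registry type {reg_type}")


# Constructed sample data (not taken from a real hive).
SAMPLES = [
    (REG_DWORD, bytes.fromhex("10000000")),
    (REG_BINARY, b"\x01\x00\xff"),
    (REG_EXPAND_SZ, "%SystemRoot%\\System32\\drivers\x00".encode("utf-16-le")),
    (REG_MULTI_SZ, "Tcpip\x00Afd\x00\x00".encode("utf-16-le")),
]

if __name__ == "__main__":
    for reg_type, raw in SAMPLES:
        print(reg_type, decode_value(reg_type, raw, {"SystemRoot": r"C:\WINNT"}))
```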