The HKEY_CURRENT_CONFIG hive contains information about the system's current configuration. This information is typically derived from
HKEY_LOCAL_MACHINE\System and HKEY_LOCAL_ MACHINE\Software, though HKEY_CURRENT_CONFIG does not contain all the information that is contained in the source keys.
Note Users migrating from Windows 95/98/Me take note: As I noted in Chapter 1, the HKEY_DYN_DATA hive no longer exists in Windows XP. In Windows NT 4, this hive was intended to contain information about the system's Plug and Play status.
However, since Windows NT 4 does not support Plug and Play, this key was empty.
Windows XP does not have this hive.
Registry Key Data Types
The keys within hives can contain values that can be edited using the Registry Editor. These values have different data types:
REG_BINARY Represents binary values. They may be edited or entered as hexadecimal or binary numbers. Figure 3.1 shows the Registry Editor's Edit Binary Value window.
Figure 3.1: The Edit Binary Value window for the Registry Editor.
REG_SZ Used for registry keys containing strings. Editing is easy; just type in the new string. Case is preserved, but realize that the string is initially selected, so be careful not to inadvertently delete it. Strings are of fixed length and are defined when the key is created.
Figure 3.2 shows a string being edited in the Edit String window. A string key may be made longer by adding more characters to the string; it will be reallocated if this happens.
Figure 3.2: The Edit String window for the Registry Editor.
REG_EXPAND_SZ Used if the key is to contain an environment variable that must be expanded prior to its use. Some keys need to contain values that reference environment variables, much like a batch file—for example, if a string contains the field
%SystemRoot%\System32, and it is necessary to replace the %SystemRoot% part of the string with the value that is assigned to it in the environment. To do this substitution, this string must be defined as a REG_EXPAND_ SZ type string. The result of the expansion is then passed to the requestor. %SystemRoot% is a standard environment variable containing the location, drive, and directory where Windows XP has been installed. The Registry Editor uses the same window as is used for REG_SZ for entering a REG_EXPAND_SZ key, as shown in Figure 3.3.
Figure 3.3: The Edit String window, where you can use an expanded environment variable in the string.
Note Any environment variable, created by either the system or the user, may be used in a REG_EXPAND_SZ key.
REG_DWORD A 32-bit value, entered as decimal or hexadecimal. The Edit DWORD Value window, as Figure 3.4 shows, allows you to enter only valid numeric data to save you from sloppy typing.
Figure 3.4: You can enter only numeric data in the Edit DWORD Value window.
REG_MULTI_SZ Used to store multiple strings in a single registry key. Normally, a string resource in the registry can contain only one line. However, the multistring type allows a string resource in the registry to hold multiple strings as needed. Figure 3.5 shows multiple strings being edited, with four lines of value data.
Figure 3.5: The Edit Multi-String window lets you add multiple values to a string resource.
REG_FULL_RESOURCE_DESCRIPTOR Used to manage information for hardware resources. No one should edit the items that appear in the Resources window fields. Figure 3.6 shows a resource object displayed in the Registry Editor. However, these objects are never, ever changed manually.
Figure 3.6: A disk resource shown in the Resources window.
REG_NONE An identifier used when no data is stored in the key. It doesn't take a rocket scientist to figure out that there is no editor for the REG_NONE type.
REG_UNKNOWN Used when the key's data type cannot be determined.
Other registry data types not fully supported by the Registry Editor include:
REG_DWORD_BIG_ENDIAN Like REG_DWORD, but specifies the big endian format, where the four bytes of the DWORD are arranged in opposite order than little endian format (little endian format is the native mode for Intel processors, while noncompatible processors from other companies, such as Apple's Macintosh computers, use big endian).
REG_LINK Used for a symbolic link between a registry value and either Windows or an application's data. Entries in REG_LINK are in Unicode text.
REG_QWORD A 64-bit integer number.
REG_RESOURCE_LIST Contains entries used by device drivers, including information about the hardware's configuration.
REG_RESOURCE_REQUIREMENTS_LIST Contains a list of resources required by a driver.
In addition to the above types of registry data, applications also have the ability to create custom registry data types as needed. This flexibility allows the application to both save and load the registry data without having to perform complex conversions and translations. Now, let's move on to the various major hives that make up the registry.
HKEY_LOCAL_MACHINE: The Machine's Configuration
The HKEY_LOCAL_MACHINE hive contains information about the current hardware configuration of the local computer. The information stored in this hive is updated using a variety of processes, including the Control Panel, hardware and software installation
programs, and administrative tools, and is sometimes automatically updated by Windows XP.
It is important not to make unintended changes to the HKEY_LOCAL_ MACHINE hive. A change here could quite possibly render the entire system unstable.
Note All the settings in the HKEY_LOCAL_MACHINE hive are recomputed at boot time. If a change has been made, and the change is causing problems, first try rebooting the system. The Windows XP Boot Manager should rebuild the
HKEY_LOCAL_MACHINE hive at reboot time, discarding any changes made.
HKEY_LOCAL_MACHINE\Hardware: The Installed Hardware Key HKEY_LOCAL_MACHINE\Hardware contains information about the hardware
configuration of the local machine. Everything hardware related (and I do mean everything) is found in this hive.
In Windows XP, the HKEY_LOCAL_MACHINE\Hardware key is subdivided into four subkeys:
Description Contains descriptive information about each device, including a general description, information about basic configurations, and so on.
DeviceMap Contains information about devices, including the location in the registry where a device's full configuration is saved.
ResourceMap Contains translation information about each major component that is installed in the system. Most keys contain a set value entries named .Raw and .Translated.
ACPI Contains information about the ACPI (Advanced Configuration and Power Interface).
The ACPI key is only found on systems that support ACPI. Potential ACPI subkeys include the following:
RSDP Root System Description Pointer
DSDT Differentiated System Description Table FADT Fixed ACPI Description Table
FACS Firmware ACPI Control Structure PSDT Persistent System Description Table RSDT Root System Description Table SSDT Secondary System Description Table
Note In Windows NT 4, the Hardware key contains another subkey, OWNERMAP, which contains information about removable PCI-type devices. These are devices plugged into the system's PCI bus but generally not permanently installed on the system's
motherboard. However, not all PCI-type devices are listed in OWNERMAP.
Description
Within HKEY_LOCAL_MACHINE\HARDWARE\Description is a wealth of information about the installed hardware. The only subkey, System, fully describes the CPU and I/O.
Items in the Description key are always redetected at boot time.
The System subkey contains the following subkeys:
CentralProcessor Contains information about the CPU. This includes speed, which is an identifier that contains the CPU's model, family, and Stepping. This subkey also contains vendor information; for example, a "real" Intel CPU has the VendorIdentifier string
"GenuineIntel", while a CPU from AMD contains the string "AuthenticAMD".
FloatingPointProcessor Describes the system's FPU (floating point unit) in a set of entries similar to that of the CPU. The fact that the typical CPU has an integral FPU is not considered here; the FPU is listed separately, regardless.
MultiFunctionAdapter Describes the system's bus (PCI), any PnP BIOS installed, and other devices, including the controllers for disk drives, keyboards, parallel and serial ports, and the mouse. For a mouse that is connected to a serial port, the mouse is found under the serial port, while a mouse that is connected to a PS/2 mouse port is shown connected to a pointer
controller as a separate device.
ScsiAdapter Describes the system's IDE interfaces, if there are any. Windows XP lists these as SCSI interfaces, and they include the controllers for IDE disk drives, IDE CD-ROM drives, and other supported IDE devices. This key may not be found in all installations. Windows XP does not use this information, though it may be found in legacy installations that have been updated from earlier versions of Windows.
Note ScsiAdapter lists only the devices attached to the IDE controller. The IDE controller itself is described in HKEY_LOCAL_MACHINE\Hardware\DeviceMap.
Typically, the Description key can be used to determine what hardware is installed (and being used) and how the installed hardware is connected. However, some devices, such as storage devices (non-IDE hard drives, SCSI devices, non-IDE CD-ROM drives, video, and network interface cards), are not listed in HKEY_LOCAL_MACHINE\Hardware\Description. Instead, they are listed in HKEY_LOCAL_MACHINE\Hardware\DeviceMap. Why? Because these devices are not detected at the bootup stage; instead, they are detected when they are installed.
DeviceMap
The HKEY_LOCAL_MACHINE\Hardware\DeviceMap subkey contains information about devices, arranged in a similar fashion to the
HKEY_LOCAL_MACHINE\HARDWARE\Description subkey discussed earlier. Windows
XP does not have any changes in the DeviceMap, when compared to earlier versions of Windows. The DeviceMap subkey contains the following subkeys:
KeyboardClass Contains the address of the subkey that manages information about the keyboard.
PARALLEL PORTS Contains the address of the subkey that manages information about the parallel printer ports.
PointerClass Contains the address of the subkey that manages information about the system mouse.
Scsi A complex subkey that contains information about each SCSI interface found on the computer. A note about what is considered a SCSI port is in order. Actually, Windows XP pretends that IDE devices, as well as many CD-ROM devices that are connected to special interface cards, are SCSI devices. This is a management issue. Windows XP is not converting these devices to SCSI, nor is it using SCSI drivers; rather, Windows XP is simply classifying all these devices under a common heading of SCSI.
SERIALCOMM Contains the address of the subkeys that manage information about the available serial ports. In Windows NT 4, if the system mouse is connected to a serial port and not to a PS/2 mouse port, that port is not listed in the SERIALCOMM subkey.
VIDEO Contains the address of the subkey that manages the video devices. Two devices are typically defined in VIDEO: one is the currently used adapter, and the second is a backup consisting of the previously installed (usually the generic VGA) adapter's settings to use as a backup in the event of a problem with the video system.
Note For those of you still working with, or migrating from, NT 4, it's important to note that DeviceMap in NT 4 includes two additional subkeys which do not appear in Windows XP. KeyboardPort contains the address of the subkey that manages information about the keyboard interface unit, often called the 8042 after the original chip that served as the keyboard controller in the original PC. PointerPort contains the address of the subkey that manages information about the port that the system mouse is connected to.
These two additional subkeys do not appear in later versions of Windows.
ResourceMap
All the various hardware device drivers use the ResourceMap subkey to map resources that they will use. Each ResourceMap entry contains the following usage information:
• I/O ports
• I/O memory addresses
• Interrupts
• DMA (direct memory access) channels
• Physical memory installed
• Reserved memory
The ResourceMap subkey is divided into subkeys for each class of device (such as Hardware Abstraction Layer), and under these subkeys lie subkeys for different devices.
Windows XP and Windows 2000 include a new key in ResourceMap called PnPManager.
This key contains Plug and Play information.
HKEY_LOCAL_MACHINE\SAM: The Security Access Manager
HKEY_LOCAL_MACHINE\SAM contains information used by all versions of Windows 2000 and Windows XP. It also contains user information (permissions, passwords, and the like). The SAM key is mirrored in HKEY_LOCAL_MACHINE\Security\SAM; making changes to one changes the other.
Note Can't see the SAM or Security key? Use the Registry Editor to select the subkey you cannot see and then select Edit → Permissions from the main menu. Next, change the Type of Access from Special Access to Full Control.
In Windows, this information is set using the Microsoft Management Console (MMC), Local Users and Groups branch. If the Windows system is a domain controller, the SAM is not used (we have the Active Directory services now). The SAM subkeys (both in
HKEY_LOCAL_MACHINE\SAM\SAM and HKEY_LOCAL_MACHINE\Security\SAM) should only be modified using the MMC in Windows or the User Manager administrative programs in Windows NT 4.0 and earlier. However, attempts to modify information that is in the SAM subkeys typically result in problems. For example, users will be unable to log on, wrong permissions will be assigned, and so on.
Warning Don't attempt to modify the SAM or Security key unless you have made a full backup of your registry, including the SAM and Security keys, as described in Chapter 2.
HKEY_LOCAL_MACHINE\Security: The Windows Security Manager The HKEY_LOCAL_MACHINE\Security key contains information relevant to the security of the local machine. This information includes:
• User rights
• Password policy
• Membership of local groups
In Windows XP, you'll set this information using the Active Directory Users and Computers program.
Note For those of you migrating from NT 4, or still working with NT 4 machines, it's important to note that under Windows NT 4, the Security subkeys should only be modified using the User Manager or the User Manager for Domains. With all versions of Windows 2000 and Windows XP Professional, only the Active Directory
administrative programs (Active Directory Users and Computers) should be used.
Attempts to modify information in the Security key typically result in problems. For example, users are unable to log on, wrong permissions are assigned, and so on. The XP Home edition cannot join a domain and therefore has no access to Active Directory.
HKEY_LOCAL_MACHINE\Software: The Installed Software Information Manager
The HKEY_LOCAL_MACHINE\Software registry key is the storage location for all software installed on the computer. The information contained in
HKEY_LOCAL_MACHINE\Software is available to all users and consists of a number of standard subkeys as well as a few subkeys that may be unique to each computer.
One computer on my network, using a beta version of Windows .NET Server (this also applies to Windows XP), has the following subkeys in
HKEY_LOCAL_MACHINE\Software. These subkeys correspond to items that I have installed on my computer:
Adobe Contains information about the copy of Adobe's Acrobat program that was recently installed.
Federal Express Contains information about the FedEx online access and support I have on my computer. All of my FedEx airbills are produced by computer, making shipments much easier.
INTEL Contains information about the Intel 3D Scalability Toolkit that I installed at some point. I don't remember when or why, but it's there.
Intuit Contains information specific to the financial software that is Intuit's specialty.
Qualcomm Contains information specific to the Eudora e-mail program. The nice thing about Eudora is that there is a free version for private use.
The following are system subkeys probably installed on your computer; however, some of these subkeys, such as ODBC and Clients, may not be present on some minimal installations:
Classes Contains two types of items. First are file-type association items. For example, a typical association entry might have the name DIB, with a string that associates this name with the application Paint Shop Pro. Second are COM (Common Object Model) associations.
For example, the extension .doc is associated with Microsoft Word for Windows or with WordPad, the default viewer for .doc files. Both WordPad and Word may be embedded in other applications. For instance, Outlook, Microsoft's upscale e-mail system, can use Word-formatted documents and embed either Word for Windows or WordPad to display and edit these documents.
Clients Contains client-server relationships. For example, Microsoft Outlook is a
multipurpose program with e-mail, a calendar, contact lists, news, and other features. Each of these parts of Outlook has a complex series of calling protocols that are defined in the Clients subkey.
Gemplus Stores information for use with GemSAFE Smart Cards. These cards are used for security in Windows XP.
Microsoft Stores a number of items that pertain to Microsoft products or parts of Windows XP. As few as 20 or as many as 100 entries can be in the Microsoft subkey.
ODBC Stores items that pertain to Open Database Connectivity, which allows applications to retrieve data from a number of different data sources. Many users install ODBC, either intentionally or as a side effect of installing another product.
Policies This subkey contains entries for policy enforcement, a feature that has been added to Windows XP Professional. Policies are not used in XP Home.
Program Groups This subkey contains one value entry, ConvertedToLinks, which is used to indicate whether the program groups were converted. A value of one (0x1) shows that the conversion is complete. Even a system installed on a new computer that didn't require conversion will have this value.
Schlumberger This subkey contains entries used with Windows XP security management.
This group includes both smart cards and terminals.
Secure If you say so. The Secure subkey is the location in which any application may store
"secure" configuration information. Only an Administrator may modify this subkey, so mere mortal users can't change secure configuration information. Not many, if any, applications use the Secure subkey.
Windows 3.1 Migration Status Used to indicate if the computer was upgraded from