
In the document Mastering Windows XP Registry (Page 55-64)

Migration Status Used to indicate if the computer was upgraded from Windows 3.x to later versions of Windows NT and Windows XP. Though at one time there were many upgrades, more users today are likely to be doing clean installations—virtually all existing Windows 3.x systems have already been upgraded. This key contains two subkeys:

IniFiles and reg.dat. These values show whether the .ini and reg.dat files have been migrated successfully to later formats.

Note For those of you migrating from NT 4, or still working with NT 4 machines, it's important to note that NT 4 has a Description subkey that contains names and version numbers for software installed on the local computer. Though any vendor may use this subkey, the author can only see one entry, which is entered during installation of Windows XP. Microsoft RPC (Remote Procedure Call) has several entries in this subkey.

HKEY_LOCAL_MACHINE\System: The System Information Manager

The HKEY_LOCAL_MACHINE\System subkey holds startup information used by Windows XP when booting. This subkey contains all the data that is stored and not recomputed at boot time.

Note A full copy of the HKEY_LOCAL_MACHINE\System information is kept in the system.alt file, found in the %SystemRoot%\System32\Config directory in versions of Windows prior to Windows XP.

The HKEY_LOCAL_MACHINE\System key (a.k.a. the System key) is organized into control sets (such as ControlSet001, ControlSet002, and CurrentControlSet) containing parameters for devices and services. (The Clone key, present in prior versions of Windows NT, is not found in Windows XP.)

The main control sets are as follows:

ControlSet001 The current and the default control set used to boot Windows XP normally. Mapped to CurrentControlSet at boot time, ControlSet001 is the most critical component in the registry in the normal bootup process.

ControlSet002 A backup control set from the Last Known Good boot that is used to boot when the default control set (ControlSet001) fails or is unusable for some reason.

ControlSet003 ControlSet003 (and ControlSet00n, where n is greater than 3) is a backup control set from the Last Known Good boot that may be used to boot from when the default control set (ControlSet001) fails or is unusable for some reason.

CurrentControlSet The control set Windows XP has booted from. It is usually mapped to ControlSet001.

Note For those of you migrating from NT 4, or still working with NT 4 machines, it's important to note that the Clone control set found in NT 4 is the volatile copy of the control set (usually ControlSet001) that was used to boot the system. Created by the system kernel during initialization, this key is not accessible from the Registry Editor.

Windows XP uses the CurrentControlSet and previous control sets; it does not use the Clone control set at all.

The HKEY_LOCAL_MACHINE\System key contains three or four other items:

MountedDevices Contains items for each locally attached storage device that is available to the system.

DISK Found in some systems that have been upgraded from earlier versions of Windows, this subkey contains items for each mapped CD-ROM drive. For example, I map my CD-ROM drives to drive letters after S:—I have three entries in this subkey mapping each CD-ROM drive to a different drive letter. This subkey is updated by the Disk Administrator tool.

Select Contains four subkeys. It also has information on which control set was booted and which subkey is the Last Known Good set. Also, if there is a "failed" control set, the failed control set's identity will be found in the Select subkey.

Setup Contains information used by Setup to configure Windows XP. This information includes locations of drives and directories, the setup command line, and a flag telling if setup is currently in progress.

The HKEY_LOCAL_MACHINE\System key is critical both to the boot process and to the operation of the system. Microsoft has created a number of tools and processes that help protect the HKEY_LOCAL_MACHINE\System key information. These include the Last Known Good boot process, which allows mapping in a known (or so we hope) copy of the control set, which in turn allows the system to boot if the original control set is too damaged to be booted.

Warning Do not, I repeat, do not, boot using the Last Known Good control set unless it is necessary! Any changes made to the system during the previous session will be lost, gone, forever and ever!

When modifying the control sets, be aware of the process of booting and creating the control sets. Generally, modifying a backup control set won't affect the system.

When Is the Current Control Set the Last Known Good Control Set?

At some point in the boot process, the current control set is copied into the Last Known Good control set. In Windows XP, the process of replacing the Last Known Good control set is done after the initial logon is performed. This allows the system to catch any problems related to the logon process.
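As an added example (not code from the book), the following Python models an offline SYSTEM hive as nested dictionaries to show how the Select key's values (Current, Default, Failed and LastKnownGood are the real value names) pick the ControlSet00n key that CurrentControlSet maps to, and to list services present in the current control set but absent from the Last Known Good copy. The hive contents are constructed sample data.

```python
from typing import Any, Dict, List, Optional

# Constructed sample of an offline SYSTEM hive as nested dicts. Select's
# value names (Current, Default, Failed, LastKnownGood) are the real ones;
# the services listed are made up for the example.
SAMPLE_HIVE: Dict[str, Any] = {
    "Select": {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2},
    "ControlSet001": {"Services": {
        "Tcpip": {"Start": 1, "ImagePath": r"system32\drivers\tcpip.sys"},
        "Eventlog": {"Start": 2, "ImagePath": r"%SystemRoot%\system32\services.exe"},
        "NewSvc": {"Start": 2, "ImagePath": r"C:\Temp\newsvc.exe"},  # not in the LKG set
    }},
    "ControlSet002": {"Services": {
        "Tcpip": {"Start": 1, "ImagePath": r"system32\drivers\tcpip.sys"},
        "Eventlog": {"Start": 2, "ImagePath": r"%SystemRoot%\system32\services.exe"},
    }},
}


def control_set_name(n: int) -> str:
    """Select stores a number; the matching key is named ControlSet00n."""
    if n < 1:
        raise ValueError("control set numbers start at 1")
    return f"ControlSet{n:03d}"


def resolve_control_set(hive: Dict[str, Any], which: str = "Current") -> str:
    """Name of the control set Select points at: Current, Default or LastKnownGood."""
    return control_set_name(hive["Select"][which])


def failed_control_set(hive: Dict[str, Any]) -> Optional[str]:
    """The control set recorded as failed, or None when Select\\Failed is 0."""
    n = hive["Select"].get("Failed", 0)
    return control_set_name(n) if n else None


def resolve_path(hive: Dict[str, Any], path: str) -> str:
    """Rewrite CurrentControlSet\\... (a boot-time alias that an offline hive
    does not contain) to the concrete ControlSet00n key it maps to."""
    head, sep, tail = path.partition("\\")
    if head.lower() != "currentcontrolset":
        return path
    return resolve_control_set(hive) + sep + tail


def services_added_since_lkg(hive: Dict[str, Any]) -> List[str]:
    """Service keys in the current control set that the Last Known Good copy
    lacks: candidates for something installed since that good boot."""
    current = hive[resolve_control_set(hive, "Current")]["Services"]
    lkg = hive[resolve_control_set(hive, "LastKnownGood")]["Services"]
    return sorted(name for name in current if name not in lkg)


def services_changed_since_lkg(hive: Dict[str, Any]) -> List[str]:
    """Service keys present in both sets whose values differ (e.g. a new ImagePath)."""
    current = hive[resolve_control_set(hive, "Current")]["Services"]
    lkg = hive[resolve_control_set(hive, "LastKnownGood")]["Services"]
    return sorted(name for name in current if name in lkg and current[name] != lkg[name])


if __name__ == "__main__":
    print(resolve_path(SAMPLE_HIVE, r"CurrentControlSet\Services\Tcpip"))
    print("added since LKG:", services_added_since_lkg(SAMPLE_HIVE))
```

Because the Last Known Good set is refreshed after a successful logon, this comparison only reflects changes made since that logon.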

HKEY_USERS: Settings for Users

Let's take a closer look at SIDs. No, despite what you may think, SID is not the kid down the street; SID is short for Security Identifier. The SID, which Windows XP uses to identify a user, contains information about user rights and privileges, settings, and any other information that is specific to that particular user.

The Anatomy of a SID

A SID always begins with the letter S, which denotes that this object is a SID, followed by a long number separated with hyphens. The number consists of three to seven groups of numerals expressed in hexadecimal. For example, a valid SID might be this:

S-1-5-21-1234567890-1234567890-1234567890-123

This SID consists of eight separate parts separated by hyphens. After the S, the next three parts are the version number, authority, and subauthority values. The following three identify the specific installation—each Windows installation has different installation identifiers. The final part indicates the type of SID.

As mentioned, the number immediately following the S is a revision (or version) number.

Windows XP (and all previous versions of Windows that used SIDs) has a number 1 in this position. Perhaps some day in the future, a version of Windows will have a version number that is not 1; however, it seems that the version number, and SIDs in general, are very stable objects.

The SID Identifier Authority

The field immediately following the S-1 in a SID is the Identifier Authority. The meaning of the Identifier Authority varies somewhat depending on the following fields (the subauthority values).

Table 3.1 shows some typical Identifier Authority values and their modifiers.

Table 3.1: SID Identifier Authority Values and Modifiers

Authority - Subauthority   Authority Name         Description
0                          Null                   The basic Identifier Authority.
0 - 0                      Nobody                 Used when there is no security.
1                          World                  The basic Identifier Authority.
1 - 0                      Everyone               Everyone: all users, guest, and anonymous users.
2                          Local                  The basic Identifier Authority.
3                          Creator                The basic Identifier Authority.
3 - 0                      Creator/Owner          The owner of an object.
3 - 1                      Creator/Group          The primary group of the owner.
3 - 2                      Creator/Owner Server   Not used after Windows NT 4.
3 - 3                      Creator/Group Server   Not used after Windows NT 4.
4                          Non-unique             The basic Identifier Authority.
5                          NT                     The basic Identifier Authority. Most work with Windows XP users will be in the NT authority (that is, the SID will begin with S-1-5).
5 - 0                      (undefined)            Not used in Windows XP.
5 - 1                      Dialup                 Used for users who are logged on to the system using a dial-up connection.
5 - 2                      Network                Used for users who are logged on to the system using a LAN connection.
5 - 3                      Batch                  Used for users who are logged on to the system in a batch queue facility.
5 - 4                      Interactive            Used for users who are logged on to the system interactively (a locally logged on user).
5 - 5 - X - Y              Logon Session          Used for users who are logging on to the system. The X and Y values identify the logon session.
                                                  Used to identify Active Directory domain controllers.
5 - 10                     (undefined)            Undefined in Windows XP.
5 - 11                     Authenticated Users    Used for users who have been authenticated by the system and are logged on.
5 - 12                     Restricted Code        Unknown in Windows XP.
5 - 13                     Terminal Server User   Used for users who are logged on to the system using Microsoft Terminal Server.
5 - 18                     Local System           The local computer's system account. This subauthority is new to Windows XP.
5 - 19                     Local Service          The local computer's service account. This subauthority is new to Windows XP.
5 - 20                     Network Service        The computer's network service account.
5 - 21                     Non-Unique             A non-unique value to identify specific users.
5 - 32                     Domain                 Used with domains to identify users. See Table 3.3.

New! SID Authority values greater than 5 are undefined in Windows XP. Subauthority values greater than 32 are not documented. Note that both Local Service and Network Service Authorities are new to Windows XP.

SIDs Used by Windows XP

Current user configurations are saved in HKEY_USERS, which contains at least three keys.

These keys are SIDs. The first key, .DEFAULT, is the default user profile. This profile is used when no user is currently logged on. Once a user logs on, their profile is loaded and stored as the second and third keys found in HKEY_USERS.

The second key, the user profile for the user who is currently logged on, appears as something like this:

S-1-5-21-45749729-16073390-2133884337-500

This key is a specific user's profile—either the user's own profile or copied from the default user profile (found in %SystemDrive%\Documents and Settings\All Users) if the user has not established his or her own profile.

The third key looks something like this:

S-1-5-21-45749729-16073390-2133884337-500_Classes

This key contains information about the various classes specifically registered for the current user.

In these keys, or SIDs, the ending three- or four-digit number identifies both the user, and for some users, the type of user. Table 3.2 lists a number of general user types that might be assigned. In this book, the most commonly seen value is 500, which is assigned to me, the system Administrator account.

Table 3.2: Common SID Values

User Group                  SID
DOMAINNAME\ADMINISTRATOR    S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-500
DOMAINNAME\GUEST            S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-501
DOMAINNAME\DOMAIN ADMINS    S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-512
DOMAINNAME\DOMAIN USERS     S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-513
DOMAINNAME\DOMAIN GUESTS    S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-514

General users might be assigned SIDs ending in four-digit numbers starting at 1000. My domain has a user called Pixel, whose SID ends in 1003, and another user, Long, whose SID ends in 1006. Get the picture?

There are also a number of built-in and special groups of SIDs, as shown in Tables 3.3 and 3.4.

Table 3.3: The Built-in Local Groups

Built-in Local Group        SID
BUILTIN\ADMINISTRATORS      S-1-2-32-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-544
BUILTIN\USERS               S-1-2-32-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-545
BUILTIN\GUESTS              S-1-2-32-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-546
BUILTIN\POWER USERS         S-1-2-32-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-547
BUILTIN\ACCOUNT OPERATORS   S-1-2-32-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-548
BUILTIN\SERVER OPERATORS    S-1-2-32-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-549
BUILTIN\PRINT OPERATORS     S-1-2-32-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-550
BUILTIN\BACKUP OPERATORS    S-1-2-32-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-551
BUILTIN\REPLICATOR          S-1-2-32-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-552

Table 3.4: The Special Groups

Special Group                 SID
\CREATOR OWNER                S-1-1-0x-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx
\EVERYONE                     S-1-1-0x-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx
NT AUTHORITY\NETWORK          S-1-1-2x-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx
NT AUTHORITY\INTERACTIVE      S-1-1-4x-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx
NT AUTHORITY\SYSTEM           S-1-1-18-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx
NT AUTHORITY\LOCALSERVICE     S-1-1-19-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx
NT AUTHORITY\NETWORKSERVICE   S-1-1-20-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx

Naturally, there are many more SID codes and definitions. Tables 3.2 through 3.4 simply show a few of the more commonly used SIDs.
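As an added example (not code from the book), the following Python parses the textual SID format described under "The Anatomy of a SID", labels SIDs with the Identifier Authority names of Table 3.1 and the well-known RIDs of Table 3.2, and splits the SID-named keys found under HKEY_USERS (including the _Classes key) into their parts. The sample SIDs in the usage are the ones printed in this chapter.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Table 3.1: Identifier Authority names, and (authority, first subauthority) -> name.
AUTHORITY_NAMES = {0: "Null", 1: "World", 2: "Local", 3: "Creator", 4: "Non-unique", 5: "NT"}
WELL_KNOWN = {
    (0, 0): "Nobody", (1, 0): "Everyone", (3, 0): "Creator/Owner", (3, 1): "Creator/Group",
    (5, 1): "Dialup", (5, 2): "Network", (5, 3): "Batch", (5, 4): "Interactive",
    (5, 5): "Logon Session", (5, 11): "Authenticated Users", (5, 12): "Restricted Code",
    (5, 13): "Terminal Server User", (5, 18): "Local System", (5, 19): "Local Service",
    (5, 20): "Network Service", (5, 21): "Non-Unique", (5, 32): "Domain",
}
# Table 3.2: RIDs that end the S-1-5-21-<installation> SIDs of well-known accounts.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @property
    def rid(self) -> int:  # last subauthority; for S-1-5-21 SIDs it identifies the account
        return self.subauthorities[-1]

    @property
    def domain(self) -> Optional[str]:
        """The installation-specific S-1-5-21-x-y-z prefix, or None for other SIDs."""
        if self.authority == 5 and len(self.subauthorities) == 5 and self.subauthorities[0] == 21:
            return "S-1-5-21-" + "-".join(str(s) for s in self.subauthorities[1:4])
        return None


def parse_sid(text: str) -> Sid:
    """Split 'S-<revision>-<authority>-<subauthorities...>' into its fields."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    if revision != 1:  # every Windows version so far uses revision 1
        raise ValueError(f"unsupported SID revision {revision}")
    if authority not in AUTHORITY_NAMES:  # values above 5 are undefined in XP
        raise ValueError(f"undefined Identifier Authority {authority}")
    return Sid(revision, authority, tuple(int(s) for s in m.group(3).split("-")[1:]))


def parse_hku_key_name(key_name: str) -> Tuple[Sid, bool]:
    """Parse an HKEY_USERS key name; the flag is True for the user's _Classes key."""
    is_classes = key_name.endswith("_Classes")
    return parse_sid(key_name[:-len("_Classes")] if is_classes else key_name), is_classes


def describe_sid(text: str) -> str:
    """Label a SID from Tables 3.1 and 3.2; unknown values are reported, not guessed."""
    sid = parse_sid(text)
    if sid.domain is not None:
        who = WELL_KNOWN_RIDS.get(sid.rid, "user or group")
        return f"{who} (RID {sid.rid}) in domain {sid.domain}"
    prefix = f"{AUTHORITY_NAMES[sid.authority]} authority"
    name = WELL_KNOWN.get((sid.authority, sid.subauthorities[0]))
    return f"{prefix}: {name}" if name else f"{prefix}: unknown subauthority {sid.subauthorities[0]}"
```

Running describe_sid on "S-1-5-21-45749729-16073390-2133884337-500" yields "Administrator (RID 500) in domain S-1-5-21-45749729-16073390-2133884337", and .DEFAULT is rejected because it is not a SID.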

Note Remember to differentiate between the HKEY_USERS hive and the HKEY_CURRENT_USER hive. HKEY_CURRENT_USER contains a pointer that references the current user in HKEY_USERS.

The content of a user's profile, as it is found in the HKEY_USERS hive, is interesting. For example, the following keys are present in a typical user's profile (there is nothing to guarantee that they will all be present, or that others will not be added):

AppEvents Contains information about events (an event is an action like closing, minimizing, restoring, or maximizing) in a key called EventLabels. This information includes a text label for the event, such as the label "Close program" for the event close. These labels are used for a number of purposes, but one that most of us see is in the Control Panel's Sounds applet. A second section in AppEvents is Schemes, which lists labels for each application that uses specific sounds for its own events.

Console Contains the default command-prompt configuration. This configuration may be customized for each command prompt individually, or it is possible in this key to change the global default, which would be used for all new command prompts that are created. For an example of command-prompt customization, open a command window and select Properties from the System menu. There are more settings that may be configured in the registry than are found in the Properties dialog box.

Control Panel Contains information saved by many of the Control Panel's applets. Typically, these are default, or standard, values that are saved here, not user settings, which are stored elsewhere.

Environment Contains the user environment variables for a user. Generally, the System Properties applet, Environment tab, is used to set user and system environment values.

EUDC Not implemented in Windows XP. Windows 2000 has the EUDC key, which contains the definitions and other information about End User Defined Characters (EUDC). The program eudcedit.exe lets users edit/design characters that are specific to their needs.

Identities Contains the information to link users and software configurations. Most configurations are Microsoft based, such as Outlook Express.

Keyboard Layout Contains the keyboard configuration. Most users, at least those in the U.S., will have few or no substitutions. However, users who are using special keyboards or non–U.S. English keyboards will have some substitutions for special characters found in their languages.

Network Contains mappings for each network drive connected to the computer. Information about the connections includes the host (server), remote path, and username used for the connection. The Network key is not typically found in the .DEFAULT key because users with no user profile are not automatically connected to a remote drive.

Printers Contains mappings for each remote (network) printer connected to the computer. Information about the printer connection includes the host (server) and the DLL file used to manage the connection. The Printers key is typically not found in the .DEFAULT key because users with no user profile are not automatically connected to a remote printer.

RemoteAccess Contains the various remote access configurations. The connections are managed using the Control Panel's Network and Dial-up Connections applet.

New! SessionInformation New to Windows XP, the SessionInformation subkey, ProgramCount, indicates the number of Windows applications that are loaded and running. This count does not include command prompt windows.

Software Contains information about software installed, including components such as Schedule, Notepad, and so on. Also included in Software is Windows XP itself, with configuration information specific to the currently logged-on user.

System Contains information about items such as backup configurations and files that are not to be backed up.

UNICODE Program Groups Contains information about program groups that use Unicode. More commonly found on computers configured for languages other than English, Unicode is the scheme for displaying characters from both English and non-English alphabets on computers.

Volatile Environment Contains information about the logon server that will be placed in the environment. One typical item is the logonserver environment variable. All items in Volatile Environment are dynamic; that is, they are created each time a user logs on. Other dynamic environment information might be contained in this key as well.

HKEY_CURRENT_CONFIG: The Current Configuration Settings

The registry hive HKEY_CURRENT_CONFIG is created from two registry keys, HKEY_LOCAL_MACHINE\System and HKEY_LOCAL_MACHINE\Software. As it is created dynamically, there is little value in modifying any of the objects found in the HKEY_CURRENT_CONFIG hive.

The HKEY_CURRENT_CONFIG hive is composed of two major subkeys:

Software Contains current configurations for some software components. A typical configuration might have keys under Software for Microsoft Internet Explorer, for example.

System Contains information about hardware. The most common device found in this key is the video display adapter (found in virtually all configurations) and sometimes information about the default video modes as well. The video mode settings contained here are typical for any video system: resolution, panning, refresh rates (didn't you wonder where refresh rates were saved?), and BitsPerPel (color depth).

Generally, you would modify the source settings for a hardware device in HKEY_LOCAL_MACHINE\System\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Services\<device>\Device0, where <device> is the device being modified. For example, my Matrox Millennium is listed under the device name MGA64.

Tip For more information about the source for HKEY_CURRENT_CONFIG, take a look at HKEY_LOCAL_MACHINE, described earlier in this chapter.

HKEY_PERFORMANCE_DATA: The Performance Monitor Settings

Ever wonder where the Windows XP Performance Monitor information is contained? There is a final "hidden" registry hive, named HKEY_PERFORMANCE_DATA. This hive, which is simply not accessible except to applications written specifically to access performance data, is primarily dynamic in nature. To find the answer to this question, check out Chapter 11.

NTUSER: The New User Profile

Windows XP's installation process creates a default user profile and configuration. This information is located in %SystemDrive%\Documents and Settings\Default User. Whenever a new user logs on to a workstation or domain, this default user profile is copied to the user's profile. After that, the user modifies their profile to their own requirements and needs.

Note Windows XP's Default User folder has the hidden attribute set, making it invisible unless the View All Files option is turned on.

As an example, Windows XP's default language is typically U.S. English. (There are other language editions of Windows XP; for this example, I'm assuming the U.S. English version.) Whenever a new user logs on, the user will have U.S. English as his or her language, even if the system administrator has selected a different, non-English locale.

The default user profile is saved in the disk directory at \Documents and Settings\Default User [WINNT], where WINNT is the directory in which Windows XP is installed. (In Windows NT 4, the default user information was stored in %SystemRoot%\Profiles\Default User.) User information is always saved in a file named ntuser.dat. There is an entire configuration for new users in this directory—check out the Start menu, Desktop, and other directories, too.

You will find that interesting modifications can be made that enable new users to become proficient quickly without spending too much time customizing their computers.

Warning This technique is an advanced use of the Registry Editor, and you must exercise care not to inadvertently modify the wrong registry or the wrong keys. Back up the registry before doing the following.

First, to make this new user profile accessible to remote users (that is, all users other than those who log on locally), you must copy the Default User directory to the share named Netlogon. This share is typically located in the directory at

