Friday, September 16, 2022

Basics of Windows Registry

There are many things that will scare a system administrator, and one of those things is messing with the Registry. In this article, I will explain what the Windows Registry is, how it works, what Hives are, and what the main groups of keys contain.

The Windows Registry is a hierarchical database that stores the configuration the Windows operating system and its applications need in order to run. It holds virtually everything from local account password hashes (in the SAM) and device driver settings to per-application preferences and everything in between.

In Windows, the top of the hierarchy is made up of the root keys (HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, and so on), which are commonly called Hives. Strictly speaking, a Hive is a subtree of keys, subkeys, and values that is backed by a single file on disk (for example HKLM\SAM is backed by C:\Windows\System32\config\SAM, and each user's profile by that user's NTUSER.DAT), but in everyday use the two terms are mixed. Keys look like folders and are used to organize subkeys and values; the values hold the actual data.

Hives are grouped by like settings. For instance, HKEY_USERS holds the profile of every user currently loaded on the system, while HKEY_CURRENT_USER shows only the profile of the user the current process is running as. Let's go through each hive and explain what it does.


HKEY_CLASSES_ROOT

  • This is commonly abbreviated as HKCR. 

  • It holds file type associations (extensions and ProgIDs), shell verbs, and COM class registrations (CLSIDs, interfaces, type libraries) that applications, including Visual Basic programs and other COM clients, look up at run time.

  • Data in HKEY_CLASSES_ROOT comes from 2 different sources. 
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes

    • HKEY_CURRENT_USER\SOFTWARE\Classes

  • HKCR is a merged view of those two locations rather than a separate store: a subkey created in either one shows up in HKCR automatically, and when the same key exists in both, the HKEY_CURRENT_USER copy wins. That precedence matters for security. A user can write to HKCU\SOFTWARE\Classes without administrator rights, so redirecting a COM class there (per-user COM hijacking) changes what HKCR resolves for every process running as that user.
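To make the merge rule concrete, here is an added PowerShell example (not code from the original post) that reports, for one CLSID, which of the two source locations HKCR is actually showing, and then sweeps HKCU\SOFTWARE\Classes\CLSID for classes that also exist machine-wide but point at a different server, which is what a per-user COM override looks like. The CLSID in the usage lines is a placeholder; substitute any CLSID from your own system.

```powershell
# Added example (not from the original post). Compares the two sources behind
# HKCR for a COM class and reports which copy the merged HKCR view is showing.

function Get-DefaultValue {
    # Return the (default) value of a registry key, or $null if the key is absent.
    param([Parameter(Mandatory)][string]$Path)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Get-ComServerSource {
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. '{00000000-0000-0000-0000-000000000000}' (placeholder)

    $sub         = "CLSID\$Clsid\InprocServer32"  # (default) = DLL that CoCreateInstance will load
    $fromUser    = Get-DefaultValue "Registry::HKEY_CURRENT_USER\Software\Classes\$sub"
    $fromMachine = Get-DefaultValue "Registry::HKEY_LOCAL_MACHINE\Software\Classes\$sub"
    $merged      = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$sub"

    # HKCR prefers the per-user copy whenever one exists.
    if ($fromUser)        { $winner = 'HKCU\Software\Classes' }
    elseif ($fromMachine) { $winner = 'HKLM\Software\Classes' }
    else                  { $winner = 'not registered' }

    [pscustomobject]@{
        Clsid            = $Clsid
        HKCU_Server      = $fromUser
        HKLM_Server      = $fromMachine
        HKCR_Shows       = $merged
        WinningSource    = $winner
        # A machine-wide class shadowed per user by a different DLL is the
        # per-user COM hijack pattern, which needs no administrator rights to set up.
        OverridesMachine = [bool]($fromUser -and $fromMachine -and ($fromUser -ne $fromMachine))
    }
}

function Find-PerUserComOverrides {
    # Sweep every CLSID under the current user's Classes key and keep those
    # that shadow a machine-wide registration with a different server.
    $path = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    foreach ($k in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
        $r = Get-ComServerSource -Clsid $k.PSChildName
        if ($r.OverridesMachine) { $r }
    }
}

# Usage:
#   Get-ComServerSource -Clsid '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID
#   Find-PerUserComOverrides | Format-Table Clsid, HKCU_Server, HKLM_Server -AutoSize
```

Run it as the user you are investigating, since HKCU (and therefore the merged HKCR view) follows the account the PowerShell process runs as. A legitimate per-user registration with no machine-wide counterpart is common and is not flagged; only a class that exists in both places with different servers is.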

HKEY_CURRENT_USER
  • This is commonly abbreviated as HKCU. 

  • This area of the Registry changes depending on which user account the process is running as.

  • Every time a user logs on, that user's NTUSER.DAT file (%USERPROFILE%\NTUSER.DAT) is loaded into HKEY_USERS, and HKCU is pointed at it.

  • If the user has never logged on before, a new profile is created by copying the default profile, whose hive is stored at C:\Users\Default\NTUSER.DAT.

  • HKCU does not actually store data; it is a symbolic link to the user's real profile key under HKEY_USERS. Note that it follows the account the process runs as, not the person at the keyboard: in a scheduled task or service running as SYSTEM, HKCU resolves to the Local System profile (HKU\.DEFAULT), not to the logged-on user's settings.

  • Each user is identified by a security identifier (SID), and each loaded user profile appears under HKEY_USERS as a key named with that SID.

HKEY_LOCAL_MACHINE
  • This is commonly abbreviated to HKLM. 

  • This is a treasure trove of information! It covers hardware, the operating system, security, drivers, and startup parameters. Its main subkeys are:
    • HARDWARE: Stores information about the hardware the system has detected. It is volatile: rebuilt at every boot and not backed by any file on disk.

    • SAM: Security Accounts Manager. Stores local user and group accounts, including the NT password hashes, and by default is readable only by SYSTEM. Don't ever edit this key directly; a bad edit can stop users from logging on. Manage local accounts with the Local Users and Groups snap-in, net user, or the LocalAccounts PowerShell cmdlets instead (domain accounts live in Active Directory, not in the SAM). Because the hashes are here, anyone who obtains SYSTEM rights or a copy of the SAM and SYSTEM hive files can extract them, so backups and volume shadow copies of these files need the same protection as the live system.

    • SECURITY: Holds the Local Security Authority (LSA) policy, LSA secrets (such as service account passwords), and cached domain logon credentials. Like SAM it is readable only by SYSTEM. Don't edit it directly; change policy through Group Policy or the Local Security Policy console, and for domain members through domain Group Policy in Active Directory.

    • SOFTWARE: Stores a subkey for each installed program, organized by vendor, along with the settings those programs need to launch and run. It also holds the machine-wide autostart locations such as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which makes it a favourite place for persistence and a routine stop during incident response.

    • SYSTEM: Stores the control sets (ControlSet001, ControlSet002, and so on), each a complete set of boot, service, and driver configuration (the Services subkey is where drivers and services are defined). HKLM\SYSTEM\Select records which numbered control set is current, default, and last known good, and CurrentControlSet is a link to the current one.
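
The following added PowerShell example (not code from the original post) makes the HKLM structure visible: it lists the on-disk file behind each loaded hive from the hivelist key, resolves which ControlSet00N the CurrentControlSet link points to from HKLM\SYSTEM\Select, and then shows the access control that backs the "don't edit SAM directly" advice by trying to open HKLM\SAM\SAM. No paths or values are assumed beyond those well-known keys.

```powershell
# Added example (not from the original post). Shows which file backs each hive,
# which control set is current, and that SAM is not readable by ordinary admins.

function Get-HiveBackingFiles {
    # hivelist maps kernel registry paths (\REGISTRY\MACHINE\SAM, \REGISTRY\USER\S-1-5-...)
    # to the device path of the file that backs them. HARDWARE has no file: it is volatile.
    $hivelist = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    foreach ($prop in $hivelist.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
        if ([string]::IsNullOrEmpty($prop.Value)) { $file = '(volatile, no backing file)' }
        else                                      { $file = $prop.Value }
        [pscustomobject]@{ RegistryPath = $prop.Name; BackingFile = $file }
    }
}

function Format-ControlSet {
    # Select stores the control set number; 0 means "none" (used by the Failed value).
    param([int]$Number)
    if ($Number -eq 0) { return 'none' }
    return 'ControlSet{0:D3}' -f $Number
}

function Get-ControlSetSelection {
    # CurrentControlSet is a link to ControlSet00N where N = Select\Current.
    $sel = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    [pscustomobject]@{
        CurrentControlSet = Format-ControlSet $sel.Current
        Default           = Format-ControlSet $sel.Default
        LastKnownGood     = Format-ControlSet $sel.LastKnownGood
        Failed            = Format-ControlSet $sel.Failed
    }
}

function Test-SamReadable {
    # Opening HKLM\SAM\SAM is denied for everyone but SYSTEM by default, administrators
    # included. This is the enforcement behind "don't edit this key directly".
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SAM\SAM')
        if ($null -eq $key) { return 'not found or not readable' }
        $key.Close()
        return 'readable (the process is probably running as SYSTEM)'
    } catch [System.Security.SecurityException] {
        return 'access denied (expected unless running as SYSTEM)'
    }
}

# Usage:
#   Get-HiveBackingFiles | Format-Table -AutoSize
#   Get-ControlSetSelection
#   Test-SamReadable
```

The hivelist output is also the quickest way to see which files a forensic acquisition must collect: SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT under C:\Windows\System32\config, plus each user's NTUSER.DAT and UsrClass.dat.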

HKEY_USERS
  • This is commonly abbreviated as HKU. 

  • This contains the user-specific settings of every profile currently loaded on the system (logged-on users plus the service accounts), not of every user who has ever logged on; when a user logs off, the profile is normally unloaded back to its NTUSER.DAT file.

  • Each user is represented by his or her SID, which is unique to that account. Alongside it there is usually a second key named <SID>_Classes, which holds the per-user HKCU\SOFTWARE\Classes data and is backed by UsrClass.dat under %LOCALAPPDATA%\Microsoft\Windows.

  • The key named .DEFAULT is not a SID and is not the C:\Users\Default template used for new profiles: it is the profile of the Local System account, backed by C:\Windows\System32\config\DEFAULT, and it is what HKCU resolves to for services running as SYSTEM. The other keys are named by SID:
    • S-1-5-18: Local System

    • S-1-5-19: NT Authority-Local Service

    • S-1-5-20: NT Authority-Network Service

    • A longer SID of the form S-1-5-21-<machine or domain ID>-<RID> ends in a relative identifier (RID): 500 is the built-in Administrator account, 501 the built-in Guest, and ordinary accounts start at 1000. An account can be an administrator through group membership without having RID 500, so the RID tells you which built-in account it is, not whether it is privileged.
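As an added PowerShell example (not code from the original post), the block below ties the HKCU and HKEY_USERS sections together: it resolves the HKEY_USERS key the current process's HKCU is linked to, then lists every loaded profile key under HKEY_USERS with the account name it translates to and an interpretation of its RID. Nothing is assumed beyond the well-known SID layout described above.

```powershell
# Added example (not from the original post). Resolves the HKCU -> HKU\<SID> link
# for the current process and labels every loaded profile key under HKEY_USERS.

function Get-CurrentUserHiveKey {
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    [pscustomobject]@{
        SID        = $sid
        HKCUTarget = "HKEY_USERS\$sid"                  # HKCU is a link to this key
        Loaded     = Test-Path "Registry::HKEY_USERS\$sid"
    }
}

function Get-LoadedUserHives {
    foreach ($key in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        $name = $key.PSChildName
        $rid  = $null
        $kind = 'well-known or service account'

        if ($name -like '*_Classes') {
            $kind = 'per-user Classes hive (UsrClass.dat) for the SID before the suffix'
        } elseif ($name -eq '.DEFAULT') {
            $kind = 'Local System profile (not the C:\Users\Default template)'
        } elseif ($name -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
            # S-1-5-21-<machine or domain id>-<RID>: the last component names the account.
            $rid = [int]$Matches[1]
            if     ($rid -eq 500)  { $kind = 'built-in Administrator (RID 500)' }
            elseif ($rid -eq 501)  { $kind = 'built-in Guest (RID 501)' }
            elseif ($rid -ge 1000) { $kind = 'regular local or domain account' }
            else                   { $kind = 'other built-in account' }
        }

        $account = $null
        try {
            # Translation is not possible for .DEFAULT; the _Classes suffix is stripped first.
            $lookup  = $name -replace '_Classes$', ''
            $account = (New-Object System.Security.Principal.SecurityIdentifier($lookup)).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch { }

        [pscustomobject]@{ Key = $name; Account = $account; RID = $rid; Kind = $kind }
    }
}

# Usage:
#   Get-CurrentUserHiveKey
#   Get-LoadedUserHives | Format-Table -AutoSize
```

S-1-5-18, S-1-5-19 and S-1-5-20 translate to NT AUTHORITY\SYSTEM, LOCAL SERVICE and NETWORK SERVICE respectively; a domain SID for a user who is no longer resolvable (for example a profile left behind from another domain) simply shows an empty Account column, which is itself useful information during an investigation.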

HKEY_CURRENT_CONFIG
  • This is commonly abbreviated as HKCC. 

  • Like HKEY_CURRENT_USER, it does not actually store data; it is a link to data stored elsewhere.

  • HKCC has the configuration data pulled from the current hardware profile. 

  • The link points to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current. Hardware profiles were dropped after Windows XP, so HKCC is of little practical use on current systems.

There may be a time when you want to inspect the settings of a user who is not logged on, or of another machine, for instance an NTUSER.DAT copied from a disk image during an investigation. Load Hive gives you that ability: in Registry Editor, File > Load Hive reads a hive file into a key name you choose, and Unload Hive detaches it again (the same can be done from the command line with reg load and reg unload). You can only use Load Hive and Unload Hive when HKEY_LOCAL_MACHINE or HKEY_USERS is selected; with any other hive selected the options are greyed out. Loading requires administrator rights (the backup and restore privileges), and a hive that is in use, such as the NTUSER.DAT of a logged-on user, cannot be loaded, so work from a copy.
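Here is the load, inspect, unload cycle as an added PowerShell example (not code from the original post). It mounts an offline NTUSER.DAT under a temporary HKEY_USERS key with reg.exe (the PowerShell registry provider has no load or unload cmdlets), reads the per-user Run key, and always unloads afterwards. The evidence path in the usage line is assumed; the script must run from an elevated prompt.

```powershell
# Added example (not from the original post). Loads an offline user hive,
# reads its Run key, and unloads it again even if reading fails.

function Get-OfflineUserRunKey {
    param(
        [Parameter(Mandatory)][string]$HivePath,      # e.g. E:\evidence\Users\alice\NTUSER.DAT (assumed path)
        [string]$MountName = 'OfflineUser'            # temporary key name under HKEY_USERS
    )
    if (-not (Test-Path -LiteralPath $HivePath)) { throw "hive file not found: $HivePath" }

    $mount = "HKU\$MountName"
    # reg.exe sets $LASTEXITCODE; 0 means the hive is now visible as HKEY_USERS\<MountName>.
    & reg.exe load $mount $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg load failed: run elevated, and make sure the hive is a copy that is not in use"
    }

    try {
        $runPath = "Registry::HKEY_USERS\$MountName\Software\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path -Path $runPath) {
            $run = Get-ItemProperty -Path $runPath
            foreach ($p in $run.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not Run entries
                [pscustomobject]@{ Name = $p.Name; Command = $p.Value }
            }
        }
    } finally {
        # Any live handle into the mounted hive makes reg unload fail with "Access is denied",
        # so drop references and let the runtime release them before unloading.
        $run = $null
        [GC]::Collect()
        [GC]::WaitForPendingFinalizers()
        & reg.exe unload $mount | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; the hive is still mounted at $mount" }
    }
}

# Usage (elevated):
#   Get-OfflineUserRunKey -HivePath 'E:\evidence\Users\alice\NTUSER.DAT' | Format-Table -AutoSize
```

Keep the mount name unique per investigation; loading a second hive under a name that is already in use fails, and forgetting to unload leaves the hive file locked until the next reboot.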
