To understand what the Windows registry is, imagine human brain, which stores all the key information and code that allows various parts computer, operating system and software communicate with each other. Including detailed information about hardware, communication protocols, installed software, configuration files and, of course, the inner workings of Windows itself.
It doesn't matter which version of Windows you are using, you will have not one but several registry files, as Windows splits the registry into several core files containing all necessary information about the operation of the computer, its hardware, files of each individual user, software, parameters and settings.
The database registry files that the operating system loads into the computer's memory when the computer starts or when a user logs on are often large and complex. But without these files of settings and parameters, the computer will not be able to work at all.
The registry resembles the brain for other reasons as well. He is also capable of self-healing, but only to a limited extent. While the human body is full of the building blocks necessary to repair and restore damaged cells and tissues, in the case of the registry, if parts of the databases containing the information necessary to boot or restore the system are damaged, about self-repair out of the question.
Luckily, however, you can restore and repair your registry externally, even reset it to an earlier state, or completely erase it and start from scratch.
Earlier, in older versions of Windows, there was a need to manually open the .ini file in the program or driver folder and make your necessary changes to the parameter settings. Each program and hardware driver had its own .ini file and each of them, for each individual PC, required individual configuration.
And since there have always been minor differences between different PCs, an imported .ini file is unlikely to work.
Via Microsoft registry reconciled this chaos, and effectively pulled all those individual .ini files into a single, manageable database.
The registry was first introduced in Windows 95 and Windows NT, and as a core component of the operating system, it hasn't changed much to this day. The reason for this is compatibility with existing hardware and software, which is critical for business PC users. Changing the registry too much will break or require a complex virtualization machine that, by at least, will create significant security problems.
Over time, the registry, with features such as User Account Control (UAC), which prevents malware from penetrating deep into your folder structure where it will never be found, has become more resilient and secure.
Despite its size and tens or even hundreds of thousands of keys contained in it, it is quite simple and reliable, making up a fairly simple structure of folders, keys and values.
Windows registry files
If you are using modern version Windows, I mean Windows 7, Windows 8 or 8.1 and Windows 10, the registry, its structure, operation and editing capabilities are the same there. The main components of the operating system do not change very often.
Windows has several repositories for registry files, one for all PC user-specific settings such as hardware and Common parameters operating system, and several others for each individual user.
The main registry files are located in the% systemroot% \ System 32 \ Config \ directory and consist of the following:
- SAM (Security Accounts Manager)
- SECURITY
- SOFTWARE
- SYSTEM
- DEFAULT
- USERDIFF (used only for OS upgrades)
In addition, each user has their own registry files:
- % userprofile% \ ntuser.dat
- % userprofile% \ AppData \ Local \ Microsoft \ Windows \ UsrClass.dat
The first of these files, the ntuser.dat file, contains the main user software, settings and configuration parameters. The second, UsrClass.dat, contains Extra options such as custom file relationships and COM (Composite Object Model) information.
Registry files are in binary format and cannot be read without special software. This differs them from .REG files, which can be exported from the editor for viewing and editing by administrators. windows registry.
Registry keys and values
The registry, when viewed as a whole, is divided into five main sections or groups. It helps to organize the various keys and folders in the registry, making them easy to manage.
When you modify or create items in the registry, you create keys and values, but what are the differences between the Windows registry files?
Note. Registry keys are containers that contain values for software and hardware or Windows operating system. Keys can be thought of as a folder in which the values are - separate files... You can navigate the keys using the folder type hierarchy. The values are kind of register nuts and bolts. These are parameters, integers and strings containing data and information to help boot Windows and work efficiently with your hardware and applications.
HKEY_CLASSES_ROOT (HKCR)
This section stores information about registered OLE applications, class IDs and file associations. Sometimes you can see it abbreviated, HKCR section. It adds duplicate keys to the existing HKEY_CURRENT_USER \ Software \ Classes subkey, and Windows will use the HKEY_CURRENT_USER \ Software \ Classes subkey as the main subkey.
HKEY_CURRENT_USER (HKCU)
This section contains user profile configuration options, including the location of user folders on disk, control panel settings, and specific application configuration options.
HKEY_LOCAL_MACHINE (HKLM)
This section contains all settings specific to a PC on which Windows is installed. It contains SAM, SECURITY, SYSTEM and SOFTWARE files. The fifth file, HARDWARE, is created anew each time the computer is started and contains information about the detected hardware.
And also this section contains located in
% systemroot% \ System 32 \ config \ COMPONENTS and BCD files, which store information related to the PC download configuration.
There are only a few subkeys under the HKEY_LOCAL_MACHINE registry key that deserve attention because this set of registry files is the most frequently edited and edited by users.
SAM
The Security Accounts Manager keys section is usually blank if the user does not have the appropriate administrator rights. It contains security information for all connected PC domains, including local domain also called SAM.
The SAM database contains the username used to log on to the domain, the domain UID (unique identifier), the cryptographic hash of the user's password, the user's location in the registry and on the server, and various other parameters and flags required when connecting.
SECURITY
This subsection is also empty for most users, unless of course they have the appropriate administrative permissions. When connected to a domain, it is associated with the base Data Server Registry Hive, which contains all security policies applicable to the current user and installed applications.
SYSTEM
This subsection contains information about Windows installation, settings and data on connected to this moment devices and containing system files disks.
SOFTWARE
This section contains settings for the current Windows installation, installed programs and applications, and software vendor keys, includes subsections for file extensions, MIME types, and class and interface object identifiers (such as ActiveX).
HKEY_USERS (HKU)
HKEY_CURRENT_CONFIG (HKCC)
HKCCs contain information collected during computer and Windows boot. This information applies only to the current session and is deleted when the computer is turned off.
Each of the registry keys contains individual keys different types providing maximum flexibility in managing and configuring the Windows operating system, applications and hardware.
HKEY_PERFORMANCE_DATA
This section is not visible when using the Windows Registry Editor. It contains the runtime and performance data, Windows kernels, drivers, applications and services. They are removed when the computer is turned off and restored on the next boot.
Registry value types
When you create a new registry value, you will be presented with the following options:
- REG_BINARY: This type of keys stores raw binary data.
- REG_DWORD: A 32-bit variable length integer.
- DWORDS: Typically used to define device driver customization options and software customization.
- REG_SZ: fixed length string value.
- REG_EXPAND_SZ: Expandable string value length, also used for environment variables.
- REG_MULTI_SZ: multi-string that can contain a list of values, usually separated by commas or spaces.
- REG_RESOURCE_LIST: list of resources, nested arrays, used by device drivers.
- REG_RESOURCE_REQUIRMENTS_LIST: List of hardware resources used by device drivers.
- REG_FULL_RESOURCE_DESCRIPTOR: nested, used to store resource lists physical devices, arrays.
- REG_LINK: A symbolic link (UNICODE) to the next registry key that defines the root key and the path to the target key.
- REG_NONE: data that is not of a specific type.
- REG_QWORD: 64-bit length variables.
Note... There are some differences between the 32-bit (x86) and 64-bit (x64) Windows registries. The 64-bit qword parameter is not supported on 32-bit versions of the Windows operating system. In addition, the registry handles 32-bit and 64-bit keys in such a smart way that file system handles multiple versions of the same dll files but retains compatibility, which you can find in the registry section HKEY_LOCAL_MACHINE \ Software \ WOW6432Node.
.REG files
Reg files differ from registry files in several important ways. First, although they store registry keys and values, they are intended for backups and transfers between PCs, and Windows installation from these values and keys. Also, .REG files, unlike registry database files that contain a binary system, are stored in text format ASCII.
REG files open automatically (or at least should if everything is properly installed and organized) when double click in the Windows Registry Editor.
You can use .REG files, in the Registry Editor itself, to export the entire registry or its individual keys.
And also you can manually edit the content of the .REG file in Windows notepad or any other text file editor. Click right click mouse on the .REG file in the explorer, in the appeared context menu open the "edit" option.
In the example in the figure, the key HKEY_CURRENT_USER \ Control Panel \ Desktop \ WindowMetrics is specified, and it is highlighted here because it includes an addition to the default configuration.
At the end of the key is a section called "MinWidth" which has a numeric value of 54. This key changes the behavior of the icons on the panel Windows tasks(do not group), so that program icons, when launching multiple instances, are displayed separately, but without their signatures.
Overall, while the Windows Registry is a huge bloated behemoth with thousands of complex binary, hexadecimal, and ASCII values and codes, it's pretty easy to work with.
In files SYSTEM.DAT and USER.DAT in the catalog Windows 95/98 or in a folder C: \ W \ System32 \ Config \ v Windows NT the so-called system registry containing a large number of information. Apart from the records required Windows, most programs write their own information there as well. To make changes to the registry, you need to open it using the program designed for this. An example is the program REGEDIT, supplied as standard Windows... To launch it, open the dialog box Start / Run, enter Regedit and press OK.
You will see a window split in two. On the left is the Explorer-like navigator, and on the right is the information itself. The registry consists of six sections: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG and HKEY_DYN_DATA... Each section contains folders. If there are subfolders in a folder or section, then to the left of this folder is the " a plus". When you click on it, this folder." unfolds ", and the icon turns into " minus"by clicking on which you can again" roll up". If you click on the folder icon or its name, a list of those parameters that are contained in this folder (but not in subfolders!) Will appear in the right window. Each parameter consists of its name and value. Each parameter has its own path, by which it can be found. The path consists of a sequence of folders in which this parameter is located, starting with the parent folder (this is one of the six main sections listed above). An example of such a path would be HKEY_CURRENT_CONFIG \ Display \ Settings, and the parameter name Resolution. When combined, these two values - the parameter and the path to it (often called an address) indicate a unique parameter. For example, two different parameters can have the same path, two parameters can have the same names, but lie in different folders and subfolders, but two parameters with the same address and name cannot exist. The registry can be searched (using the menu, or by the keyboard shortcut CTRL + F).
Highlighting desired section(by clicking on the section icon or its name), you can create a parameter or subsection in it. To do this, you must use the menu Edit / Create... In the system registry Windows there are 3 types of parameters: string, binary, and DWORD... The string stores one line ( string), v binary - binary value, v DWORD- decimal or hexadecimal value. When creating a parameter, you must specify its name. Then, by double-clicking on it in the right window, you can enter the value of the parameter (or change the existing one).
If the advice says to set a parameter value, it means that you need to change existing meaning parameter to the desired one, or, if a parameter with such a name is absent, create it and then change the content.
At the end of the work, for most of the changes you need to close REGEDIT and restart the computer. Well, first of all, let's figure out what it is: the registry Windows... When we install or uninstall programs, we change the parameters Windows we install new equipment, all this is recorded and recorded in the register. You could say that the register is the heart Windows. To view or edit the registry, you need to run the program Regedit (Start - Run - Regedit). Physically, the registry is stored in a directory Windows (95/98) under the names User.dat and System.dat... I say right away if you don't know what you want to change to 100% do not change, otherwise the price is worthless. Well, for those who have changed, I give a hint. At successful loading, Windows makes backups of the registry under names User.da0 and System.da0... This is what we will use. Of course, you can create your own backups for every "fireman". If Windows does not boot, then at boot time we press Ctrl. How to appear the menu select " Command prompt only", go to the folder Windows ("CD C: \ Windows") and type the command scanreg / restore(v Windowse NT - rdisk). Now reboot and Windows should start. If there is no such program, then you will have to type in command line from folder Windows:
attrib -h -r -s system.dat
attrib -h -r -s system.da0
copy system.da0 system.dat
attrib -h -r -s user.dat
attrib -h -r -s user.da0
copy user.da0 user.dat
Well, now let's go directly to the registry.
1.) Open regedit find the key
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Uninstall.
Here you will find full list installed programs. If some programs are no longer there, remove unnecessary folders with their names (an incomplete list is displayed in " Control Panel - Add or Remove Programs ").
2.) In the key
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Current Version \ Run
there is a list of all programs that start at boot Windows. You can delete an unnecessary program, or you can add it. To do this, you need to create String parameter, for the name you must enter the name of the program, and as the parameter value, enter the path to the program. If there are several users on your computer, the list of programs can be here:
HKEY_USERS \ .DEAFAULT \ Software \ Microsoft \ Windows \ CurrentVersion and
HKEY_USERS \ (Username) \ Software \ Microsoft \ Windows \ CurrentVersion
3.) That's it, the warm-up is over and we are moving on to Main menu.
To get rid of the item Favorites (Windows 98), go to the section
HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer
and create here Binary parameter NoFavoritesMenu with the meaning 01 00 00 00 ... Everything! Now the Favorites item will no longer appear. Delete the created parameter or change its value to 00 00 00 00 to put the item back. You can get rid of other items in the same way:
Documentation- parameter NoRecentDocsMenu
Settings - NoSetFolders
Find - NoFind
Shutdown - NoClose
Logging out ... - NoLogOff.
You can also cancel the work with the right mouse button in the main menu, for this create there the same DWORD-parameter under the name NoChangeStartMenu with the meaning 1 ... Ready! Well, the final touches. Like the message about which button to start with? Not? Then we create DWORD- parameter named NoStartBanner and the value 1.
4.) Go to
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Winlogon
and create String parameter LegalNoticeCaption. Enter "Chernobyl virus detected" as the value, create another string parameter LegalNoticeText with the value "Click" OK "and all data on the hard disk will be destroyed." Restart Windows and enjoy the result. In the first parameter we enter the title, and in the second - the text itself.
5.) Now you can change the clock in the lower right corner. Go to
HKEY_CURRENT_USER \ Control Panel \ International
and create a string parameter sTimeFormat
Its meaning " HH: mm", where HH is the hour,: is the separator character, and mm is the minutes. A reboot is required for the changes to take effect. It's fun to see how your friend will be tormented by adjusting the clock if you swap HH and mm! Well, if you want to shit very hard, then you need to do this: Hm: mH "mH; Hm and so on.
6.) So that there are no arrow labels in the icons, find the key HKEY_CLASSES_ROOT \ Piffile and remove the parameter IsShortcut, the same should be done in the folder Lnkfile... Restart your computer and enjoy the result.
7.) The path to installation files Windows 95/98 lies in
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Setup.
Change it and Windows will search setup files when adding components or changing system parameters.
8.) To remove the "palm" from the shared resources, just delete the value Default out of the key
HKEY_CLASSES_ROOT \ Network \ SharingHandler
9.) You can also remove all icons from the desktop altogether. To do this, create in the key
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer
DWORD parameter named " NoDesktop"Reboot and you will see the cleanest desktop in the world.
10.) In order to hide the disks in the explorer, go to
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer
and create here Binary parameter With name " NoDrives ".
The value will depend on which drives you want to hide:
Disk A- meaning 01 00 00 00
B - 02 00 00 00
C - 04 00 00 00
D - 08 00 00 00
E - 10 00 00 00
F - 20 00 00 00
If you want to hide several disks, then you need to sum their values. But note that these numbers are hexadecimal. To calculate correctly, use the calculator ( Programs - Standard - Calculator)... Select from the menu Calculator "View - Engineering"then select "Hex" and calculate. For example, to hide drives C and D need to add 04 00 00 00 and 08 00 00 00 ... Enter in the parameter value 0C 00 00 00... To hide drives A and E need to add up 01 00 00 00 and 10 00 00 00, we get the result 11 00 00 00.
11.) Open Properties: Screen, here we will hide some tabs. In the registry editor, find the key
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System
create here DWORD-parameter named NoDispBackgroundPage and the value 1 ... Now the tab Background will not be displayed. The rest of the tabs are hidden by the following parameters:
NoDispAppearancePage - Decoration
NoDispScrSavPage - Screensaver
NoDispSettingPage - Setting.
12.) Now let's make the point To open with... always appeared in the context menu. For this we will find the key HKEY_CLASSES_ROOT \ * \ and create a section in it shell(if not). Here we will create another section " openas"and it also contains" command". Change the value" Default" on the " C: \ WINDOWS \ rundll32.exe shell32.dll, OpenAs_RunDLL% 1". Done, you can check.
13.) To change the drop rate Main menu go to the key
HKEY_CURRENT_USER \ Control Panel \ desktop
and create Menu Show Delay string parameter. Enter the delay time (in milliseconds) in the value and reboot.
14.) Now let's try the item Open in Notepad put in context menu... Let's go to the section HKEY_CLASSES_ROOT \ * \ shell(If not, create). Create a section " Open"and change Default on the " Open in Notepad". Now create a section" command " and in it change Default on the " notepad.exe% 1". Ready.
15.) Now let's play with Internet Explorer "om. Want to change your browser wallpaper? You are welcome. Go to the key
HKEY_CURRENT_USER \ Software \ Microsoft \ Internet Explorer \ Toolbar
and create The string parameter "BackBitmap". And as a parameter, enter the path to the picture in the format Bmp and restart your browser. But that's not all.
HKEY_CURRENT_USER \ Software \ Microsoft \ Internet Explorer \ Main
create a new Window Title string parameter... In the value, enter what you want to see in the title after the page name, restart your browser and enjoy. The conductor will look exactly the same.
16.) If you want to admire a name or just a word after hours in Systray (the bottom panel) then go to
HKEY_CURRENT_USER \ Control Panel \ International \
and create two string parameters: s1159 and s2359... In their value, you must enter the desired name. The limit is 8 letters.
17.) When you need to restart the registry, and you don't want to restart the machine, in some cases the following will help: press Ctrl + Alt + Del then select Explorer and the button " Complete task "... Answer the offer to turn off the car with a refusal, then press " Remove task"in the next window, after which you will see how it disappeared and appeared" Task bar".
Not everything works in Windows 95
Registry repair
Care must be taken when working with the registry. Deleting any important data accidentally or unknowingly can crash the operating system. Then the situation can be saved only by restoring the last working copy.
If you are going to experiment with the registry, first save the SYSTEM.DAT and USER.DAT files on the disk. They are located in the directory where the operating system was installed and have read-only and hidden attributes. If the registry is seriously damaged, you can rewrite these files to the Windows directory, set the necessary attributes and the registry will be as good as new. Just do not try to restore these files when Windows is loaded, otherwise the system will shut down completely and save it only complete reinstallation! To restore these files, you must first reboot into DOS and replace the damaged files with good ones there.
But this is not the only data recovery option. The fact is that the operating system, at each successful launch saves a copy of the registry in a .cab file that is written to the hidden SYSBCKUP directory of the Windows directory. By default, the last five copies are kept. This number can range from 0 to 99 and is set by the value of the MaxBackupCopies key in the scanreg.ini file in the Windows directory. Truth is not worth installing too great importance since files take up a lot of space (one file is larger than a megabyte).
To restore the registry from one of these backups, you need to reboot into DOS and run the command
A list of available registry backups will appear, sorted by the time they were created. After selection desired copy the data will be safely restored, and you will receive a register that corresponds to the state of affairs at the time of its creation.
But if you installed any programs or changed the operating system settings in the interval between the last backup and a failure in the registry, then all this data will be irretrievably lost. Do we need it? Definitely not! To back up the registry at any time, use the command
which in case is normal passed verification will create a backup.
Another option for backing up and restoring the registry is to export the key or entire branch that you plan to modify. This can be done in Regedite for Windows from the Registry menu. Highlight the required section and click on the item "Export registry file". After specifying the file name, the data in this section will be exported to it. The file has REG extension... To import it into the registry, just double-click on it and the data will be transferred. True, this information recovery method has one significant disadvantage: all deleted or modified entries will be restored, but added entries will not be deleted. So this way it is more suitable if you make some insignificant changes, and in order to roll them back without re-entering the old data, you can use export / import.
In general, you need to work with the registry very carefully, but if you periodically back up it, then no problems should arise
Good day, dear readers. In today's article it will be about such a thing as windows registry .
For most users, the registry is associated with something completely unknown, has some downright mythical character and causes almost awe.
I must say that all this is not in vain, because joking with the registry is quite dangerous and even a small wrong move often leads to the most serious consequences. However, when handled correctly, it becomes irreplaceable tool on setting Windows.
The tips below will clarify some things for you and pave a certain path along which you will learn the basics of handling the registry, so that, if necessary, you can make changes to its parameters without much fear.
Windows Registry - Introductory and Terms
We can say that the system registry Windows is a database that stores different meanings OS parameters (operating system) and applications installed by you.
The advantage of using the registry is the ability to change parameters that you cannot reach using windows Windows.
However, on the other hand, changing these options is not backed up by hints, visual design and all sorts of warnings against wrong actions, which are often given when using the control panel or other system / program options.
Thus, working with them is, so to speak, walking through a minefield for uninformed users and, especially due to the lack of visual clarity, many do not even come close to this tool.
What does the Windows Registry do?
In general, the mechanism of its operation is quite simple. When installing the program (or changing any parameter Windows in any of the settings menu) the system itself searches for desired parameters and makes adjustments to one of the registry values.
For example, this happens when you uninstall applications using the tool " Installation and removal of programms» (« Control Panel»).
By the way, when you carelessly delete the folder with installed program by simply pressing Delete v My computer, and not through the appropriate tools in the system, the registry items responsible (namely, containing program settings, information about the location, etc., etc.) for this program do not disappear, but remain in the system and thus litter it.
That is why it is so important to correctly delete applications, to clean and take care of the system in a timely manner, which I have repeatedly written about in my articles - "" or, say, "".
Do you want to know and be able to do more yourself?
We offer you training in the following areas: computers, programs, administration, servers, networks, site building, SEO and more. Find out the details now!
What does the registry look like? This is a kind of table containing all the registry entries, which is stored on the hard disk in the form of several files, but it is buried in such a way that the only way to work with it is to use the built-in tools. Windows or third-party programs.
regedit - we look at the Windows registry with our own eyes
To enter the Windows- open the registry editing tool, then write in the window that appears and click Enter.
A piece will appear in front of you (it is a built-in Windows-registry editor), in which you can see what this miracle is, which I am talking about in this article.
The stored values are divided into categories and placed in folders, like those that you are so used to seeing in " My computer". To open a folder, click on it a couple of times with the mouse or use the small plus sign next to its name.
The folders in a section are called keys, and the contents of the folders that appear on the right are called values.
Why you might need a Windows Registry
Before you start torturing and tinkering with the system, I warn you: the information stored in the registry is very important for correct work Windows, changing or deleting it may cause the computer to malfunction.
It's also worth noting that changes take effect when you make them. Registry Windows- this is not a document Word, in which you confirm or cancel the amendments to the settings, so in any case do not change the parameters unknown to you.
Most easy way secure the system - before taking any action, create a restore point (read about this below), which will automatically make a copy of the registry and you will most likely (but not always) return to it in case of problems.
Sometimes it is worth writing down the changes made on paper, which will greatly simplify the troubleshooting if something does not go as planned (you cannot keep everything in your head).
How important is the registry Windows, can be judged by the fact that the system independently creates backup copies of all its values at each boot, and therefore the system has such an option as “ Loading the last good configuration "(Lives in the same place as safe mode, namely, when you click in front of the boot screen (a strip crawls there)).
How and how to edit the registry
There are many programs that provide a wide range of functions for working with the registry, but one should be careful when choosing such tools, since non-professional program implementations can negatively affect the operation of the system.
Therefore, it is worth using only proven applications or system tools. I prefer the built in Windows the tool, which has already gone a little higher (and will go a little lower :)).
In general, managing the registry is not as difficult as it seems, first of all you must know which values to change and what to change them for. And there it is a matter of technology.
The main control window of the program practically does not differ in outward appearance from the familiar to the user Windows conductor.
In addition, she, like, has the menu " Favorites"Which can be used to quick access to the parameters of the various keys.
To do this, select desired value, click Favorites-Add to favorites, enter a name and click the " OK". This feature is very useful if you need to make changes to one or more options on a regular basis.
What are the categories of the registry responsible for and what can be done in it
Each of the five main categories is responsible for storing its own set of parameters. For instance, HKCU- she HKEY_CURRENT_USER- contains keys that control settings specific user, a HKEY_LOCAL_MACHINE- the operating system as a whole.
I will give a few simple examples of working with the registry so that you understand the basics:
Clearing history
- Despite the fact that the list of sites that you have visited with Internet Explorer can be deleted manually, they still pop up when you enter address bar similar options;
- You can get rid of this story using third-party programs or by editing the registry. We open it and go along the way " HKEY_CURRENT_USER \ Software \ Microsoft \ Internet Explorer \ TypedURLs»;
- Going there, on the right side of the editor you will see a list of addresses that you can delete by highlighting and clicking on the " Delete"(after poking with the right mouse button on what we want to delete).
Well, or for example.
Blocking the task manager
Using the registry, you can unblock or block the Task Manager:
- Open and go to " HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \»;
- If on the left, below " Policies", You will not find the directory" System"Right-click on" Policies"And select" Create", and then " Chapter»;
- Below will appear new folder, which you need to rename to " System»;
- Next, in the window with parameters (this is on the right), right-click, select Create -> DWORD parameter and give it a name DisableTaskMgr;
- Right-click on it and select " Change»;
- In the value input line, put 1 to turn off (or 0 to enable) Task Manager, and then select the radio button " Calculus system" on the " Decimal»;
- After that, when you try to call the task manager, "" will appear (or vice versa, this message will disappear if it was blocked).
Caution when applying
I would like to once again warn you against changes to unknown values. Each time you dive into the settings, create control points to restore, and also produce backup important files... This will protect you from accidental failures and loss of information.
To create a restore point, press " Start- Execute- msconfig-System Restore". In the window that opens, you need to select" Create a restore point", After which, following the prompts, you can easily save the current state of the OS. You can also restore the previous state using this menu, using the adjacent item.
In order to make a backup copy of the entire registry \ registry branch, run, select the desired section \ branch \ folder, press " File- Export"and then choose where to save the file .reg.
To use this backup later, either click File- Import, or just click on the file and confirm with the button " Yes"adding data to the registry Windows.
If you save a branch, then it is saved (and imported, respectively, too) with subfolders and with all the values in it.
Afterword
These are the pies. By the way, in the open spaces world wide web there are so many websites that talk about different parameters and changes in the registry. Be careful not to use the first advice that comes across without knowing the result.
Again, I can't help but mention
Today we will try to get into the Windows registry from the back door, without using the standard WinAPI functions intended for this. What will it give us in the end? The ability to write and read from the registry directly, bypassing the restrictions set by the developers of antivirus solutions!
Looking ahead, I will note: this topic is interesting, but there is a whole set of serious problems. Although who said that we can’t afford it? 🙂
What is the register, or a little lyrics
From the point of view of the Windows operating system, the registry is a unique pantry. This peculiarly built hierarchical database stores settings, data, registration information and other crap about almost everything in the system, from programs to the settings of a specific user. Almost everything is stored in the registry. Despite the fact that some programs prefer to store their settings in ini-configs (especially programs written for Win 3.11. - Ed.), Windows itself reads all the necessary information about itself from the registry. For the sake of fairness, we note that in * nix-like operating systems, the system for storing settings in all kinds of configs still dominates.
Newbies - system administrators when starting to work with the registry, senior comrades scare that wrong setting and changing registry settings can completely crash the system with its subsequent reinstallation. And indeed it is.
For example, the so-called restore points are copies of the registry. They are widely used by users when various problems with both operating system and software and hardware.
I must say that 99% of information about the Windows registry is a description of the main keys plus advice on how to work with them. But how does the operating system itself work with the registry? And can we emulate her actions? Let's speculate a little.
So what?
The registry is both strong and weak side Windows. Strong side registry is that there is no need for software developers to manipulate a lot of configs, as is, for example, implemented in nix. The registry is also convenient for the creators of COM components - the system automatically registers such a component in the registry and facilitates the task of its further use.
The weakness of the registry is that access to modification of sensitive areas of the registry allows you to manage Windows any a program written by some newly minted malware. Remember at least the most famous branch of the Windows registry, which allows you to run programs at the start of the OS :).
If in Windows 98 the registry could be repaired by anyone who would think of it, then starting with Windows XP, only users with account administrator. In Vista +, registry access is protected by UAC. This is understandable.
I must admit that with the release of Win7, the security concepts when working with the registry were revised in better side... For example, the HKEY_LOCAL_MACHINE registry key is protected. V general case an attempt to write something to it will be redirected to the appropriate HKEY_CURRENT_USER branch for the current user.
Interface
To work with the registry directly, Windows offers the programmer a whole set of WinAPIs that any system developer should be familiar with - these are Reg * functions such as RegOpenKey, RegQueryValue, and so on. In the Win core, these are NtOpenKey, NtQueryValueKey and a number of others. There is little point in describing them - all documentation on the proper use of these functions can be found on MSDN.
Here is what is worth noting. Antiviruses and proactives to control user actions installed hooks on the mentioned functions, both in the kernel and in the usermode.
With the release of Win7 x64, the situation has changed, and I already wrote about this once. Windows Developers decided to abandon the ability to intercept potentially dangerous functions in the Win kernel. Now the KeServiceDescriptorTable variable in x64 is exported anymore, and it won't work to rewrite the required code section - PatchGuard won't give it. There are, of course, sadomasochistic solutions to circumvent these restrictions - but there will be more crap than profit. Moreover, Microsoft offers convenient ObRegisterCallbacks to control the registry.
INFO
There is very little information on the Web about the structures that describe the main registry files. And almost all of them are in English. Initial knowledge can be found. In addition, it is well written about the registry in the bible of the system engineer " Internal organization Windows "from comrades M. Russinovich and D. Solomon.
And now - about the most interesting
But what exactly is a registry really? If you look into the WINDOWSsystem32config folder, you can see several files there: system, software, security, SAM and several others.
These are registry files.
However, it would be unfair to speak of the registry simply as a combination of files loaded into memory. Much of what the registry contains is dynamic, that is, a number of values are calculated at the stage of loading the system itself, primarily this concerns certain hardware parameters. For example, this is the HKEY_DYN_DATA registry subkey, the data of which, when the operating system is loaded, is located in random access memory and are there until the operating system shuts down. The same, by the way, can be said about the key subkey HKEY_LOCAL_MACHINE, which does not have its corresponding file on the disk, but is actually formed from other registry files, such as software, system and others.
Thus, from the inside, the registry can be rather roughly called a "virtual combination of registry files." After starting the system, these files are located both in the paged pool and in nonpaged memory.
Registry structure
In order to learn how to work with the registry directly, one cannot do without knowledge of its internal structure. In general, Microsoft has never revealed the secrets of the internal structure of the files that make up the registry, as it poses a security risk. According to my observations, all the available descriptions of the registry files and its structure (and, by the way, there are quite a few of them) are the results of the research of pioneer researchers. The most complete, in my opinion, such a "study" is possible, it belongs to Comrade Peter Norris.
We will not go into the details of the organization and structure of the registry, this is a long, tedious business and does not exactly fit into the framework of the article. It is important to understand here that the registry is a hierarchical tree-like structure, sometimes it is also said to look like a honeycomb.
And what to do with all this now?
I'll grieve right away: you won't be able to mess with the registry directly in the usermode, the system will not let you do this, as is usually the case with files occupied by other processes. If you try to twist, you can only read such a "busy" file, and then if you guess with the flags with which it was opened. Unfortunately, it will not be possible to write information into the "registry file" of interest to us. By the way, the feature with the record the information you need it can go to the registry, if you write to the registry * .BAK files, they are definitely available for writing.
So watch your hand :).
The first thing that can come to your bright mind is to open the registry file directly and write something there.
Theoretically, this can be done, for this you need, firstly, to be able to work with "busy" files (search for methods on the Web) and, secondly, as I said above, you need to know the internal structure of the registry files. This method is rather clumsy, but, despite its delusionalism, it is quite viable, although it is difficult to implement in practice (try experimenting with it yourself).
Here I will offer two ways to help you cut the registry into small pieces.
The first way is that for the configuration manager (Configuration Manager, part of the operating system, if you are not in the know), the registry is nothing more than a set of strictly defined structures in operating memory which, as it turns out, are very easy to work with. What are these structures, you ask? HBASE_BLOCK, HHIVE, HBIN, HCELL, HMAP_ENTRY, HMAP_DIRECTORY, a bunch of CM_ * structures used by the config manager to manage the registry. From the point of view of the operating system, the registry is simply a collection of regulated structures in memory. For example, the signature "regf" for the "registry file" is a predefined constant:
Define HBASE_BLOCK_SIGNATURE 0x66676572 typedef struct _HBASE_BLOCK (ULONG Signature; // 0x66676572 ULONG Sequence1; ULONG Sequence2; LARGE_INTEGER TimeStamp; ....) And here is the regf signature ...
That is, the meaning of all this my monologue is that there is a gorgeous opportunity to manipulate the registry at the operating system level, but at the same time not using its standard tools. How is this possible? We just emulate the actions of the operating system itself, exactly the way it itself works with the registry! It is important, as I said, to understand that for the OS itself, the registry is nothing more than a set of corresponding structures in memory.
If we have access to the registry files at the kernel level, then why are we worse than the OS itself in order to establish its own order?
And then the most interest Ask- how to find these very structures in memory? Right, staff resources there is no system for solving this issue, so you have to get out in a tricky way.
Knowing what the structures look like, you need to remember that each file, the hive of the registry, has its own constant signature. For example, "regf" is 0x66676572. For the hive, the signature will be 0xBEE0BEE0. Having access to memory from the kernel, we can find these signatures in memory quite easily by simply scanning it. You can also scan the memory in search of the "CM10" signature - it is this signature that is assigned by the config manager to the paged memory block, which is allocated for the CMHIVE structure. I suppose, having found the element of interest to us in memory, you will figure out what to do with it further :).
How, for example, can you change the value of a registry cell? The value is stored in the CM_KEY_VALUE-> Data field, so if you have a task to change any field in a specific registry key, look for the value there:
Typedef struct _CM_KEY_VALUE (WORD Signature; // #define CM_KEY_VALUE_SIGNATURE 0x6B76 WORD NameLength; ULONG DataLength; ULONG Data; //<---------- данные ячейки будут здесь ULONG Type; WORD Flags; WORD Spare; WCHAR Name; } CM_KEY_VALUE, *PCM_KEY_VALUE;
The second option is a kind of modification of the first. If you know, there is one peculiarity when working with the registry - all changes, that is, "creating new keys / writing / deleting keys", as a rule, take effect after a system reboot (well, or after rebooting the explorer, this is such a hack method). Until then, all changes are in a suspended, "dirty" state. Moreover, the system, when accessing the registry, communicates with it through the file system cache. This is understandable - there can be hundreds of calls to the registry per second, therefore, relying on the speed of the file system is unreasonable, no speed will save you here. Therefore, the system works with the registry, as they say, virtually, through the file system cache. And here, in order to pull the guts of the registry into the light, you need to get into the cache! How this is done has already been described in tyrnets, including in.
Pro & Cons, or instead of a conclusion
What can I say in the end? The variation on the topic of direct control over the registry, proposed to the reader in the article, is purely experimental. I do not argue that it is too heavy for practical implementation, and many will say that it is better to use normal WinAPI functions designed to work with the registry - and they will be right to some extent. However, the implemented die_hard in reality, based on the principles given in the article, will have a truly thermonuclear power, beyond the control of either the Avers or the operating system itself.
Now I'll finish. Happy compilation and may the Force be with you!
Www
The article by Mark Russinovich on the "Inside the Registry" is obligatory to read, there was even a Russian translation. An excellent tool for collecting registry information: http://goo.gl/iSSVy.
So, today the conversation will focus on a topic that would seem not very important, but, in fact, very necessary for every Windows user (and there are an overwhelming majority of them) - about what the registry is, what it consists of, why it is needed and how to save it in their bins. So what is a registry anyway? In essence, this is a huge, hierarchically structured database, powered by user requests. This database is needed to organize data about the system, as well as to optimize access to them. The registry contains a lot of diverse information both about the usual settings of the operating system and about various fine-tuning settings, including security settings and work with low-level programs, as well as drivers.
The registry is not an external program, it is part of the operating system. Ntdetect searches for the registry files when the system boots and loads the parameters of this very boot from there. knowledge of registry keys and knowledge of their significance is essential for effective system management. And also at least for elementary diagnostics "why it doesn't work like that". The registry is a tree-like system of value / key catalogs. Which are responsible for certain settings. Moreover, it should be borne in mind that different keys can be of different types - from boolean to string.
Illustrative anatomy.
So, it's worth telling what the registry physically consists of and how it works. It's worth making a reservation right away. That in the form in which the registry is presented to the user, it is not stored anywhere and special programs are needed to edit it - registry editors. The standard regedit.exe and regedit32.exe are fine. In the process of configuring and installing the system, some part of the registry data is formed, as well as during the operation of the system - another. As a result, when the system boots, the virtual object REGISTRY \ is formed, which is the registry. To edit, view and study the registry using standard Windows tools (programs regedit.exe and regedt32.exe), it is the registry branches that are available. After editing the registry and / or making changes to it, these changes are immediately written to the files that are integral parts of the registry. These are, in Windows 95 and Windows 98, user.dat and system.dat; on Windows ME - user.dat, classes.dat and system.dat. In later versions of the system, a much larger number of necessary files appeared.
About the shortcomings and how scammers make money on these shortcomings.
In fact, the system is quite complex, but quite reliable. Due to the excessive complexity, it is difficult to fragment the registry, and therefore - with the speed of its operation. Also, the registry tends to become excessively "fat" as a result of the accumulation of data over a long period of time, which also complicates its functioning. This problem is solved with the help of special programs to optimize and clean the registry. While dealing with this issue on your own, you should remember that you should not delete something from the registry if you do not know about its purpose - this can seriously damage the system, or even disable it altogether. In addition, scammers are trying to get on with these problems - the network is full of offers "download a program to optimize the registry, after the installation of which the computer will run 30% faster." Usually, such an offer is followed by a form for sending an SMS, which confirms the previous suspicions. You should not pay attention to such things, and even more so believe them - then you will not lose either money or nerves.
The main branches of the registry, their meaning and purpose.
HKEY_CLASSES_ROOT is a link to HKEY_LOCAL_MACHINE \ Software \ Classes. The information stored here ensures that the required program starts when you open a file using Explorer. This section contains associations between applications and file types, and information about OLE.
HKEY_USERS - This section contains settings for all users of the computer.
HKEY_CURRENT_USER - this branch is a link to a specific internal subkey HKEY_USERS. All settings are set in accordance with which of the users is currently in the system (i.e. which session is active).
HKEY_LOCAL_MACHINE - Contains practically the settings and parameters that belong to this computer, including hardware settings, hardware configuration and user profiles.
HKEY_CURRENT_CONFIG is essentially just a reference to HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Hardware Profiles \ Current. There you will find all the incoming hardware settings required to start the system.
The main standard sections written above cannot be deleted or renamed. Some registry keys are volatile and are not stored in any file. The OS creates and manages these partitions entirely in RAM without storing them on the hard drive, so they are temporary in nature. The system creates volatile partitions each time it boots. For example, HKEY_LOCAL_MACHINE \ HARDWARE is a registry key that stores information about hardware devices and their assigned resources. Resource assignment and hardware detection occurs every time the system boots, so it is logical and natural that this data does not need to be permanently stored on the hard disk.
How to keep "already acquired".
Sometimes it is useful to make a backup (backup) of the system registry - for fear of damage to it. This can happen as a result of unsuccessful experiments with the registry, incorrect installation of drivers, and many dozen other reasons. And to have it "just in case" does not hurt either. In order not to do this manually every time, you can use one of the many autobackup programs, for example, Comodo Backup.
