Work in the registry. Windows system registry

Today we will try to get into the Windows registry through the back door, without using the standard WinAPI functions intended for this. What will this give us in the end? The ability to read and write the registry directly, bypassing the restrictions set by the developers of antivirus solutions!

Looking ahead, I will note: this topic is interesting, but it comes with a whole set of serious problems. Then again, who said we can't manage it? 🙂

What is the registry, or a little lyricism

From the operating system's point of view, the Windows registry is a unique storeroom. This peculiarly built hierarchical database stores settings, data, registration information and other crap about almost everything in the system, from programs to the settings of a specific user. Almost everything is stored in the registry. Although some programs prefer to store their settings in ini configs (especially programs written for Win 3.11. - Ed.), Windows itself reads all the information it needs about itself from the registry. In fairness, we note that in *nix-like operating systems, storing settings in all kinds of config files still dominates.

Novice system administrators starting to work with the registry are scared by their senior colleagues: setting or changing registry values incorrectly can crash the system completely, with a reinstall to follow. And indeed it can.

For example, the so-called restore points are copies of the registry. Users rely on them widely when various problems arise with the operating system, the software or the hardware.

I must say that 99% of the information about the Windows registry is a description of the main keys plus advice on how to work with them. But how does the operating system itself work with the registry? And can we emulate its actions? Let's speculate a little.

So what?

The registry is both the strong and the weak side of Windows. Its strength is that software developers do not need to juggle a bunch of configs, as is done, for example, on *nix systems. The registry is also convenient for the creators of COM components: the system automatically registers such a component in the registry and makes it easier to use later.

The weakness of the registry is that write access to its sensitive areas lets any program written by some newly minted malware author control Windows. Just remember the most famous branch of the Windows registry, the one that lets programs run when the OS starts :).

While in Windows 98 anyone who felt like it could edit the registry, starting with Windows XP only users with an administrator account have access to the registry. In Vista+, registry access is protected by UAC. This is understandable.

I must admit that with the release of Win7 the security concepts for working with the registry were revised for the better. For example, the HKEY_LOCAL_MACHINE registry key is protected. In the general case, an attempt to write something to it will be redirected to the corresponding HKEY_CURRENT_USER branch for the current user.

Interface

To work with the registry directly, Windows offers the programmer a whole set of WinAPI functions that any system developer should be familiar with: the Reg* functions such as RegOpenKey, RegQueryValue, and so on. In the Windows kernel, these are NtOpenKey, NtQueryValueKey and a number of others. There is little point in describing them; all the documentation on using these functions properly can be found on MSDN.

Here is what is worth noting. To control user actions, antiviruses and proactive defense tools installed hooks on the functions mentioned, both in the kernel and in user mode.

With the release of Win7 x64 the situation changed, and I have already written about this once. The Windows developers decided to give up the ability to intercept potentially dangerous functions in the Windows kernel. The KeServiceDescriptorTable variable is no longer exported on x64, and rewriting the required code section will not work either: PatchGuard won't allow it. There are, of course, sadomasochistic solutions to circumvent these restrictions, but they bring more hassle than profit. Moreover, Microsoft offers the convenient ObRegisterCallbacks to control the registry.

INFO

There is very little information on the Web about the structures that describe the main registry files, and almost all of it is in English. Initial knowledge can be found. In addition, the registry is well covered in the system engineer's bible, "Windows Internals" by comrades M. Russinovich and D. Solomon.

And now - about the most interesting

But what exactly is the registry, really? If you look into the WINDOWS\system32\config folder, you can see several files there: system, software, security, SAM and several others.

These are registry files.

However, it would be unfair to speak of the registry simply as a combination of files loaded into memory. Much of what the registry contains is dynamic, that is, a number of values are calculated while the system itself is loading; this primarily concerns certain hardware parameters. One example is the HKEY_DYN_DATA registry key, whose data is placed in RAM when the operating system loads and stays there until the operating system shuts down. The same, by the way, can be said about the HKEY_LOCAL_MACHINE key, which has no corresponding file on disk but is actually formed from other registry files, such as software, system and others.

Thus, from the inside, the registry can rather roughly be called a "virtual combination of registry files". After the system starts, these files reside both in the paged pool and in nonpaged memory.

Registry structure

To learn how to work with the registry directly, you cannot do without knowledge of its internal structure. In general, Microsoft has never revealed the secrets of the internal structure of the files that make up the registry, as that poses a security risk. According to my observations, all the available descriptions of the registry files and their structure (and, by the way, there are quite a few of them) are the results of work by pioneer researchers. The most complete such "study", in my opinion, belongs to Comrade Peter Norris.

We will not go into the details of the organization and structure of the registry; that is a long, tedious business and does not really fit within the scope of the article. What is important to understand here is that the registry is a hierarchical tree-like structure; it is sometimes also said to look like a honeycomb.

And what to do with all this now?

I'll disappoint you right away: you won't be able to mess with the registry files directly from user mode; the system will not let you, as is usually the case with files held open by other processes. With some contortions you can only read such a "busy" file, and only if you guess the flags with which it was opened. Unfortunately, writing information into the "registry file" of interest will not work. By the way, writing the information you need may still work if you write to the registry's *.BAK files; they are definitely available for writing.

So watch closely :).

The first thing that can come to your bright mind is to open the registry file directly and write something there.

Theoretically, this can be done. For this you need, first, to be able to work with "busy" files (search for methods on the Web) and, second, as I said above, to know the internal structure of the registry files. This method is rather clumsy, but, despite how crazy it sounds, it is quite viable, although difficult to implement in practice (try experimenting with it yourself).

Here I will offer two ways to help you cut the registry into small pieces.

The first way rests on the fact that for the Configuration Manager (part of the operating system, if you are not in the know), the registry is nothing more than a set of strictly defined structures in RAM which, as it turns out, are very easy to work with. What are these structures, you ask? HBASE_BLOCK, HHIVE, HBIN, HCELL, HMAP_ENTRY, HMAP_DIRECTORY, and a bunch of CM_* structures used by the Configuration Manager to manage the registry. From the operating system's point of view, the registry is simply a collection of well-defined structures in memory. For example, the "regf" signature of a "registry file" is a predefined constant:

    #define HBASE_BLOCK_SIGNATURE 0x66676572

    typedef struct _HBASE_BLOCK {
        ULONG         Signature;   // 0x66676572
        ULONG         Sequence1;
        ULONG         Sequence2;
        LARGE_INTEGER TimeStamp;
        ....
    } HBASE_BLOCK, *PHBASE_BLOCK;

And here is the regf signature ...

In other words, the point of this whole monologue is that there is a gorgeous opportunity to manipulate the registry at the operating system level without using its standard tools. How is this possible? We simply emulate the actions of the operating system itself, exactly the way it works with the registry! It is important, as I said, to understand that for the OS itself the registry is nothing more than a set of corresponding structures in memory.

If we have access to the registry files at the kernel level, what makes us any worse than the OS itself at imposing our own order there?

And now the most interesting question: how do you find these very structures in memory? Right, the system has no standard means for this, so you have to get there in a tricky way.

Knowing what the structures look like, remember that each file (hive) of the registry has its own constant signature. For example, "regf" is 0x66676572. For the hive, the signature is 0xBEE0BEE0. With access to memory from the kernel, we can find these signatures quite easily by simply scanning it. You can also scan memory for the "CM10" signature: this is the signature the Configuration Manager assigns to the paged memory block allocated for the CMHIVE structure. I suppose that, having found the element of interest in memory, you will figure out what to do with it next :).
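
Forensic tools key on the same "regf" signature when carving hives out of a disk or memory image, and they have to reject the false hits a plain signature scan produces. The Python below is an added example, not code from the article: it validates each candidate header by its checksum and reports whether Sequence1 and Sequence2 agree. The checksum position (offset 0x1FC, XOR of the preceding 32-bit words) is taken from public descriptions of the hive format rather than from this page, and the sample image is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HBASE_BLOCK_SIGNATURE = 0x66676572  # "regf" read as a little-endian ULONG (from the article)
CHECKSUM_OFFSET = 0x1FC             # assumption: from public hive-format notes, not the article
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch


def xor32(data):
    """XOR all little-endian 32-bit words; results 0 and 0xFFFFFFFF are remapped."""
    acc = 0
    for (word,) in struct.iter_unpack("<I", data):
        acc ^= word
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc or 1


def parse_base_block(image, offset):
    """Return header fields for the candidate at offset, or None if it is not a real header."""
    block = image[offset:offset + CHECKSUM_OFFSET + 4]
    if len(block) < CHECKSUM_OFFSET + 4:
        return None  # truncated: the checksum cannot be verified
    # "<IIIQ" has no padding, matching Signature, Sequence1, Sequence2, TimeStamp
    signature, seq1, seq2, filetime = struct.unpack_from("<IIIQ", block, 0)
    if signature != HBASE_BLOCK_SIGNATURE:
        return None
    (stored,) = struct.unpack_from("<I", block, CHECKSUM_OFFSET)
    if stored != xor32(block[:CHECKSUM_OFFSET]):
        return None  # the bytes "regf" appeared by chance, e.g. inside text
    return {
        "offset": offset,
        "sequence1": seq1,
        "sequence2": seq2,
        "clean": seq1 == seq2,  # unequal numbers mean a write was still in progress
        "timestamp": EPOCH_1601 + timedelta(microseconds=filetime // 10),
    }


def carve_base_blocks(image):
    """Find every 'regf' occurrence and keep only the ones that validate."""
    hits = []
    pos = image.find(b"regf")
    while pos != -1:
        header = parse_base_block(image, pos)
        if header:
            hits.append(header)
        pos = image.find(b"regf", pos + 1)
    return hits


def build_base_block(seq1, seq2, when):
    """Constructed sample header; every field after TimeStamp is left zeroed."""
    filetime = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    block = bytearray(CHECKSUM_OFFSET + 4)
    struct.pack_into("<IIIQ", block, 0, HBASE_BLOCK_SIGNATURE, seq1, seq2, filetime)
    struct.pack_into("<I", block, CHECKSUM_OFFSET, xor32(bytes(block[:CHECKSUM_OFFSET])))
    return bytes(block)


def sample_image():
    """Constructed image: a clean header, a false positive in text, a dirty header."""
    when = datetime(2012, 1, 1, tzinfo=timezone.utc)
    return (b"\x00" * 37
            + build_base_block(10, 10, when)
            + b"the string regf in a text file" + b"\x00" * 600
            + build_base_block(21, 20, when))


if __name__ == "__main__":
    for hit in carve_base_blocks(sample_image()):
        print(hit)
```

The 0xBEE0BEE0 and "CM10" markers mentioned above exist only in kernel memory, so a file-level check like this one covers the "regf" header alone.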

How, for example, can you change the value of a registry cell? The value is stored in the CM_KEY_VALUE->Data field, so if your task is to change some field in a specific registry key, look for the value there:

    typedef struct _CM_KEY_VALUE {
        WORD  Signature;    // #define CM_KEY_VALUE_SIGNATURE 0x6B76
        WORD  NameLength;
        ULONG DataLength;
        ULONG Data;         // <---------- the cell data will be here
        ULONG Type;
        WORD  Flags;
        WORD  Spare;
        WCHAR Name[1];      // variable-length value name
    } CM_KEY_VALUE, *PCM_KEY_VALUE;
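
For offline analysis of a hive copy, the same structure can be decoded read-only. The Python below is an added example, not code from the article: it parses a key-value cell laid out as in the struct above and resolves where the data actually lives. Three details are assumptions taken from public descriptions of the hive format, not from this page: each cell starts with a signed 32-bit size that is negative when the cell is allocated, the high bit of DataLength means the data sits inside the Data field itself, and Flags bit 0x0001 marks an 8-bit value name. The sample bytes are constructed.

```python
import struct

CM_KEY_VALUE_SIGNATURE = 0x6B76         # "vk", from the article's struct
VK_HEADER = struct.Struct("<HHIIIHH")   # Signature .. Spare: 20 bytes, no padding
RESIDENT_DATA = 0x80000000              # assumption: DataLength high bit = data stored in Data
VALUE_COMP_NAME = 0x0001                # assumption: Flags bit = name stored as 8-bit chars


def read_cell(bins, offset):
    """Return the payload of the allocated cell at offset within the hive data area."""
    if offset < 0 or offset + 4 > len(bins):
        raise ValueError("cell offset outside hive data")
    (size,) = struct.unpack_from("<i", bins, offset)
    if size >= 0:
        raise ValueError("cell is free (size is not negative)")
    end = offset - size                 # -size bytes, including the 4-byte size field
    if -size < 4 or end > len(bins):
        raise ValueError("cell runs past hive data")
    return bins[offset + 4:end]


def parse_key_value(bins, offset):
    """Decode one key-value cell into its name, type code and raw data bytes."""
    cell = read_cell(bins, offset)
    if len(cell) < VK_HEADER.size:
        raise ValueError("cell too small for a key value")
    sig, name_len, data_len, data, vtype, flags, _spare = VK_HEADER.unpack_from(cell)
    if sig != CM_KEY_VALUE_SIGNATURE:
        raise ValueError("not a key-value cell")
    raw_name = cell[VK_HEADER.size:VK_HEADER.size + name_len]
    if len(raw_name) != name_len:
        raise ValueError("value name runs past the cell")
    name = raw_name.decode("latin-1" if flags & VALUE_COMP_NAME else "utf-16-le")
    if data_len & RESIDENT_DATA:
        length = data_len & 0x7FFFFFFF
        if length > 4:
            raise ValueError("resident data longer than the 4-byte Data field")
        value = struct.pack("<I", data)[:length]   # Data holds the bytes themselves
    else:
        payload = read_cell(bins, data)             # Data is an offset to another cell
        if data_len > len(payload):
            # also hit by very large values, which newer hives store indirectly
            raise ValueError("DataLength exceeds the data cell")
        value = payload[:data_len]
    return {"name": name, "type": vtype, "data": value}


def build_sample():
    """Constructed hive data area: a 32-byte bin header followed by three cells."""
    bins = bytearray(b"hbin".ljust(32, b"\x00"))

    def add(payload):
        offset = len(bins)
        size = (4 + len(payload) + 7) & ~7          # cells are padded to 8 bytes
        bins.extend(struct.pack("<i", -size) + payload.ljust(size - 4, b"\x00"))
        return offset

    text = "C:\\Program Files\\Example\\agent.exe\0".encode("utf-16-le")
    text_off = add(text)
    # type 1 = REG_SZ with data in its own cell; type 4 = REG_DWORD stored inline
    sz_off = add(VK_HEADER.pack(CM_KEY_VALUE_SIGNATURE, 5, len(text), text_off,
                                1, VALUE_COMP_NAME, 0) + b"Agent")
    dw_off = add(VK_HEADER.pack(CM_KEY_VALUE_SIGNATURE, 5, RESIDENT_DATA | 4, 2,
                                4, VALUE_COMP_NAME, 0) + b"Start")
    return bytes(bins), sz_off, dw_off, text_off


if __name__ == "__main__":
    sample, sz_off, dw_off, _ = build_sample()
    print(parse_key_value(sample, sz_off))
    print(parse_key_value(sample, dw_off))
```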

The second option is a kind of modification of the first. As you may know, there is one peculiarity when working with the registry: all changes, that is, creating, writing and deleting keys, as a rule take effect after a system reboot (or after restarting Explorer, which is a bit of a hack). Until then, all changes are in a pending, "dirty" state. Moreover, when the system accesses the registry, it talks to it through the file system cache. This is understandable: there can be hundreds of registry calls per second, so relying on the speed of the file system would be unreasonable; no amount of speed will save you here. Therefore the system works with the registry virtually, as they say, through the file system cache. And so, to pull the guts of the registry into the light, you need to get into the cache! How this is done has already been described on the internet, including in.

Pros & cons, or instead of a conclusion

What can I say in the end? The variation on direct control over the registry offered to the reader in this article is purely experimental. I do not dispute that it is too heavy for practical implementation, and many will say it is better to use the normal WinAPI functions designed for working with the registry, and they will be right to some extent. However, a die_hard actually implemented on the principles given in the article will have truly thermonuclear power, beyond the control of either the AVs or the operating system itself.

Now I'll finish. Happy compilation and may the Force be with you!

WWW

Mark Russinovich's article "Inside the Registry" is required reading; there was even a Russian translation. An excellent tool for collecting registry information: http://goo.gl/iSSVy.

The Windows registry (Windows Registry, the system registry) is a hierarchical (tree-like) database containing records that define the parameters and settings of Microsoft Windows operating systems. The registry as it appears in the registry editor is assembled from data in the registry files and from hardware information collected during the boot process. In English, registry files are referred to by the term "hive". In the documentation from Microsoft, this term is translated as "Bush".

The main files responsible for the formation of the registry

Registry files are created during the installation of the operating system and are stored in the folder:

%SystemRoot%\system32\config (usually C:\windows\system32\config).

For Windows operating systems, these are files with the names:

system
software
sam
security
default
components
bcd-template

In the Windows Vista, Windows 7 and Windows 8 operating systems, the registry files are located in the \Windows\system32\config directory and have the same names; however, these operating systems added a new registry key for storing the boot configuration data (Boot Configuration Data), named BCD00000000. The file with the data of this section is named bcd and is located in the hidden Boot folder of the active partition (the partition from which the system is booted). Usually, during a standard Windows installation, a small active partition is created (from 100 to 500 megabytes, depending on the operating system), which is hidden from the user and contains only service data for booting the system: boot records, the boot manager bootmgr, the boot configuration store BCD, localization files and memory testing programs. The location of the bcd hive depends on how the bootloader was configured when the system was installed, and it may be on the same partition as the Windows directory.

The location of the registry files in any Windows version can be viewed using Registry Editor, under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

This section stores information about all hives, including user profiles, with links to their location in the Windows file system.

Registry structure

The Windows registry has a tree structure and consists of 5 main registry keys:

HKEY_LOCAL_MACHINE (HKLM) - The largest registry key. It contains all the basic settings of the operating system, as well as of the hardware and software of the computer. The information contained in this section applies to all users who log on to the system.

HKEY_CLASSES_ROOT (HKCR) - Contains associations between applications and file types (by file extension). In addition, this section contains information about registered file types and COM and ActiveX objects. Besides HKEY_CLASSES_ROOT, this information is also stored in the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER sections. The HKEY_LOCAL_MACHINE\Software\Classes section contains default settings that apply to all users on the local computer. The settings contained in the HKEY_CURRENT_USER\Software\Classes section override the defaults and apply only to the current user. The HKEY_CLASSES_ROOT section includes data from both sources.

HKEY_USERS (HKU) - Contains the environment settings for each of the loaded user profiles, as well as for the default profile. In HKEY_USERS there is a nested \Default section, as well as other subsections identified by the security identifier (Security ID, SID) of each user.

HKEY_CURRENT_USER (HKCU) - Contains environment settings for the user currently logged into the system (environment variables, desktop settings, network settings, applications and connected devices).

This section duplicates the information in HKEY_USERS\user SID, where user SID is the security identifier of the user currently logged on to the system (you can find out the SID of the current user by typing whoami /user at the command line).

HKEY_CURRENT_CONFIG (HKCC) - Contains settings for the current hardware profile. The current hardware profile consists of the sets of changes made to the default device configuration specified in the Software and System subsections of the HKEY_LOCAL_MACHINE root section. Only the changes are reflected in HKEY_CURRENT_CONFIG. In addition, the information in this section is located in HKEY_LOCAL_MACHINE\System\CurrentControlSet\HardwareProfiles\Current.

Registry data is stored as parameters located in registry keys. Each parameter is characterized by a name, data type and value.

Basic data types used in the registry

REG_DWORD - A 32-bit number. This data type is used by many parameters in device drivers and services. Registry editors can display this data in binary, hexadecimal, and decimal format.

REG_SZ - Human-readable text string. Values representing component descriptions are usually assigned this data type.

REG_EXPAND_SZ - Expandable data string. This string is text containing a variable that can be replaced when called from an application; it is used, for example, to store environment variables.

REG_MULTI_SZ - Multi-string field. Values that are actually lists of text strings in a human-readable format usually have this data type. The strings are NULL delimited.

REG_BINARY - Binary data. Most hardware components use information that is stored as binary data. Registry editors display this information in hexadecimal format.

REG_RESOURCE_LIST - Hardware resource list. Applies only to the HKEY_LOCAL_MACHINE\HARDWARE branch.

Also, sometimes you can find these types of registry data:

REG_RESOURCE_REQUIREMENTS_LIST - List of required hardware resources. Applies only to the HKEY_LOCAL_MACHINE\HARDWARE branch.

REG_FULL_RESOURCE_DESCRIPTOR - A descriptor for a hardware resource. Applies only to the HKEY_LOCAL_MACHINE\HARDWARE branch.

REG_QWORD - A 64-bit number.

REG_DWORD_LITTLE_ENDIAN - 32-bit little-endian number, equivalent to REG_DWORD.

REG_DWORD_BIG_ENDIAN - 32-bit number in big-endian format.

REG_QWORD_LITTLE_ENDIAN - 64-bit little-endian number. Equivalent to REG_QWORD.

REG_NONE - The parameter has no specific data type.
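
How the same raw bytes turn into different values under these types is easiest to see in a decoder. The Python below is an added example, not part of the original page: it interprets raw value data according to its type and copes with string data stored without a terminator or with an odd byte count. The numeric type codes are the ones defined in the Windows SDK (the page lists only the names), and the inputs used in the demonstration are constructed.

```python
import struct

# Type codes as defined in the Windows SDK; the page gives the names only.
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY = 0, 1, 2, 3
REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_MULTI_SZ, REG_QWORD = 4, 5, 7, 11


def _utf16(raw):
    """Decode UTF-16LE, dropping a dangling odd byte instead of failing."""
    return raw[:len(raw) & ~1].decode("utf-16-le", errors="replace")


def _fixed(fmt, raw, label):
    """Unpack a fixed-size number and refuse data of the wrong length."""
    expected = struct.calcsize(fmt)
    if len(raw) != expected:
        raise ValueError(f"{label} must be {expected} bytes, got {len(raw)}")
    return struct.unpack(fmt, raw)[0]


def decode_value(reg_type, raw):
    """Turn raw registry value bytes into a Python value according to the type."""
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        # Stored strings are not guaranteed to end with a terminator;
        # REG_EXPAND_SZ is returned unexpanded (e.g. "%SystemRoot%\\x").
        return _utf16(raw).split("\0", 1)[0]
    if reg_type == REG_MULTI_SZ:
        items = []
        for item in _utf16(raw).split("\0"):
            if item == "":
                break                  # an empty string ends the list
            items.append(item)
        return items
    if reg_type == REG_DWORD:          # same as REG_DWORD_LITTLE_ENDIAN
        return _fixed("<I", raw, "REG_DWORD")
    if reg_type == REG_DWORD_BIG_ENDIAN:
        return _fixed(">I", raw, "REG_DWORD_BIG_ENDIAN")
    if reg_type == REG_QWORD:          # same as REG_QWORD_LITTLE_ENDIAN
        return _fixed("<Q", raw, "REG_QWORD")
    return bytes(raw)                  # REG_BINARY, REG_NONE, resource lists: keep raw


if __name__ == "__main__":
    same_bytes = b"\x01\x00\x00\x00"   # constructed input
    print(decode_value(REG_DWORD, same_bytes))
    print(decode_value(REG_DWORD_BIG_ENDIAN, same_bytes))
    print(decode_value(REG_MULTI_SZ, "a\0bc\0\0".encode("utf-16-le")))
```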

Interaction of the registry with the operating system

When the computer starts up, the hardware recognizer adds a list of the devices it has discovered to the registry. Typically, hardware recognition is done by the Ntdetect.com program and the operating system kernel Ntoskrnl.exe.

At system startup, the system kernel extracts from the registry information about the device drivers to be loaded and the order in which they are loaded. In addition, Ntoskrnl.exe passes information about itself (for example, its version number) to the registry.

During system boot, device drivers exchange boot parameters and configuration data with the registry. A device driver reports the system resources it uses, including hardware interrupts (IRQ) and direct memory access channels (DMA), so that the system can include this data in the registry. By the way, the registry allows you to create multiple hardware profiles. A hardware profile is a set of instructions that you can use to tell the operating system which device drivers to load when you start your computer. By default, the system creates a standard hardware profile that contains information about all hardware found on the computer.

When a user logs in, user profiles are loaded. All information related to a particular username and its associated rights is stored in the registry. A user profile defines individual system settings (display resolution, network connection settings, connected devices, and more). User profile information is also stored in the registry.

When installing applications. Each time an installer runs, it adds new configuration data to the registry. When starting up, all installers must read information from the registry to determine whether the components they need are present on the system. In addition, the registry allows applications to share configuration information, which gives them more interoperability. An application must use the registry actively and correctly, and must also uninstall cleanly, without affecting components that may be used by other programs (libraries, program modules, etc.). This information is also stored in the registry.

When administering the system. When a user changes the system configuration using system administration tools (for example, Control Panel or an MMC snap-in), all changes are immediately reflected in the system registry. In fact, administration tools are the most convenient and secure tools for modifying the registry. By the way, the registry editor (regedit.exe) can also be counted among the administration tools, because all changes to the system can be made directly by editing the registry.

■ During the boot and operation of the operating system, the registry data is constantly accessed, both for reading and writing. Registry files are constantly changing, since not only the system, but also individual applications can use the registry to store their own data, parameters and settings. In other words, accessing the registry is one of the most common operations. Even if the user is not working at the computer, access to the registry is still performed by system services, drivers, and applications.

■ Violation of the integrity of the registry files (violation of the data structure) or incorrect values of certain critical parameters can lead to a system crash. Therefore, before experimenting with the registry, take care of the possibility of saving and restoring it.


Many users come across the terms "clean the registry", "delete from the registry", "backup copy of the registry", "system registry", etc., but a significant part of them do not even know what this registry is. In this article, we will consider what the system registry is, why you need to clean it and how to work with it.

What is the Windows Registry?

The registry (system registry, Windows registry) is a huge and at the same time the main hierarchical database of the Windows family of operating systems; it first appeared back in 1992 in Windows 3.1. It consists of several files stored in system directories such as ServiceProfiles, %USERPROFILE% and System32\config. It originated as a replacement for ini files, which previously stored the system configuration. This significantly increased the speed of access to system data.

The database contains information about the computer hardware and software, settings and modes of operation of each system component, account settings, control panel settings, service configuration, file associations and much more. A significant number of changes made by the user, applications or the operating system itself on the computer are stored in the system registry.

Why clean your registry and optimize it?

As noted, the registry contains information about virtually all system components and their settings, and it consists of more than a dozen protected system files. Because of this, the files of the system database, like any others, are susceptible to fragmentation (when the sectors storing one document are scattered across the disk surface instead of sitting next to each other), which increases the access time to the registry. Therefore, it needs periodic defragmentation. However, defragmenting these system files in the usual way will not work, since they are constantly in use by Windows. For this purpose, many special utilities have been developed: defragmenters and tweakers.

It is necessary to clean garbage records out of the system database, that is, information about removed applications, libraries, fonts, drivers, file associations with removed programs and so on, in order to reduce the size of the registry and the time it takes to access registry entries.

Registry structure

The system database consists of several sections, each of which is stored in its own file. Some subsections that take up a lot of space, for example, information about installed applications, are also saved in separate files.

Windows System Registry - Branches

  • HKEY_CLASSES_ROOT (HKCR) - this branch stores data about all file extensions registered in the operating system, their associations with programs, as well as about ActiveX and COM components.
  • HKEY_CURRENT_USER (HKCU) - the configuration of the current user account is stored here.
  • HKEY_LOCAL_MACHINE (HKLM) - information about the hardware components of the computer, their drivers, modes of operation, and information about loading the Windows operating system.
  • HKEY_USERS (HKU) - Stores all data about all user accounts of this computer.
  • HKEY_CURRENT_CONFIG (HKCC) - This contains information about the hardware used to turn on the computer.

How to run the program to work with the registry?

Windows is equipped with a simple and functional utility for the user to work with its registry. There are several ways to launch the registry editor, through which all records of the system database are managed.

How do I open the Windows registry?

1st way

  1. Open the "Run" dialog box with the "Win + R" key combination.
  2. Type "regedit" in the text field and click "OK".

2nd way

  1. Open "Start" and type the registry editor command "regedit" in the search box.
  2. In the search results, click on "regedit.exe" to launch the system utility.

Working with system registry entries using the standard registry editor

After starting the registry editor, a window will appear in front of us, displaying the hierarchical structure of the system database.

Each of its branches contains a large number of subsections, which are opened by clicking on the triangle, double-clicking on the name of the section / subsection, or pressing the "→" key (right arrow) on the keyboard.

The user has the following options for working with the system registry:

  • export and import of both entire branches and their individual sections and records (keys);
  • printing any registry subkeys on paper as text;
  • creating, deleting, renaming keys and branches;
  • search for any information in the registry.

All actions are performed through two items of the registry editor's main menu ("File" and "Edit") after selecting the required key or subsection, as well as through the context menu, which is invoked by right-clicking on an object.

Working with the registry through the standard program is not much different from working with the file system of your hard disk, with a few exceptions, one of which is the inability to work with several objects at the same time. The tree view of the system database will also be unusual for many users. As in the file system, the F2 key renames, and Delete removes branches and registry keys.

Important! Before performing any actions with the registry, be sure to back up the branch or section you intend to change.

Backing up a section or branch:

Call the context menu of the branch to be changed and select "Export" or select the branch, call the "File" menu item and click "Export ...".

Set the path and name of the output file.



If the operating system was installed on a computer long ago and has never been reinstalled since, users as a rule notice that it runs more slowly and fails from time to time. This can show up as slow booting, programs taking a long time to open, and dialog boxes reporting errors. And the longer a person works at the computer, the more failures and malfunctions he notices, and over time working on such a computer can turn into a real nightmare.

The culprit of all the problems listed can be the system registry, a very important component of the operating system. Therefore, even novice users would do well to know its purpose, its impact on the overall operation of the OS, and the means of monitoring and maintaining it.
So sooner or later the user faces a choice: either reinstall the operating system with all the programs and reconfigure its user interface, or try to "clean" the system and return it to its former performance.

DESCRIPTION AND PURPOSE

The Windows registry is essentially a tree-like database that contains information about all the parameters required for the correct and smooth operation of the operating system. It contains the settings for the installed hardware and software, the personal profiles of users who have access to the computer, the types of files that programs can create, and information about the properties of folders.

The importance of the Windows registry is difficult to overestimate. How efficiently all the parts of the PC work, both software and hardware, depends on how correct its information is. If the user begins to notice any problems with his computer, then this is a clear sign that a failure has occurred in the registry and some of its settings have gone wrong. If the failure in the system registry is serious, the user will be unable to boot Windows and the operating system will have to be reinstalled.

The system registry is stored at X:\Windows\System32\config, where X is the letter of the system drive.

ROOT SECTIONS OF THE SYSTEM REGISTRY

The Windows registry consists of several main sections:

  • HKEY_CURRENT_CONFIG (HKCC) - this section contains all information about the hardware profile that is used on the local machine during system startup;
  • HKEY_CURRENT_USER (HKCU) - this section stores information about the specific user who is logged in and working in the system at the current time. This branch stores the user's folders, screen settings and control panel parameters;
  • HKEY_CLASSES_ROOT (HKCR) - this section contains data on file type extensions and the applications that will open when they are launched;
  • HKEY_USERS (HKU) - this branch stores information about all loaded active user profiles of a specific PC;
  • HKEY_LOCAL_MACHINE (HKLM) - a branch for storing information about loading the Windows OS, as well as information about device drivers and computer hardware;
  • HKEY_USERS (HKU) - this branch stores the individual profile settings of each user who is registered in the system. It also stores information about the "default" profile for newly created users.

Each root registry key contains many subsections, which in turn may have their own multiple subsections, which store system settings. The registry hierarchy is very complex, and the number of sections in it is simply enormous, therefore, within the framework of this material, we just need to understand the very principle of constructing its structure so that, if necessary, you can find the parameter you need.

IMPACT OF THE REGISTRY ON THE OPERATION OF WINDOWS

As noted earlier, the speed of the system and its stability depend directly on the state of the registry. Most often, the system starts to "slow down" when the registry grows in size. The larger it is, the longer the computer takes to boot, since whenever the OS starts up, the system registry is checked for errors and then backed up. Moreover, the more software there is on the computer, the larger the registry becomes.

At the same time, Windows is designed in such a way that any software, be it a simple utility or a super game, always has to interact with the system registry to look up the parameters it needs, and the larger the registry and the more branches it has, the harder and longer that search becomes.

There is one more important factor affecting the speed of Windows, but before talking about it, let's make a small remark. Computers have two main types of memory: RAM (random access memory) and ROM (permanent memory), which includes hard drives, flash drives and other components that store your data. RAM is very fast memory that allows information to be exchanged with the central processing unit instantly, while ROM is much slower.

Now, let's continue. The slowdown in opening programs is very often caused by there not being enough RAM to load them quickly. Often, in order to provide the amount of memory a program requires, the system takes it from its total volume (a combination of RAM and ROM) and starts using hard drive space, i.e. so-called "swapping" occurs (part of the information is written to the HDD). As a result, when an application being loaded or run needs information that was written to disk, reading it takes much longer than if the system took it from RAM.

To avoid such a situation, all unnecessary or rarely used programs must be kept out of RAM.

But the fact is that one of the main sources of clutter in your computer's RAM is the registry, whose data Windows loads at startup without checking whether you need it or not. It may include "traces" of long-removed programs, applications or their settings that you are unlikely to need anymore. Thus, if you do not pay enough attention to the state of the system registry, all this garbage will clutter up precious space in RAM.

Very often, while using a computer, users begin to see dialog boxes with all sorts of Windows errors. Many of them are the result of incorrect changes made to the registry that conflict with the system settings. This may be due to standard libraries being replaced with older versions or being suddenly removed, for example after a virus infection and subsequent cleaning of the computer.

METHODS OF EDITING THE REGISTRY

The user can solve all problems with the "bloated" registry in two ways: manually or using programs, but in any of these cases, changes will be made to the system registry.

An inexperienced user should not make changes manually. In this case, it is better to use special programs that can change the registry painlessly for the OS. Fortunately, there are enough such utilities on the market now, both paid and free, with quite decent functionality. The main purpose of these utilities is to find and remove broken keys, which are no longer used and only clog the registry, and to defragment it.

And yet, if you decide to make changes to the registry yourself, the best solution is to use the built-in Windows utility Registry Editor. To get to the registry editor, there is a special command, "Regedit", which must be entered in the Run window (opened by pressing the Windows + R keys).

After launching the utility, the user will see a window divided into two parts, in one of which the sections, subsections and branches of the system registry are shown, and in the other - the parameters of the element that the user has selected in the registry.

Also in the registry editor, in the Edit tab, there is a search option (opened by pressing the Ctrl + F keys) that looks for the given words in section names, parameter names and their values. This is a very convenient function that allows you, for example, to clean the registry of traces of an unnecessary program by its name.

When adjusting the registry manually, you need to be very careful. One wrong action and the performance of the system will be completely disrupted, and Windows will have to be reinstalled.

Users who are just starting to understand how to work with a computer often ask when they can make changes to the registry themselves and when they need to turn to a professional for help. If problems arise with the registry, a specialist should always be called if possible, or at least an experienced friend should be invited. It is highly discouraged for a layperson to make adjustments to valid entries. In addition, before making adjustments, you must make a backup copy of the registry; then, if wrong actions leave the system inoperable, it will be possible to restore the registry from the backup using the same utility that was used to make the changes. You also need to remember that in no case should you replace the registry of one version of Windows with the registry of a different version.

The most common mistakes amateurs make when adjusting the registry are deleting or changing necessary sections and keys, after which some programs may stop working, the user account may fail to load, or the system may stop working completely.

REGISTRY MONITORING

The Windows registry is a reflection of how the operating system works. To be sure that everything in the system works without interruptions, it is necessary to monitor it constantly. The ideal option is to use for monitoring some popular utility that was created specifically for this purpose. Why install and use it? In order to analyze the work of programs. The user will always be able to see what processes are taking place in the system, which programs are running and which of them access the registry most often, and on seeing something suspicious will be able to take measures to eliminate the problem.

The monitoring utilities are fairly easy to use. Even a person who has no special education can understand them. And this is their big plus, since it is desirable for all users, both experienced and beginners, to know at least approximately what is happening in the OS registry of their computer. For example, you can use one of the most popular registry monitoring utilities - Registry Monitor (RegMon).

REGISTRY CARE

When installing and then removing various programs, the Windows user does not always know that, as a rule, information about them is not completely deleted from the registry. There are always some "tails" left that further slow down the operation of the system. To prevent this from happening, it is necessary not only to monitor the registry but also to take care of it. You do not need to look for the remaining entries in the registry yourself; you can do this using the special programs already mentioned above. These include jv16 PowerTools, CCleaner, Reg Organizer, RegCleaner and others. With their help, the user can not only clean the registry of "garbage", but also defragment the hard drive, edit startup, clear browser history, delete outdated system recovery files, etc.

CONCLUSION

The ability to handle the registry is a huge plus for a user of any level. In this case, without waiting for outside help, you can independently improve or restore the performance of your operating system in case of serious problems. True, it is even more important not to bring your working operating system to a deplorable state by monitoring the registry or at least constantly cleaning it from "garbage".

In general, most of the problems with Windows that arise due to problems in the registry can be solved independently with the help of expert advice, which experts kindly post on the Internet. True, in order to take advantage of it, you need to know at least in general outline what the registry is and how to make changes to it. And if you did not manage to cope with the problems on your own, your basic knowledge will help you correctly explain the essence of the problem to a computer service specialist, which will significantly speed up fixing it.

The so-called system registry, which contains a large amount of information, is stored in the files SYSTEM.DAT and USER.DAT in the Windows 95/98 directory, or in the folder C:\W\System32\Config\ in Windows NT. Apart from the records required by Windows, most programs write their own information there as well. To make changes to the registry, you need to open it using a program designed for this. An example is the program REGEDIT, supplied as standard with Windows. To launch it, open the Start / Run dialog box, enter Regedit and press OK.

You will see a window split in two. On the left is the Explorer-like navigator, and on the right is the information itself. The registry consists of six sections: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG and HKEY_DYN_DATA. Each section contains folders. If a folder or section has subfolders, a "plus" icon appears to the left of it. When you click it, the folder "unfolds" and the icon turns into a "minus"; clicking that "rolls it up" again. If you click the folder icon or its name, a list of the parameters contained in this folder (but not in its subfolders!) appears in the right window. Each parameter consists of its name and value. Each parameter has its own path by which it can be found. The path consists of the sequence of folders in which the parameter is located, starting with the parent folder (one of the six main sections listed above). An example of such a path would be HKEY_CURRENT_CONFIG\Display\Settings, with the parameter name Resolution. Taken together, these two values, the parameter name and the path to it (often called an address), identify a unique parameter. For example, two different parameters may have the same path, and two parameters may have the same name but lie in different folders and subfolders, but two parameters with the same address and name cannot exist. The registry can be searched (using the menu or the keyboard shortcut CTRL + F).

Having highlighted the desired section (by clicking the section icon or its name), you can create a parameter or subsection in it. To do this, use the menu Edit / Create. In the Windows system registry there are 3 types of parameters: string, binary, and DWORD. A string parameter stores one line (string), a binary parameter a binary value, and a DWORD a decimal or hexadecimal value. When creating a parameter, you must specify its name. Then, by double-clicking it in the right window, you can enter the value of the parameter (or change the existing one).

If the advice says to set a parameter value, it means that you need to change the existing value of the parameter to the desired one or, if there is no parameter with that name, create it and then change its content.

At the end of the work, for most changes you need to close REGEDIT and restart the computer.

Well, first of all, let's figure out what the Windows registry is. When we install or uninstall programs, change Windows parameters or install new equipment, all of this is recorded in the registry. You could say that the registry is the heart of Windows. To view or edit the registry, you need to run the program Regedit (Start - Run - Regedit). Physically, the registry is stored in the Windows directory (95/98) under the names User.dat and System.dat. I will say right away: if you are not 100% sure what you want to change, do not change it, otherwise the price is worthless. Well, for those who have changed something, here is a hint. On a successful boot, Windows makes backups of the registry under the names User.da0 and System.da0. This is what we will use. Of course, you can also create your own backups just in case. If Windows does not boot, press Ctrl at boot time. When the menu appears, select "Command prompt only", go to the Windows folder ("CD C:\Windows") and type the command scanreg /restore (in Windows NT, rdisk). Now reboot, and Windows should start. If there is no such program, you will have to type the following at the command line from the Windows folder:

attrib -h -r -s system.dat
attrib -h -r -s system.da0
copy system.da0 system.dat
attrib -h -r -s user.dat
attrib -h -r -s user.da0
copy user.da0 user.dat

Well, now let's go directly to the registry.

1.) Open regedit and find the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

Here you will find the full list of installed programs. If some of the programs are no longer there, remove the unneeded folders with their names (an incomplete list is displayed in "Control Panel - Add or Remove Programs").

2.) In the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

there is a list of all programs that start when Windows boots. You can delete an unneeded program or add one. To add one, create a string parameter, enter the name of the program as its name and the path to the program as its value. If there are several users on your computer, the list of programs may be here:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion and
HKEY_USERS\(Username)\Software\Microsoft\Windows\CurrentVersion

3.) That's it, the warm-up is over and we are moving on to the main menu.

To get rid of the item Favorites (Windows 98), go to the section

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

and create a binary parameter NoFavoritesMenu here with the value 01 00 00 00. That's all! Now the Favorites item will no longer appear. Delete the created parameter or change its value to 00 00 00 00 to put the item back. You can get rid of other items in the same way:

Documentation - parameter NoRecentDocsMenu
Settings - NoSetFolders
Find - NoFind
Shutdown - NoClose
Logging out ... - NoLogOff.

You can also disable right-clicking in the main menu; to do this, create a DWORD parameter named NoChangeStartMenu with the value 1 in the same place. Done! Now the final touches. Do you like the message telling you which button to start with? No? Then create a DWORD parameter named NoStartBanner with the value 1.

4.) Go to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon

and create a string parameter LegalNoticeCaption. Enter "Chernobyl virus detected" as the value, then create another string parameter LegalNoticeText with the value "Click "OK" and all data on the hard disk will be destroyed." Restart Windows and enjoy the result. The first parameter holds the title, and the second the text itself.

5.) Now you can change the clock in the lower right corner. Go to

HKEY_CURRENT_USER\Control Panel\International

and create a string parameter sTimeFormat.

Its value is "HH:mm", where HH is the hours, : is the separator character, and mm is the minutes. A reboot is required for the changes to take effect. It's fun to watch your friend struggle to set the clock if you swap HH and mm! Well, if you want to shit very hard, then you need to do this: Hm: mH "mH; Hm and so on.

6.) To remove the arrow overlays from shortcut icons, find the key HKEY_CLASSES_ROOT\Piffile and remove the parameter IsShortcut; do the same in the folder Lnkfile. Restart your computer and enjoy the result.

7.) The path to the Windows 95/98 installation files is stored in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup.

Change it, and Windows will look for the setup files there when adding components or changing system parameters.

8.) To remove the "palm" from shared resources, just delete the Default value from the key

HKEY_CLASSES_ROOT\Network\SharingHandler

9.) You can also remove all icons from the desktop altogether. To do this, create in the key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

a DWORD parameter named "NoDesktop". Reboot and you will see the cleanest desktop in the world.

10.) In order to hide drives in Explorer, go to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

and create a binary parameter here with the name "NoDrives".

The value will depend on which drives you want to hide:

Disk A - value 01 00 00 00
B - 02 00 00 00
C - 04 00 00 00
D - 08 00 00 00
E - 10 00 00 00
F - 20 00 00 00

If you want to hide several drives, you need to sum their values. But note that these numbers are hexadecimal. To calculate correctly, use the calculator (Programs - Standard - Calculator). Select "View - Engineering" from the Calculator menu, then select "Hex" and calculate. For example, to hide drives C and D, add 04 00 00 00 and 08 00 00 00 and enter 0C 00 00 00 as the parameter value. To hide drives A and E, add 01 00 00 00 and 10 00 00 00; the result is 11 00 00 00.

11.) Open Properties: Screen; here we will hide some tabs. In the registry editor, find the key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

and create a DWORD parameter here named NoDispBackgroundPage with the value 1. Now the Background tab will not be displayed. The rest of the tabs are hidden by the following parameters:

NoDispAppearancePage - Decoration
NoDispScrSavPage - Screensaver
NoDispSettingPage - Setting.

12.) Now let's make the item "Open with..." always appear in the context menu. To do this, find the key HKEY_CLASSES_ROOT\*\ and create a section shell in it (if it does not exist). Here create another section, "openas", and in it a section "command". Change the "Default" value to "C:\WINDOWS\rundll32.exe shell32.dll,OpenAs_RunDLL %1". Done, you can check.

13.) To change how fast the main menu drops down, go to the key

HKEY_CURRENT_USER\Control Panel\desktop

and create the string parameter MenuShowDelay. Enter the delay time (in milliseconds) as the value and reboot.

14.) Now let's try putting the item "Open in Notepad" in the context menu. Go to the section HKEY_CLASSES_ROOT\*\shell (if it does not exist, create it). Create a section "Open" and change Default to "Open in Notepad". Now create a section "command" and in it change Default to "notepad.exe %1". Done.

15.) Now let's play with Internet Explorer. Want to change your browser wallpaper? You are welcome. Go to the key

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar

and create the string parameter "BackBitmap". As its value, enter the path to a picture in BMP format and restart your browser. But that's not all. In

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

create a new string parameter Window Title. In the value, enter what you want to see in the title after the page name, restart your browser and enjoy. Explorer will look exactly the same.

16.) If you want to admire a name or just a word after the clock in the Systray (the bottom panel), go to

HKEY_CURRENT_USER\Control Panel\International\

and create two string parameters: s1159 and s2359. As their value, enter the desired name. The limit is 8 letters.

17.) When you need to restart the registry and you don't want to restart the machine, in some cases the following will help: press Ctrl + Alt + Del, then select Explorer and the button "Complete task". Decline the offer to shut down the computer, then press "Remove task" in the next window, after which you will see the taskbar disappear and reappear.

Not everything works in Windows 95
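The calculator arithmetic from tip 10 (NoDrives), as an added example that is not part of the original article: it builds the 4-byte value from drive letters and decodes a value found in the registry back into letters, which is handy when checking why a drive is missing from Explorer. It goes beyond the A to F table above by assuming the same one-bit-per-letter pattern continues up to Z; the function names are made up for this illustration.

```python
import string


def nodrives_mask(letters):
    """Combine drive letters into the 32-bit NoDrives mask (A = bit 0, B = bit 1, ...)."""
    mask = 0
    for letter in letters:
        letter = letter.strip().rstrip(":").upper()
        if len(letter) != 1 or letter not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {letter!r}")
        # OR-ing distinct bits gives the same result as the hexadecimal sum in tip 10.
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def to_regedit_binary(mask):
    """Format the mask the way regedit shows a binary value: low byte first."""
    return " ".join(f"{byte:02X}" for byte in mask.to_bytes(4, "little"))


def hidden_drives(value_text):
    """Decode a value such as '0C 00 00 00' (or '0c,00,00,00') into drive letters."""
    raw = bytes.fromhex(value_text.replace(",", " "))
    if len(raw) != 4:
        raise ValueError("NoDrives is expected to be exactly 4 bytes")
    mask = int.from_bytes(raw, "little")
    if mask >> 26:
        raise ValueError("bits above drive Z are set; the value is malformed")
    return [string.ascii_uppercase[i] for i in range(26) if mask & (1 << i)]


if __name__ == "__main__":
    for drives in ("CD", "AE", "Z"):
        value = to_regedit_binary(nodrives_mask(drives))
        print(drives, "->", value, "->", hidden_drives(value))
```

The byte order matters once letters past H are involved: drive Z is the last of the four bytes, not the first.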

Registry repair

Care must be taken when working with the registry. Deleting any important data accidentally or unknowingly can crash the operating system. Then the situation can be saved only by restoring the last working copy.

If you are going to experiment with the registry, first save the SYSTEM.DAT and USER.DAT files to disk. They are located in the directory where the operating system was installed and have the read-only and hidden attributes. If the registry is seriously damaged, you can copy these files back to the Windows directory, set the required attributes, and the registry will be as good as new. Just do not try to restore these files while Windows is running, otherwise the system will go down completely and only a full reinstallation will save it! To restore these files, you must first reboot into DOS and replace the damaged files with good ones there.

But this is not the only data recovery option. The fact is that on each successful start the operating system saves a copy of the registry in a .cab file, which is written to the hidden SYSBCKUP directory inside the Windows directory. By default, the last five copies are kept. This number can range from 0 to 99 and is set by the value of the MaxBackupCopies key in the scanreg.ini file in the Windows directory. True, it is not worth setting too large a value, since the files take up a lot of space (one file is larger than a megabyte).

To restore the registry from one of these backups, you need to reboot into DOS and run the command

A list of available registry backups will appear, sorted by the time they were created. After you select the desired copy, the data will be safely restored, and you will get a registry that corresponds to the state of affairs at the time the copy was created.

But if you installed any programs or changed the operating system settings in the interval between the last backup and a failure in the registry, then all this data will be irretrievably lost. Do we need it? Definitely not! To back up the registry at any time, use the command

which, if the check passes normally, will create a backup.

Another option for backing up and restoring the registry is to export the key or entire branch that you plan to modify. This can be done in Regedit for Windows from the Registry menu. Highlight the required section and click the item "Export registry file". After you specify the file name, the data in this section will be exported to it. The file has the REG extension. To import it into the registry, just double-click it and the data will be transferred. True, this recovery method has one significant disadvantage: all deleted or modified entries will be restored, but added entries will not be deleted. So this method is more suitable if you make minor changes: to roll them back without re-entering the old data, you can use export / import.
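The disadvantage described above, shown on the startup key from tip 2, as an added example that is not part of the original article: a small parser for REGEDIT4 export text and a simulation of the import, listing the values that remain afterwards because the backup never contained them. Both exports and all entry names in them are constructed sample data; the parser handles only single-line values and keeps the data exactly as written in the file.

```python
import copy
import re

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse REGEDIT4 export text into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        section = SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = VALUE.match(line)
        if value and current is not None:
            name = "(Default)" if value.group(1) == "@" else value.group(1)[1:-1]
            current[name] = value.group(2)
    return keys


def import_reg(live, exported):
    """Simulate the import: every value in the file is written, nothing is removed."""
    result = copy.deepcopy(live)
    for key, values in exported.items():
        result.setdefault(key, {}).update(values)
    return result


def survivors(after_import, exported):
    """Values still present after the import that the export never contained."""
    found = []
    for key, values in after_import.items():
        for name, data in values.items():
            if name not in exported.get(key, {}):
                found.append((key, name, data))
    return sorted(found)


RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed export taken before the changes.
BACKUP_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''

# Constructed current state: one value modified, one deleted, one added.
CURRENT_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="C:\\TEMP\\tray.exe"
"Updater"="C:\\TEMP\\upd.exe"
'''

if __name__ == "__main__":
    backup = parse_reg(BACKUP_REG)
    restored = import_reg(parse_reg(CURRENT_REG), backup)
    for key, name, data in survivors(restored, backup):
        print("still present after import:", key, name, data)
```

Comparing the current export against the backup in this way shows which entries have to be removed by hand after the import.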

In general, you need to work with the registry very carefully, but if you back it up periodically, no problems should arise.
