1
The Windows XP Registry 70-270: MCSE Guide to Microsoft Windows XP Professional
2
Windows Registry Overview (Page 1) The Registry is a hierarchical database of information about the system’s configuration … Stores information essential to the functioning of Windows XP Information for Microsoft and third-party applications
3
Windows Registry Overview (Page 2) Information replaces initialization files, i.e. the WIN.INI (or other .ini files), or Autoexec.bat and Config.sys files of MS-DOS and Windows 3.x It is not a text file, but rather several files with data in binary or encrypted format
4
Windows Registry Overview (Page 3) Many changes are made to the system configurations through various Control Panel applets and applied to Registry … It usually is better to use the appropriate Windows interface If the Registry Editor is used incorrectly, serious problems may result that require reinstalling the operating system
5
Windows Registry Overview (Page 4) Some settings can be established or changed only by editing Registry directly: In that case run the Registry editor from the "Start" menu by entering command "regedit" at the Run… command Either way, the Registry is designed for programming ease as well as speed of interaction for processes
6
Windows Registry Components (Page 1) Left pane shows a hierarchical structure: Keys—top-level containers in the hierarchy (Each key starts with HKEY to indicate highest-level status, i.e. HKEY_LOCAL_MACHINE) Subkeys—within each subkey exists: One or more values Or additional subkey levels
7
Hierarchical Registry Structure
8
Windows Registry Components (Page 2) Right pane displays the value entries: Named parameters for control settings or configuration data Each value entry is composed of three elements: (1) the entry name, (2) data type, and (3) data value
9
Registry Data Types (Page 1) Binary—binary format Most hardware component information is stored as binary data Actually displayed in hexadecimal format Referred to as REG_BINARY DWORD—binary, hex or decimal Hexadecimal numbers are displayed starting with characters "0x" as in 0xC (12) Referred to as REG_DWORD
10
Registry Data Types (Page 2) String—fixed-length text string Referred to as REG_SZ Multiple String—contains multiple human-readable characters Entries are delimited by spaces, commas, or other marks (i.e. NULLs) Referred to as REG_MULTI_SZ
11
Registry Data Types (Page 3) Expandable String—contains variables that are resolved (replaced) when a program or service uses the data I.e. %systemroot%\File.exe Referred to as REG_EXPAND_SZ This list is not complete, but rather is a partial list of the most common data types
12
Registry Data Types (Page 4) Additionally there is a type "None" when the data has no particular type Written to registry by applications or the system, and is displayed in hexadecimal format as binary Referred to as REG_NONE
13
Windows Registry (Page 1) Not a complete collection of settings Holds only exceptions to defaults To alter a value that is a default, a new value entry must be added to Registry Administrator must know the exact syntax, spelling, location, and valid values Always edit with extreme care The Microsoft Windows XP Professional Resource Kit includes help file (Registry.chm) with all possible entries and valid values
14
Windows Registry (Page 2) Each time Windows XP starts, Registry is loaded into memory from files on the hard drive … Changes become effective immediately Only on rare occasions is rebooting the system required Written from memory back to hard drive files on shutdown
15
Windows Registry (Page 3) The Registry is stored not in one file, but rather in several Each contains a discrete body of keys, subkeys and values known as a hive Complete listing of path and filenames are found in Registry at subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
16
The Registry Keys The five highest-level keys (HKEY) in the Registry are: HKEY_CLASSES_ROOT HKEY_CURRENT_USER HKEY_LOCAL_MACHINE HKEY_USERS HKEY_CURRENT_CONFIG
17
Root Key Abbreviations The root keys have an abbreviated format: For example the abbreviation for the HKEY_LOCAL_MACHINE key is “HKLM” (So subkeys can be rendered using a shorter format, i.e. HKLM\HARDWARE) Abbreviations for the other root keys are: HKEY_CLASSES_ROOT—“HKCR” HKEY_CURRENT_USER—“HKCU” HKEY_USERS—“HKU” HKEY_CURRENT_CONFIG—“HKCC”
18
HKEY_LOCAL_MACHINE (Page 1) Controls the local computer, establishing configuration of hardware and operating system environment Includes information about the hardware devices, installed applications, device drivers, kernel services, physical settings Dependent on physical composition of the hardware and software present on machine Not dependent on logged-on user, or currently running processes or applications
19
HKEY_LOCAL_MACHINE (Page 2) The five subkeys are: HARDWARE, SAM, SECURITY, SOFTWARE and SYSTEM All these subkeys except HARDWARE are saved to hive files in: %systemroot%\system32\config (usually c:\windows\system32\config) The files cannot be opened manually
20
HKEY_LOCAL_MACHINE
21
HKEY_LOCAL_MACHINE Files
22
HKEY_LOCAL_MACHINE\HARDWARE (Page 1) Subkey containing data related directly to physical devices installed on a computer: Configuration data Device driver settings Mappings and linkages Relationships between kernel-mode and user-mode hardware calls IRQ hooks
23
HKEY_LOCAL_MACHINE\HARDWARE (Page 2) Re-created from data read from state of physical devices and associated device drivers each time system starts … Does not save when system shuts down Does not map to a specific hive file Contents should not be manipulated Should be no need since settings always reflect current state of system Most data is encrypted in binary format
24
HKEY_LOCAL_MACHINE\HARDWARE (Page 3) Subkeys: DESCRIPTION—data extracted from device's firmware or BIOS DEVICEMAP—information about device driver paths, locations and filenames RESOURCEMAP—information about mappings between system resources (I/O ports, I/O memory address, interrupts, direct memory access) and device drivers
25
HKEY_LOCAL_MACHINE\HARDWARE (Page 4) Subkeys (con.) ACPI (not always present)—when system supports Advanced Configuration and Power Interface OWNERMAP (only present when certain bus types are present in computer) Same information is viewable from Start menu > Programs > Accessories > System Tools > System Information
26
HKEY_LOCAL_MACHINE\SAM (Page 1) Subkey which is the Security Accounts Manager (SAM) database Contains data related to security Location where user accounts and group memberships are defined Stores the entire security structure of the Windows XP system
27
HKEY_LOCAL_MACHINE\SAM (Page 2) Do not attempt to modify this subkey: Not viewable in the Registry Editor Most data is in binary or encrypted format Also has a security setting so only System (or the System utility) has read/write rights Use the Local Users and Groups applet in “Control Panel” to manipulate data Resides in a hive file named SAM in the \%systemroot%\System32\config directory
28
HKEY_LOCAL_MACHINE\SECURITY (Page 1) Subkey which serves as a container for security policy on the local machine Applies to all local users Defines control parameters, such as: Password policy User rights Account lockout Audit policy General security options for local machine
29
HKEY_LOCAL_MACHINE\SECURITY (Page 2) Do not attempt to modify this subkey … Not viewable in the Registry Editor Most data is in binary or encrypted format Also has a security setting so only System utility has read/write rights Use the Local Security Policy applet in "Administrative Tools" in "Control Panel" to manipulate data Resides in a hive file named SECURITY in \%systemroot%\System32\config directory
30
HKEY_LOCAL_MACHINE\SOFTWARE Subkey which serves as a container for data about installed software and mapped file extensions Applies to all local users HKLM\SOFTWARE\Classes subkey stores same data as HKEY_CLASSES_ROOT key In fact it is created by copying data from HKLM\SOFTWARE\Classes subkey Resides in a hive file named SOFTWARE in \%systemroot%\System32\config directory
31
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES
32
HKEY_LOCAL_MACHINE\SYSTEM (Page 1) Subkey that stores data required to boot Windows XP: Startup parameters Loading order for device drivers Service startup credentials (settings and parameters) Basic operating system behavior
33
HKEY_LOCAL_MACHINE\SYSTEM (Page 2) Essential to start process of Windows XP Contains subkeys called control sets that include complete information about start process for the system Resides in a hive file named SYSTEM in \%systemroot%\System32\config directory
34
HKEY_LOCAL_MACHINE\SYSTEM
35
HKEY_LOCAL_MACHINE\SYSTEM (Page 3) The MountedDevices subkey contains settings for storage devices including the control set boot status Additionally contains Control set subkeys called CurrentControlSet, ControlSet001, ControlSet002, etc: CurrentControlSet is redirected from one of the numbered control sets as identified in the HKLM\SYSTEM\Select subkey (the Default value entry) Update HKLM\System\LocalDevices by changing drive letter for any partition using "Computer Management" applet
36
HKEY_LOCAL_MACHINE\SYSTEM (Page 4) Control set subkeys (con.): Each control set has four subkeys: Control—data related to controlling system startup, boot parameters, computer name, and necessary subsystem to initiate Enum—data regarding required device drivers and their configurations Hardware Profiles—the one currently in use Services—data about drivers, services, file systems, and required components needed to load services during bootup, and order in which they are called
37
HKEY_LOCAL_MACHINE\SYSTEM\Select Subkey HKLM\SYSTEM\Select subkey values reference the Control sets: Default—which one will be used during the next bootup Current—which one was used to start current session LastKnownGood—which one was used to boot and successfully log on a user (more to follow)—select when booting Failed—which one was replaced from the LastKnownGood because of failure to start
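Added example, not part of the original slides: a Python routine that reads the four Select values from the output of `reg query HKLM\SYSTEM\Select` and maps each to its numbered control set, which is how a CurrentControlSet path has to be resolved when a SYSTEM hive is examined offline. The sample output, its values and the function names are constructed for illustration.

```python
import re

# Constructed sample: text as printed by `reg query HKLM\SYSTEM\Select`
# (the numbers are illustrative, not taken from the slides).
SAMPLE_QUERY_OUTPUT = """\

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SYSTEM\\Select
    Current\tREG_DWORD\t0x1
    Default\tREG_DWORD\t0x1
    Failed\tREG_DWORD\t0x0
    LastKnownGood\tREG_DWORD\t0x2
"""

SELECT_NAMES = ("Current", "Default", "Failed", "LastKnownGood")
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_select(text):
    """Return {value name: int} for every REG_DWORD entry in the query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def control_set_name(number):
    """Map a Select value to its subkey name; 0 means no control set is recorded."""
    return None if number == 0 else "ControlSet%03d" % number


def resolve_control_sets(text):
    """Return {Select value name: control set subkey or None}."""
    select = parse_select(text)
    missing = [n for n in SELECT_NAMES if n not in select]
    if missing:
        raise ValueError("Select output lacks: " + ", ".join(missing))
    return {n: control_set_name(select[n]) for n in SELECT_NAMES}


def real_path(path, resolved):
    """Rewrite a CurrentControlSet path to the numbered control set behind it."""
    parts = path.split("\\")
    return "\\".join(
        resolved["Current"] if p.lower() == "currentcontrolset" else p for p in parts
    )


if __name__ == "__main__":
    sets = resolve_control_sets(SAMPLE_QUERY_OUTPUT)
    for name in SELECT_NAMES:
        print("%-14s %s" % (name, sets[name] or "(none)"))
    print(real_path(r"HKLM\SYSTEM\CurrentControlSet\Services", sets))
```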
38
The Selection Menu
39
HKEY_CLASSES_ROOT (Page 1) Container for information pertaining to application associations based on file extensions and COM object data Copied from HKLM\SOFTWARE\Classes subkey Maintained for backward compatibility and not strictly required by Windows XP
40
HKEY_CLASSES_ROOT (Page 2) Do not edit contents of this key directly in the Registry Editor: To update use either: 1. "File Types" tab of Folder Options in "Control Panel", or … 2. Select Tools menu Folder Options… command in "Windows Explorer"
41
HKEY_CURRENT_CONFIG (Page 1) Container for data that pertains to whatever hardware profile is currently in use Links to the: HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current subkey Maintained for backward compatibility Not strictly required by Windows XP
42
HKEY_CURRENT_CONFIG (Page 2) Do not edit directly in the Registry Editor: To update use Device Manager in "Control Panel" by selecting either: 1. The Device Manager interface on the "Hardware" tab of Systems applet, or … 2. The Device Manager node from "Computer Management" utility in Administrative Tools Use the Hardware Profiles interface on the "Hardware" tab of Systems applet in "Control Panel" to select a profile
43
HKEY_CURRENT_USER Container for profile for whichever user is currently logged on Contents are built each time a user logs on by copying appropriate subkey from the HKEY_USERS key Should not be edited directly … Modify user’s profile through conventional profile management techniques Values stored in the \Documents and Settings\%username% folder
44
HKEY_USERS (Page 1) Contains profiles for all current users who have ever logged onto system Each time system boots builds the key: Loads a default user profile file and locally stored copies of either "Ntuser.dat" or "Ntuser.man" from user's profile directory (\Documents and Settings\%username%) HKEY_USERS\.Default node is location for the default (new) user settings
45
Ntuser.dat Folder options: “Show hidden files and folders” is on
46
HKEY_USERS (Page 2) Should not be edited directly Modify user’s profile through conventional profile management techniques To remove user profile from this key, delete the user account utilizing either “User Accounts” or “Computer Management” The latter from Administrative Tools Subkeys in HKEY_USERS use Windows Security IDs (SIDs) to identify users, and not usernames
47
HKEY_DYN_DATA Appears only on machines with Windows 95 or Windows 98 applications that use older versions of Plug and Play Maintained for backward compatibility
48
Registry Editors Two tools that can be used to operate on the Registry directly: Regedit.exe—a GUI viewer and editor Reg.exe—a command-line utility
49
Regedit.exe (Page 1) Combines all of keys into a single display Can be executed from the Start menu Run… command Type "regedit" and click button Double-click keys or click [+] and [-] buttons to open and close nodes
50
Regedit.exe (Page 2) Functions include: Global searching— 1. Select Edit menu Find… command 2. Use function key to continue searching with same search value Close all nodes to the five highest-level keys— then try searching for the DefaultUserName value entry
51
Regedit.exe (Page 3) Functions include (con.): Security manipulation (more next slide)— Select any key or subkey in Registry Select Edit menu Permissions… command Set Full Control, Read and/or Special Permissions
52
Protecting the Registry The Registry should only be edited by a qualified person Permissions can be assigned to the hives and keys within the Registry Almost identical to assigning permissions and protecting files and folders on any NTFS partition Only privileged groups and users should be allowed to edit and view the Registry
53
Reg.exe (Page 1) Console Registry tool for Windows XP, executed as a command-line utility (not a GUI interface) Permits users, batch files, or programs (scripts) to operate on the Registry Update seems to have been eliminated from the Windows XP version Not as convenient or user-friendly as Regedit.exe
54
Reg.exe (Page 2) Launch the command prompt … Start menu > Programs > Accessories > Command Prompt, or … Start menu Run… command, then type "cmd" and click button Type "reg" and press key to view basic documentation Notice each major key can be abbreviated, i.e. HKLM is HKEY_LOCAL_MACHINE
55
Reg.exe (Page 3) Use the "reg query" command to view contents for a specific key or keys Type "reg query /?" for help on the query function
56
Reg.exe (Page 4) Format of the query function: reg query SubKeyName /v ValueName Quotes may be needed around the SubKey structure if any elements are two or more words The "/v" parameter tells Reg.exe to search for the specific value entry Example to view your logon name: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
57
A Sample Batch File Create this file and save it on Desktop— then execute it from Command prompt
58
Changing the Registry (Page 1) Back up all important data on computer before editing Registry Make a distinct backup of all or the part of Registry that will be changed Saving each key or subkey individually is recommended Restart machine before editing Registry Writes any unsaved values to disk
59
Changing the Registry (Page 2) Perform only a single Registry modification at a time (test before going on) Restart immediately after each change Forces full system compliance with new settings in Registry Test changes on nonproduction system before deploying on critical production systems
60
Registry Storage Files (Page 1) Static images of the Registry are stored in \%systemroot%\System32\config and \%systemroot%\Repair of boot partition Files do not necessarily match one-to-one with top-level keys Large number of files are used for storing Registry data which are available for backup or for rollback versions Files categorized as subkey files, logging and backup files
61
Registry Storage Files
62
Registry Storage Files (Page 2) The Registry file extensions: No extension—the actual storage file itself (the hive file); .alt—the backup file for the subkey (only HKLM\SYSTEM has a backup file); .log—log files record all successful and failed changes to Registry (verifies all modifications are completed); .sav—copies of original key values after the text portion of Windows XP installation
63
Registry Storage Files (Page 3) Only two of HKEY_LOCAL_MACHINE subkeys are stored in files: Default subkey of HKEY_USERS key HKEY_CURRENT_USER key Other subkeys built "on the fly" or copied from subkeys of HKEY_LOCAL_MACHINE
64
Registry Storage Files (Page 4) The ERD (Emergency Repair Disk) no longer exists in Windows XP … Copy \%systemroot%\System32\Config and \%systemroot%\Repair directories to create a custom ERD (more to follow in section on backup and recovery)
65
Registry Fault Tolerance (Page 1) If the Registry becomes corrupted or is destroyed, Windows XP cannot function or even start Fault tolerance of Registry is sustained by its structure … Uses an "all or nothing" approach If change is interrupted, desired change is not implemented and the Registry remains in its previous state Interrupted due to power failure, hardware failure, too little CPU time, etc.
66
Registry Fault Tolerance (Page 2) Memory residence also supports fault tolerance--changes to the registry are made in RAM Become permanent when key values are written to disk; occurs: During a process known as a flush, At system shutdown When forced by an application Occasionally just after a Registry alteration
67
Registry Fault Tolerance (Page 3) Fault tolerance also built-in through the use of Transaction logs … Alterations are written first to appropriate log If the system fails before flush is complete, original state of the key can be recovered from log and stored to Registry in RAM The flush operation for the HKLM\SYSTEM key uses the backup file (System.alt) to store the changes until update is complete Then updates the backup as well
68
Backing Up the Registry (Page 1) Important to backup the Registry in one of several ways Use Windows XP Backup tool or some other third party backup utility Usually involves selecting a "Backup the Registry" or "System State" checkbox Manually make copies of the files in the \%systemroot%\System32\config and \%systemroot%\Repair folders For creating the custom ERD
69
Backing Up the Registry (Page 2) Use the tools in the "Microsoft Windows XP Professional Resource Kit" Launch Regedit.exe to backup all or part of the Registry 1. Select a root key or subkey 2. From File menu Export… command 3. Make sure the Selected Branch radio button in "Export Range" group is selected 4. Enter filename and select path, then click the button Backup the HKLM\SOFTWARE subkey
70
Restoring the Registry (Page 1) First Windows XP uses its automatic fault-tolerance mechanisms to maintain a functional Registry Otherwise access the boot option by pressing and select Last Known Good Configuration (LKGC) The most recent settings that worked Any changes made since the LKGC was stored will be lost
71
Restoring the Registry (Page 2) If the LKGC fails: Use backup software such as UltraBac (www.ultrabac.com) to restore Registry files Reinstall Windows XP, either fully or as an upgrade, the latter of which may replace the part of the Registry causing problem If system boots but is not functioning the way it should, use your Registry backup Same tool used to create the backup
72
Restoring the Registry (Page 3) Use the Import tool if Regedit.exe export command was used to create backup: 1. From File menu Import… command 2. Select the file 3. Click the button 4. Wait until message indicates the import was successful and click the button May be full Registry or subset of subkeys The backup.reg file can be executed directly without launching Regedit Before beginning modify the "LegalNoticeText" value entry in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system subkey
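Added example, not part of the original slides: the file written by Regedit's Export command is plain text in which every value entry carries one of the data types listed in the Registry Data Types slides. The Python parser below decodes such a file so its keys and typed values can be reviewed before the file is imported or executed; the sample key, value names and function names are constructed for illustration.

```python
import re

# Constructed sample in Regedit's "Version 5.00" export format (illustrative key and
# values). Real exports are UTF-16 files; decode them to text before parsing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"
"Retries"=dword:0000000c
"Blob"=hex:de,ad,be,ef
"Tool"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,74,00,\
  25,00,5c,00,46,00,69,00,6c,00,65,00,2e,00,65,00,78,00,65,00,00,00
"Paths"=hex(7):61,00,00,00,62,00,63,00,00,00,00,00
"Obsolete"=-
'''

# hex(N) type numbers used by the export format, mapped to the slides' type names.
HEX_TYPES = {0: "REG_NONE", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 7: "REG_MULTI_SZ"}
ENTRY = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape(quoted):
    """Strip the surrounding quotes and undo backslash escapes."""
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def decode_value(raw):
    """Return (type name, Python value) for the text after '=' on a value line."""
    if raw == "-":
        return "DELETE", None                        # import-only syntax: remove the value
    if raw.startswith('"'):
        return "REG_SZ", unescape(raw)
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", raw)
    if not m:
        raise ValueError("unrecognised value syntax: %r" % raw)
    type_id = int(m.group(1), 16) if m.group(1) else 3   # bare "hex:" is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    name = HEX_TYPES.get(type_id, "type 0x%x" % type_id)
    if type_id in (2, 7):                            # UTF-16LE text, NUL-terminated
        text = data.decode("utf-16-le").rstrip("\x00")
        if type_id == 7:                             # several strings separated by NUL
            return name, (text.split("\x00") if text else [])
        return name, text
    return name, data


def parse_reg(text):
    """Return {key path: {value name: (type name, value)}} for a decoded .reg file."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)        # join hex continuation lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = ENTRY.match(line)
            if m:
                name = "(Default)" if m.group(1) == "@" else unescape(m.group(1))
                current[name] = decode_value(m.group(2))
    return keys


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print(key)
        for name, (kind, value) in values.items():
            print("  %-10s %-13s %r" % (name, kind, value))
```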
73
Windows XP Professional Resource Kit Registry Tools (Page 1) Tools that are separate from Windows XP Professional operating system that can be used to manipulate the Registry Purchased from Microsoft as well as most software or book vendors
74
Windows XP Professional Resource Kit Registry Tools (Page 2) Key utilities: Regdump.exe—command-line tool used to dump all or part of Registry to a file Regfind.exe—command-line tool used to search for keys, value names, or data values based on keywords Compreg.exe—GUI tool used to compare Registry keys and highlight differences
75
Windows XP Professional Resource Kit Registry Tools (Page 3) Key utilities (con.): Regini.exe—command-line scripting tool to add keys to Registry *** Regback.exe—command-line scripting tool to back up keys Regrest.exe—command-line scripting tool to restore keys Scanreg.exe—GUI tool used to search for keys, value names, or data values based on keywords