The Windows Registry is the brain of the Windows operating system and holds all the nuts and bolts, or in more technical terms, it is a hierarchical database storing configuration settings and options needed to run applications and commands. The Windows Registry, however, is actually dynamic and only exists when Windows is running.
The Registry resembles a subtree like Windows Explorer because of its nesting pattern. There are five 'Hives' or main registry keys containing a nesting of keys, subkeys and values having a set of support files containing backups of its data. Depending on the OS version, there may be four to six 'Hives' or main registry keys displayed (d). Each is named according to their handles (Handle Key = HK) defined in the Win32 API and are used to govern settings:
- HKEY_LOCAL_MACHINE - holds hardware and software info within these five subkeys (d):
- Hardware (c)
- SAM (Security Accounts Manager) (c)
- Security (c)
- HKEY_CURRENT_CONFIG – holds hardware info currently in use and allows for backwards compatibility with older applications and device drivers. Cannot be edited.
- HKEY_CLASSES_ROOT - contains file extension associations to help Windows recognize a particular file type.
- HKEY_CURRENT_USER - holds profile info specific to user who is logged on. Cannot be edited.
- HKEY_Users – holds default profile (current user) as well as all profiles for users who have logged onto the computer previously.
- HKEY_PERFORMANCE_DATA (a) - Provides runtime information into performance data provided by either the NT kernel itself or other programs that provide performance data.
- HKEY_DYN_DATA (b) - contains dynamic information about plug-n-play devices. The data here is dynamic, which means it changes constantly and is created on the fly. This key is rewritten every time you boot up, it is therefore virtual and not displayed (so hidden) in the hive.
(a) Only in NT-based versions of Windows, but invisible in the Windows Registry Editor. Not stored in any hive and while it is not visible in the registry editor, it is visible through the registry functions in the Windows API.
(b) Only in Windows 9x/Me, and visible in the Windows Registry Editor
(c) The first 3 subkeys (hardware, SAM and security) that fall under registry key 'HKEY_LOCAL_MACHINE cannot be modified.
(d) The six and seventh subkeys (Components and BCD) are exclusive to versions Windows Vista and above and are mapped on-demand by the kernel.
Registry keys or hives use a syntax using backslashes to denote levels of hierarchy just like Windows' path names. For example: HKEY_Local_Machine\Software\Classes. Subkeys have a mandatory name that is not case sensitive and a non-empty string that cannot contain a backslash 'within' the name.
HKEY_LOCAL_MACHINE\Software = subkey of "Software"
HKEY_LOCAL_MACHINE\Software\Microsoft = subkey of 'Software and subkey of "Microsoft"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows = subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE root key.
Both the subkeys and registry values contain application information needed to support COM functionality, i.e. supported data formats, programmatic identifiers, compatibility information, DCOM and controls. Because registry keys can impact the performance of the of the Windows operating system, also known as the white listed area, you should always update your backup files before making any edits or changes. Using the wrong editing tool or making an error could keep the Windows OS from booting and leave you facing a blue screen.