What Are Registry Values and How Do They Work?

The system Registry is a Windows-specific hierarchical database of configuration settings for the operating system and the applications installed on it. Knowing a little about the Registry helps a great deal when troubleshooting bugs and misbehaving software, but the Registry is also a subject of public confusion and, in some cases, of deliberate scams on the part of criminals. Registry values are the individual entries in the Registry; they hold data that is read by system services, the graphical user interface (GUI), device drivers and the kernel itself, which loads driver and service configuration from the Registry at boot.

Defining What the Registry Contains in Detail

Although other operating systems sometimes have crude analogues to the Registry, the Registry itself is a component of every Windows release since Windows 3.1. Besides keys, which are the containers that hold values and further keys, the database stores values of the following types:

  • Binary data (REG_BINARY): an arbitrary sequence of bytes of any length, used for data that has no more specific type. Despite the name, it is not limited to a single 0 or 1.
  • 32-bit numbers (REG_DWORD): stored in little-endian byte order. A separate REG_DWORD_BIG_ENDIAN type exists for the big-endian byte order, but it is rarely used.
  • 64-bit numbers (REG_QWORD): little-endian only.
  • Three types of single null-terminated string with different characteristics: REG_SZ (plain text), REG_EXPAND_SZ (text containing environment variables such as %SystemRoot% that are expanded when the value is read) and REG_LINK (the target path of a symbolic link to another key); and a fourth type, REG_MULTI_SZ, for a sequence of null-terminated strings ended by an extra null.

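The value types above, exercised from PowerShell. This is an added example, not code from the original article: it writes one value of each type that the built-in cmdlets can create under a scratch key in HKCU (the key name RegValueTypesDemo is arbitrary), then reads them back through the underlying RegistryKey object so that the stored type, and the difference between raw and expanded string data, is visible.

```powershell
# Added example (not from the original article): write one value of each common
# Registry type under a scratch key, then read them back with their stored type.
# The key name RegValueTypesDemo is arbitrary; HKCU is writable without elevation.
$key = 'HKCU:\Software\RegValueTypesDemo'
if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
New-Item -Path $key -Force | Out-Null

# REG_BINARY: an arbitrary byte sequence of any length (six bytes here), not a single bit.
New-ItemProperty -Path $key -Name 'BinBlob' -PropertyType Binary `
    -Value ([byte[]](0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x01)) | Out-Null

# REG_DWORD (32-bit) and REG_QWORD (64-bit); both are stored little-endian.
# PowerShell offers no PropertyType for the rarely used REG_DWORD_BIG_ENDIAN.
New-ItemProperty -Path $key -Name 'DwordVal' -PropertyType DWord -Value 500        | Out-Null
New-ItemProperty -Path $key -Name 'QwordVal' -PropertyType QWord -Value 5000000000 | Out-Null

# The string types: REG_SZ, REG_EXPAND_SZ (variables expanded on read) and
# REG_MULTI_SZ (a list of strings). REG_LINK cannot be created with these cmdlets.
New-ItemProperty -Path $key -Name 'PlainStr'  -PropertyType String       -Value 'hello'                   | Out-Null
New-ItemProperty -Path $key -Name 'ExpandStr' -PropertyType ExpandString -Value '%SystemRoot%\regedit.exe' | Out-Null
New-ItemProperty -Path $key -Name 'MultiStr'  -PropertyType MultiString  -Value @('first', 'second', 'third') | Out-Null

# Read back through the RegistryKey object: GetValueKind gives the stored type,
# and the DoNotExpandEnvironmentNames option returns REG_EXPAND_SZ data unexpanded.
$rk = Get-Item -Path $key
foreach ($name in $rk.GetValueNames()) {
    $kind = $rk.GetValueKind($name)
    $raw  = $rk.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
    $shown = switch ($kind.ToString()) {
        'Binary'       { ($raw | ForEach-Object { $_.ToString('X2') }) -join ' ' }
        'MultiString'  { $raw -join ' | ' }
        'ExpandString' { "$raw  (expands to: $($rk.GetValue($name)))" }
        default        { "$raw" }
    }
    '{0,-10} {1,-13} {2}' -f $name, $kind, $shown
}

Remove-Item -Path $key -Recurse -Force   # remove the scratch key again
```

Run it in a normal (non-elevated) PowerShell window. The BinBlob line shows the bytes as hex, which is the same view Regedit gives for REG_BINARY data; the ExpandStr line shows the stored text beside the expanded path.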
Viewing Registry entries requires a Registry-specific program. Rather than presenting every entry in one flat list, the Registry organizes its information like a directory tree. The top-level containers are the root keys (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER and so on); the on-disk files that back them (such as SYSTEM, SOFTWARE and each user's NTUSER.DAT) are called hives; the containers below a root key are keys and subkeys, and each key holds zero or more values. Regedit also provides a basic text search (Edit > Find) that locates a key, value name or value data without your having to click through each folder in turn.

The default program for examining or editing the Registry is Regedit.exe, although third parties offer alternatives. In general, our malware research team strongly discourages casual PC users from editing the Registry unnecessarily. Many of Windows' own protections are configured by Registry values (User Account Control, Windows Defender and the policy settings that govern Task Manager and Regedit themselves), so deleting or modifying the wrong value can switch a protection off, and a mistake in a system key can leave the operating system or an application unable to start. It also must be emphasized that the Registry has little, if any, impact on the overall performance of your PC and doesn't need to be edited manually except in unusual circumstances, chiefly when manually correcting a software configuration, installation or uninstallation bug. If you do edit it, export the affected key first so that the change can be undone.
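The back-up-first workflow for one of those unusual manual edits, as an added example that is not part of the original article. The key HKCU\Software\ExampleApp and its LogLevel value are hypothetical stand-ins for an application setting; the backup goes to a .reg file in the temp directory, and reg.exe (shipped with Windows) does the export and import.

```powershell
# Added example (not from the original article): export a key before editing it,
# make the change, verify it, and roll back from the export.
# ExampleApp and LogLevel are hypothetical; replace them with the real key and value.
$key    = 'HKCU:\Software\ExampleApp'
$backup = Join-Path $env:TEMP 'ExampleApp-backup.reg'

# Stand-in for an existing application setting (a real edit starts at step 1).
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'LogLevel' -Value 1 -Type DWord

# 1. Export the key before touching it. reg.exe expects the HKEY_CURRENT_USER\...
#    spelling rather than the HKCU: PSDrive form.
$regPath = $key -replace '^HKCU:\\', 'HKEY_CURRENT_USER\'
reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; not editing." }

# 2. Make the change and read it back to confirm it took effect.
Set-ItemProperty -Path $key -Name 'LogLevel' -Value 3 -Type DWord
"after edit:     LogLevel = $((Get-ItemProperty -Path $key).LogLevel)"

# 3. If the change misbehaves, restore the exported values. Note that import only
#    rewrites the values in the file; values added since the export stay, so delete
#    the key first if you need an exact reset.
reg.exe import $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Restore from $backup failed." }
"after rollback: LogLevel = $((Get-ItemProperty -Path $key).LogLevel)"

# For a whole-system safety net, create a restore point from an elevated prompt
# before editing system hives (Windows limits how often one can be created):
#   Checkpoint-Computer -Description 'Before Registry edit'

Remove-Item -Path $key -Recurse -Force   # remove the hypothetical key again
```

Keep the exported .reg file until you are sure the edit did what you wanted; double-clicking it in Explorer imports it just as the script does.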

The Security Problems That Come with the Registry

The Registry is a keyed database (its hive files are binary, not text): a program asks for a value by its key path and name rather than scanning the whole store, so leftover entries that serve no purpose don't slow your computer down. Such leftovers are especially common with programs that have poorly-written uninstallers; uninstalling an application may not remove all of its Registry data, which leaves unnecessary clutter behind. Although this 'junk data' isn't ideal, our malware researchers don't consider it a source of security or performance problems.

Unfortunately, scammers and malware authors have seized on public confusion about the Registry and spread further misconceptions in pursuit of profit. One of the most common types of scamware is the fake Registry cleaner, a program that claims to improve your PC's performance by cleaning the Registry. The marketing claims made for these programs are almost always fraudulent or, at a minimum, greatly exaggerated, since junk entries don't measurably affect performance in the first place. The programs themselves may also attack your PC by blocking other programs, hijacking your browser or lowering your security settings.

RegClean was Microsoft's own Registry-cleaning utility; it was never installed by default, was written for much older versions of Windows and is no longer offered by Microsoft. As with the Registry Editor, third parties provide alternatives, but you should take care to distinguish genuine Registry cleaners from fraudulent ones, and remember that a healthy PC needs neither.

Because the Registry holds data for all types of programs, malware authors often try to block access to the database. A trojan may block Regedit.exe specifically, along with other common tools such as Windows Task Manager. Two common ways of doing so are setting the DisableRegistryTools and DisableTaskMgr policy values under HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, which Windows itself honours, and registering a 'Debugger' for the tool under Image File Execution Options so that another program runs in its place. The standard solution is to boot a clean operating system from removable media or to start Windows in Safe Mode; either usually keeps the malware from running, so that you can open the Registry Editor and remove the offending values.
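A check for the two blocking mechanisms just described, as an added example rather than code from the original article. It reads the policy values under both HKCU and HKLM and looks for a Debugger value under the Image File Execution Options subkeys of Regedit, Task Manager and a few other tools that malware commonly targets (that tool list is the author's choice, not something the article specifies); it only reports and leaves the remediation to you.

```powershell
# Added example (not from the original article): audit the Registry for the usual
# ways malware blocks regedit.exe and Task Manager. Read-only; nothing is changed.
$findings = @()

# 1. Policy values. DisableRegistryTools: 0 = allowed, 1 = blocked, 2 = blocked even
#    in silent (/s) mode. DisableTaskMgr: 1 = blocked. HKCU and HKLM both apply.
foreach ($root in 'HKCU', 'HKLM') {
    $pol = "${root}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (-not (Test-Path $pol)) { continue }
    $p = Get-ItemProperty -Path $pol
    foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
        $prop = $p.PSObject.Properties[$name]
        if ($prop -and $prop.Value -ne 0) {
            $findings += "$pol\$name = $($prop.Value)"
        }
    }
}

# 2. Image File Execution Options. A 'Debugger' value under a subkey named after an
#    executable makes Windows launch that debugger instead of the executable; outside
#    developer machines it is almost always a hijack. The tool list is an assumption.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'regedit.exe', 'taskmgr.exe', 'msconfig.exe', 'cmd.exe') {
    $k = Join-Path $ifeo $exe
    if (-not (Test-Path $k)) { continue }
    $dbg = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "$k\Debugger = $dbg" }
}

if ($findings.Count -eq 0) {
    'No Registry-tool blocking found.'
} else {
    'Possible tampering with Registry or Task Manager access:'
    $findings | ForEach-Object { "  $_" }
    # Remediation, from Safe Mode or a clean boot, in an elevated prompt:
    #   Remove-ItemProperty -Path <policy key> -Name DisableRegistryTools
    #   Remove-ItemProperty -Path <IFEO key>   -Name Debugger
}
```

Reading HKCU needs no elevation; the HKLM branches are readable by standard users as well, so the audit can run from a normal prompt. A finding under HKLM that you did not set through Group Policy deserves the Safe Mode treatment described above rather than a quick fix from the running system, since the malware that set it is likely still active.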

Malware also may delete or modify Registry values belonging to particular programs, as well as values tied to key security features, which leaves the associated software or feature nonfunctional until the values are restored. The easiest way to restore a deleted entry that belongs to an application is to reinstall the application. If you need a thorough recovery of the Registry's earlier state, you can roll it back with System Restore, which restores the system hives from a restore point; restore points must already exist, so confirm that System Protection is turned on before you need it. Only especially brave PC users and Windows architecture experts should edit the Registry by hand without any kind of automated assistance.

Competent anti-malware software includes removal routines that scour the Registry for malicious values and delete them, and it may also be able to restore specific benign entries that were modified maliciously.

At the end of the day, your average PC owner doesn't need to concern himself or herself with the Registry's inner workings. Occasional maintenance with various Windows tools will provide all the 'tidying up' that your Registry requires. However, understanding your PC does require understanding the basics about your Registry. This also can provide a good deal of preemptive protection from some of the most common PC threats that our malware researchers have seen.
