This article is work in progress so don't rely on it being completely correct. The format of some sections is likely to dramatically change to clarify and simplify the content. There will also be further work added to bring it up to Windows 8. I am publishing it now to give people the opportunity to ask questions and suggest improvements.
- What is the Windows registry?
- What activities change the Windows registry?
- How is the registry stored on disk?
- How is the registry stored in memory?
- How is the registry managed?
- How does Windows startup use the registry?
- Answers to some other common questions
What is the Windows Registry?
The complete registry only exists in memory
The registry is commonly described as a hierarchical database. But you may not have realized two important facts:
- The registry database is only ever complete when loaded into your computer's memory.
- The registry is the sum of two parts, the data and the processes that create it and provide access to it.
Diagram 1 - Windows assembles the registry in memory
This is so important that I'll repeat it. At the heart of the registry is a database that exists in two main forms:
- Some registry hives are stored on disk even when Windows is not running.
- All the registry hive structures only exist in memory. This includes a set of volatile hives that only exist when Windows is running.
The registry can only be accessed through the Registry Configuration Manager
The other Windows components that allow the registry data to be accessed are in the Windows kernel. The Registry Configuration Manager is the most dedicated, but other kernel components like the Object Manager provide further essential capabilities. These are discussed in more detail in How is the registry managed? but here's a preview so you can picture it.
Diagram 2 - Windows kernel components provide access to the registry
The beehive references started as a joke
In reading about the registry you may have noticed the references to hives, bees and cells. They are a long running joke. Apparently, one of the developers hated bees and another developer took the opportunity to introduce many references to bees. It is also relevant that the registry database is indexed using binary trees or B-trees (pronounced "Bee-trees"). That's why the primary database structures are called hives.
You can see the registry database structure by running the registry editor, RegEdit. It shows one hierarchical tree, but the Windows registry is not one big database file. The primary data structure is the hive, of which there are several. Each hive is identified by a root key which provides access to all sub-keys in the tree up to 512 levels deep.
Each hive has a root key
There are six pre-defined root keys which are used to access all other keys or sub-keys. In other words, the binary tree is traversed from the root downwards. So new keys are added through these root keys and all existing keys have to be found through the root keys. One disadvantage of this approach is that a problem with a higher key may prevent access to lower keys. In practice this does not occur very often.
The following table lists the root keys with the abbreviations that will be used in the remainder of this article.
Table 1 - Registry root keys
Root Key Abbreviation | Root Key Name | Component data is stored for |
HKCC | HKEY_CURRENT_CONFIG | Current hardware |
HKCR | HKEY_CLASSES_ROOT | Classes (types) of documents and registered applications |
HKCU | HKEY_CURRENT_USER | Current logged-on user |
HKLM | HKEY_LOCAL_MACHINE | The system hardware, software and security |
HKPD | HKEY_PERFORMANCE_DATA | Performance data |
HKU | HKEY_USERS | User profiles |
Registry HKEYS are handle keys used to access the registry objects
As shown in Diagram 2, programs gain access to the registry by using the Registry Application Programming Interface (API), which provides a standard set of functions for the Windows sub-systems and application programs to access and update the Registry. This is how the Registry editor (RegEdit) and other utilities work. When a program uses the API to access the registry, the Windows Object Manager will return a handle for the object identified by a key. That is why the "HKEY" in the root keys means "handle key".
Although the handles are valid in any registry, they can be used differently in different versions of Windows. Also, some registry handles are not provided from the registry hives. HKPD, for example, is diverted by the API to the Windows performance management sub-systems. That is why you cannot find HKEY_PERFORMANCE_DATA when you use the Registry editor.
The registry structure is like a file storage structure
You may find it easier to relate to the registry terminology by referring to tree formats or file storage. The analogy of files is particularly apt because Windows used to be configured from .INI files. More particularly, the keys themselves use file-naming conventions. This is a handy feature because Windows can manage registry objects just like file objects. Registry hives have symbolic links, which are like virtual path mappings in a file system. Registry subkeys also have owners and permissions, just like directories and folders.
Table 2 - Relating to Registry terminology
Registry | Other trees | File storage |
Hive | Tree | File-system |
Key | Node | Directory or folder |
Subkey | Subnode | Subdirectory or subfolder |
Value | Key | File |
Type | Type | File type |
Data | Value | File content |
You might have noticed that I haven't explained what cells are here. I mentioned them when discussing hives and bees. The reason that they aren't here is that cells are part of the in-memory structure for the hives and are not visible anywhere outside the kernel. They will only be explained if I add a section on the internal workings of the Registry Configuration Manager.
The registry is kernel-based for speed
The registry is an integral part of Windows so it is based in the Windows kernel for the best performance and access to the most important components of Windows.
The registry is designed to save space
The registry stores configuration settings in a hierarchy to minimise the size of the registry. System-wide settings are used first, then the user settings are added on top. This means that the user settings only have to store those settings that differ from the default. The user settings then supersede the equivalent system-wide settings.
The same applies for programs and hardware. Programs normally have settings for the system, e.g. installed components, and settings for each user, e.g. recently-opened files. Likewise multiple hardware profiles can be used.
Another advantage of only storing differences from the system or default settings is that different users can easily use the same computer with the same system configuration. They only need the settings in their profile to customize the system to suit them.
The minimized size of the user settings also makes it easier to transmit those settings when you are roaming and log onto a different computer on the same local area network (LAN) or wide area network (WAN).
Diagram 3 - User settings override system-wide settings
Specific differences | User-specific differences, e.g. HKCU\User SID | System-specific differences, e.g. HKCU\Software\Classes
Defaults | User defaults, e.g. HKU\.default | System-wide defaults, e.g. HKLM\Software\Classes
Some of the registry complexity is to maintain backward compatibility
Originally Windows 3.1 only had the REG.DAT file. Windows 95 to ME and NT had SYSTEM.DAT and USER.DAT. Every major release of Windows introduces further complexity to the files and the internal structure, so some hives are retained purely for backwards compatibility. This leaves us with three main categories of hive:
- Windows 9x (and 3.1) software classes, to maintain compatibility with 16-bit applications, OLE and the Component Object Model (COM) for developing applications.
- Windows 2000 Standard hives, which are maintained to allow users to roam with a standard configuration. Windows 2000 largely moved to the current registry files.
- Windows latest versions.
Two further developments add to this complexity:
- The emulation of 32-bit Windows on 64-bit Windows (WOW64), which allows 32-bit and 64-bit registry entries to coexist in the registry.
- The introduction of the .NET Framework and web-based software, which is superseding the old COM framework.
What activities change the Windows Registry?
Windows installs and upgrades
Windows setup copies a prototype version of the Registry from the install media.
Diagram 4 - Setup uses a prototype registry to setup Windows
If you have an option to upgrade then Windows installs the new registry formats and then copies or converts the existing keys as appropriate.
Diagram 5 - Windows upgrades merge the existing registry hives into the prototype
Windows startup
The Windows startup sequence is quite complex so it is discussed separately in How does Windows startup use the registry?
The first steps of startup are designed to determine the configuration needed to load Windows. But initially the Windows Kernel and the registry are not loaded, so the Boot Configuration Data (BCD) is loaded from its file. Once the Windows Loader is started, the hardware abstraction layer and the kernel image are loaded before the Registry API is available. The System hive is loaded into physical memory to determine the relevant control set to be used to configure Windows properly. The registry is then assembled, and from that point further startup processes access the registry and make changes. These changes reflect any further changes to the computer configuration and any problems that develop.
User logon
When a user logs on, Windows loads hives that are specific to that user. These contain settings that differ from the defaults. How does Windows startup use the registry? also provides further details for this.
Device driver changes
When we install (or uninstall) drivers this changes the registry. We may not even notice this happening because new hardware is normally recognized automatically by Plug and Play, so the correct drivers can be loaded without our intervention.
Application changes
Installing or uninstalling applications is a major source of changes after the initial install of Windows. This almost always involves user intervention.
User interaction primarily with programs
We also have interactions with our application programs and Windows components. These programs modify the registry in many ways, and the changes can be to system-wide settings as well as user-specific settings.
Diagram 6 - The registry is changed by driver and application changes or simply using a program
How is the Registry stored on disk?
The Registry files are stored in several locations
The following table lists all the Windows directories where Registry data files can be found. The files are effectively snapshots of most but not all of the Registry hives. Table 3 summarises the main file locations. If you look on your disk, you will see that there are further sub-directories in each of these directories.
Table 3 - Registry hive file locations
File Location | Example file location | File name | Description
%UserProfile% | C:\Users\Username\ | NTUser.dat | User profile configuration
%SystemRoot%\System32\Config\ | C:\Windows\System32\Config\ | Components, Default, SAM, Security, Software, System | System configuration
%SystemRoot%\ServiceProfiles\LocalService | C:\Windows\ServiceProfiles\LocalService | NTUser.dat | User profile configurations used by Windows
%SystemDrive%\Boot or %SystemDrive%\EFI\Microsoft\Boot | C:\Boot\ or C:\EFI\Microsoft\Boot | BCD | Boot Configuration Data
%UserProfile%, %SystemRoot%\System32\Config\, %SystemRoot%\System32\Config\Txr etc | C:\Users\Username\, C:\Windows\System32\Config\, C:\Windows\System32\Config\Txr etc | | Transaction Registry (TxR) files can be found in the main registry hive folders.
There are several types of Registry file
The primary registry files usually have no file extension (except for NTUser.dat) but there are other files that do. They attach the extension to the entire filename, including the original extension. Table 4 indicates most of those file types.
Table 4 - Other files
File Extension | Example filenames | Purpose |
none | System NTUser.dat | Hive backup created by the Configuration Manager |
ALT | System.alt | Backup for the System key created by the Configuration Manager |
BLF | NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf | TxR transaction files1 |
LOG, LOGn | System.log, System.log1, etc NTUser.dat.log, NTUser.dat.log1, etc | Transaction log of the key and value changes created by the Configuration Manager |
REGTRANS-MS | NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms | TxR transaction files1
REG | no standard names | REGistration entry files are created by RegEdit and other programs |
SAV | System.sav | Windows Vista and 7 initial SYSTEM install file. Windows 2000, XP and 2003 backup copy of the system configuration at the end of the text-mode startup, before the graphics-mode startup began. If graphics-mode fails, the restart loads the .sav file to skip text-mode.
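To see the file types of Tables 3 and 4 on a live system, here is an added PowerShell example (not code from the original article). It inventories each primary system hive in %SystemRoot%\System32\Config together with its companion files, and lists the files beside the current user's NTUser.dat. The hive and directory names come from Tables 3 and 4; the grouping into transaction logs, backups and TxR files is my own. It assumes PowerShell 3.0 or later and an elevated session, because System32\Config is not readable by standard users.

```powershell
# Added example: inventory primary hive files and their companion files.
# Not code from the original article.
function Get-HiveFileInventory {
    param(
        # Directory holding the system hives (Table 3)
        [string]$ConfigDir = (Join-Path $env:SystemRoot 'System32\Config'),
        # Primary hive file names from Table 3; they carry no extension
        [string[]]$PrimaryHives = @('COMPONENTS', 'DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM')
    )
    foreach ($hive in $PrimaryHives) {
        $primary = Join-Path $ConfigDir $hive
        if (-not [System.IO.File]::Exists($primary)) { continue }

        # Companion files attach their extension to the whole hive name (SYSTEM.LOG1, SYSTEM.sav, ...)
        $companions = @(Get-ChildItem -LiteralPath $ConfigDir -Filter "$hive.*" -File -Force -ErrorAction SilentlyContinue)
        $p = Get-Item -LiteralPath $primary -Force

        [pscustomobject]@{
            Hive         = $hive
            PrimaryBytes = $p.Length
            LastWrite    = $p.LastWriteTime
            # .LOG, .LOG1, .LOG2: Configuration Manager transaction logs (Table 4)
            TxLogs       = @($companions | Where-Object { $_.Extension -match '^\.LOG\d*$' } | ForEach-Object Name)
            # .sav / .alt: install-time and System-key backups (Table 4)
            Backups      = @($companions | Where-Object { $_.Extension -in '.sav', '.alt' } | ForEach-Object Name)
            # .blf / .regtrans-ms: TxR (transactional registry) files (Table 4)
            TxR          = @($companions | Where-Object { $_.Name -match '\.(blf|regtrans-ms)$' } | ForEach-Object Name)
        }
    }
}

# The same companion-file pattern beside the current user's profile hive (NTUser.dat, Table 3).
# These files are hidden, hence -Force.
function Get-UserHiveFiles {
    param([string]$ProfileDir = $env:USERPROFILE)
    Get-ChildItem -LiteralPath $ProfileDir -Filter 'NTUSER.DAT*' -File -Force |
        Select-Object Name, Length, LastWriteTime
}

# Usage:
#   Get-HiveFileInventory | Format-List
#   Get-UserHiveFiles | Format-Table -AutoSize
```

A primary hive whose LastWrite is far older than its .LOG1/.LOG2 companions is normal: as the later section on the Configuration Manager explains, memory writes are immediate while disk writes are batched through the logs. What is worth a second look in a baseline comparison is a hive or companion file appearing in one of these directories that is not listed in Tables 3 and 4.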
How is the registry stored in memory?
In-memory Registry hives
The registry hives in memory have the same data as the hive file data structures. However the data structure and indexing are different. As I said earlier, these hives form the complete registry because some hives do not exist on disk.
The hives for each user account utilise the Security ID (SID) as the unique identifier. Such variable key names are indicated in italics in Table 5. The list of profiles is stored in HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList.
Table 5 - Registry hives
Hive key | Format | Links | Hive description
HKCC | volatile, pre-2000 | Symbolic for 9x | Current hardware profile which only includes the differences from the standard configurations. HKCC is a symbolic key to the current hardware profile under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles.
HKCR | volatile, pre-2000 | Symbolic for 3.1 | Primarily for backward compatibility with 16-bit Windows, i.e. back to Windows 3.1. Stores types (or classes) of documents and registered applications. HKCR is a symbolic key to HKLM\SOFTWARE\Classes (the default settings) and HKCU\Software\Classes (settings for the current user, which take priority over the default settings), combining them into one view.
HKCU\User account SID | 2000 standard | Symbolic for 9x | The preferences of the current (logged-in) user. This configuration is designed to roam with the user.
HKLM\BCD00000000 | | | Since Vista, Boot Configuration Data, for which there is not a hive. NB: Use BCDedit.exe and not RegEdit.exe to edit the BCD.
HKLM\Components | | |
HKLM\Hardware | volatile | | Hardware data created during the boot/startup process.
HKLM\SAM | 2000 standard | | SAM = Security Accounts Manager. This is usually empty unless you've been authorized to access another system. Then it will be linked to another SAM database.
HKLM\Security | 2000 standard | | This is usually empty unless you've been authorized to access another system. Then it will be linked to other security policies.
HKLM\Software | | | The largest part of the registry. Software settings updated by applications. Primarily set by the software applications, apart from Windows settings.
HKLM\System | | | System configuration
HKU\.Default | 2000 standard | | Defaults for all user accounts on the computer. User accounts only store the differences from this profile. If group policies are set then this is copied to HKCU.
HKU\User account SID | | | User accounts
HKU\User account SID_Classes | | | Classes for the user account
HKU\Local Service account SID | | | Pre-defined account used by Windows to run services on your PC with minimum privileges. Used for example if a login process is not found. Unused since Vista.
HKU\Network Service account SID | | | Pre-defined account used by Windows to run services on your PC with minimum privileges. Used for example if a login process is not found. Unused since Vista.
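As an added PowerShell example (not code from the original article), the following function ties the ProfileList key mentioned above to Tables 3 and 5: for each profile it reports the SID, the NTUser.dat file that holds that user's hive on disk, and whether the SID's hive and its _Classes companion are currently loaded under HKEY_USERS. It assumes PowerShell 3.0 or later on Windows; run it elevated to read every profile's path.

```powershell
# Added example: map ProfileList entries to NTUser.dat files and to the hives
# currently loaded under HKEY_USERS. Not code from the original article.
function Get-ProfileHiveStatus {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    # Names of the hives loaded under HKU right now: .DEFAULT, S-1-5-18, S-1-5-21-..., S-1-5-21-..._Classes
    $loaded = @(Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object PSChildName)

    foreach ($key in Get-ChildItem -Path $profileList) {
        $sid = $key.PSChildName
        $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
        if (-not $imagePath) { continue }

        # Service account profiles are stored with %systemroot% in the path, so expand it
        $imagePath = [Environment]::ExpandEnvironmentVariables($imagePath)
        $hiveFile  = Join-Path $imagePath 'NTUSER.DAT'

        [pscustomobject]@{
            SID           = $sid
            ProfilePath   = $imagePath
            HiveFile      = $hiveFile
            # NTUSER.DAT is a hidden file, so ask .NET directly rather than a provider lookup that hides it
            HiveOnDisk    = [System.IO.File]::Exists($hiveFile)
            LoadedInHKU   = $sid -in $loaded
            ClassesLoaded = "${sid}_Classes" -in $loaded
        }
    }
}

# Usage: Get-ProfileHiveStatus | Format-Table -AutoSize
```

HKU\.DEFAULT does not appear in the output because it is not a profile in ProfileList; it is the defaults hive from Table 5. A profile whose hive is LoadedInHKU while no such user is logged on is normal only for the service accounts and for the user running the script.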
Differences between the hives
Apart from the obvious differences in configuration data, there are three main differences between the various Registry hives:
- Some are symbolic links (also called aliases and clones) that point to other hives.
- Some are volatile and are not permanently stored on disk.
- Some retain compatibility with earlier versions of Windows, e.g. the Standard hives that remain unchanged since Windows 2000.
Symbolic keys are also called alias or clone links. They redirect the Registry Configuration Manager to another key. In other words they provide a different view of the same data. They function in a similar manner to Windows shortcuts. Any changes to the real keys are cloned to the symbolic keys but not vice versa. This also means that they are not copies.
For example, HKCR is a symbolic link to HKLM\SOFTWARE\Classes (the default settings) and HKCU\Software\Classes (settings for the current user), combining them into one view. Any data contained in HKCU overrides any data contained in HKLM. Therefore any change in HKCR is always "cloned" into HKCU.
Volatile hives
The volatile hives are either created from different information or are different views of information contained in the Registry files:
- HKCR is a symbolic key to HKLM\SOFTWARE\Classes (the default settings) and HKCU\Software\Classes (settings for the current user, which take priority over the default settings), combining them into one view.
- HKCC is a symbolic key to the current hardware profile under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles.
- HKLM\Hardware is created at startup.
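An added PowerShell example (not code from the original article) that shows the HKCR merge described above, and the Diagram 3 rule that user settings override system-wide ones, for one class key: it reads the key's default value from HKLM\SOFTWARE\Classes, from HKCU\Software\Classes and from the merged HKCR view, and reports which of the two real locations HKCR is presenting. The class key is a parameter, e.g. '.txt' or 'txtfile\shell\open\command'; PowerShell 3.0 or later is assumed.

```powershell
# Added example: show which real key a merged HKCR class key resolves from.
# Not code from the original article.
function Resolve-ClassKeySource {
    param(
        # Relative class key, e.g. '.txt' or 'txtfile\shell\open\command'
        [Parameter(Mandatory)][string]$ClassKey
    )
    $paths = [ordered]@{
        HKCU = "HKCU:\Software\Classes\$ClassKey"          # per-user settings, take priority
        HKLM = "HKLM:\SOFTWARE\Classes\$ClassKey"          # system-wide defaults
        HKCR = "Registry::HKEY_CLASSES_ROOT\$ClassKey"     # the merged, symbolic view
    }
    $exists  = @{}
    $default = @{}
    foreach ($name in $paths.Keys) {
        $exists[$name] = Test-Path -LiteralPath $paths[$name]
        # '' is the key's default value; $null when the key or the value is absent
        $default[$name] = if ($exists[$name]) { (Get-Item -LiteralPath $paths[$name]).GetValue('') } else { $null }
    }

    # The merge rule from the article: HKCU overrides HKLM; HKCR shows whichever is present
    $source = 'not defined in either location'
    if ($exists.HKLM) { $source = 'HKLM (system-wide default)' }
    if ($exists.HKCU) { $source = 'HKCU (per-user override)' }

    [pscustomobject]@{
        ClassKey         = $ClassKey
        HKCUDefault      = $default.HKCU
        HKLMDefault      = $default.HKLM
        HKCRDefault      = $default.HKCR
        HKCRResolvedFrom = $source
        # A per-user key shadowing a system-wide one changes what HKCR returns for this
        # user only, without any change under HKLM, so it is worth reviewing
        OverridesSystem  = [bool]($exists.HKCU -and $exists.HKLM)
    }
}

# Usage: '.txt', 'txtfile\shell\open\command' | ForEach-Object { Resolve-ClassKeySource $_ }
```

When OverridesSystem is true, HKCRDefault equals HKCUDefault rather than HKLMDefault, which is the "HKCU overrides HKLM" behaviour in action; comparing the two columns across the class keys an application relies on is a simple way to check that the merged view really shows the system-wide defaults.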
Standard versus Latest hive formats
Latest hives have the most up-to-date format whereas Standard hives retain a format that is compatible with Windows 2000. That means in a mixed Windows computing environment the settings can be used on computers running different versions of Windows and users can roam all those computers.
The Standard hives that remain compatible with Windows 2000 are:
- HKCU
- HKLM\SAM
- HKLM\Security
- HKU\.DEFAULT
How is the Registry managed?
The kernel-mode Configuration Manager manages the registry
The kernel-mode Configuration Manager is the primary component of the Windows Kernel Image that manages the Registry. It works with several Kernel components such as the Object Manager, which handles resource management for Kernel subsystems, and the Transaction Manager, which ensures transactions are completed or reversed if they partially complete.
The Object Manager integrates Registry hive keys into the Kernel namespace. As I said earlier, Registry keys use Windows file-naming conventions. The Object Manager knows that a name beginning with "\Registry" should be handed to the Configuration Manager.
The Configuration Manager manages changes to the Registry Hive
When handed an object by the Object Manager, the Configuration Manager searches the hive tree for the key.
The example in Diagram 6 indicates the two forms of the registry keys. The RegEdit and API form, HKLM\SYSTEM\CurrentControlSet, is translated by Win32 or Win64 to the object namespace form, \Registry\Machine\System\CurrentControlSet, and then passed on to the Configuration Manager as \Machine\System\CurrentControlSet.
Diagram 6 - The Registry Configuration Manager manages access to and changes of the registry hives
The Configuration Manager writes non-volatile hive changes to the hive files
The Transaction Manager, as mentioned already, handles atomic updates of the Registry hive files, ensuring that related changes are completed together or rolled back together if there is an error. You will notice that I have left the Transaction Manager out of the following diagram to keep it simple, with the emphasis on the Configuration Manager managing the changes. There is also a registry cache for writes to disk. Writes to hives in memory are made immediately whereas writes to the disk files are grouped together and written in batches.
Diagram 7 - The Registry Configuration Manager manages changes of the registry hives
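An added PowerShell example (not code from the original article) of the name translation described above and of the hivelist key that the startup table below says the kernel uses to find the on-disk hives. ConvertTo-ObjectNamespacePath rewrites a RegEdit-style path into the \Registry\... object namespace form; Get-HiveListMapping reads HKLM\SYSTEM\CurrentControlSet\Control\hivelist, where each value name is a hive in that object form and the data is its backing file, empty for the volatile hives. Translating HKCU to \Registry\User\<SID> via the current user's SID is my own addition, not something the article states; PowerShell 3.0 or later is assumed.

```powershell
# Added example: translate RegEdit/API key names into object-namespace names and
# read the kernel's hivelist. Not code from the original article.
function ConvertTo-ObjectNamespacePath {
    param([Parameter(Mandatory)][string]$Win32Path)   # e.g. 'HKLM\SYSTEM\CurrentControlSet'
    $parts = $Win32Path -split '\\', 2
    $root  = $parts[0].ToUpperInvariant()
    $rest  = if ($parts.Count -gt 1) { '\' + $parts[1] } else { '' }

    # HKCU is only a handle to HKU\<SID>, so the current SID is needed (assumption: interactive Windows session)
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

    switch ($root) {
        { $_ -in 'HKLM', 'HKEY_LOCAL_MACHINE' } { return "\Registry\Machine$rest" }
        { $_ -in 'HKU',  'HKEY_USERS' }         { return "\Registry\User$rest" }
        { $_ -in 'HKCU', 'HKEY_CURRENT_USER' }  { return "\Registry\User\$sid$rest" }
        default { throw "No object-namespace mapping for root key '$root'" }
    }
}

# hivelist: value name = hive in object-namespace form, data = backing file as a
# \Device\HarddiskVolumeN\... path, or an empty string for volatile hives such as HARDWARE.
function Get-HiveListMapping {
    $key = Get-Item -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    foreach ($name in $key.GetValueNames()) {
        $file = $key.GetValue($name)
        [pscustomobject]@{
            Hive     = $name
            File     = $file
            Volatile = [string]::IsNullOrEmpty($file)
        }
    }
}

# Usage:
#   ConvertTo-ObjectNamespacePath 'HKLM\SYSTEM\CurrentControlSet'   # \Registry\Machine\SYSTEM\CurrentControlSet
#   Get-HiveListMapping | Format-Table -AutoSize
```

The hivelist output is a convenient cross-check for the earlier sections: the entries with an empty File column are the volatile hives, and the rest are the files from Table 3 written in the device path form the kernel uses instead of a drive letter.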
How does Windows startup use the registry?
A quick overview
When you boot your computer and start Windows there are several processes that involve the registry. I've summarized them in this diagram. The main points are that:
- A BCD hive is created in memory but it is not loaded from the hive files. Instead the BCD is loaded from the BCD files stored on disk.
- The SYSTEM hive is usually a smallish hive because it has to fit into about half the available physical memory during startup. The Windows Boot Manager temporarily loads the SYSTEM hive into physical memory so Windows can start up before loading the Kernel Image. The Kernel includes the remaining registry components and supporting systems, including virtual memory and the Registry API, which are used to load the rest of the hives.
- Windows Logon also loads user hives. For example, HKCU is loaded when logon is successful. NB: this diagram will be updated to reflect that in a later update.
Diagram 8 - Windows startup processes use the registry
More detail on Windows startup steps
The following table provides much more detail about what is happening at each step. Note that I've assumed there is no option to select a different boot manager or boot configuration. Also note that most processes are performed sequentially (i.e. asynchronously) while some processes are performed at the same time (i.e. synchronously). This sequence is primarily defined for Windows Vista and 7, so there are some differences from Windows XP which may be noted.
Table 6 - Startup activities
POST
Activity | Registry involvement
POST (Power-On Self Test) hardware: motherboard first then adapters. |
Search for boot device to start the OS. This data is stored in CMOS. |
Windows Boot Manager (bootmgr) since Vista; previously NTLdr in XP.
Activity | Registry involvement
Detect hardware to pass to Windows Loader |
Load the default boot configuration | Since Vista, the Boot Configuration Data (BCD) is stored in a Registry-compatible file stored in \Boot\BCD or in the Extensible Firmware Interface (EFI) partition. XP used the Boot.ini file.
Windows Loader (Winload) operating system loader since Vista; previously the operating system loader function of NTLdr in XP.
Activity | Registry involvement
Loads HAL (Hardware Abstraction Layer) |
Detects the hardware configuration | Loads the System hive from %SystemRoot%\System32\Config\System.
Load the Kernel Image (NTOSKRNL.EXE) which includes the Cache Manager, Executive, Kernel, Memory Manager, Scheduler, Security Reference Monitor, etc | The Registry uses the Configuration Manager and other Kernel systems.
Winload passes the hardware detection data to the kernel | Passes the path to the System hive and BCD
Windows Logo appears. |
Windows Kernel (ntoskrnl)
Activity | Registry involvement
Enable the Registry API | Before loading the Registry hive files. Scans the registry for the paged pool settings.
Create a control set to initialize the computer | HKLM\SYSTEM\Select defines which control set in HKLM\SYSTEM should be used. There is more than one control set so there is redundancy if one has a fault. A hardware profile is loaded: HKCC has a handle pointing to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\
Load (but don't initialise) low-level (boot-class) device drivers | Start = 0 in HKLM\SYSTEM\CurrentControlSet\Services\ServiceName. HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder defines the loading order.
Load the file system |
Initialize the loaded device drivers |
Load and initialize other device drivers | Start = 1. Loading order is stored in HKLM\SYSTEM\CurrentControlSet\Services
Start programs which should run before starting any services |
Load and initialize system services | Includes the paging pool which holds the Registry hives.
Create the paging file (Pagefile.sys) |
Start all the needed Windows subsystems | Session Manager configuration in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
The Configuration Manager finds the on-disk hives | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist contains the list of hive files.
Check if drives were shutdown correctly |
Create environment variables | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Start kernel-mode and user-mode Windows subsystems (e.g. Win32k and Win32) |
Start virtual memory paging files | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Windows Logon Manager (winlogon)
Activity | Registry involvement
Run graphical logon screen: Credential Provider for Vista and 7; Graphical Identification and Authentication (GINA) for XP. |
The Begin Logon prompt appears |
Read per-user settings e.g. menu and icon arrangement |
Run services | HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce and RunServices
Load other services and drivers |
Network related components load asynchronously |
Load user profile | A successful logon loads the user profile into HKCU. Read HKLM\SAM\
Activate the shell | Command prompt settings in HKCU\Console; environment settings in HKCU\Environment; Unicode settings in HKCU\Unicode
Detect new devices (Plug and Play) | Updates the Registry. HKLM\System\Enum has keys for each class of hardware; HKLM\System\Hardware\; HKLM\System\Network\
Update the control sets when logon is successful | Last Known Good Configuration is updated to reflect the current state.
Starts programs. | Read system settings e.g. installed components. Read per-user settings e.g. window size, recently opened files. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and Run; HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run; HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load and Run; HKCU\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce. %ALLUSERSPROFILE%\Start Menu\Programs\Startup\ and %USERPROFILE%\Start Menu\Programs\Startup\ were localized on non-English XP.
Optionally, lock the computer when the screensaver runs |
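The Select, Services, ServiceGroupOrder and Run keys in Table 6 can be read back with an added PowerShell example (not code from the original article). It resolves which ControlSetNNN key CurrentControlSet stands for, lists the boot-class (Start = 0) drivers in the order that ServiceGroupOrder gives their groups, and enumerates the autostart values in the Run, RunOnce, Policies\Explorer\Run and Windows\Load locations named in the table. The Wow6432Node copy of the Run key is my addition for 64-bit Windows (the WOW64 redirection mentioned earlier); PowerShell 3.0 or later is assumed.

```powershell
# Added example: read the startup-related keys from Table 6. Not code from the original article.

# HKLM\SYSTEM\Select: which ControlSetNNN is current, default, last known good and failed
function Get-ControlSetSelection {
    $sel = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    [pscustomobject]@{
        Current       = $sel.Current
        Default       = $sel.Default
        LastKnownGood = $sel.LastKnownGood
        Failed        = $sel.Failed
        CurrentKey    = 'HKLM\SYSTEM\ControlSet{0:D3}' -f $sel.Current
    }
}

# Boot-class drivers (Start = 0) ordered by the group order in Control\ServiceGroupOrder\List
function Get-BootStartDrivers {
    $ccs = 'HKLM:\SYSTEM\CurrentControlSet'
    $groups = @((Get-ItemProperty -Path "$ccs\Control\ServiceGroupOrder" -Name List).List)   # REG_MULTI_SZ
    $rank = @{}
    for ($i = 0; $i -lt $groups.Count; $i++) { $rank[$groups[$i]] = $i }

    Get-ChildItem -Path "$ccs\Services" -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $svc -and $svc.Start -eq 0) {
            $groupRank = [int]::MaxValue        # groups not in the list load after the listed ones
            if ($svc.Group -and $rank.ContainsKey($svc.Group)) { $groupRank = $rank[$svc.Group] }
            [pscustomobject]@{
                Name      = $_.PSChildName
                Group     = $svc.Group
                GroupRank = $groupRank
                ImagePath = $svc.ImagePath
            }
        }
    } | Sort-Object GroupRank, Name
}

# Autostart values from the Run-type keys listed under "Starts programs" in Table 6
function Get-RunKeyEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on x64 (WOW64)
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'        # only its Load value
    )
    foreach ($path in $runKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        # The Windows key holds many values; only Load is an autostart entry
        $names = if ($path -like '*\CurrentVersion\Windows') { @('Load') } else { $key.GetValueNames() }
        foreach ($name in $names) {
            $cmd = $key.GetValue($name)
            if ([string]::IsNullOrEmpty($cmd)) { continue }
            [pscustomobject]@{ Key = $path; Name = $name; Command = $cmd }
        }
    }
}

# Usage:
#   Get-ControlSetSelection
#   Get-BootStartDrivers | Format-Table -AutoSize
#   Get-RunKeyEntries    | Format-Table -AutoSize
```

Get-RunKeyEntries reads only the current user's HKCU; to review every loaded profile, substitute Registry::HKEY_USERS\<SID>\Software\... for the HKCU paths using the SIDs that Get-ChildItem Registry::HKEY_USERS returns. Saving the three outputs after a clean install gives a baseline that later runs can be compared against.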
Answers to some other common questions
What is the maximum size of a registry element?
It is interesting that a registry value can store up to 1MB but a separate file is recommended if it is more than 1 or 2 KB.
What is the maximum size of a registry hive?
The original Windows 3.1 registry was a single-node flat file, REG.DAT. The System registry hive was introduced for Windows 95.
Table 7 - Registry size limits
Windows Version | Registry size | System registry size
Windows 3.1 | 16KB | na
Windows 9x | |
Windows ME | 16MB |
Windows NT 4 | ~154MB |
Windows 2000 | ~296MB, ~80% of the paged pool | 12MB
Windows XP | ~376MB, ~80% of the paged pool | 200MB
Windows Vista, 7, 8 | 2GB, ~half physical memory1, ~75% of the paged pool | 400MB x86, 1.5GB x64, ~half physical memory
How much of the Registry can be loaded into memory?
Normally the entire registry should be loaded into memory. If it is not then it will be paged to disk and your PC will run noticeably slower.
Originally from http://www.techsupportalert.com