{
	"id": "2f82feac-de77-494f-8f4f-bca76fc2d1c1",
	"created_at": "2026-04-06T01:31:37.143196Z",
	"updated_at": "2026-04-10T03:20:23.078001Z",
	"deleted_at": null,
	"sha1_hash": "e846b16c1370e024d27f6512fd10f33de5b16542",
	"title": "Windows Registry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 467024,
	"plain_text": "Windows Registry\r\nBy Contributors to Wikimedia projects\r\nPublished: 2004-11-13 · Archived: 2026-04-06 00:23:01 UTC\r\nWindows Registry Editor\r\nRegistry Editor, the user interface for the registry, in Windows 11\r\nOther names regedit\r\nDeveloper Microsoft\r\nInitial release April 6, 1992; 33 years ago with Windows 3.1\r\nOperating system Microsoft Windows\r\nPlatform IA-32, x86-64 and ARM (and historically DEC Alpha, Itanium, MIPS, and PowerPC)\r\nIncluded with Microsoft Windows\r\nType Hierarchical database\r\nLicense Proprietary\r\nWebsite learn.microsoft.com/en-us/windows/win32/sysinfo/registry \r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 1 of 23\n\nThe Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows\r\noperating system and for applications that opt to use the registry. The kernel, device drivers, services, Security\r\nAccounts Manager, and user interfaces can all use the registry. The registry also allows access to counters for\r\nprofiling system performance.\r\nIn other words, the registry or Windows Registry contains information, settings, options, and other values for\r\nprograms and hardware installed on all versions of Microsoft Windows operating systems. For example, when a\r\nprogram is installed, a new subkey containing settings such as a program's location, its version, and how to start\r\nthe program, are all added to the Windows Registry.\r\nWhen introduced with Windows 3.1, the Windows Registry primarily stored configuration information for COM-based components. Windows 95 and Windows NT extended its use to rationalize and centralize the information in\r\nthe profusion of INI files, which held the configurations for individual programs, and were stored at various\r\nlocations.[1][2] It is not a requirement for Windows applications to use the Windows Registry. For example, .NET\r\nFramework applications use XML files for configuration, while portable applications usually keep their\r\nconfiguration files with their executables.\r\nPrior to the Windows Registry, .INI files stored each program's settings as a text file or binary file, often located in\r\na shared location that did not provide user-specific settings in a multi-user scenario. By contrast, the Windows\r\nRegistry stores all application settings in one logical repository (but also in a number of discrete files) and in a\r\nstandardized form. According to Microsoft, this offers several advantages over .INI files.[2][3] Since file parsing is\r\ndone much more efficiently with a binary format, it may be read from or written to more quickly than a text INI\r\nfile. Furthermore, strongly typed data can be stored in the registry, as opposed to the text information stored in\r\n.INI files. This is a benefit when editing keys manually using regedit.exe , the built-in Windows Registry\r\nEditor. Because user-based registry settings are loaded from a user-specific path rather than from a read-only\r\nsystem location, the registry allows multiple users to share the same machine, and also allows programs to work\r\nfor less privileged users. Backup and restoration is also simplified as the registry can be accessed over a network\r\nconnection for remote management/support, including from scripts, using the standard set of APIs, as long as the\r\nRemote Registry service is running and firewall rules permit this.\r\nBecause the registry is a database, it offers improved system integrity with features such as atomic updates. If two\r\nprocesses attempt to update the same registry value at the same time, one process's change will precede the other's\r\nand the overall consistency of the data will be maintained. Where changes are made to .INI files, such race\r\nconditions can result in inconsistent data that does not match either attempted update. Windows Vista and later\r\noperating systems provide transactional updates to the registry by means of the Kernel Transaction Manager,\r\nextending the atomicity guarantees across multiple key or value changes with traditional commit–abort semantics.\r\n(Note however that NTFS provides such support for the file system as well, so the same guarantees could, in\r\ntheory, be obtained with traditional configuration files.)\r\nStructure of Registry Key\r\n[edit]\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 2 of 23\n\nThe registry contains two basic elements: keys and values. Registry keys are container objects similar to folders.\r\nRegistry values are non-container objects similar to files. Keys may contain values and subkeys. Keys are\r\nreferenced with a syntax similar to Windows' path names, using backslashes to indicate levels of hierarchy. Keys\r\nmust have a case insensitive name without backslashes.\r\nThe hierarchy of registry keys can only be accessed from a known root key handle (which is anonymous but\r\nwhose effective value is a constant numeric handle) that is mapped to the content of a registry key preloaded by\r\nthe kernel from a stored \"hive\", or to the content of a subkey within another root key, or mapped to a registered\r\nservice or DLL that provides access to its contained subkeys and values.\r\nE.g. HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows refers to the subkey \"Windows\" of the subkey\r\n\"Microsoft\" of the subkey \"Software\" of the HKEY_LOCAL_MACHINE root key.\r\nThere are seven predefined root keys, traditionally named according to their constant handles defined in the\r\nWin32 API, or by synonymous abbreviations (depending on applications):[4]\r\nHKEY_LOCAL_MACHINE or HKLM\r\nHKEY_CURRENT_CONFIG or HKCC\r\nHKEY_CLASSES_ROOT or HKCR\r\nHKEY_CURRENT_USER or HKCU\r\nHKEY_USERS or HKU\r\nHKEY_PERFORMANCE_DATA (only in Windows NT, but invisible in the Windows Registry Editor)[5]\r\nHKEY_DYN_DATA (only in Windows 9x, and visible in the Windows Registry Editor)\r\nLike other files and services in Windows, all registry keys may be restricted by access control lists (ACLs),\r\ndepending on user privileges, or on security tokens acquired by applications, or on system security policies\r\nenforced by the system (these restrictions may be predefined by the system itself, and configured by local system\r\nadministrators or by domain administrators). Different users, programs, services or remote systems may only see\r\nsome parts of the hierarchy or distinct hierarchies from the same root keys.\r\nRegistry values are name/data pairs stored within keys. Registry values are referenced separately from registry\r\nkeys. Each registry value stored in a registry key has a unique name whose letter case is not significant. The\r\nWindows API functions that query and manipulate registry values take value names separately from the key path\r\nor handle that identifies the parent key. Registry values may contain backslashes in their names, but doing so\r\nmakes them difficult to distinguish from their key paths when using some legacy Windows Registry API functions\r\n(whose usage is deprecated in Win32).\r\nThe terminology is somewhat misleading, as each registry key is similar to an associative array, where standard\r\nterminology would refer to the name part of each registry value as a \"key\". The terms are a holdout from the 16-\r\nbit registry in Windows 3, in which registry keys could not contain arbitrary name/data pairs, but rather contained\r\nonly one unnamed value (which had to be a string). In this sense, the Windows 3 registry was like a single\r\nassociative array, in which the keys (in the sense of both 'registry key' and 'associative array key') formed a\r\nhierarchy, and the registry values were all strings. When the 32-bit registry was created, so was the additional\r\ncapability of creating multiple named values per key, and the meanings of the names were somewhat distorted.[6]\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 3 of 23\n\nFor compatibility with the previous behavior, each registry key may have a \"default\" value, whose name is the\r\nempty string.\r\nEach value can store arbitrary data with variable length and encoding, but which is associated with a symbolic\r\ntype (defined as a numeric constant) defining how to parse this data. The standard types are:[7]\r\nList of standard registry value types\r\nType\r\nID\r\nSymbolic type name\r\nMeaning and encoding of the data stored in\r\nthe registry value\r\n0 REG_NONE No type (the stored value, if any)\r\n1 REG_SZ\r\nA string value, normally stored and exposed in\r\nUTF-16LE (when using the Unicode version of\r\nWin32 API functions), usually terminated by a\r\nNUL character\r\n2 REG_EXPAND_SZ\r\nAn \"expandable\" string value that can contain\r\nenvironment variables, normally stored and\r\nexposed in UTF-16LE, usually terminated by a\r\nNUL character\r\n3 REG_BINARY Binary data (any arbitrary data)\r\n4\r\nREG_DWORD /\r\nREG_DWORD_LITTLE_ENDIAN\r\nA DWORD value, a 32-bit unsigned integer\r\n(numbers between 0 and 4,294,967,295 [232 – 1])\r\n(little-endian)\r\n5 REG_DWORD_BIG_ENDIAN\r\nA DWORD value, a 32-bit unsigned integer\r\n(numbers between 0 and 4,294,967,295 [232 – 1])\r\n(big-endian)\r\n6 REG_LINK\r\nA symbolic link (UNICODE) to another registry\r\nkey, specifying a root key and the path to the\r\ntarget key\r\n7 REG_MULTI_SZ\r\nA multi-string value, which is an ordered list of\r\nnon-empty strings, normally stored and exposed\r\nin Unicode, each one terminated by a null\r\ncharacter, the list being normally terminated by a\r\nsecond null character.\r\n[8]\r\n8 REG_RESOURCE_LIST\r\nA resource list (used by the Plug-n-Play\r\nhardware enumeration and configuration)\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 4 of 23\n\n9 REG_FULL_RESOURCE_DESCRIPTOR\r\nA resource descriptor (used by the Plug-n-Play\r\nhardware enumeration and configuration)\r\n10 REG_RESOURCE_REQUIREMENTS_LIST\r\nA resource requirements list (used by the Plug-n-Play hardware enumeration and configuration)\r\n11\r\nREG_QWORD /\r\nREG_QWORD_LITTLE_ENDIAN\r\nA QWORD value, a 64-bit integer (either big- or\r\nlittle-endian, or unspecified) (introduced in\r\nWindows 2000)\r\n[9]\r\nThe keys at the root level of the hierarchical database are generally named by their Windows API definitions,\r\nwhich all begin with \"HKEY\".[2] They are frequently abbreviated to a three- or four-letter short name starting with\r\n\"HK\" (e.g. HKCU and HKLM). Technically, they are predefined handles (with known constant values) to specific\r\nkeys that are either maintained in memory, or stored in hive files stored in the local filesystem and loaded by the\r\nsystem kernel at boot time and then shared (with various access rights) between all processes running on the local\r\nsystem, or loaded and mapped in all processes started in a user session when the user logs on the system.\r\nThe HKEY_LOCAL_MACHINE (local machine-specific configuration data) and HKEY_CURRENT_USER\r\n(user-specific configuration data) nodes have a similar structure to each other; user applications typically look up\r\ntheir settings by first checking for them in HKEY_CURRENT_USER\\Software\\Vendor's name\\Application's\r\nname\\Version\\Setting name , and if the setting is not found, look instead in the same location under the\r\nHKEY_LOCAL_MACHINE key. However, the converse may apply for administrator-enforced policy settings\r\nwhere HKLM may take precedence over HKCU. The Windows Logo Program has specific requirements for\r\nwhere different types of user data may be stored, and that the concept of least privilege be followed so that\r\nadministrator-level access is not required to use an application.[a][10]\r\nHKEY_LOCAL_MACHINE (HKLM)\r\n[edit]\r\nAbbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are specific to the local computer.\r\n[11]\r\nThe key located by HKLM is actually not stored on disk, but maintained in memory by the system kernel in order\r\nto map all the other subkeys. Applications cannot create any additional subkeys. On Windows NT, this key\r\ncontains four subkeys, \"SAM\", \"SECURITY\", \"SYSTEM\", and \"SOFTWARE\", that are loaded at boot time\r\nwithin their respective files located in the %SystemRoot%\\System32\\config\\ folder. A fifth subkey,\r\n\"HARDWARE\", is volatile and is created dynamically, and as such is not stored in a file (it exposes a view of all\r\nthe currently detected Plug-and-Play devices). On Windows Vista and above, a sixth and seventh subkey,\r\n\"COMPONENTS\" and \"BCD\", are mapped in memory by the kernel on-demand and loaded from\r\n%SystemRoot%\\System32\\config\\COMPONENTS or from boot configuration data, \\boot\\BCD on the system\r\npartition.\r\nThe \" HKLM\\SAM \" key usually appears as empty for most users (unless they are granted access by\r\nadministrators of the local system or administrators of domains managing the local system). It is used to\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 5 of 23\n\nreference all \"Security Accounts Manager\" (SAM) databases for all domains into which the local system\r\nhas been administratively authorized or configured (including the local domain of the running system,\r\nwhose SAM database is stored in a subkey also named \"SAM\": other subkeys will be created as needed,\r\none for each supplementary domain). Each SAM database contains all built in accounts (mostly group\r\naliases) and configured accounts (users, groups and their aliases, including guest accounts and\r\nadministrator accounts) created and configured on the respective domain, for each account in that domain,\r\nit notably contains the user name which can be used to log on that domain, the internal unique user\r\nidentifier in the domain, a cryptographic hash of each user's password for each enabled authentication\r\nprotocol, the location of storage of their user registry hive, various status flags (for example if the account\r\ncan be enumerated and be visible in the logon prompt screen), and the list of domains (including the local\r\ndomain) into which the account was configured.\r\nThe \" HKLM\\SECURITY \" key usually appears empty for most users (unless they are granted access by users\r\nwith administrative privileges) and is linked to the Security database of the domain into which the current\r\nuser is logged on (if the user is logged on the local system domain, this key will be linked to the registry\r\nhive stored by the local machine and managed by local system administrators or by the built in \"System\"\r\naccount and Windows installers). The kernel will access it to read and enforce the security policy\r\napplicable to the current user and all applications or operations executed by this user. It also contains a\r\n\"SAM\" subkey which is dynamically linked to the SAM database of the domain onto which the current\r\nuser is logged on.\r\nThe \" HKLM\\SYSTEM \" key is normally only writable by users with administrative privileges on the local\r\nsystem. It contains information about the Windows system setup, data for the secure random number\r\ngenerator (RNG), the list of currently mounted devices containing a filesystem, several numbered Control\r\nSets (such as \" HKLM\\SYSTEM\\ControlSet001 \") containing alternative configurations for system hardware\r\ndrivers and services running on the local system (including the currently used one and a backup), a\r\n\" HKLM\\SYSTEM\\Select \" subkey containing the status of these Control Sets, and a\r\n\" HKLM\\SYSTEM\\CurrentControlSet \" which is dynamically linked at boot time to the Control Set which is\r\ncurrently used on the local system. Each configured Control Set contains:\r\nan \"Enum\" subkey enumerating all known Plug-and-Play devices and associating them with\r\ninstalled system drivers (and storing the device-specific configurations of these drivers),\r\na \"Services\" subkey listing all installed system drivers (with non device-specific configuration, and\r\nthe enumeration of devices for which they are instantiated) and all programs running as services\r\n(how and when they can be automatically started),\r\na \"Control\" subkey organizing the various hardware drivers and programs running as services and\r\nall other system-wide configuration,\r\na \"Hardware Profiles\" subkey enumerating the various profiles that have been tuned (each one with\r\n\"System\" or \"Software\" settings used to modify the default profile, either in system drivers and\r\nservices or in the applications) as well as the Hardware Profiles\\Current subkey which is\r\ndynamically linked to one of these profiles.\r\nThe \" HKLM\\SOFTWARE \" subkey contains software and Windows settings (in the default hardware profile). It\r\nis mostly modified by application and system installers. It is organized by software vendor (with a subkey\r\nfor each), but also contains a \"Windows\" subkey for some settings of the Windows user interface, a\r\n\"Classes\" subkey containing all registered associations from file extensions, MIME types, Object Classes\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 6 of 23\n\nIDs and interfaces IDs (for OLE, COM/DCOM and ActiveX), to the installed applications or DLLs that\r\nmay be handling these types on the local machine (however these associations are configurable for each\r\nuser, see below), and a \"Policies\" subkey (also organized by vendor) for enforcing general usage policies\r\non applications and system services (including the central certificates store used for authenticating,\r\nauthorizing or disallowing remote systems or services running outside the local network domain).\r\nThe \" HKLM\\SOFTWARE\\Wow6432Node \" key is used by 32-bit applications on a 64-bit Windows OS, and is\r\nequivalent to but separate from \" HKLM\\SOFTWARE \". The key path is transparently presented to 32-bit\r\napplications by WoW64 as HKLM\\SOFTWARE\r\n[12]\r\n (in a similar way that 64-bit applications see\r\n%SystemRoot%\\Syswow64 as %SystemRoot%\\System32 )\r\nHKEY_CLASSES_ROOT (HKCR)\r\n[edit]\r\nAbbreviated HKCR, HKEY_CLASSES_ROOT contains information about registered applications, such as\r\nfile associations and OLE Object Class IDs, tying them to the applications used to handle these items. On\r\nWindows 2000 and above, HKCR is a compilation of user-based HKCU\\Software\\Classes and machine-based HKLM\\Software\\Classes . If a given value exists in both of the subkeys above, the one in\r\nHKCU\\Software\\Classes takes precedence.[13]\r\n The design allows for either machine- or user-specific\r\nregistration of COM objects.\r\nAbbreviated HKU, HKEY_USERS contains subkeys corresponding to the HKEY_CURRENT_USER\r\nkeys for each user profile actively loaded on the machine, though user hives are usually only loaded for\r\ncurrently logged-in users.\r\nHKEY_CURRENT_USER (HKCU)\r\n[edit]\r\nAbbreviated HKCU, HKEY_CURRENT_USER stores settings that are specific to the currently logged-in\r\nuser.\r\n[14]\r\n The HKEY_CURRENT_USER key is a link to the subkey of HKEY_USERS that corresponds to\r\nthe user; the same information is accessible in both locations. The specific subkey referenced is (HKU)\\\r\n(SID)\\... where (SID) corresponds to the Windows SID; if the \"(HKCU)\" key has the following suffix\r\n(HKCU)\\Software\\Classes\\... then it corresponds to (HKU)\\(SID)_CLASSES\\... i.e. the suffix string\r\n\"_CLASSES\" is appended to the (SID).\r\nOn Windows NT systems, each user's settings are stored in their own files called NTUSER.DAT and\r\nUSRCLASS.DAT inside their own Documents and Settings subfolder (or their own Users sub folder in\r\nWindows Vista and above). Settings in this hive follow users with a roaming profile from machine to\r\nmachine.\r\nHKEY_PERFORMANCE_DATA\r\n[edit]\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 7 of 23\n\nThis key provides runtime information into performance data provided by either the NT kernel itself, or\r\nrunning system drivers, programs and services that provide performance data. This key is not stored in any\r\nhive and not displayed in the Registry Editor, but it is visible through the registry functions in the Windows\r\nAPI, or in a simplified view via the Performance tab of the Task Manager (only for a few performance data\r\non the local system) or via more advanced control panels (such as the Performances Monitor or the\r\nPerformances Analyzer which allows collecting and logging these data, including from remote systems).\r\nThis key is used only in Windows 95, Windows 98 and Windows ME.\r\n[15]\r\n It contains information about\r\nhardware devices, including Plug and Play and network performance statistics. The information in this hive\r\nis also not stored on the hard drive; the Plug and Play information is gathered and configured at startup and\r\nis stored in memory.\r\n[16]\r\nEven though the registry presents itself as an integrated hierarchical database, branches of the registry are actually\r\nstored in a number of disk files called hives.\r\n[17]\r\n (The word hive constitutes an in-joke.)[18]\r\nSome hives are volatile and are not stored on disk at all. An example of this is the hive of the branch starting at\r\nHKLM\\HARDWARE . This hive records information about system hardware and is created each time the system boots\r\nand performs hardware detection.\r\nIndividual settings for users on a system are stored in a hive (disk file) per user. During user login, the system\r\nloads the user hive under the HKEY_USERS key and sets the HKCU (HKEY_CURRENT_USER) symbolic\r\nreference to point to the current user. This allows applications to store/retrieve settings for the current user\r\nimplicitly under the HKCU key.\r\nNot all hives are loaded at any one time. At boot time, only a minimal set of hives are loaded, and after that, hives\r\nare loaded as the operating system initializes and as users log in or whenever a hive is explicitly loaded by an\r\napplication.\r\nThe registry is physically stored in several files, which are generally obfuscated from the user-mode APIs used to\r\nmanipulate the data inside the registry. Depending upon the version of Windows, there will be different files and\r\ndifferent locations for these files, but they are all on the local machine. The location for system registry files in\r\nWindows NT is %SystemRoot%\\System32\\config\\ ; the user-specific HKEY_CURRENT_USER user registry\r\nhive is stored in Ntuser.dat inside the user profile. There is one of these per user; if a user has a roaming\r\nprofile, then this file will be copied to and from a server at logout and login respectively. A second user-specific\r\nregistry file named UsrClass.dat contains COM registry entries and does not roam by default.\r\nWindows NT systems store the registry in a binary file format which can be exported, loaded and unloaded by the\r\nRegistry Editor in these operating systems. The following system registry files are stored in\r\n%SystemRoot%\\System32\\config\\ :\r\nSam – HKEY_LOCAL_MACHINE\\SAM\r\nSecurity – HKEY_LOCAL_MACHINE\\SECURITY\r\nSoftware – HKEY_LOCAL_MACHINE\\SOFTWARE\r\nSystem – HKEY_LOCAL_MACHINE\\SYSTEM\r\nDefault – HKEY_USERS\\.DEFAULT\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 8 of 23\n\nUserdiff – Not associated with a hive. Used only when upgrading operating systems.[19]\r\nThe following file is stored in each user's profile folder:\r\n%USERPROFILE%\\Ntuser.dat – HKEY_USERS\\\u003cUser SID\u003e (linked to by HKEY_CURRENT_USER)\r\nFor Windows 2000, Server 2003 and Windows XP, the following additional user-specific file is used for file\r\nassociations and COM information:\r\n%USERPROFILE%\\Local Settings\\Application Data\\Microsoft\\Windows\\Usrclass.dat (path is localized)\r\n– HKEY_USERS\\\u003cUser SID\u003e_Classes ( HKEY_CURRENT_USER\\Software\\Classes )\r\nFor Windows Vista and later, the path was changed to:\r\n%USERPROFILE%\\AppData\\Local\\Microsoft\\Windows\\Usrclass.dat (path is not localized) alias\r\n%LocalAppData%\\Microsoft\\Windows\\Usrclass.dat – HKEY_USERS\\\u003cUser SID\u003e_Classes\r\n( HKEY_CURRENT_USER\\Software\\Classes )\r\nWindows 2000 keeps an alternate copy of the registry hives (.ALT) and attempts to switch to it when corruption is\r\ndetected.[20] Windows XP and Windows Server 2003 do not maintain a System.alt hive because NTLDR on\r\nthose versions of Windows can process the System.log file to bring up to date a System hive that has become\r\ninconsistent during a shutdown or crash. In addition, the %SystemRoot%\\Repair folder contains a copy of the\r\nsystem's registry hives that were created after installation and the first successful startup of Windows.\r\nEach registry data file has an associated file with a \".log\" extension that acts as a transaction log that is used to\r\nensure that any interrupted updates can be completed upon next startup.[21] Internally, Registry files are split into\r\n4 kB \"bins\" that contain collections of \"cells\".[21]\r\nThe registry files are stored in the %WINDIR% directory under the names USER.DAT and SYSTEM.DAT with the\r\naddition of CLASSES.DAT in Windows ME. Also, each user profile (if profiles are enabled) has its own USER.DAT\r\nfile which is located in the user's profile directory in %WINDIR%\\Profiles\\\u003cUsername\u003e\\ .\r\nThe only registry file is called REG.DAT and it is stored in the %WINDIR% directory.\r\nTo access the registry files, the device needs to be set in a special mode using either: \r\nWpInternals (Put the device into flash mode.)\r\nInterOp Tools (Mount the MainOS Partition with MTP.)\r\nIf any of the above methods worked, the device's registry files can be found in the following location:\r\n {Phone}\\EFIESP\\Windows\\System32\\config\r\nThe registry contains important configuration information for the operating system, for installed applications as\r\nwell as individual settings for each user and application. A careless change to the operating system configuration\r\nin the registry could cause irreversible damage, so it is usually only installer programs which perform changes to\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 9 of 23\n\nthe registry database during installation/configuration and removal. If a user wants to edit the registry manually,\r\nMicrosoft recommends that a backup of the registry be performed before the change.[22] When a program is\r\nremoved from control panel, it may not be completely removed and, in case of errors or glitches caused by\r\nreferences to missing programs, the user might have to manually check inside directories such as program files.\r\nAfter this, the user might need to manually remove any reference to the uninstalled program in the registry. This is\r\nusually done by using RegEdit.exe .\r\n[23]\r\n Editing the registry is sometimes necessary when working around\r\nWindows-specific issues e.g. problems when logging onto a domain can be resolved by editing the registry.\r\n[24]\r\nWindows Registry can be edited manually using programs such as RegEdit.exe , although these tools do not\r\nexpose some of the registry's metadata such as the last modified date.\r\nThe registry editor for the 3.1/95 series of operating systems is RegEdit.exe and for Windows NT it is\r\nRegEdt32.exe ; the functionalities are merged in Windows XP. Optional and third-party tools similar to\r\nRegEdit.exe are available for many Windows CE versions.\r\nRegistry Editor allows users to perform the following functions:\r\nCreating, manipulating, renaming[25] and deleting registry keys, subkeys, values and value data\r\nImporting and exporting .REG files, exporting data in the binary hive format\r\nLoading, manipulating and unloading registry hive format files (Windows NT systems only)\r\nSetting permissions based on ACLs (Windows NT systems only)\r\nBookmarking user-selected registry keys as Favorites\r\nFinding particular strings in key names, value names and value data\r\nRemotely editing the registry on another networked computer\r\n.REG files (also known as Registration entries) are text-based human-readable files for exporting and importing\r\nportions of the registry using an INI-based syntax. There are two main versions of REG files:\r\nWindows 9x and NT 4.0 REG files are ANSI-based. They start with the string REGEDIT4 .\r\n[26]\r\nWindows 2000 and later REG files are Unicode-based. They start with the string Windows Registry Editor\r\nVersion 5.00.\r\nWindows 9x format .REG files can be imported by Windows 2000 and later.\r\n[26]\r\n These later systems also allow\r\nexporting .REG files in Windows 9x/NT format.[citation needed]\r\nData is stored in .REG files using the following syntax:[26]\r\n[\u003cHive name\u003e\\\u003cKey name\u003e\\\u003cSubkey name\u003e]\r\n\"Value name\"=\u003cValue type\u003e:\u003cValue data\u003e\r\nThe Default Value of a key can be edited by using @ instead of \"Value Name\":\r\n[\u003cHive name\u003e\\\u003cKey name\u003e\\\u003cSubkey name\u003e]\r\n@=\u003cValue type\u003e:\u003cValue data\u003e\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 10 of 23\n\nString values do not require a \u003cValue type \u003e (see example), but backslashes ( \\ ) need to be written as a double-backslash ( \\\\ ), and quotes ( \" ) as backslash-quote ( \\\" ). (The requirement for escaping is not totally\r\nconsistent: files containing strings with unescaped leading backslash do exist and are accepted by the system for\r\nimporting.)[27]\r\nFor example, to add the values \"Value A\", \"Value B\", etc. to the HKLM\\SOFTWARE\\Foobar key:\r\nWindows Registry Editor Version 5.00\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Foobar]\r\n\"Value A\"=\"\u003cString value data with escape characters\u003e\"\r\n\"Value B\"=hex:\u003cBinary data (as comma-delimited list of hexadecimal values)\u003e\r\n\"Value C\"=dword:\u003cDWORD value integer\u003e\r\n\"Value D\"=hex(0):\u003cREG_NONE (as comma-delimited list of hexadecimal values)\u003e\r\n\"Value E\"=hex(1):\u003cREG_SZ (as comma-delimited list of hexadecimal values representing a UTF-16LE NUL-t\r\n\"Value F\"=hex(2):\u003cExpandable string value data (as comma-delimited list of hexadecimal values represe\r\n\"Value G\"=hex(3):\u003cBinary data (as comma-delimited list of hexadecimal values)\u003e; equal to \"Value B\"\r\n\"Value H\"=hex(4):\u003cDWORD value (as comma-delimited list of 4 hexadecimal values, in little endian byte\r\n\"Value I\"=hex(5):\u003cDWORD value (as comma-delimited list of 4 hexadecimal values, in big endian byte o\r\n\"Value J\"=hex(7):\u003cMulti-string value data (as comma-delimited list of hexadecimal values representing\r\n\"Value K\"=hex(8):\u003cREG_RESOURCE_LIST (as comma-delimited list of hexadecimal values)\u003e\r\n\"Value L\"=hex(a):\u003cREG_RESOURCE_REQUIREMENTS_LIST (as comma-delimited list of hexadecimal values)\u003e\r\n\"Value M\"=hex(b):\u003cQWORD value (as comma-delimited list of 8 hexadecimal values, in little endian byte\r\nData from .REG files can be added/merged with the registry by double-clicking these files or using the /s switch\r\nin the command line. REG files can also be used to remove registry data.\r\nTo remove a key (and all subkeys, values and data), the key name must be preceded by a minus sign ( - ).[26]\r\nFor example, to remove the HKLM\\SOFTWARE\\Foobar key (and all subkeys, values and data),\r\n[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Foobar]\r\nTo remove a value (and its data), the values to be removed must have a minus sign ( - ) after the equal sign ( = ).\r\n[26]\r\nFor example, to remove only the \"Value A\" and \"Value B\" values (and their data) from the\r\nHKLM\\SOFTWARE\\Foobar key:\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Foobar]\r\n\"Value A\"=-\r\n\"Value B\"=-\r\nTo remove only the Default value of the key HKLM\\SOFTWARE\\Foobar (and its data):\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 11 of 23\n\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Foobar]\r\n@=-\r\nLines beginning with a semicolon are considered comments:\r\n; This is a comment. This can be placed in any part of a .reg file\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Foobar]\r\n\"Value\"=\"Example string\"\r\nWindows group policies can change registry keys for a number of machines or individual users based on policies.\r\nWhen a policy first takes effect for a machine or for an individual user of a machine, the registry settings specified\r\nas part of the policy are applied to the machine or user settings.\r\nWindows will also look for updated policies and apply them periodically, typically every 90 minutes.[28]\r\nThrough its scope a policy defines to which machines and users the policy is to be applied. Whether a machine or\r\nuser is within the scope of a policy or not is defined by a set of rules which can filter on the location of the\r\nmachine or user account in organizational directory, specific users or machine accounts or security groups. More\r\nadvanced rules can be set up using Windows Management Instrumentation expressions. Such rules can filter on\r\nproperties such as computer vendor name, CPU architecture, installed software, or networks connected to.\r\nFor instance, the administrator can create a policy with one set of registry settings for machines in the accounting\r\ndepartment and policy with another (lock-down) set of registry settings for kiosk terminals in the visitors area.\r\nWhen a machine is moved from one scope to another (e.g., changing its name or moving it to another\r\norganizational unit), the correct policy is automatically applied. When a policy is changed it is automatically re-applied to all machines currently in its scope.\r\nThe policy is edited through a number of administrative templates which provides a user interface for picking and\r\nchanging settings. The set of administrative templates is extensible and software packages which support such\r\nremote administration can register their own templates.\r\nCommand line editing\r\n[edit]\r\nreg\r\nDeveloper Microsoft\r\nOperating system Microsoft Windows\r\nType Command\r\nLicense Proprietary commercial software\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 12 of 23\n\nWebsite docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg\r\nregini\r\nDeveloper Microsoft\r\nOperating system Microsoft Windows\r\nType Command\r\nLicense Proprietary commercial software\r\nWebsite docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini\r\nThe registry can be manipulated in a number of ways from the command line. The Reg.exe and RegIni.exe\r\nutility tools are included in Windows XP and later versions of Windows. Alternative locations for legacy versions\r\nof Windows include the Resource Kit CDs or the original Installation CD of Windows.\r\nAlso, a .REG file can be imported from the command line with the following command:\r\nRegEdit.exe /s file\r\nThe /s means the file will be silent merged to the registry. If the /s parameter is omitted the user will be asked to\r\nconfirm the operation. In Windows 98, Windows 95 and at least some configurations of Windows XP the /s\r\nswitch also causes RegEdit.exe to ignore the setting in the registry that allows administrators to disable it. When\r\nusing the /s switch RegEdit.exe does not return an appropriate return code if the operation fails, unlike\r\nReg.exe which does.\r\nRegEdit.exe /e file\r\nexports the whole registry in V5 format to a UNICODE .REG file, while any of\r\nRegEdit.exe /e file HKEY_CLASSES_ROOT[\\\u003ckey\u003e]\r\nRegEdit.exe /e file HKEY_CURRENT_CONFIG[\\\u003ckey\u003e]\r\nRegEdit.exe /e file HKEY_CURRENT_USER[\\\u003ckey\u003e]\r\nRegEdit.exe /e file HKEY_LOCAL_MACHINE[\\\u003ckey\u003e]\r\nRegEdit.exe /e file HKEY_USERS[\\\u003ckey\u003e]\r\nexport the specified (sub)key (which has to be enclosed in quotes if it contains spaces) only.\r\nRegEdit.exe /a file\r\nexports the whole registry in V4 format to an ANSI .REG file.\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 13 of 23\n\nRegEdit.exe /a file \u003ckey\u003e\r\nexports the specified (sub)key (which has to be enclosed in quotes if it contains spaces) only.\r\nIt is also possible to use Reg.exe . Here is a sample to display the value of the registry value Version:\r\nReg.exe QUERY HKLM\\Software\\Microsoft\\ResKit /v Version\r\nOther command line options include a VBScript or JScript together with CScript, WMI or WMIC.exe and\r\nWindows PowerShell.\r\nRegistry permissions can be manipulated through the command line using RegIni.exe and the SubInACL.exe\r\ntool. For example, the permissions on the HKEY_LOCAL_MACHINE\\SOFTWARE key can be displayed using:\r\nSubInACL.exe /keyreg HKEY_LOCAL_MACHINE\\SOFTWARE /display\r\nPowerShell commands and scripts\r\n[edit]\r\nUsing PowerShell to navigate the registry\r\nWindows PowerShell comes with a registry provider which presents the registry as a location type similar to the\r\nfile system. The same commands used to manipulate files and directories in the file system can be used to\r\nmanipulate keys and values of the registry.\r\n[29]\r\nAlso like the file system, PowerShell uses the concept of a current location which defines the context on which\r\ncommands by default operate. The Get-ChildItem (also available through the aliases ls , dir or gci )\r\nretrieves the child keys of the current location. By using the Set-Location (or the alias cd ) command the user\r\ncan change the current location to another key of the registry.\r\n[29]\r\n Commands which rename items, remove items,\r\ncreate new items or set content of items or properties can be used to rename keys, remove keys or entire sub-trees\r\nor change values.\r\nThrough PowerShell scripts files, an administrator can prepare scripts which, when executed, make changes to the\r\nregistry. Such scripts can be distributed to administrators who can execute them on individual machines. The\r\nPowerShell Registry provider supports transactions, i.e. multiple changes to the registry can be bundled into a\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 14 of 23\n\nsingle atomic transaction. An atomic transaction ensures that either all of the changes are committed to the\r\ndatabase, or if the script fails, none of the changes are committed to the database.[29][30]\r\nPrograms or scripts\r\n[edit]\r\nThe registry can be edited through the APIs of the Advanced Windows 32 Base API Library (advapi32.dll).[31]\r\nList of registry API functions:\r\nRegCloseKey\r\nRegConnectRegistry\r\nRegCreateKey\r\nRegCreateKeyEx\r\nRegDeleteKey\r\nRegDeleteValue\r\nRegEnumKey\r\nRegEnumKeyEx\r\nRegEnumValue\r\nRegFlushKey\r\nRegGetKeySecurity\r\nRegLoadKey\r\nRegNotifyChangeKeyValue\r\nRegOpenKey\r\nRegOpenKeyEx\r\nRegQueryInfoKey\r\nRegQueryMultipleValues\r\nRegQueryValue\r\nRegQueryValueEx\r\nRegReplaceKey\r\nRegRestoreKey\r\nRegSaveKey\r\nRegSetKeySecurity\r\nRegSetValue\r\nRegSetValueEx\r\nRegUnLoadKey\r\nMany programming languages offer built-in runtime library functions or classes that wrap the underlying\r\nWindows APIs and thereby enable programs to store settings in the registry (e.g. Microsoft.Win32.Registry in\r\nVB.NET and C#, or TRegistry in Delphi and Free Pascal). COM-enabled applications like Visual Basic 6 can\r\nuse the WSH WScript.Shell object. Another way is to use the Windows Resource Kit Tool, Reg.exe by\r\nexecuting it from code,[32] although this is considered poor programming practice.\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 15 of 23\n\nSimilarly, scripting languages such as Perl (with Win32::TieRegistry ), Python (with winreg), Tcl (which comes\r\nbundled with the registry package),[33] Windows Powershell and Windows Scripting Host also enable registry\r\nediting from scripts.\r\nThe offreg.dll[34] available from the Windows Driver Kit offers a set of APIs for the creation and manipulation of\r\ncurrently not loaded registry hives similar to those provided by advapi32.dll.\r\nIt is also possible to edit the registry (hives) of an offline system from Windows PE or Linux (in the latter case\r\nusing open source tools).\r\nCOM self-registration\r\n[edit]\r\nPrior to the introduction of registration-free COM, developers were encouraged to add initialization code to in-process and out-of-process binaries to perform the registry configuration required for that object to work. For in-process binaries such as .DLL and .OCX files, the modules typically exported a function called DllInstall()[35]\r\n that\r\ncould be called by installation programs or invoked manually with utilities like Regsvr32.exe;[36] out-of-process\r\nbinaries typically support the commandline arguments /Regserver and /Unregserver that created or deleted the\r\nrequired registry settings.[37] COM applications that break because of DLL Hell issues can commonly be repaired\r\nwith RegSvr32.exe or the /RegServer switch without having to re-invoke installation programs.[38]\r\nAdvanced functionality\r\n[edit]\r\nWindows exposes APIs that allows user-mode applications to register to receive a notification event if a particular\r\nregistry key is changed.[39] APIs are also available to allow kernel-mode applications to filter and modify registry\r\ncalls made by other applications.[40]\r\nWindows also supports remote access to the registry of another computer via the RegConnectRegistry\r\nfunction[41] if the Remote Registry service is running, correctly configured and its network traffic is not\r\nfirewalled.[42]\r\nEach key in the registry of Windows NT versions can have an associated security descriptor. The security\r\ndescriptor contains an access control list (ACL) that describes which user groups or individual users are granted or\r\ndenied access permissions. The set of registry permissions include 10 rights/permissions which can be explicitly\r\nallowed or denied to a user or a group of users.\r\nRegistry permissions\r\nPermission Description\r\nQuery Value The right to read the registry key value.\r\nSet Value The right to write a new value\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 16 of 23\n\nCreate Subkey The right to create subkeys.\r\nEnumerate Subkeys Allow the enumeration of subkeys.\r\nNotify The right to request change notifications for registry keys or subkeys.\r\nCreate Link Reserved by the operating system.\r\nDelete The right to delete a key.\r\nWrite DACL The right to modify permissions of the container's DACL.\r\nWrite Owner The right to modify the container's owner.\r\nRead Control The right to read the DACL.\r\nAs with other securable objects in the operating system, individual access control entries (ACE) on the security\r\ndescriptor can be explicit or inherited from a parent object.[43]\r\nWindows Resource Protection is a feature of Windows Vista and later versions of Windows that uses security to\r\ndeny Administrators and the system WRITE access to some sensitive keys to protect the integrity of the system\r\nfrom malware and accidental modification.[44]\r\nSpecial ACEs on the security descriptor can also implement mandatory integrity control for the registry key and\r\nsubkeys. A process running at a lower integrity level cannot write, change or delete a registry key/value, even if\r\nthe account of the process has otherwise been granted access through the ACL. For instance, Internet Explorer\r\nrunning in Protected Mode can read medium and low integrity registry keys/values of the currently logged on\r\nuser, but it can only modify low integrity keys.[45]\r\nOutside security, registry keys cannot be deleted or edited due to other causes. Registry keys containing NUL\r\ncharacters cannot be deleted with standard registry editors and require a special utility for deletion, such as\r\nRegDelNull.\r\n[46][47]\r\nBackups and recovery\r\n[edit]\r\nDifferent editions of Windows have supported a number of different methods to back up and restore the registry\r\nover the years, some of which are now deprecated:\r\nSystem Restore can back up the registry and restore it as long as Windows is bootable, or from the\r\nWindows Recovery Environment (starting with Windows Vista).\r\nNTBackup can back up the registry as part of the System State and restore it. Automated System Recovery\r\nin Windows XP can also restore the registry.\r\nOn Windows NT, the Last Known Good Configuration option in startup menu relinks the\r\nHKLM\\SYSTEM\\CurrentControlSet key, which stores hardware and device driver information.\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 17 of 23\n\nWindows 98 and Windows ME include command line (Scanreg.exe) and GUI (Scanregw.exe) registry\r\nchecker tools to check and fix the integrity of the registry, create up to five automatic regular backups by\r\ndefault and restore them manually or whenever corruption is detected.[48] The registry checker tool backs\r\nup the registry, by default, to %Windir%\\Sysbckup Scanreg.exe can also run from MS-DOS.\r\n[49]\r\nThe Windows 95 CD-ROM included an Emergency Recovery Utility (ERU.exe) and a Configuration\r\nBackup Tool (Cfgback.exe) to back up and restore the registry. Additionally Windows 95 backs up the\r\nregistry to the files system.da0 and user.da0 on every successful boot.\r\nWindows NT 4.0 included RDISK.EXE , a utility to back up and restore the entire registry.\r\n[50]\r\nWindows 2000 Resource Kit contained an unsupported pair of utilities called Regback.exe and\r\nRegRest.exe for backup and recovery of the registry.\r\n[51]\r\nPeriodic automatic backups of the registry are now disabled by default on Windows 10 May 2019 Update\r\n(version 1903). Microsoft recommends System Restore be used instead.[52]\r\nWindows 2000 and later versions of Windows use Group Policy to enforce registry settings through a registry-specific client extension in the Group Policy processing engine.[53]\r\n Policy may be applied locally to a single\r\ncomputer using gpedit.msc or to multiple users and computers in a domain using gpmc.msc .\r\nWith Windows 95, Windows 98, Windows ME and Windows NT 4.0, administrators can use a special file to be\r\nmerged into the registry, called a policy file ( POLICY.POL ). The policy file allows administrators to prevent non-administrator users from changing registry settings like, for instance, the security level of Internet Explorer and\r\nthe desktop background wallpaper. The policy file is primarily used in a business with a large number of\r\ncomputers where the business needs to be protected from rogue or careless users.\r\nThe default extension for the policy file is .POL . The policy file filters the settings it enforces by user and by\r\ngroup (a \"group\" is a defined set of users). To do that the policy file merges into the registry, preventing users\r\nfrom circumventing it by simply changing back the settings. The policy file is usually distributed through a LAN,\r\nbut can be placed on the local computer.\r\nThe policy file is created by a free tool by Microsoft that goes by the filename poledit.exe for Windows\r\n95/Windows 98 and with a computer management module for Windows NT. The editor requires administrative\r\npermissions to be run on systems that uses permissions. The editor can also directly change the current registry\r\nsettings of the local computer and if the remote registry service is installed and started on another computer it can\r\nalso change the registry on that computer. The policy editor loads the settings it can change from .ADM files, of\r\nwhich one is included, that contains the settings the Windows shell provides. The .ADM file is plain text and\r\nsupports easy localization by allowing all the strings to be stored in one place.\r\nINI file virtualization\r\n[edit]\r\nWindows NT kernels support redirection of INI file-related APIs into a virtual file in a registry location such as\r\nHKEY_CURRENT_USER using a feature called \"InifileMapping\".[54] This functionality was introduced to allow\r\nlegacy applications written for 16-bit versions of Windows to be able to run under Windows NT platforms on\r\nwhich the System folder is no longer considered an appropriate location for user-specific data or configuration.\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 18 of 23\n\nNon-compliant 32-bit applications can also be redirected in this manner, even though the feature was originally\r\nintended for 16-bit applications.\r\nRegistry virtualization\r\n[edit]\r\nWindows Vista introduced limited registry virtualization, whereby poorly written applications that do not respect\r\nthe principle of least privilege and instead try to write user data to a read-only system location (such as the\r\nHKEY_LOCAL_MACHINE hive), are silently redirected to a more appropriate location, without changing the\r\napplication itself.\r\nSimilarly, application virtualization redirects all of an application's invalid registry operations to a location such as\r\na file. Used together with file virtualization, this allows applications to run on a machine without being installed\r\non it.\r\nLow integrity processes may also use registry virtualization. For example, Internet Explorer 7 or 8 running in\r\n\"Protected Mode\" on Windows Vista and above will automatically redirect registry writes by ActiveX controls to a\r\nsandboxed location in order to frustrate some classes of security exploits.\r\nThe Application Compatibility Toolkit[55] provides shims that can transparently redirect\r\nHKEY_LOCAL_MACHINE or HKEY_CLASSES_ROOT Registry operations to HKEY_CURRENT_USER to\r\naddress \"LUA\" bugs that cause applications not to work for users with insufficient rights.\r\nCritics labeled the registry in Windows 95 a single point of failure, because re-installation of the operating system\r\nwas required if the registry became corrupt. However, Windows NT uses transaction logs to protect against\r\ncorruption during updates. Current versions of Windows use two levels of log files to ensure integrity even in the\r\ncase of power failure or similar catastrophic events during database updates.[56] Even in the case of a non-recoverable error, Windows can repair or re-initialize damaged registry entries during system boot.[56]\r\nRichard WM Jones, author of libguestfs and hivex (tool to read and write the registry from systems other than the\r\nhost Windows installation, including non-Windows systems), makes the following critiques:[27]\r\nCompared to a database with features such as indexed columns, the registry with its concepts of directories\r\n(keys), files (values), and extended attributes (permissions) is more of a file system, and an incomplete one\r\nat that. Lack of column indexing has led to the proliferation of oddly-named keys such as\r\n\\ControlSet001\\Control\\CriticalDeviceDatabase\\pci#ven_1af4\u0026dev_1001\u0026subsys_00000000 .\r\nThe hive format is based on the struct layout of the original compiler in the 1990s. The reader\r\nimplementation in Windows performs insufficient validation, being easy to make to hang or crash by\r\nincorrect pointer structures (reference loops, out-of-range pointers). The writer implementation does not\r\nproperly zero out unused memory, leaking kernel data structures into unused parts of the registry.\r\nDifferent versions of Windows have different ideas about what each \"type\" in the registry refers to. String\r\ntypes such as REG_SZ were originally stored in 7-bit ASCII, before being switched to UTF-16LE later, so\r\nto properly read and write a hive one would need to know the Windows version it is associated with.\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 19 of 23\n\nEquivalents and alternatives\r\n[edit]\r\nIn Windows, use of the registry for storing program data is a matter of developer's discretion. Microsoft provides\r\nprogramming interfaces for storing data in XML files (via MSXML) or database files (via SQL Server Compact)\r\nwhich developers can use instead. Developers are also free to use non-Microsoft alternatives or develop their own\r\nproprietary data stores.\r\nIn contrast to Windows Registry's binary-based database model, some other operating systems use separate plain-text files for daemon and application configuration, but group these configurations together for ease of\r\nmanagement.\r\nIn Unix-like operating systems (including Linux) that follow the Filesystem Hierarchy Standard, system-wide configuration files (information similar to what would appear in HKEY_LOCAL_MACHINE on\r\nWindows) are traditionally stored in files in /etc/ and its subdirectories, or sometimes in\r\n/usr/local/etc/ . Per-user information (information that would be roughly equivalent to that in\r\nHKEY_CURRENT_USER) is stored in hidden directories and files (that start with a period/full stop)\r\nwithin the user's home directory. However XDG-compliant applications should refer to the environment\r\nvariables defined in the Base Directory specification.[57]\r\nIn macOS, system-wide configuration files are typically stored in the /Library/ folder, whereas per-user\r\nconfiguration files are stored in the corresponding ~/Library/ folder in the user's home directory, and\r\nconfiguration files set by the system are in /System/Library/ . Within these respective directories, an\r\napplication typically stores a property list file in the Preferences/ sub-directory.\r\nRISC OS (not to be confused with MIPS RISC/os) uses directories for configuration data, which allows\r\napplications to be copied into application directories, as opposed to the separate installation process that\r\ntypifies Windows applications; this approach is also used on the ROX Desktop for Linux.[58] This\r\ndirectory-based configuration also makes it possible to use different versions of the same application, since\r\nthe configuration is done \"on the fly\".[59] If one wishes to remove the application, it is possible to simply\r\ndelete the folder belonging to the application.[60][61] This will often not remove configuration settings\r\nwhich are stored independently from the application, usually within the computer's !Boot structure, in\r\n!Boot Choices or potentially anywhere on a network fileserver. It is possible to copy installed programs\r\nbetween computers running RISC OS by copying the application directories belonging to the programs,\r\nhowever some programs may require re-installing, e.g. when shared files are placed outside an application\r\ndirectory.\r\n[59]\r\nIBM AIX (a Unix variant) uses a registry component called Object Data Manager (ODM). The ODM is\r\nused to store information about system and device configuration. An extensive set of tools and utilities\r\nprovides users with means of extending, checking, correcting the ODM database. The ODM stores its\r\ninformation in several files, default location is /etc/objrepos .\r\nThe GNOME desktop environment uses a registry-like interface called dconf for storing configuration\r\nsettings for the desktop and applications.\r\nThe Elektra Initiative provides alternative back-ends for various different text configuration files.\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 20 of 23\n\nWhile not an operating system, the Wine compatibility layer, which allows Windows software to run on a\r\nUnix-like system, also employs a Windows-like registry as text files in the WINEPREFIX folder:\r\nsystem.reg (HKEY_LOCAL_MACHINE), user.reg (HKEY_CURRENT_USER) and userdef.reg.[62] The\r\nformat is virtually the same as those of Windows .REG files, except that the header line is changed to\r\n\"WINE REGISTRY Version 2\" and paths (keys) do not start with the name of the hive.\r\nRegistry cleaner\r\nLogparser – SQL-like querying of various types of log files\r\nList of shell icon overlay identifiers\r\nRansomware attack that uses Registry\r\n1. ^ When applications fail to execute because they request more privileges than they require (and are denied\r\nthose privileges), this is known as a limited user application (LUA) bug.\r\n1. ^ Esposito, Dino (November 2000). \"Windows 2000 Registry: Latest Features and APIs Provide the Power\r\nto Customize and Extend Your Apps\". MSDN Magazine. Microsoft. Archived from the original on April 15,\r\n2003. Retrieved July 19, 2007.\r\n2. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \"The System Registry\".\r\n3. ^ \"Windows 95 Architecture Components\". www.microsoft.com. Archived from the original on February 7,\r\n2008. Retrieved April 29, 2008. “The following table shows other difficulties or limitations caused by using\r\n.INI files that are overcome by using the Registry.”\r\n4. ^ Hipson 2002, p. 5, 41–43.\r\n5. ^ Richter, Jeffrey; Nasarre, Christophe (2008). Windows Via C/C++ (Fifth ed.). Microsoft Press.\r\nISBN 9780735642461. Retrieved August 28, 2021.\r\n6. ^ Raymond Chen, \"Why do registry keys have a default value?\"\r\n7. ^ Hipson 2002, pp. 207, 513–514.\r\n8. ^ Hipson 2002, pp. 520–521.\r\n9. ^ Hipson 2002, p. 7.\r\n10. ^ \"Designed for Windows XP Application Specification\". Microsoft. August 20, 2002. Retrieved April 8,\r\n2009.\r\n11. ^ \"HKEY_LOCAL_MACHINE\". Gautam. 2009. Retrieved April 8, 2009.\r\n12. ^ \"Registry Keys Affected by WOW64 (Windows)\". Msdn.microsoft.com. Retrieved April 10, 2014.\r\n13. ^ \"Description of the Microsoft Windows registry\". Retrieved September 25, 2008.\r\n14. ^ \"HKEY_CURRENT_USER\". Microsoft. 2009. Retrieved April 8, 2009.\r\n15. ^ \"Description of the HKEY_DYN_DATA Registry Key in Windows 95, Windows 98, and Windows 98 SE\".\r\nsupport.microsoft.com.\r\n16. ^ \"A Closer Look at HKEY_DYN_DATA\". rinet.ru. Archived from the original on May 9, 2008.\r\n17. ^ \"Registry hives\". Retrieved July 19, 2007.\r\n18. ^ Chen, Raymond (August 8, 2011). \"Why is a registry file called a \"hive\"?\". The Old New Thing.\r\nRetrieved July 29, 2011.\r\n19. ^ \"Overview of the Windows NT Registry\". Retrieved December 2, 2011.\r\n20. ^ \"Inside the Registry\". Retrieved December 28, 2007.\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 21 of 23\n\n21. ^ Jump up to: a\r\n \r\nb\r\n Norris, Peter (February 2009). \"The Internal Structure of the Windows Registry\" (PDF).\r\nCranfield University. Archived from the original (PDF) on May 29, 2009.\r\n22. ^ \"Incorrect Icons Displayed for .ico Files\". November 15, 2009. Retrieved March 31, 2012.\r\n23. ^ \"How to Completely Uninstall / Remove a Software Program in Windows without using 3rd Party\r\nSoftware? - AskVG\". www.askvg.com. August 26, 2011.\r\n24. ^ \"You may receive a \"STOP 0x00000035 NO_MORE_IRP_STACK_LOCATIONS\" error message when\r\nyou try to log on to a domain\". October 9, 2011. Retrieved March 31, 2012. This page tells the user to edit\r\nthe registry when resolving the issue.\r\n25. ^ key renaming is implemented as removal and add while retaining subkeys/values, as the underlying APIs\r\ndo not support the rename function directly\r\n26. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \"How to add, modify, or delete registry subkeys and values by using a .reg file\".\r\nsupport.microsoft.com.\r\n27. ^ Jump up to: a\r\n \r\nb\r\n \"Why the Windows Registry sucks … technically\". Richard WM Jones. February 18,\r\n2010.\r\n28. ^ \"Applying Group Policy\". Microsoft.\r\n29. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n Payette, Bruce; Siddaway, Richard (2018). Windows PowerShell in Action (Third ed.).\r\nManning Publications. pp. 7–8, 24, 608, 708–710. ISBN 9781633430297. Retrieved August 28, 2021.\r\n30. ^ Warner, Timothy L. (May 2015). Windows PowerShell in 24 Hours, Sams Teach Yourself. Sams\r\nPublishing. p. 19, 211. ISBN 9780134049359. Retrieved August 28, 2021.\r\n31. ^ \"Reading and Writing Registry Values with Visual Basic\". Retrieved July 19, 2007.\r\n32. ^ \"REG command in Windows XP\". Retrieved July 19, 2007.\r\n33. ^ \"registry manual page – Tcl Bundled Packages\". www.tcl.tk. Retrieved December 14, 2017.\r\n34. ^ \"Offline Registry Library\". Retrieved June 4, 2014.\r\n35. ^ \"DllInstall Function\". Microsoft. March 7, 2012. Retrieved March 22, 2012.\r\n36. ^ \"Regsvr32\". Microsoft. Retrieved March 22, 2012.\r\n37. ^ \"How to: Register Automation Servers\". Microsoft. Retrieved March 22, 2012.\r\n38. ^ \"How to re-register PowerPoint 2000, PowerPoint 2003, PowerPoint 2007 and PowerPoint 2010\".\r\nMicrosoft. January 2012. Retrieved March 22, 2012.\r\n39. ^ \"RegNotifyChangeKeyValue function\". Microsoft.\r\n40. ^ \"Registering for Notifications\". Microsoft.\r\n41. ^ \"RegConnectRegistry function\". Microsoft.\r\n42. ^ \"How to Manage Remote Access to the Registry\". Microsoft.\r\n43. ^ Gibson, Darril (June 28, 2011). \"Chapter 4: Securing Access with Permissions\". Microsoft Windows\r\nsecurity : essentials. Indianapolis, Ind.: Wiley. ISBN 978-1-118-01684-8.\r\n44. ^ \"Application Compatibility: Windows Resource Protection (WRP)\". Microsoft. Retrieved August 8, 2012.\r\n45. ^ Marc Silbey, Peter Brundrett. \"Understanding and Working in Protected Mode Internet Explorer\".\r\nRetrieved August 8, 2012.\r\n46. ^ \"RegDelNull v1.1\". November 1, 2006. Retrieved August 8, 2012.\r\n47. ^ \"Unable to delete certain registry keys – Error while deleting key\". March 23, 2010. Retrieved August 8,\r\n2012. Microsoft Support page.\r\n48. ^ \"Description of the Windows Registry Checker Tool (Scanreg.exe)\".\r\n49. ^ \"Command-Line Switches for the Registry Checker Tool\".\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 22 of 23\n\n50. ^ \"How To Backup, Edit, and Restore the Registry in Windows NT 4.0\". support.microsoft.com.\r\n51. ^ \"Technical Reference to the Registry: Related Resources\". Microsoft. Retrieved September 9, 2011.\r\n52. ^ Whitwam, Ryan (July 2019). \"Microsoft Kills Automatic Registry Backups in Windows 10\". ExtremeTech.\r\nRetrieved July 1, 2019.\r\n53. ^ \"How Core Group Policy Works\". Microsoft. September 2, 2009. Retrieved August 13, 2012.\r\n54. ^ \"Chapter 26 – Initialization Files and the Registry\". Microsoft. Retrieved March 3, 2008.\r\n55. ^ \"Microsoft Application Compatibility Toolkit 5.0\". Microsoft. Retrieved July 26, 2008.\r\n56. ^ Jump up to: a\r\n \r\nb\r\n Ionescu, Mark Russinovich, David A. Solomon, Alex (2012). \"Registry Internals\".\r\nWindows internals (6th ed.). Redmond, Wash.: Microsoft Press. ISBN 978-0-7356-4873-9. {{cite book}} :\r\nCS1 maint: multiple names: authors list (link)\r\n57. ^ \"XDG Base Directory Specification\". standards.freedesktop.org.\r\n58. ^ \"Application directories\". Archived from the original on May 27, 2012. Retrieved May 17, 2012.\r\n59. ^ Jump up to: a\r\n \r\nb\r\n \"Case Studies Of The Top 132 Annoyances With Operating Systems Other Than RISC\r\nOS\". Retrieved April 3, 2012. Page from the riscos.com website. Mentioned in points 82 and 104.\r\n60. ^ \"RISC OS tour\". Retrieved July 19, 2007.\r\n61. ^ \"The RISC OS Products Directory\". November 2, 2006. Retrieved April 1, 2012. {{cite web}} : CS1\r\nmaint: deprecated archival service (link)\r\n62. ^ 3.2. Using the Registry and Regedit (Wine User Guide)\r\nHipson, Peter (2002). Mastering Windows XP Registry. Wiley. ISBN 0-7821-2987-0. Retrieved August 28,\r\n2021.\r\nRussinovich, Mark E.; Solomon, David A. (2005). Microsoft Windows Internals (Fourth ed.). Microsoft\r\nPress. pp. 183–236. ISBN 978-0-7356-1917-3.\r\nWindows Registry info \u0026 reference in the MSDN Library\r\nSource: https://en.wikipedia.org/wiki/Windows_Registry\r\nhttps://en.wikipedia.org/wiki/Windows_Registry\r\nPage 23 of 23",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Windows_Registry"
	],
	"report_names": [
		"Windows_Registry"
	],
	"threat_actors": [],
	"ts_created_at": 1775439097,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e846b16c1370e024d27f6512fd10f33de5b16542.pdf",
		"text": "https://archive.orkl.eu/e846b16c1370e024d27f6512fd10f33de5b16542.txt",
		"img": "https://archive.orkl.eu/e846b16c1370e024d27f6512fd10f33de5b16542.jpg"
	}
}