Anilrgowda

In this article we’ll dive into the Windows 2003 Registry and take a quick look at what it is, how you can configure it remotely and how to backup and restore it. This document is intended to be a reference that will help you to understand the core of Microsoft’s later generation operating system.
Introduction

Introduced with Windows 95, the Registry is a central repository for unique user and machine configuration data. In basic terms, it is a big database that holds all of the Windows 2003 configuration information – settings relative to user accounts, machine hardware and applications. Everything from user preferences (such as the background colour, screensaver, etc), to encrypted local account passwords are in there.
The registry was brought about to replace the old .INI files (that stored configuration settings in editable txt files). INI files were good because they were short and easy to edit. They did however have some restrictions such as size limitations and no support for multiple users. In came the registry to rid us of these restrictions and make it easier to recover settings after a crash, control access to and track system changes. The Registry is fault tolerant, in that, if you are installing an application that is writing a new bunch of keys to the registry and there is a power failure, everything remains intact and you can start a fresh when the system is back up and running again.

Note:
Some applications still use INI files to store custom user settings or languages for the GUI. For example, at the time of writing this article, I opened language.ini which I found in a directory of one of my installed applications and changed some of the strings. When I then opened my application, the GUI showed my text on it, instead of the default text.

The majority of the information in the Registry is placed there automatically by Windows when you install the OS. The rest comes from utilities and applications via their installation routines. It’s also possible to edit Registry data manually, allowing you to tweak, enable or fix certain settings.

WARNING!
Any changes you make to the registry using Registry Editor are permanent, there is no “undo” button, so be very careful what you do. Only mess around with the registry if you know what you are doing, the consequences of your mistakes could be disastrous (i.e.: at its worst, you will have to re-install Windows from scratch). I am not responsible for any loss or damage as a result of your tampering with the registry. Edit at your own risk, and as a rule of thumb always make a backup (discussed later on in this article).

Below is a screenshot showing the structure of the registry, which is made up of five subtrees (discussed in the next section of this article). You can browse to a key from the left and its values will be displayed in the window on the right. To open the Registry Editor, click Start > Run… and type “regedit.exe”.

Figure 1: Regedit.exe showing the structure of the registry

Setting Permissions

You can set permissions on specific subtrees or keys so that users or applications will be allowed or not allowed access. By default, users are allowed read access while administrators are allowed read/write access on most keys.
While testing a .NET application recently, I found that the installation routine was not correctly assigning permissions to a specific key, so a part of the application was failing. Once I set the correct permissions, everything worked smoothly again. In this case, it was the application vendor’s fault and luckily I was able to implement a temporary fix using regedit.exe.
To set permissions, open regedit.exe, right click a key and select “Permissions…”. This will bring up the ACL list for that key and allow you to edit permissions as you would normally do on an NTFS file or folder.

Figure 2: The ACL list for setting permissions on the SOFTWARE key

It goes without saying, but be careful who/what you allow and deny permissions to.
The Five SubTrees of the Registry

The following five sections of the registry contain a logical grouping of registry information called SubTrees. These are the five main sections of the registry and they each hold a set of sub keys. When making changes, you will most likely do most of the work in the _MACHINE and _USER subtrees.

SUBTREE

DESCRIPTION

HKEY_CLASSES_ROOT
The HKEY_CLASSES_ROOT subtree contains data that associates file types with applications and configuration for COM objects.
HKEY_LOCAL_USER
Also known to have the common abbreviation HKCU, the HKEY_LOCAL_USER subtree contains settings and preferences for the user currently logged on to the system. These settings are dynamic and unique to each user.
HKEY_LOCAL_MACHINE
Also known to have the common abbreviation HKLM, the HKEY_LOCAL_MACHINE subtree contains information about the hardware currently installed, and the settings for systems running on the machine. These are normally static for all users until a change is made.
HKEY_USERS
This subtree simply contains a pointer to HKEY_LOCAL_USER and the DEFAULT user profile (a template used when assigning a profile to new users).
HKEY_CURRENT_CONFIG
This subtree stores configuration data for the current hardware profile and points to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardwa re Profiles

Data Types defined by the Registry

On the right hand side of the Registry Editor, you will notice various data types and their values.

DATA TYPE

DESCRIPTION

REG_SZ
A simple string value. Would usually contain a URL, Path, or port number for example.
REG_BINARY
Raw binary data represented in hexadecimal format.
REG_DWORD
Another type of REG_BINARY but this one is 4 bytes long.
REG_MULTI_SZ
A character string of variable size that allows you to enter a number of parameters in this single value entry.
REG_EXPAND_SZ
This is a character string of variable size that can contain dynamic information which will change at startup (such as %username% which is of a different size for every name)

Remote Registry Configuration

Regedit.exe allows you to remotely configure another machine’s registry quickly and easily. All you need is the right permissions (Administrator permissions) to do so.

TIP:
Make sure that a group policy isn’t in place that disallows remote registry connections.

Open regedit.exe and from the File menu select “Connect Network Registry…”. Type the computer name, or press [Advanced…] and search for one, and press OK. After entering the correct credentials, the registry of the remote machine is loaded into the console, as if it was that of the local machine.
Once you’re done making changes simply select “Disconnect Network Registry…” from the file menu and regedit.exe will break the connection.
Once again, remember that any changes you make will be reflected on the remote machine immediately, or in some cases after the next restart.

Figure 3: Screenshot showing a remote registry connection

When you connect to a registry remotely, you will only be able to edit the HKEY_LOCAL_MACHINE and HKEY_USERS keys.
In this example I have, from a local machine, connected to another server called ZTABONA and am able to make the necessary changes to the above mentioned keys.
Backing up and Restoring the Registry

There are three methods of backing up the registry – or portions of it - in Windows 2003. You can backup/restore the entire Registry using the Windows Backup utility, import/export certain subtrees or keys from regedit.exe, or use a little tool called reg.exe from the command line. These are explained in more detail below.
Backup and Restore Utility (or Wizard)

From the Start menu, navigate to Programs > Accessories > System Tools and open Backup – this will start the Backup and Restore Wizard or go straight to the Backup and Restore utility (depending on your previously chosen settings).

Figure 4: The Backup and Restore utility

From the Backup tab, expand My Computer and select the System State check box.

Note:
On a domain controller, backing up the System State will also backup Active Directory, Boot Files, Certificate Server (if installed), COM object class registries, and SYSVOL, apart from the full Registry.

Browse for a location to which the backup file should be placed (ideally removable storage or another partition) and click Start Backup. A new dialog box will appear showing the status of the backup procedure. When backup is complete, press OK and close.
To restore a backup file, go to the Restore and Manage Media tab and select Tools > Catalog a backup file. Browse to the location of the backup file and select it. Choose what you want to restore (in this case it is the entire System State) and press the Start Restore button.
Importing/Exporting Registry Files

When you export a section of the registry, it is saved as a .reg file which, when executed, will add its values back to the registry. This is commonly used when a software vendor needs a client to enable “debug mode”, for example.
To export a registry file, select the desired key from the left pane in regedit.exe, right click and choose Export. Select where you want the .reg file to be saved, and press Save. Once the file has been exported, you can edit it using Notepad.exe or any text editor.
An example of a .reg file:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Control Panel\Accessibility\MouseKeys]
"Flags"="62"
"MaximumSpeed"="80"
"TimeToMaximumSpeed"="3000"

To import a reg file, simply double click it to bring up the dialog and press Yes. The information will then be added to the registry.

Figure 5: The registry editor confirmation message box

Only import information to the registry if you know exactly what the key contains.

Note:
You can also import/export a registry file using the command line tool reg.exe.

Using the Command Line

Using reg.exe you can backup and restore portions of the registry with a few simple commands. This tool will allow you to backup one subtree at a time - while the system is running.
For the purpose of this explanation I will demonstrate the uses of REG SAVE and REG RESTORE.
REG save
Use the REG save command to save root keys for future restoration. The syntax for this command is:

reg save <root_subtree> <save_location>

In my example, using the above syntax I have saved the HKEY_CLASSES_ROOT, HKEY_CLASSES_CONFIG and HKEY_CLASSES_USER subtrees, as seen below.

Figure 6: Using the command line tool reg.exe to save registry keys

The registry files will be saved to the specified directory, as shown in the screenshot below.

Figure 7: A folder for storing saved registry keys

REG restore
Using the reg restore command you can restore keys you previously saved using the reg save command. Using my example, if I wanted to restore HKEY_CLASSES_ROOT I would run the following command at the command prompt:

Reg restore hkcr c:\regbackup\hkcr

And so on and so forth for the other keys.
Conclusion

Knowing how the registry is laid out and how to backup and restore it will prove to be valuable knowledge for everyone. As a network administrator you will find that editing the registry is sometimes the only answer to many problems. As much as nobody likes to mess around with the Registry, one is sometimes left with no other choice. Don’t be scared to make changes, just be careful and know exactly what you are about to do. The risks are obvious – one false move and the game is over. I cannot stress it enough!