Chapter 24 - Registry Editor and Registry Administration
Windows NT 4.0 includes two tools for viewing and editing the Registry, both called Registry Editor. The traditional tool, Regedt32.exe, is featured in this chapter. The new tool, Regedit.exe, written for Windows 95, has many of the same functions as Regedt32 and uses the Windows NT Explorer interface. Both tools are installed automatically when you install Windows NT on any computer.
You can use either Registry editor to add, delete, or modify Registry entries. This chapter describes the Registry editors and how to use them, with an emphasis on protecting the Registry contents and using Registry editors to monitor and maintain the system configuration on remote computers.
The following topics are included in this chapter:
It is recommended that, wherever possible, you make changes to the system configuration by using Control Panel or the applications in the Administrative Tools (Common) group.
Caution You can impair or disable Windows NT with incorrect changes or accidental deletions if you (or other users) use Registry Editor to change the system configuration. Wherever possible, you should use the Control Panel, Windows NT Diagnostics, and Administrative Tools in Windows NT to change the Registry. Registry Editor should be used only as a last resort.
To protect the system configuration, administrators can restrict users' access to the Registry, as described in "Maintaining Registry Security," later in this chapter.
Using Registry Editors and Windows NT Diagnostics
The Registry editors, Regedt32 and Regedit, do not appear in any menus or as icons in any window. However, they are installed automatically when you install Windows NT.
To run a Registry editor
Working in the Registry Editor Windows
You can use the mouse or commands to manipulate the windows and panes in a Registry editor. For example:
Table 24.1 shows some methods of using the keyboard to display data in each of the Registry Editor windows.
For more information about Regedt32 and Regedit, click Help Topics on the Help menu of either application.
Using Windows NT Diagnostics to View System Configuration Data
You can also use the Windows NT Diagnostics tool to view configuration data in the Registry. Windows NT Diagnostics (Winmsdp.exe) is installed in the Administrative Tools (Common) group on the Start menu and in Windows NT Explorer in the Systemroot\System32 directory when you set up Windows NT.
When you want to browse for system information, Windows NT Diagnostics is the best tool to choose. Figure 24.1 shows the Windows NT Diagnostics dialog box.
Figure 24.1 The Windows NT Diagnostics dialog box
In the Windows NT Diagnostics dialog box, click a tab to display data from the Registry in an easily readable format.
Tip You cannot edit value entries by using Windows NT Diagnostics, so the Registry contents are protected while you browse for information. However, you can select and copy any value if you want to paste information by using Registry Editor or a text editor.
Viewing the Registry of a Remote Computer
In the same way that you can use Event Viewer or User Manager to view details of another computer, you can use Registry Editor to view and change the contents of another computer's Registry if the Server service on the remote computer is running.
The ability to view a computer's configuration remotely means that the system administrator can examine a user's startup parameters, desktop configuration, and other parameters. So you, as the administrator, can provide troubleshooting or other support assistance over the telephone while you view settings on the other computer from your own workstation.
To view the Registry of a remote computer with Regedt32
Two Registry windows appear in Regedt32 for the remote computer, one for HKEY_USERS and one for HKEY_LOCAL_MACHINE. You can view or modify the information on keys for the remote computer if the access controls defined for the keys allow you to perform such operations. If you are logged on as a member of the Administrators group, you can perform actions on all keys.
To disconnect from the Registry of a remote computer by using Regedt32, from the Registry menu, click Close for each subtree window.
To view the Registry of a remote computer by using Regedit
An icon representing the remote computer appears in the Regedit window. Click the plus sign (+) to view the contents of the Registry. To disconnect from the Registry of a remote computer by using Regedit, from the Registry menu, click Disconnect Network Registry, click the name of the computer from which you are disconnecting, then click OK.
Loading Hives from a Remote Computer
An alternative to viewing another computer's Registry remotely is to save copies of the other computer's Registry hives and then load them into Regedt32 on your computer. You can use this method to view and change the keys and subkeys of the HKEY_LOCAL_MACHINE and HKEY_USERS hives of another computer's Registry. This enables you to investigate and repair the Registry values and value entries of a computer that is not configured properly or cannot connect to the network.
The subtrees of your computer's Registry are loaded automatically when you start the computer, and you can view their contents in a Registry editor. To view or change the contents of another computer's Registry in this way, you must load a saved copy of all or part of one of its hives.
You might load the hive of another computer's Registry for the following reasons:
Please note the following rules when loading a hive from another computer's Registry by using Regedt32:
If you are unable to connect to another computer over the network, you can load a hive file from a floppy disk.
To load a hive file into Regedt32
Data from the loaded hive appears as a new subkey in the subtree selected when you loaded the hive file. A loaded hive remains in the system until you unload it.
The Load Hive command creates a new hive in the memory space of the Registry and uses the specified file as the backing hive file (Filename.log) for it. The specified file is held open, but nothing is copied to the file unless the information in a key or value entry is changed. Likewise, the Unload Hive command does not copy or create anything; it merely unloads a loaded hive.
To unload a hive from Regedt32
Saving and Restoring Keys
You can use Regedt32 or Regedit to save all or part of a Registry subtree to a file. This file can then be used to restore that Registry or the Registry of another computer by replacing a damaged key with the contents of the file. If you save the key to a file by using Regedt32, you can also load the file into Regedt32 on any computer to examine its contents or to edit it.
Regedt32 and Regedit save Registry keys in different formats and use different methods for restoring the Registry. Decide which tool you will use before beginning the process. You cannot save a key to a file with one tool and use the other tool to restore a Registry with that file.
The remainder of this section describes how to save and restore Registry keys by using Regedt32 and Regedit.
Using Regedt32 to Save and Restore Registry Keys
To save a Registry key and its subkeys to a hive file, use the Save Key command in Regedt32. You can then use the Load Hive command in Regedt32 to view and edit the file and use the Restore command to replace a Registry key with the file contents.
Note Do not confuse the hive files you create by using the Save Key command with the hive files created by the system for its own use. The system hive file of a remote computer, usually stored in Systemroot\System32\Config and Systemroot\Profiles, can be loaded or restored only while Windows NT is not running on that computer.
Changes in the Registry are saved automatically, whether you make changes by using a Registry editor or by changing settings in applications. The Save Key command is used specifically to save portions of the Registry as a file on disk.
To use the Save Key command, you need Backup permissions, which you have if you are logged on as a member of the Administrators group.
You can use the Save Key command on any key. However, you cannot save volatile keys. A volatile key is one that is created when the system starts and deleted when it stops. Some volatile keys have nonvolatile subkeys that can be saved. For example, the HKEY_LOCAL_MACHINE\Hardware key is volatile, but you can save the nonvolatile subkeys under that key. To view the entire Hardware key for debugging, save it in a text file by using the Save Subtree As command on the Registry menu, as described later in this chapter.
To save a Registry key by using Regedt32
The selected key is now saved as a file. When you use the Load Hive command, you can select the filename for any files that you saved by using the Save Key command.
For example, as part of system maintenance, you use the Save Key command to save a key as a file. When the key that you saved is ready to be returned to the system, you use the Restore command.
You can use the Restore command to make a hive file a part of the system configuration by loading the data from the hive file into an existing key. The contents of the file overwrite and replace the contents of the Registry key, except for the key name.
To use the Restore command, you need Restore permissions, which you have if you are logged on as a member of the Administrators group.
To restore a key by using Regedt32
You cannot restore a key while the system is using it or any of its subkeys. For example, you cannot restore the SAM or Security keys because the system is always using these keys. The Restore command is used only for special conditions, such as to restore user profiles on a damaged system. To switch to a backup version of a hive, use Regrest.exe, a tool distributed on the Windows NT Workstation Resource Kit CD. For more information about Regrest, see Rktools.hlp, a Help file for tools on the Windows NT Workstation Resource Kit CD.
Using Regedit to Save Registry Keys
You can save Registry keys and their subkeys by using the Export Registry command in Regedit. This command saves a specific branch or the entire Registry in a text file with a .reg filename extension. Later, you can use the Import Registry command to rebuild a key or the entire Registry from an exported Registry file.
You can run Regedit from the Regedit window within Windows NT or from a command prompt. This section describes both methods.
To save a Registry key by using the Regedit window
To save a Registry key by using Regedit from a command prompt
Using Regedit to Restore Registry Keys
You can restore or replace a Registry key by importing a .reg file containing that key into the Registry. The contents of the Registry key are overwritten and replaced by the contents of the .reg file. If the Registry that is being restored is running on a computer that can still run Windows NT, use the Regedit window to restore the key. However, you can also run Regedit from the command prompt, if necessary.
This section describes the Regedit window interface method first, then the command prompt method.
Warning Use extreme caution in restoring keys. As with any Registry changes, an error can prevent Windows NT from loading and running, or prevent users from logging on to the system.
To restore a Registry key by using the Regedit window
To restore a Registry key by using Regedit from a command prompt
You can also import Registry keys from .reg files at a command prompt. Use the following format:
regedit /i filename.reg
– Or –
regedit /c filename.reg
The /i (import) switch imports a .reg file that contains a part of the Registry. Note that this command has no field for specifying a Registry key: all of the keys (with their subkeys and values) saved in the .reg file overwrite the analogous keys in the Registry, and you cannot specify that only a subset of them be replaced. Only the analogous keys are affected; keys that are not in the file are left unchanged.
The /c (complete) switch assumes that the .reg file contains a copy of an entire Registry. The contents of the .reg file overwrite all keys in the Registry.
Caution Use the regedit /c command with extreme care, and only when you are sure that the .reg file specified contains a complete image of the Registry. The regedit /c command replaces the entire contents of the Registry.
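Because regedit /i writes every key in the file and offers no way to exclude any of them, it is worth listing what a .reg file contains before importing it. The following script is an added example, not Resource Kit code: it parses the REGEDIT4 format that Regedit exports (quoted strings, dword:, hex:, hex(n): and backslash line continuations), reports each key and its value entries by name, type and data, and flags keys under the SAM and Security hives that the chapter says the running system always has in use. The sample file, its key names and its values are constructed for the example.

```python
"""Pre-import review of a REGEDIT4 (.reg) file (added example, not Resource Kit
code): lists every key and value 'regedit /i' would write, since the command
cannot be limited to a subset of the file's keys."""
import re

# Constructed sample export (key names and values are made up).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\App]
@="Example default"
"InstallDir"="C:\\Program Files\\Example"
"Enabled"=dword:00000001
"Blob"=hex:01,02,\
  03,04

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SAM\SAM]
"Tamper"=dword:00000001
"""

# Keys the chapter says the running system always has in use; an import
# that touches them deserves a second look before it is applied.
PROTECTED_PREFIXES = (r"HKEY_LOCAL_MACHINE\SAM", r"HKEY_LOCAL_MACHINE\SECURITY")

# A value line: "@" (the default value) or a quoted name, "=", then the data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _join_continuations(text):
    """Glue lines ending in a backslash, which is how hex: data wraps."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def _classify(data):
    """Split the data half of a value line into (type name, data)."""
    if data.startswith('"'):
        return "REG_SZ", data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    if data.startswith("hex:"):
        return "REG_BINARY", bytes.fromhex(data[4:].replace(",", ""))
    m = re.match(r"hex\((\d+)\):(.*)", data)   # hex(2): expand string, hex(7): multi string
    if m:
        return "REG_TYPE_" + m.group(1), bytes.fromhex(m.group(2).replace(",", ""))
    return "UNKNOWN", data


def parse_reg(text):
    """Return {key: {value name: (type, data)}} in file order."""
    lines = _join_continuations(text)
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    keys, current = {}, None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = _classify(m.group(2))
    return keys


def review_import(text):
    """Summarise what 'regedit /i' would overwrite and flag protected keys."""
    keys = parse_reg(text)
    prefixes = tuple(p.upper() for p in PROTECTED_PREFIXES)
    flagged = [k for k in keys if k.upper().startswith(prefixes)]
    return {"keys": list(keys),
            "values": sum(len(v) for v in keys.values()),
            "flagged": flagged}
```

Running review_import on a real export and inspecting the "flagged" list before typing regedit /i catches a file that would touch keys Regedt32 could not restore anyway.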
Editing Registry Value Entries
Within the Registry, you can alter the value entries for a selected key or assign new value entries to keys. This section describes how to find keys and how to add, edit, or delete keys and value entries.
Finding a Key in the Registry
A Registry key might be in a different place in the tree structure of your computer's Registry than where it is described in this chapter, depending on whether a computer is running Windows NT Workstation or Windows NT Server, and on other factors as well.
You can search for a specific key name in the Registry tree. Key names appear in the left pane of the Registry Editor window. The search begins from the currently selected key. A search beginning from a predefined key searches all its descendant keys.
Each search is local to the subtree where the search begins. That is, if you search in the HKEY_LOCAL_MACHINE subtree window, the search does not include keys found under any other subtree.
To search for a key by using Regedt32
Key names are not unique. To be sure you find the key you want, it's a good idea to search for additional occurrences of a specific key name.
Tip Some key names include spaces, underscores, or a continuous string (such as KeyboardPort/PointerPort). To ensure that you find the key you want, search for a portion of the name, and make sure that the Match Whole Word Only check box in the Find dialog box is cleared.
To find specific keys or value entries related to specific topics, you can also use Regentry.hlp, the Registry Help file on the Windows NT Workstation Resource Kit CD.
In Regedt32, you can search only for keys and subkeys of the Registry. Regedit, however, has an expanded search capability: you can search for value entries and values as well as keys and subkeys. In addition, you determine the level at which Regedit searches. This can expedite a search for a subkey by preventing Regedit from looking at every value entry.
To search for a key by using Regedit
Editing Values in the Registry
Each value entry in Registry Editor appears as a string that consists of three components, as shown in Figure 24.2.
Figure 24.2 The three components of a value entry
The following rules govern the content of these three value entry components:
The Registry preserves the case you type for any entry but ignores case when evaluating the data. However, because the data is defined by specific applications (or users), the program that uses the data might treat it as case sensitive.
To edit a value by using Regedt32 or Regedit
Information stored in a nonvolatile key remains in the Registry until you delete it. Information stored in a volatile key is discarded when you shut down the system. However, volatile keys can contain nonvolatile subkeys and nonvolatile keys can contain volatile subkeys. For example, the HKEY_LOCAL_MACHINE\Hardware key is volatile, but many of its subkeys are nonvolatile.
Note As your Registry grows in size, eventually you might want to set a larger value for RegistrySizeLimit. For more information, see "Registry Size Limit" in Chapter 23, "Overview of the Windows NT Registry."
Adding a Key
You can add a key to store data in the Registry. For example, you can add a subkey under CurrentControlSet\Services to start a service process you have written or to install a device driver that doesn't have an installation program.
To do this, you must have Create Subkey access permission for the key under which you are adding a subkey, as described in "Assigning Access Rights to Registry Keys," later in this chapter.
To add a key to the Registry by using Regedt32
To add a key to the Registry with Regedit
Adding a Value Entry to a Registry Key
You can use the Registry editors to assign a new value entry to a key or edit the value entry of an existing key. When you do this, the value that you add appears in the data pane of the selected Registry window.
To determine value entries you might add, see the tuning and troubleshooting information in Regentry.hlp, which is included in the Windows NT Workstation Resource Kit CD.
To add a value entry to a Registry key by using Regedt32
To add a value entry to a Registry key by using Regedit
Deleting a Key or a Value Entry
To remove selected keys or value entries from the Registry, you can use the Delete command from the Edit menu or you can press the DELETE key. However, you cannot delete any of the predefined subtrees or change the name of a key.
Caution There is no Undo command for deletions. Registry Editor prompts you to confirm the deletions if Confirm On Delete is selected from the Options menu. When you delete a key, the message does not include the name of the key you are deleting. Check your selection carefully before proceeding. To recover a subkey of HKEY_LOCAL_MACHINE\System\CurrentControlSet, restart the computer. Press the spacebar immediately when you see the message Press spacebar now to invoke Hardware Profile/Last Known Good Menu.
In Regedt32, you can protect the Registry from accidental deletions by using the following methods:
Maintaining the Registry
Windows NT enforces access control on Registry files, so it is difficult for users to accidentally or intentionally damage or delete hives on a running system. While the system is running, hive files are reserved by the system for exclusive access on all file systems. If the Windows NT Systemroot is not on an NTFS volume, the Registry can be tampered with—specifically, users can remove keys for user profiles that are not currently loaded. With NTFS, such tampering can be prevented.
You should plan how to protect the Registry for each computer at your site that runs Windows NT. This section describes how to ensure that you will have working Registry files under most conditions.
For more details about how to ensure recoverability under all conditions, see "Making Sure the System Always Starts" in Chapter 25, "Configuration Management and the Registry."
Maintaining Registry Security
Do not allow a user to log on as a member of the Administrators group unless that individual has specific administrative duties.
You can also opt not to put Regedt32.exe on workstations, because you can easily administer any workstation from a remote computer. And you can place access controls on Regedt32.exe in Windows NT Explorer, which limits the rights of users to start this program.
This section describes the additional steps you can take to protect the Registry:
Protecting Registry Files for User Profiles
You can protect the user profiles in the Registry in the same way that you protect other files in Windows NT—by restricting access through Windows NT Explorer. If the files are stored on an NTFS volume, you can use the security features of Windows NT Explorer to assign permissions for the Registry files or Registry editors. From the File menu, click Properties, then click the Security tab. For details about using these commands, see the Windows NT Explorer Help.
Caution You should change permissions for user profiles only. The permissions for other Registry keys are maintained automatically by the system and should not be changed.
For information about safeguarding files with backups, see "Backing Up and Restoring Registry Hives," later in this chapter.
Assigning Access Rights to Registry Keys
To determine who has access to specific Registry data, set permissions on the Registry keys to specify the users and groups that can have access to that key. (This is sometimes called changing ACLs, in reference to the access control lists that govern who has access to data.) You can also add names to or remove names from the list of users or groups authorized to access the Registry keys.
You can assign access rights to Registry keys regardless of the type of file system on the partition where the Windows NT files are stored.
Caution Changing the permissions to limit access to a Registry key can have severe consequences. If, for example, you set No Access permissions on a key needed for configuration by the Network option in Control Panel, the application will fail.
At a minimum, give Administrators and the System full access to the key, thus ensuring that the system starts and that the Registry key can be repaired by an administrator.
If you change permissions on a Registry key, you should audit that key for failed access attempts. For details, see "Auditing Registry Activities," later in this chapter.
Because assigning permissions on specific keys can have serious consequences, you should reserve this action for keys that you add to accommodate custom applications or other custom settings. After you change permissions on a Registry key, be sure to turn on auditing in User Manager, and then test the system extensively through a variety of activities while logged on under different user and administrative accounts.
In Regedt32, the commands on the Security menu for assigning permission and ownership of keys work in the same way as similar commands for NTFS partitions in Windows NT Explorer for assigning access rights for files and directories. For details about these commands, see Help for the Registry editor.
To assign permissions on a key
As a system administrator, you might need to take ownership of a key to protect access to that key. To take ownership of a Registry key, click Owner on the Security menu, then complete the Ownership dialog box. You add users or groups to the Permissions list by following the same procedure for managing lists of users and groups as you use throughout Windows NT.
You (or any user) can take ownership of any Registry key if you log on to the computer as a member of the Administrators group. However, if an Administrator takes ownership of a key without being assigned full control by its owner, the key cannot be given back to its original owner, and the event is audited.
Auditing Registry Activities
To audit Registry activities, you must complete these separate activities:
For each of these activities, you must be logged on as a member of the Administrators group for the specific computer you are auditing. Auditing policies are set on a per-computer basis. Before you can audit activities in Registry keys, you must turn on security auditing for the computer.
To turn on auditing
You can audit actions for a specific Registry key. For example, you can audit:
To audit user actions for a selected Registry key
To view the results of auditing
Note If you change permissions for any Registry key, you should turn on Auditing in User Manager and specify the Failure auditing option for File And Object Access. Then, if any application is not working because of changes in permissions, you can check the Security event log for details.
Backing Up and Restoring Registry Hives
You might need to restore backed-up versions of Registry hives. This can occur, for example, when a new computer replaces an old one, when a disk controller or hard disk becomes corrupted, or when an electrical failure erases large parts of a disk. This section describes how to back up and restore Registry hives.
How this restoration is done depends on what hardware is available and what file system is in use. You can, of course, restore only what you have backed up.
Important Back up all important files, including system files, frequently and consistently.
Your regular backup routine should include using Disk Administrator to create an uncompressed backup of the System hive. (In Disk Administrator, from the Partition menu, click Configuration, then click Save.) Also, the Emergency Repair Disk includes a compressed version of the System hive. For details, see Disk Administrator Help, and Chapter 20 of this book, "Preparing for and Performing Recovery."
Backing Up Registry Hives
You can make a Registry hive backup in one of four ways:
Restoring Hives from Backup Files
If you have a good set of backup files, which you update regularly, you can restore Registry hives that are damaged or missing.
But you cannot use Registry Editor to fully restore hives, because you must use the ReplaceKey operation to restore active parts of the Registry. Registry Editor cannot perform this operation.
To restore a damaged system, you must first restore the basic operating system installation. To do this, you can use the Emergency Repair Disk to restore your system to its postinstallation status, or you can simply run Windows NT Setup again. If you rerun Setup, the system starts the computer but lacks changes made since you first set it up. You can recover most of those changes if you copy files from backups by using the Windows NT Backup program for tape backups or by copying from disk backups.
Tip To update the Emergency Repair Disk after making changes that affect the Registry, use the Repair Disk Utility (Rdisk.exe), a tool included in Windows NT. If you use the rdisk command alone (no switches), it backs up the System and Software hives only. If you use rdisk /s, it backs up the SAM and Security hives as well. However, if the system includes many user accounts, the file might be too large to fit on the single floppy disk required for the Emergency Repair Disk update process.
However, you cannot merely copy the backups of Registry hive files, because those files are protected while Windows NT is running. So, after the system and all of the additional files such as device drivers are restored, you must restore the Registry. You can do this in one of the following ways, depending on which backup mechanism you used:
Compacting Registry Data
The memory used for the Registry is approximately equal to the size of a hive when it is loaded into memory. Hives vary in size on disk from 20K to more than 500K. The amount of space used depends chiefly on how many local user profiles are retained and how much information is stored in each profile.
You should remove unused or out-of-date user profiles from a computer by using the Delete User Profiles command in Windows NT Setup. (The Setup program protects you from deleting the profile for the currently logged on user.)
You can use the Save Key command to save a user hive to a file, and then use the Restore command to replace the key with this smaller hive. How much space you gain depends on how much was stored in the various user profiles.
This procedure is useful only for user profiles, not for the SAM, Security, Software, or System hives.
Viewing and Printing Registry Data as Text
You can examine the contents of a Registry key as text for troubleshooting. You can save a key as a text file, and you can print data from Registry Editor, including a key, its subkeys, and all of the value entries of all of its subkeys.
The Save Subtree As command on the Registry menu in Regedt32 also works for the HKEY_LOCAL_MACHINE\Hardware key, which you cannot otherwise save in its entirety as a hive file.
To save a Registry key as a text file
To print a Registry key
Summary of Administrative Tools for the Registry
Table 24.2 summarizes the tools provided with Windows NT (in addition to Registry Editor and Windows NT Diagnostics) that you can use to administer the Registry.
Table 24.3 summarizes the tools on the Windows NT Workstation Resource Kit CD that you can use to administer the Registry. For details about these and other utilities provided with the Windows NT Resource Kit, see Rktools.hlp on the Windows NT Workstation Resource Kit CD.