Overview of the Windows Registry

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The registry is a hierarchical database that stores the values of variables in Windows and the applications and services that run on Windows. The operating system and other programs also use the registry to store data about users and about the current configuration of the system and its components. Because the registry is available whenever the system is running, programs that start and stop can keep persistent data in the registry.

Structure of the Registry

Much of the registry consists of nested containers known as subtrees, keys, and subkeys, which are like folders. The actual data is stored in the registry entries, the lowest level element in the registry. The entries are like files. The series of nested containers make up a path to each entry. Because entry names are unique only within a path, entries are referenced by their full registry path and name.

The following figure shows the registry of a typical computer, as viewed with the registry editor Regedit.exe. The figure shows the terminology that this reference uses to refer to different parts of the registry.

Subtree

Subtrees are the root, or primary divisions, of the registry.

The Windows Server 2003 registry is divided into five subtrees. Subtrees themselves do not contain configuration data; they contain the keys, subkeys, and entries in which the data is stored.

Click the name of a subtree to see its description:

Key

Keys are the next level down from subtree, which contain at least one subkey (for example, Hardware Key). Some subtrees do not have keys.

Subkey

Subkeys are the next level down from keys or subtrees (if the subtree has no keys). Subkeys store entries and other subkeys.

Entry

Entries are the lowest-level element in the registry. They appear in the right pane of the registry editor window. Each entry consists of the entry name, its Data Types in the Registry (which defines the length and format of data that the entry can store), and a field known as the value of the registry entry. Data is stored in the value. Entries are referenced by their registry path and name.

Entries store the actual configuration data for the operating system and the programs that run on the system. As such, they are different from subtrees, keys, and subkeys, which are merely containers.

Hive Files

The permanent parts of the registry are stored as a set of files called the hive files. You can find a list of locations for these files in the hivelist subkey in HKLM\SYSTEM\CurrentControlSet\Control. These files are saved in systemroot\System32\Config and updated with each login. They consist of the following files, which store four of the five keys in HKEY_LOCAL_MACHINE and one key in HKEY_USERS:

  • SAM Contains information stored in the key HKLM\SAM about the Security Accounts Manager (SAM) service.

  • SECURITY Contains the security information stored in the key HKLM\SECURITY.

  • SOFTWARE Contains information stored in the key HKLM\SOFTWARE about the computer's software configuration.

  • SYSTEM Contains information stored in the HKLM\SYSTEM about the computer's system configuration.

  • DEFAULT Contains the default system information that is stored in the key HKEY_USERS\.DEFAULT.

HKEY_LOCAL_MACHINE\HARDWARE is not stored as a file, because it is recreated each time the system starts.

Variability of the Registry

No two registries are exactly alike. Because the registry stores data about the hardware and software that is installed on and available to your computer, the values of many registry entries are specific to the computer and its current configuration. In addition, some of the registry content is created anew each time you start the operating system or log on. As a result, many changes to the registry are lost when you restart the computer, or when you log off and log on again.

The location of registry entries can change. Entries for programs sometimes move when the program is updated. Some programs move entire sections of the registry to a new location when a service or feature is enabled.

Because of the variability of the registry, it is not prudent to refer directly to a registry entry in any program or script. If you do, the program or script might not operate correctly with future versions of the operating system. To retrieve, add, delete, or change a registry entry, use the standard Win32 application programming interfaces (APIs). The APIs are updated with each version of the system to find the data you need.

How Registry Data is Used

Programs store many types of data in registry entries. Typically, programs use standard Win32 APIs to retrieve data from the registry. The program specifies an entry by its path and name, and the API returns the value of the entry. Programs also use standard APIs to add and delete registry content, and to change the values of registry entries.

After it retrieves and reads the data in the value of an entry, each program interprets the data and implements its result independently, depending on how the program is written. For example, a value of 1 might indicate to a program that an optional feature is enabled or disabled, or it might force the program to wait for one millisecond or one day before taking action. A file location stored in a registry entry might tell the program where to find a file, or it might instruct the program to move the file to the specified location.

Windows Server 2003 operating system components and programs use the registry in the following ways:

  • Setup Both the Windows Server 2003 Setup program and other setup programs (for programs or hardware) add configuration data to the registry. For example, new information is added when you install a new SCSI adapter or change the settings for your display. Setup also reads information from the registry to determine if the prerequisite components are installed.

  • Recognizer Each time you start the computer, the recognizer places hardware configuration data in the registry. This data includes a list of hardware detected in your system. Hardware detection is done by the hardware recognizer (Ntdetect.com) and the Windows Server 2003 kernel (Ntoskrnl.exe) programs.

  • Kernel During system startup, the kernel extracts information from the registry, such as which device drivers to load and their load order. The kernel also passes information about itself (such as its version number) to the registry.

  • Device drivers Device drivers send and receive load parameters and configuration data from the registry. A device driver must report the system resources that it uses, such as hardware interrupts and DMA channels, so that the system can add this information to the registry. Programs and device drivers can access this registry information to provide users with smart installation and configuration programs.

Because programs are so variable, it is very difficult to predict how a specific program will interpret the registry data. It is important to remember that the registry belongs to programs, not to users. Therefore, unless you are very familiar with the program or the registry entry, do not attempt to modify the registry.

Users and the Registry

Most users never need to view or edit the registry. The administrative tools and Windows interface enable users to safely change their preferences and the services and features of the operating system. However, in rare instances, the only way to change an operating system variable is by editing the registry. For more information, see Editing the Registry.

For More Information About the Registry

The registry topics in Help and Support Center for Windows Server 2003 provide essential background information, including procedures for viewing and editing the registry. Also see the Windows Deployment and Resource Kits Web site link below.