Windows Registry
An introduction to the registry editor
What is the Windows Registry?
A hierarchical database of computer system settings, hardware configurations, and user preferences. The Windows Registry stores:
- Software settings
- Windows configuration settings
- User profiles
- Password hashes and account settings
Registry Terminology
- The registry is created when Windows boots, using data from several files
- Each file stores one or more hives
- Each hive is made up of keys and subkeys
- Each key has one or more values and value data
Windows Registry
Hives are a logical group of keys, subkeys and values:
1) HKEY_CLASSES_ROOT
2) HKEY_CURRENT_USER
3) HKEY_LOCAL_MACHINE
4) HKEY_USERS
5) HKEY_CURRENT_CONFIG
Windows Registry Hives
HKEY_CLASSES_ROOT (HKCR) - Contains information about file types, filename extensions, and other details related to files.
It tells Windows how to handle different file types, and controls basic interface options like double-clicking and context menus.
HKEY_CURRENT_USER (HKCU) - Contains configuration information about the setup of the person currently logged into Windows.
It controls the desktop, as well as Windows-specific appearance and behavior for that individual user, including screen colors and the arrangement of the desktop.
It also manages the connections to the network and to devices like digital cameras or printers.
HKEY_LOCAL_MACHINE (HKLM) - Contains information about the computer itself, as well as the operating system.
It includes specific details about all hardware, including the keyboard, printer ports, and storage devices. It also has information about security settings, installed software, system startup, drivers, and other services, like the ability to automatically connect to wireless networks.
HKEY_USERS (HKU) - Contains information about every user profile on the system.
HKEY_CURRENT_CONFIG (HKCC) - Contains information about the system's current hardware setup, in the same way that HKEY_CURRENT_USER contains information about whoever is logged into the system at the moment. It has details like the type of hard disk installed in your PC.
Windows Registry
The list of active hives is stored in the registry itself at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
Windows Registry Files
The following table lists the standard hives and their supporting files:
Registry hive - Supporting files
HKEY_CURRENT_CONFIG - System, System.alt, System.log, System.sav
HKEY_CURRENT_USER - Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM - Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security - Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software - Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System - System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT - Default, Default.log, Default.sav
These files are located in %systemroot%\System32\Config; Ntuser.dat is located in each user's profile folder (%userprofile%).
The following table lists the registry file extensions and what they mean:
.alt - A backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file.
.log - A transaction log of changes to the keys and value entries in the hive.
.sav - Copies of the hive files as they looked at the end of the text-mode stage in Setup.
Windows Registry
Value names have data assigned to them.
The data type can be:
- String
- Binary
- DWORD
- Multi-String
- Expandable String
Windows Registry Data Types
Data type: String
A string consists of plain readable text. String values are the most common values used in the Registry. All string values are indicated by an AB icon, which makes sense since the data type is readable text.
There are 3 types of STRING: REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ.
Data type: String (REG_SZ)
This is the main type of string data used in the registry. "YES" or "NO" are common REG_SZ values, as are command line strings such as "C:\Program Files\Outlook Express" or even phrases or complete sentences (like error messages). A string can also consist of numbers. Colors, for example, are usually stated numerically in the registry. Examples of numeric string values are at HKEY_CURRENT_USER\Control Panel\Colors.
Data type: Expandable String (REG_EXPAND_SZ)
This is an "expandable" string value holding a variable. Example: %SystemRoot% and %UserName% are variables that are used to indicate the System folder and the name of the logged-in user. Windows will replace (or EXPAND) the variable with the full path when the command is called. By using a variable, you do not need to know the drive letter the user has Windows installed on.
Data type: Multi-String (REG_MULTI_SZ)
A multiple string array type made up of characters and numbers, used for entering more than one value, each one separated by a NULL character. Example: this multi-string value consists of 4 entries:
eqnclass.dll,CoInstallClass
spxcoins.dll,SpxClassCoInstaller
dgsetup.dll,DigiMultiPortCoInstaller
dgrpsetu.dll,DigiMultiPortCoInstaller
Note: Due to the NULL character being used to separate values, entering these from the keyboard can be difficult. It is often easier to copy an existing multi-string and edit it.
Data type: Binary (REG_BINARY)
Binary is used most commonly with hardware and configuration settings. The data is usually displayed in hex format.
Data type: DWORD (REG_DWORD)
DWORD data types also consist of binary data, but two points distinguish them from binary types:
1. The binary data that can be entered is limited to 32 bits (4 bytes) in length.
2. The binary data can be entered in hexadecimal or decimal format.
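The three encodings above are easy to get wrong by hand, so here is an added example (mine, not from the original slides) that shows what the registry actually stores: it builds and reads back a REG_MULTI_SZ with its NUL separators, expands a REG_EXPAND_SZ the way Windows does (case-insensitive names, unknown variables left alone), and enforces the 32-bit limit on a REG_DWORD. The function names and the env dictionary are assumptions of this example, not Windows APIs; the dword:00000708 text is the MaxCacheTtl value used later on this page.

```python
import re
import struct

# REG_MULTI_SZ: each entry is terminated by a NUL and the whole list by one
# more NUL; on disk the text is UTF-16LE, so every NUL is two zero bytes.
def encode_multi_sz(entries):
    for entry in entries:
        if entry == "" or "\x00" in entry:
            # an empty entry would read back as the end-of-list marker
            raise ValueError("REG_MULTI_SZ entries must be non-empty and NUL-free")
    return ("\x00".join(entries) + "\x00\x00").encode("utf-16-le")

def decode_multi_sz(data):
    text = data.decode("utf-16-le")
    body = text.rstrip("\x00")          # drop the entry and list terminators
    return body.split("\x00") if body else []

# REG_EXPAND_SZ: %NAME% tokens are expanded when the value is read. Windows
# environment names are case-insensitive and unknown tokens are left as-is;
# env is a plain dict standing in for the process environment (constructed
# by the caller rather than read from the OS).
def expand_sz(value, env):
    lookup = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), value)

# REG_DWORD: exactly 32 bits, stored little-endian; a .reg file writes it as
# dword:XXXXXXXX (hex) while regedit's edit dialog can also show decimal.
def dword_bytes(n):
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("REG_DWORD holds only 32 bits")
    return struct.pack("<I", n)

def dword_from_reg_text(text):
    prefix, hexdigits = text.split(":", 1)
    if prefix.lower() != "dword":
        raise ValueError("not a dword: " + text)
    return int(hexdigits, 16)

if __name__ == "__main__":
    raw = encode_multi_sz(["eqnclass.dll,CoInstallClass", "spxcoins.dll,SpxClassCoInstaller"])
    print(raw.hex(" "), decode_multi_sz(raw))
    print(expand_sz(r"%SystemRoot%\system32\regedit.exe", {"SystemRoot": r"C:\Windows"}))
    # the MaxCacheTtl value from the DNS example on this page: 0x708 seconds
    secs = dword_from_reg_text("dword:00000708")
    print(secs, "seconds =", secs // 60, "minutes; stored as", dword_bytes(secs).hex(" "))
```

The rstrip in decode_multi_sz is why an empty entry is rejected on the way in: Windows treats the first empty string as the end of the list, so an entry after it would silently disappear.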
Editing the Windows Registry
Windows comes with a utility called Regedit for editing the registry data:
You can start regedit by going to the Start button, choosing Run and then entering regedit.
The Regedit Edit menu is for creating, renaming and searching the registry data. From the Edit menu, you can create new keys, subkeys, values and data. You can also:
- Modify the permissions to registry elements
- Search for keys, subkeys, values and data
The Regedit File menu is for importing and exporting the registry data. From the File menu, you can import one or many registry keys, subkeys, values and data. You can also:
- Export registry data for backup or copying to another computer
- Load a hive file from another computer or user that is not logged in
Editing the Windows Registry
As an example edit, here is how to change the settings for Internet Explorer so that pop-up windows are allowed from all websites in the *.ncsu.edu domain. The objective is to create a value and data in this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\New Windows\Allow
1. First double click on keys in the HKEY_LOCAL_MACHINE hive until you get to the Microsoft key.
2. Then create keys for Internet Explorer, New Windows and Allow.
3. Then create a String Value called *.ncsu.edu
4. Then enter data of *.ncsu.edu
The finished value and data, written the way a .reg export shows them:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\New Windows\Allow]
"*.ncsu.edu"="*.ncsu.edu"
Editing the Windows Registry
As a second example edit, here is how to change the settings for Remote Desktop so it uses a different port than the default, 3389. The objective is to alter a data value at this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP-Tcp\PortNumber
Backing Up the Windows Registry
Since this key already exists, make a backup of the current values using the File | Export menu. Enter a name for the backup like RDP-orig.
Editing the Windows Registry
1. Double click on PortNumber and select Decimal.
2. Enter a new number, like 3903.
Note: For this change to work, also change the PortNumber in this key:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
This will change RDP to use port 3903 instead of 3389.
Next change the firewall to allow the connections to the new port, 3903. You could use the Windows Firewall configuration tool, but as you might expect, the firewall settings are stored in the registry at these keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
Create a port exception for port TCP 3903:
1. In Regedit, go to this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
2. Create a string value named 3903:TCP
3. Enter value data of 3903:TCP:*:Enabled:Remote Desktop
- Modify the Windows Firewall configuration settings for both the Standard Profile at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- And the Domain Profile at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
- These edits will work with Windows XP and Windows Vista
Importing and Exporting Windows Registry Data
- When you export data with the File | Export option, the data from the selected key or subkey is written to a file with a .reg extension.
Example .reg file to update the Windows Firewall for OfficeScan:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"21264:TCP"="21264:TCP:152.1.7.0/255.255.255.0:Enabled:Trend Micro OfficeScan Listener"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"21264:TCP"="21264:TCP:152.1.7.0/255.255.255.0:Enabled:Trend Micro OfficeScan Listener"
Editing the Windows Registry using .REG files
When you double click or import a .reg file, the settings in the file are copied into the registry keys named in the file. Registry keys and subkeys are created using the tree structure described in the .reg file. The values listed in the .reg file are created and assigned the data given in the .reg file.
If keys or values with the same names already exist, they are replaced with the information in the .reg file.
If the keys already exist, the values in the .reg file are merged with those already in the registry (existing values not named in the file are kept).
It is possible to delete keys or values by placing a minus sign in front of the key name or after the equals sign:
[-HKEY_LOCAL_MACHINE\Software\Test]
[HKEY_LOCAL_MACHINE\Software\Test]
"TestValue"=-
If a key in a .reg file is preceded by a minus sign, the key, its subkeys and value names are deleted. If a ValueName=- line is present in a .reg file, the value name is deleted. To rename a key or value using a .reg file, first delete the item and then add the data with a new name.
To rename a key or value using regedit, select the item, right click and choose Rename.
To avoid the "Are you sure?" prompt when importing, use the /s option in your script:
regedit /s test.reg
Export the registry with this command:
regedit /e full.reg
This would export the full registry to the full.reg file. To export individual registry keys:
regedit /e software.reg "HKEY_LOCAL_MACHINE\Software"
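As an added example (mine, not part of the original slides or of any Windows tool), the following Python models what regedit does on import: it parses .reg text in the format shown above, applies the merge, replace and minus-sign delete rules described in this section, and then audits the GloballyOpenPorts\List entries, flagging any enabled exception whose scope is * (reachable from every remote address) rather than a subnet as in the OfficeScan entry. The sample .reg text is constructed from this page's own entries, the function names are assumptions, and multi-line hex: values are deliberately not handled.

```python
import re

# Constructed sample input: the firewall export shown above, trimmed to the
# Standard Profile list, plus the 3903:TCP exception from the RDP walkthrough.
FIREWALL_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"21264:TCP"="21264:TCP:152.1.7.0/255.255.255.0:Enabled:Trend Micro OfficeScan Listener"
"3903:TCP"="3903:TCP:*:Enabled:Remote Desktop"
'''

# Constructed sample input: a second file that removes the RDP exception with
# the "name"=- syntax and deletes a scratch key with [-key].
CLEANUP_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3903:TCP"=-

[-HKEY_LOCAL_MACHINE\Software\Test]
'''

LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse .reg text into (key, delete_key, {name: data}) entries.
    data is str for "..." (REG_SZ), int for dword:, None for the "name"=- marker.
    Multi-line hex: data is not handled by this model."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version"):
        raise ValueError("missing .reg header line")
    entries, current = [], None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = (m.group(2), m.group(1) == "-", {})
            entries.append(current)
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError("unrecognised line: " + line)
        name = _unescape(m.group(1)) if m.group(1) is not None else ""  # @ is the default value
        raw = m.group(2)
        if raw == "-":
            data = None
        elif raw.lower().startswith("dword:"):
            data = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            data = _unescape(raw[1:-1])
        else:
            raise ValueError("unsupported data: " + raw)
        current[2][name] = data
    return entries

def apply_reg(registry, text):
    """Merge .reg text into registry, a dict {key: {value_name: data}}.
    Key and value names are case-folded because the real registry compares
    them case-insensitively."""
    for key, delete_key, values in parse_reg(text):
        k = key.casefold()
        if delete_key:
            # [-key] removes the key, every subkey and all of their values
            for existing in [e for e in registry if e == k or e.startswith(k + "\\")]:
                del registry[existing]
            continue
        bucket = registry.setdefault(k, {})  # existing values not named here survive
        for name, data in values.items():
            if data is None:
                bucket.pop(name.casefold(), None)  # "name"=- deletes the value
            else:
                bucket[name.casefold()] = data  # same name: data is replaced
    return registry

def parse_port_exception(data):
    """Split 'port:protocol:scope:state:name' as stored under GloballyOpenPorts\\List."""
    port, proto, scope, state, name = data.split(":", 4)
    return {"port": int(port), "proto": proto, "scope": scope,
            "enabled": state == "Enabled", "name": name}

def open_to_any_address(registry):
    """Names of enabled exceptions whose scope is '*', i.e. reachable from any
    remote address; compare the OfficeScan entry, which is scoped to one subnet."""
    flagged = []
    for data in registry.get(LIST_KEY.casefold(), {}).values():
        entry = parse_port_exception(data)
        if entry["enabled"] and entry["scope"] == "*":
            flagged.append(entry["name"])
    return flagged

if __name__ == "__main__":
    reg = apply_reg({}, FIREWALL_REG)
    print("open to any address:", open_to_any_address(reg))
    apply_reg(reg, CLEANUP_REG)
    print("after cleanup:", open_to_any_address(reg))
```

The [-key] test in apply_reg matches the key itself and anything under it with a trailing backslash, so deleting Software\Test leaves a sibling such as Software\Testing alone, which is the behaviour an import has.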
Searching the Windows Registry
If you need to find occurrences of a particular string in registry key names, values or data, use the Edit | Find menu of regedit.exe:
- The search will start from the highlighted position and go downward in the registry window
- You may need to select My Computer to search through all hives
If you need to replace all occurrences of a registry string with another string, you may be able to accomplish this by:
1. Exporting the keys to a .REG file
2. Searching and replacing the strings in the text file with a text editor
3. Importing the .REG file
There are also third party utilities to do this, such as:
- Registry Toolkit from https://www.funduc.com
- Registry Search + Replace (also from funduc.com)
Beware that there are lots of "Registry Cleaner" type programs that are trojans.
Finding settings in the Windows Registry can be difficult due to the fact that there is no standard naming convention for registry keys, values and data. The website jsiinc.com was a good online resource for finding what registry keys control a setting. You may find search engine results that refer to jsiinc.com; these are usually very helpful. The JSI website is still available on the internet archive site, web.archive.org. The Microsoft knowledge base is also a good source for clues about what registry keys do.
Registry Permissions
Like files and directories, Registry keys have security permissions to control who can view, alter and delete registry data
You can view/change the permissions for a key by selecting the key and using the Edit | Permissions menu
The general permissions are Read, Full Control and Special Permissions. These Special Permissions can be configured using the Advanced button:
Permission - Definition
QV Query Value - allows assigned user or group to read the settings of a value entry located in the Registry
SV Set Value - allows assigned user or group to set the value of a value entry located in the subkey
CS Create Subkey - allows assigned user or group to create a subkey located in this selected subkey
ES Enumerate Subkeys - allows assigned user or group to identify all the subkeys in the selected subkey
NT Notify - allows assigned user or group to receive audit notifications from this subkey
DE Delete - allows assigned user or group the right to delete the subkey
WD Write DAC - allows assigned user or group the right to read the discretionary access control list for the selected subkey
CL Create Link - allows assigned user or group to create a symbolic link to this subkey
WO Write Owner - allows assigned user or group the right to take ownership of the subkey
RC Read Control - allows assigned user or group the right to read the access control list
When a key is created, it inherits its permissions from its parent key. As with files and directories, it is possible to set the permissions of a key different from its parent key and to break the inheritance of permissions if needed. Values do not have permissions; only keys and subkeys have permissions.
Since password hashes and other security data are stored in the SAM hive, keys in the SAM hive have special permissions. You must run regedit as the SYSTEM user to view the SAM hive. Start a SYSTEM shell with:
at 22:08 /interactive c:\windows\regedit.exe
where 22:08 is a time a minute or more in the future and Windows is installed at c:\windows. At the time specified in the command, regedit will run and you will be able to see the SAM information on the computer.
Notice the Administrator has no access; only the SYSTEM user is supposed to read SAM information.
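The Special Permissions abbreviations in the table above are bits in a key's access mask. As an added example (not from the slides), this Python decodes a mask into those abbreviations, shows how the general Read and Full Control permissions are built from them, and flags ACEs that give a principal outside the privileged set the rights to modify a key, which is the check worth running on a startup key's DACL. The bit values are the KEY_* and standard-rights constants from winnt.h; the sample DACL, principal names and function names are constructed for this example.

```python
# Registry access-mask bits, as defined in winnt.h, keyed by the abbreviations
# regedit shows in its Special Permissions view (the table above).
KEY_RIGHTS = {
    "QV": 0x00000001,  # KEY_QUERY_VALUE
    "SV": 0x00000002,  # KEY_SET_VALUE
    "CS": 0x00000004,  # KEY_CREATE_SUB_KEY
    "ES": 0x00000008,  # KEY_ENUMERATE_SUB_KEYS
    "NT": 0x00000010,  # KEY_NOTIFY
    "CL": 0x00000020,  # KEY_CREATE_LINK
    "DE": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC: change the key's DACL
    "WO": 0x00080000,  # WRITE_OWNER
}
# The two "general" permissions are combinations of the bits above.
KEY_READ = 0x20019        # RC | QV | ES | NT
KEY_WRITE = 0x20006       # RC | SV | CS
KEY_ALL_ACCESS = 0xF003F  # every bit in KEY_RIGHTS ("Full Control")

# Rights that let a principal change the key or its protection.
MODIFYING = {"SV", "CS", "CL", "DE", "WD", "WO"}

def decode_mask(mask):
    """Abbreviations for the rights set in an access mask, in table order.
    Generic rights (GENERIC_READ and friends) are not mapped here."""
    return [abbr for abbr, bit in KEY_RIGHTS.items() if mask & bit]

def mask_from_abbrs(abbrs):
    """Inverse of decode_mask: the mask for the boxes ticked in the dialog."""
    mask = 0
    for abbr in abbrs:
        mask |= KEY_RIGHTS[abbr]  # KeyError on an unknown abbreviation
    return mask

def can_modify(mask):
    return any(abbr in MODIFYING for abbr in decode_mask(mask))

def audit_aces(aces, privileged):
    """Return (principal, rights) for every allow ACE that lets a principal
    outside the privileged set modify the key; on a Run key that principal
    controls what starts at logon."""
    findings = []
    for principal, mask in aces:
        if principal not in privileged and can_modify(mask):
            findings.append((principal, decode_mask(mask)))
    return findings

# Constructed sample DACL for a Run key: the last ACE is the weak one.
SAMPLE_ACES = [
    ("NT AUTHORITY\\SYSTEM", KEY_ALL_ACCESS),
    ("BUILTIN\\Administrators", KEY_ALL_ACCESS),
    ("BUILTIN\\Users", KEY_READ),
    ("Everyone", KEY_WRITE),
]
PRIVILEGED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}

if __name__ == "__main__":
    print("Read  =", decode_mask(KEY_READ))
    print("Write =", decode_mask(KEY_WRITE))
    print("Weak ACEs:", audit_aces(SAMPLE_ACES, PRIVILEGED))
```

Read Control (RC) appears in both KEY_READ and KEY_WRITE because both include STANDARD_RIGHTS_READ/WRITE, which is READ_CONTROL; it is not counted as a modifying right.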
Useful Registry Edits
Here are some things you can change with Registry edits:
Alter the DNS cache time from the default of 1 day to 30 minutes:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"MaxCacheTtl"=dword:00000708
Turn on file name completion in the DOS window:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]
"CompletionChar"=dword:00000009
"EnableExtensions"=dword:00000001
"PathCompletionChar"=dword:00000040
Disable Dynamic DNS in the TCP/IP Parameters:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DisableDynamicUpdate"=dword:00000001
"DisableReverseAddressRegistrations"=dword:00000001
Find a list of programs that run at startup in these Run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Load
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Load
The values of these keys and others that control startup programs are listed on the Startup tab of the msconfig utility. However, you cannot change them from that program. If you see a "path not found" or "file not found" error at login, it may be because one of the Run key values has the wrong filename or directory. This can be corrected with Regedit.
The uninstall path for applications is stored at:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
If you are having trouble getting the uninstaller to run, perhaps because a drive letter or a directory name changed, you can fix the problem by editing the path in the Uninstall key.
Windows can synchronize time with the government NIST time server. Enter the name of the time server in the following key:
HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProvider\NtpClient\NtpServer = hostname, 0x1
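The "path not found" error at login described above comes from a Run key value whose program is no longer where the value says. As an added example that is not part of the original slides, this Python takes a constructed set of Run values and a constructed list of files that exist, works out which program each command line would start (the text inside the quotes for a quoted path, or the successive-prefix probing Windows applies to an unquoted path containing spaces), and reports the entries that would fail. The value data, file list and function names are all assumptions; reading the real keys with winreg and testing with os.path.exists is left out so the example runs anywhere.

```python
import re

# Constructed sample: value data as it appears under the Run keys listed above.
RUN_VALUES = {
    "SecurityAgent": r'"C:\Program Files\Example Vendor\agent.exe" /background',
    "OldUpdater": r"C:\OldApps\updater.exe /quiet",
    "Notepad": r"%SystemRoot%\system32\notepad.exe",
    "LegacyAgent": r"C:\Program Files\Example Vendor\agent.exe /background",
}
# Constructed stand-in for the file system: case-folded paths that exist.
PRESENT = {
    r"c:\program files\example vendor\agent.exe",
    r"c:\windows\system32\notepad.exe",
}
# Constructed environment; Run values are REG_EXPAND_SZ-style strings in practice.
ENV = {"SystemRoot": r"C:\Windows"}

def expand_env(value, env):
    """Expand %NAME% tokens case-insensitively; unknown tokens are left as-is."""
    lookup = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), value)

def resolve_program(command, present, env):
    """Return (program path, exists) for a Run-key command line.
    A quoted command names its program exactly. An unquoted one is ambiguous
    when the path contains spaces: Windows tries successively longer
    space-delimited prefixes until one is an existing file, and this mirrors
    that against the constructed file set."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in: " + command)
        candidates = [command[1:end]]
    else:
        parts = command.split(" ")
        candidates = [" ".join(parts[:i]) for i in range(1, len(parts) + 1)]
    for candidate in candidates:
        path = expand_env(candidate, env)
        if path.casefold() in present:
            return path, True
    # nothing matched: report the first token, the most likely intended program
    return expand_env(candidates[0], env), False

def broken_run_entries(values, present, env):
    """(value name, program) for every entry whose program cannot be found."""
    missing = []
    for name, command in values.items():
        program, exists = resolve_program(command, present, env)
        if not exists:
            missing.append((name, program))
    return missing

if __name__ == "__main__":
    for name, program in broken_run_entries(RUN_VALUES, PRESENT, ENV):
        print("Run value", name, "points at a missing program:", program)
```

The LegacyAgent entry resolves only because the probing finds the third prefix; quoting the path, as the SecurityAgent entry does, removes that ambiguity and is the form to prefer when you fix an entry in regedit.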
Registry Forensics
The registry stores all kinds of information about how Windows is being used and what a user is doing when logged in. The registry stores:
- List of terms entered into the Windows File Search tool
- History of commands entered in the Start | Run menu choice
- History of mapped drives
- History of mounted USB devices (cameras, flash drives, printers)
- Recent file lists for Microsoft Word, Excel, PowerPoint, Access, and WordPad
- URLs typed into Internet Explorer, Windows Media Player and Firefox
- Internet Explorer saved passwords and URL pairs
- List of wireless networks used
- Other information listed at: http://windowsxp.mvps.org/RegistryMRU.htm
The registry also stores a list of all applications run on the computer and a count of how many times each was launched. This includes applications run by double-clicking on a document, shortcut or Control Panel applet. Along with the count mentioned above, the registry stores the last time the application was run. Using this information, it is possible to see what program was launched, when it was launched and how many times it was launched. For a list of registry keys and how to read them, see: http://www.forensicswiki.org/wiki/Windows_Registry
Loading Offline Registry Hives
The Windows Registry is stored in several files located in the Windows folders and in users' profile space.
There are also backups of the registry in Windows restore points, located in the \System Volume Information folder.
Registry backups have the word _REGISTRY_ in the file name. These hive files can be loaded into regedit.
Here is how to load a hive from a file:
1. Run regedit and select the HKEY_LOCAL_MACHINE hive to activate the Load Hive menu.
2. After selecting Load Hive, browse to the hive file and open it.
3. When prompted for a Key Name, enter something to describe the hive.
Here an ntuser.dat file has been loaded with the Key Name default-user. The hive will show up in regedit under the HKEY_LOCAL_MACHINE hive.
If you make changes to the loaded hive and want to save them:
1. Select the Key Name of the loaded hive (default-user in the example above)
2. Choose File | Unload Hive
Registry Backup Tools
There are several ways to back up the registry:
One way is to copy the files (SAM, Security, Software, System and Default) from the \Windows\system32\config directory. These cannot be copied when Windows is running, but can be copied from the Recovery Console.
A second way to make a registry backup is to manually create a Windows restore point.
To create a restore point in Windows XP:
1. Click Start, click Run, type %SystemRoot%\system32\restore\rstrui.exe, and then click OK.
2. On the Welcome to System Restore page, click Create a restore point, and then click Next.
3. On the Create a Restore Point page, type a name for the restore point and then click Create.
4. After the restore point has been created, click Close.
To restore the registry in Windows XP:
1. Click Start, click Run, type %SystemRoot%\System32\Restore\Rstrui.exe, and then click OK.
2. On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next.
3. On the Select a Restore Point page, click the system checkpoint. In the On this list, select the restore point area, click an entry that is named "Guided Help (Registry Backup)," and then click Next. If a System Restore message appears that lists configuration changes that System Restore will make, click OK.
4. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration and then restarts the computer.
5. Log on to the computer. When the System Restore confirmation page appears, click OK.
To back up the registry in Windows Vista using a restore point:
1. Click Start, type systempropertiesprotection in the Start Search box, and then press ENTER.
2. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
3. Wait for Windows to search for available disks and most recent restore points.
4. In the System Properties dialog box, on the System Protection tab, click Create.
5. Type a name for the restore point and then click Create. After the restore point has been created successfully, click OK two times.
Note: If System Restore is turned off, click to select the local disk, click Apply and then click Create.
To restore the registry in Windows Vista using a restore point:
1. Click Start, type systempropertiesprotection in the Start Search box, and then press ENTER.
2. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
3. In the System Properties dialog box, on the System Protection tab, click System Restore.
4. In the System Restore dialog box, select Choose a different restore point, and then click Next.
5. Select the restore point that you want to use, and then click Next.
6. Confirm your restore point, and then click Finish. System Restore restores the selected Windows Vista configuration and then restarts the computer.
7. Log on to the computer. When the System Restore confirmation page appears, click OK.
Another way to back up the registry is to make a System State backup and then restore it to an alternate location.
When you restore the System State backup, you can restore to the running system (this is the default) or to an alternate location. If you want to edit or view the registry copy, restore to an alternate location.
Note: There is a copy of the registry from the last System State backup in \Windows\Repair.