Windows Registry
The Windows Registry (in French, "base de registre") is a database used by the Windows operating system. It holds the configuration data of the operating system itself and of the installed programs that choose to store their settings in it. Microsoft now prefers the term Windows Registry for this database.
Users usually modify the registry without seeing it, through a graphical interface. Where no graphical interface is provided, the Regedit tool must be used; in that case there is no guardrail: the tool performs no validation whatsoever of the values the user changes.
History
From the .ini files of Windows 3.x to the current registry
The registry appeared in Windows 3.x, but it was then very limited and used exclusively to associate a file type (a file extension) with the application able to open or display it. In 1993, with the first version of Windows NT, it was extended into a full hierarchy of keys and values. The on-disk storage of the database is divided into files called hives; one hive corresponds to one file. The registry was then included in Windows 95, in 1995. This configuration database replaced most of the numerous .ini files of Windows 3.x and its predecessors (as of 2005, the best-known survivor is boot.ini).
From the SAM of Windows NT to Active Directory in Windows 2000
One of the largest parts of the registry under Windows NT and its successors is the SAM (Security Account Manager). It holds, among other things, the password hashes of local accounts; under Windows NT, by default, these stored hashes were not encrypted. Under Windows NT 4 the registry served both for local users and for domain controllers. From Windows 2000 on, domain controllers rely on Active Directory rather than on the SAM.
Microsoft's syskey utility for securing the SAM
The default protection of the SAM under Windows NT was particularly weak. From Service Pack 3 of Windows NT, Microsoft's syskey utility lets an administrator strengthen the encryption of the stored password hashes. The password hash itself (the NT hash) is an MD4 digest of the password; syskey does not change that hash function but adds an encryption layer over the stored hashes, keyed from a system key (MD5 appears in the derivation of that encryption key, not as the password hash, which is the origin of the claim sometimes seen that Microsoft "moved to MD5").
As of 2005, syskey is still relevant on the latest versions of Windows: Windows Server 2003 and Windows XP (32-bit or Itanium 64-bit).
NT's rdisk and its disappearance in later versions
rdisk.exe on Windows NT 4 could back up the registry to a single 1.44 MB floppy disk. The utility is no longer included in later versions of Windows because the registry has grown larger than a floppy.
To back up the registry one can use Microsoft's ntbackup.exe (copyright Microsoft and Veritas Software Corporation) by ticking the box "All information on this computer"; the backup file has the extension .BKF. By default the output device is the floppy drive (1.44 MB), which is far too small; another destination must be chosen (a 1 GB USB key or similar).
The regedit utility
Until Windows 2000 there were two slightly different utilities for editing the registry, regedit and regedt32. regedit was more user-friendly, whereas regedt32 allowed finer operations such as editing key permissions. With Windows XP, Microsoft merged the two: both commands now start the same tool.
The current graphical interface of Microsoft's regedit allows:
- modifying the registry;
- assigning specific permissions on registry keys; the permissions dialog is similar to the one used for NTFS permissions.
Recent version of regedit: 5.1 (build 2600, Service Pack 2) for Windows XP.
The regmaid and scanreg utilities from Microsoft
Microsoft's regmaid and scanreg utilities were created to solve specific problems. They are presumably obsolete with the latest versions of Windows.
Location of the registry files
Under Windows Server 2003, Windows XP, Windows 2000 and Windows NT
By default, the following hive files are stored in the directory %SystemRoot%\System32\Config:
- SAM (Security Account Manager)
- Security
- Software
- System
- Default (the .DEFAULT user profile, visible in the hivelist example below)
Information about a user is stored in the directory designated by the environment variable %UserProfile%. For example, for a user whose login is "dupont", %UserProfile% is by default "C:\Documents and Settings\dupont". There is one NTUSER.DAT hive file per user (plus a UsrClass.dat for the per-user Classes hive, as the hivelist example shows).
The directory %SystemRoot%\repair contains a backup copy of the registry, which Windows uses in certain recovery situations. In addition, under Windows XP, System Restore stores its registry copies in the \System Volume Information directory of the system disk.
Log files (.LOG extension) and backup files (.SAV extension) are used internally by Windows to survive untimely power cuts or any other abrupt shutdown, so that a hive is never left half-written.
The on-disk locations of the hives loaded at the last boot are listed under the hivelist key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist.
Here is a typical example of the contents of hivelist (value name = value data; in a regedit export the backslashes appear doubled):
- \REGISTRY\MACHINE\HARDWARE = "" (no backing file: this hive is rebuilt in memory at each boot)
- \REGISTRY\MACHINE\SECURITY = \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
- \REGISTRY\MACHINE\SOFTWARE = \Device\HarddiskVolume1\WINDOWS\system32\config\software
- \REGISTRY\MACHINE\SYSTEM = \Device\HarddiskVolume1\WINDOWS\system32\config\system
- \REGISTRY\USER\.DEFAULT = \Device\HarddiskVolume1\WINDOWS\system32\config\default
- \REGISTRY\MACHINE\SAM = \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
- \REGISTRY\USER\S-1-5-20 = \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
- \REGISTRY\USER\S-1-5-20_Classes = \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- \REGISTRY\USER\S-1-5-19 = \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
- \REGISTRY\USER\S-1-5-19_Classes = \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- \REGISTRY\USER\S-1-5-21-123456789-1234567890-123456789-500 = \Device\HarddiskVolume1\Documents and Settings\Administrator\ntuser.dat
- \REGISTRY\USER\S-1-5-21-123456789-1234567890-123456789-500_Classes = \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
S-1-5-19 and S-1-5-20 are the well-known SIDs of the LocalService and NetworkService accounts; in the domain-style SID, the relative identifier 500 at the end designates the built-in Administrator account (the machine-specific digits shown here are a placeholder).
Under Windows 95 and 98: location of the registry files
The files containing the registry are User.dat and System.dat; their default directory is \Windows.
Under Windows Me: location of the registry files
The files containing the registry are User.dat, System.dat and Classes.dat; their default directory is \Windows.
Contents of the registry
The two root HKEYs
The registry is divided into logical sections. They are generally known by the names displayed when one browses it through the Windows graphical interface; these names all begin with HKEY (an abbreviation of Handle to a KEY). The two fundamental HKEYs are:
- HKEY_LOCAL_MACHINE (HKLM) contains information common to all users of the computer:
  - Hardware
  - Security
  - SAM (Security Account Manager)
  - Software; its Classes subkey corresponds to HKEY_CLASSES_ROOT
  - System; it contains in particular the CurrentControlSet subkey (CurrentControlSet\Control\Class holds information on device classes)
- HKEY_USERS contains information specific to each user. The subkey corresponding to the logged-on user is the equivalent of HKEY_CURRENT_USER.
The five other HKEYs are:
- HKEY_CURRENT_CONFIG contains information updated in real time; it is regenerated at each boot (it is a view of the current hardware profile stored under HKLM).
- HKEY_CLASSES_ROOT (HKCR) contains information on registered applications; this includes, among other things, the associations between file extensions and OLE object class identifiers, which allow the corresponding executable to be launched automatically. It corresponds to HKEY_LOCAL_MACHINE\SOFTWARE\Classes (merged, since Windows 2000, with the per-user HKEY_CURRENT_USER\Software\Classes). Example: ".bat" is associated with "batfile" and ".xml" with "xmlfile".
- HKEY_CURRENT_USER (HKCU) contains information about the logged-on user. It is merely a subkey of HKEY_USERS.
- HKEY_PERFORMANCE_DATA, generated dynamically (regedit does not display it).
- HKEY_DYN_DATA, generated dynamically (regedit does not display it; it exists only on Windows 9x).
Value types
Each key can contain typed values; there are about fifteen type names (twelve distinct type codes, since the _LITTLE_ENDIAN names are aliases):
- 1) REG_BINARY: binary data; can be created with regedit
- 2) REG_DWORD: 32-bit integer; can be created with regedit
- 3) REG_DWORD_BIG_ENDIAN: 32-bit integer stored most-significant byte first (see Endianness)
- 4) REG_DWORD_LITTLE_ENDIAN: alias of REG_DWORD, the native layout on x86
- 5) REG_QWORD: 64-bit integer
- 6) REG_QWORD_LITTLE_ENDIAN: alias of REG_QWORD (there is no big-endian QWORD type, despite what some lists claim)
- 7) REG_SZ: simple string; can be created with regedit
- 8) REG_EXPAND_SZ: expandable string, which may contain environment variables such as %SystemRoot% that are expanded when read; can be created with regedit
- 9) REG_MULTI_SZ: multi-string (a list of strings); can be created with regedit
- 10) REG_NONE: untyped data
- Resource types, used mainly by the HARDWARE hive:
  - 11) REG_RESOURCE_LIST
  - 12) REG_RESOURCE_REQUIREMENTS_LIST
  - 13) REG_FULL_RESOURCE_DESCRIPTOR
- 14) REG_LINK: symbolic link to another key
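The following Python example, added here and not taken from the article or from any Microsoft code, decodes raw value data by type the way a hive parser or a forensic tool has to: UTF-16LE strings with their NUL terminator, the double-NUL-terminated REG_MULTI_SZ, the two DWORD byte orders (reading a little-endian DWORD as big-endian silently yields a wrong number), and the %VARIABLE% expansion of REG_EXPAND_SZ against a caller-supplied environment. The type codes are the numeric values from winnt.h; the sample bytes used in the test are constructed for the demonstration.

```python
"""Decode raw registry value data according to its REG_* type.

Added example, not code from the article or from Microsoft. The type codes
are the numeric values from winnt.h; the data passed in is laid out as it
is in a hive file or as returned by RegQueryValueEx.
"""
import struct

REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY = 0, 1, 2, 3
REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ = 4, 5, 6, 7
REG_QWORD = 11   # REG_QWORD_LITTLE_ENDIAN is the same code; there is no big-endian QWORD
# REG_DWORD_LITTLE_ENDIAN is likewise an alias of REG_DWORD (4).


def _utf16z(data):
    """Decode a NUL-terminated UTF-16LE string; tolerate a missing terminator."""
    return data.decode("utf-16-le", "replace").split("\x00", 1)[0]


def expand_env(text, env):
    """Expand %NAME% references the way ExpandEnvironmentStrings does:
    names are case-insensitive and unknown names are left as written."""
    lookup = {k.lower(): v for k, v in env.items()}
    out, i = [], 0
    while i < len(text):
        j = text.find("%", i + 1) if text[i] == "%" else -1
        if j > i + 1 and text[i + 1:j].lower() in lookup:
            out.append(lookup[text[i + 1:j].lower()])
            i = j + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def decode_value(vtype, data, env=None):
    """Return a Python object for raw value data of type vtype."""
    if vtype in (REG_SZ, REG_LINK):
        return _utf16z(data)
    if vtype == REG_EXPAND_SZ:
        return expand_env(_utf16z(data), env or {})
    if vtype == REG_MULTI_SZ:
        parts = data.decode("utf-16-le", "replace").split("\x00")
        while parts and parts[-1] == "":
            parts.pop()                 # the list ends with an extra NUL
        return parts
    if vtype == REG_DWORD:
        return struct.unpack("<I", data[:4])[0]
    if vtype == REG_DWORD_BIG_ENDIAN:
        return struct.unpack(">I", data[:4])[0]
    if vtype == REG_QWORD:
        return struct.unpack("<Q", data[:8])[0]
    return bytes(data)                  # REG_BINARY, REG_NONE, resource lists: opaque
```

The environment is passed in explicitly rather than read from os.environ so that an export taken from another machine expands against that machine's %SystemRoot%, not the analyst's.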
GUIDs (and CLSIDs)
A great many keys and values are displayed by regedit in a format like {3F2504E0-4F89-11D3-9A0C-0305E82C3301}. This is the GUID format (Globally Unique Identifier), a 16-byte value; a CLSID (the class identifier of a COM/OLE object) is a GUID used as the name of a key under Classes\CLSID.
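The 16 bytes of a GUID are not stored in the order the braces string suggests: the first three fields are little-endian in memory and in hive files, the last eight bytes are in order. The following Python example, added here and not part of the article, converts in both directions and cross-checks the manual layout against the standard library; the GUID used in the test is the one shown above.

```python
"""GUID / CLSID: the 16 bytes behind {3F2504E0-4F89-11D3-9A0C-0305E82C3301}.

Added example, not code from the article. The first three fields of a GUID
are stored little-endian, the last eight bytes in order, so the raw bytes
do not read in the same order as the string regedit displays.
"""
import struct
import uuid


def guid_to_string(raw):
    """Render 16 raw GUID bytes the way regedit displays them."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    d1, d2, d3 = struct.unpack("<IHH", raw[:8])   # Data1..Data3: little-endian
    tail = raw[8:].hex().upper()                   # Data4: byte order preserved
    return "{%08X-%04X-%04X-%s-%s}" % (d1, d2, d3, tail[:4], tail[4:])


def string_to_guid(text):
    """Parse a {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} string into its 16 bytes."""
    parts = text.strip().strip("{}").split("-")
    if [len(p) for p in parts] != [8, 4, 4, 4, 12]:
        raise ValueError("not a GUID: " + text)
    return (struct.pack("<IHH", *(int(p, 16) for p in parts[:3]))
            + bytes.fromhex(parts[3] + parts[4]))


def cross_check(text):
    """Confirm the manual layout against uuid.UUID's bytes_le handling."""
    return uuid.UUID(bytes_le=string_to_guid(text)) == uuid.UUID(text.strip("{}"))
```

This matters when carving CLSIDs out of a raw hive or a binary value: searching for the ASCII string of the GUID finds nothing, the byte pattern produced by string_to_guid does.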
Programming
C language
winreg.h (pulled in by windows.h) declares the registry API for C: RegOpenKeyEx, RegQueryValueEx, RegSetValueEx, RegCloseKey and related functions.
C# language
In C#, the registry is read and modified through the Microsoft.Win32.Registry and RegistryKey classes; the main methods are:
- CreateSubKey
- OpenSubKey and Close
- GetValue and SetValue
Java language
Java has no standard registry API. JNDI is sometimes cited for this purpose, but it is a naming and directory interface (LDAP, DNS and the like), not a registry binding; in practice a Java program touches the registry indirectly through java.util.prefs.Preferences, whose Windows implementation stores its data under HKEY_CURRENT_USER\Software\JavaSoft\Prefs, or through a native (JNI) library.
Upper and lower case
Key and value names are not case-sensitive. Value data, however, is stored exactly as typed, and many programs compare it case-sensitively, contrary to what is usual under Windows: the data "no" and "No" can produce very different results.
Spaces in key names
The space character (" ") can be used in key and value names, although this is rare (example: the optional value "Use Search Asst").
Security notes
The Remote Registry service
Among the Windows services there is a "Remote Registry" service (RemoteRegistry). It allows the registry not only to be read but also to be modified from a remote machine. For security reasons it is advisable to set its startup type to "Disabled"; the two other possible values, "Manual" and "Automatic", are discouraged. This service is one of those hosted by the command "svchost.exe -k LocalService" (a Service Host process running under the Local Service account). It relies on the RPC (Remote Procedure Call) service. Checking that this service is really disabled belongs in any hardening baseline, since while it runs any account granted remote access can enumerate the registry over the network and, with sufficient rights, rewrite it.
Microsoft's syskey for securing the SAM, as of 2005
Microsoft's syskey utility is recommended to protect against someone with physical access to the room where the PC stands. As of 2005 it is still relevant on the latest versions of Windows: Windows Server 2003 and Windows XP (32-bit or Itanium 64-bit). The stored hashes remain MD4-based NT hashes; what syskey adds is an encryption layer over them, not a change of hash function.
Comparison with Unix (and GNU/Linux)
Configuration files of Windows and Unix
The contents of the Windows registry correspond to the files of the etc directories of Unix or Linux. The Windows system is more powerful in one respect: it uses indexed binary hive files, which allow optimised access to the information in the database, and its structure makes a multi-user configuration possible transparently.
Unix, on the other hand, uses plain text files, which can contain comments explaining each parameter. Moreover, each parameter can be modified with a simple text editor.
One may also note that registry parameters are sometimes in binary or hexadecimal form, which can make modification difficult.
In practice, the Windows registry resembles an over-engineered contraption (an "usine à gaz"), whereas under Unix there are separate configuration files for each program. If a registry hive file becomes corrupted, restoring the data is more delicate than under Unix, where the configuration of installed programs is spread over many files.
How to repair a configuration error on each of the two operating systems
After a configuration error, rolling back is possible under Windows: Windows automatically saves the registry in what it calls a restore point.
- For a non-blocking problem, the user can run rstrui.exe in graphical mode to return to one of the earlier restore points. This utility is offered by default when booting in safe mode.
- For a blocking problem, the user can revert to the Last Known Good Configuration.
- By booting from the Windows installation CD-ROM, one can reach the Windows Recovery Console, a command-line mode for desperate cases.
Under Unix (or Linux), there is no automatic backup of configuration files. If the user makes a mistake in one of the configuration files, he may have to drop to the lowest init level (single-user mode), and in any case will have to correct the configuration files with a basic text editor.
GConf, of the GNOME graphical interface
GConf is the equivalent of the registry for applications based on GNOME (one of the open-source desktop environments). Data are stored in XML format. Changes are made through a daemon. There is a graphical tool equivalent to regedit (gconf-editor).
The license is the LGPL.
ODM, the registry of AIX
The AIX operating system also has a registry equivalent, called ODM (Object Data Manager).
The Elektra project, a registry for Linux
The aim of Avi Alkalay's Elektra project is to centralise all configuration parameters under Linux in a single structure; it is the equivalent of the registry under Linux. The two possible storage formats (backends) are XML (the same format as GConf) and Berkeley DB. Changes are made directly, without going through a daemon.
The Elektra project is under the BSD license; it is hosted on SourceForge.
NetInfo of Mac OS X
On Mac OS X, the equivalent of the registry is the NetInfo database.
Utilities
Utilities to back up / restore the registry
- rstrui.exe from Microsoft
In the Windows XP graphical interface it is called "System Restore" by default and lives under Accessories/System Tools, not among the administrative tools.
- Microsoft's regedit can back up and restore the registry, in part or in full:
  - through the graphical interface
  - or on the command line, with regedit /e C:\SAVE_REGISTRY.reg (an optional key path after the file name limits the export to that subtree)
- It is also possible to use Microsoft's ntbackup.exe (copyright Microsoft and Veritas Software Corporation).
- The freeware Erunt (Emergency Recovery Utility NT); the latest version dates from the second quarter of 2005. Author: Lars Hederer.
Command-line utilities to modify the registry
Microsoft's command-line utility REGINI.EXE modifies the registry from a file in an INI-like format (editable with any text editor, Notepad or other). Microsoft's REGEDIT can also be used from the command line with the /s option; the file of changes to apply must then be in .REG format, and /s suppresses the confirmation dialog, which is what makes it usable from scripts.
Microsoft's RSTRUI.EXE can also be used from the command line. With the MAKEFIRSTRESTOREPOINT parameter, this tool also creates a restore point.
REGSVR32.EXE registers a DLL in the registry: it loads the DLL and calls its DllRegisterServer export, which writes the COM class entries (the /u option calls DllUnregisterServer instead).
The shareware RegAlyzer: an improved REGEDIT
RegAlyzer is a shareware comparable to REGEDIT: it offers a graphical interface for modifying the registry. It adds functionality, notably for searching character strings; examples:
- a search with RegAlyzer returns a list, whereas with REGEDIT one has to step through each hit one by one;
- the wildcard characters '*' and '?' can be used.
Caution: by default, the search is case-sensitive.
Utilities that remove spyware from the registry
See the Spyware article.
Utilities to remove unused registry entries
There are also programs to remove unused entries from the registry. Microsoft's regclean is presumably obsolete: it dates from December 1997.
Other examples of software in this field:
- RegSupreme
- RegCleaner (not to be confused with Microsoft's RegClean)
- EasyCleaner by ToniArts
- CleanMyPC Registry Cleaner
- RegSeeker by Hover Inc.
- CCleaner
Utilities to compact or optimise the registry
Examples:
- Registry Defragmenter & Compactor by Acelogix
- the freeware ntregopt (NT Registry Optimizer); author: Lars Hederer
Utilities to log registry changes
It can be useful to log changes made to the registry:
- either once, after installing a piece of software,
- or continuously.
Examples of software:
- RegSnap by ShareUp
- WineXposeRegistry
- Active Registry Monitor
- Advanced Registry Tracer by Elcomsoft
- Regmon (Registry Monitor) by Sysinternals
Emulators for the registry
Some Windows emulators make it possible to run tests against the registry. Examples of emulators:
- WINE under Linux
- VPC (Virtual PC) by Microsoft
For instance, to test an executable of doubtful origin, one runs it inside the emulator and then examines which parts of the registry it modified (by comparing an export taken before the run with one taken after). If the executable turns out to be dangerous, it is enough to stop the emulator and restart it from the clean image, and everything is back to normal.
- See Registry in WINE
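The following Python example, added here and not code from the article, from Microsoft or from any of the tools listed, ties together three passages above: it parses the text format that regedit /e writes and regedit /s imports, compares a "before" and an "after" export the way the change-logging utilities and the "run it in an emulator, then see what changed" test do, and reads the Start value of the RemoteRegistry service key to report whether the service is Disabled as the security note recommends. Python is used because this is offline analysis of exported files, not a call into the Windows API. The two exports are constructed for the demonstration; the "after" one differs from the "before" one by the service being switched to Automatic and a new Run entry (the file name updater.exe is invented). Version 5.00 exports are UTF-16 on disk, so read them with open(path, encoding="utf-16") before passing the text in; REGEDIT4 exports are ANSI.

```python
"""Parse regedit exports (.reg), diff two snapshots, audit a service.

Added example, not code from the article or from Microsoft: it reads the
text format that `regedit /e` writes and `regedit /s` imports, compares a
"before" and an "after" export the way a registry-change logger (or a test
run in a VM) would, and reports the Remote Registry service's start type.
The two exports below are constructed for the demonstration.
"""
import re

REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry"
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

def _unescape(s):
    """Undo .reg escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)

def _split_line(line):
    """'"name"=data' or '@=data' -> (name, data); '' is the key's default value."""
    if line.startswith("@="):
        return "", line[2:]
    i = 1
    while i < len(line) and line[i] != '"':
        i += 2 if line[i] == "\\" else 1          # skip escaped characters
    if line[0] != '"' or line[i + 1:i + 2] != "=":
        raise ValueError("malformed value line: " + line)
    return _unescape(line[1:i]), line[i + 2:]

def _parse_data(rhs):
    """Decode the right-hand side of a value line into (type, python value)."""
    if rhs == "-":
        return None                                 # "name"=- deletes the value on import
    if len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
        return REG_SZ, _unescape(rhs[1:-1])
    if rhs.startswith("dword:"):
        return REG_DWORD, int(rhs[6:], 16)
    if not rhs.startswith("hex"):
        raise ValueError("unrecognised data: " + rhs)
    head, _, body = rhs.partition(":")
    vtype = REG_BINARY if head == "hex" else int(head[4:-1], 16)   # hex(2), hex(7), hex(b)...
    raw = bytes.fromhex(body.replace(",", ""))
    if vtype in (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ):
        parts = raw.decode("utf-16-le", "replace").split("\x00")
        while parts and parts[-1] == "":
            parts.pop()                             # trailing NUL terminator(s)
        return vtype, (parts if vtype == REG_MULTI_SZ else (parts[0] if parts else ""))
    return vtype, raw                               # REG_BINARY and other types: opaque bytes

def parse_reg(text):
    """Return {key_path: {value_name: (type, data) or None}} for a .reg text."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if lines and lines[-1].endswith("\\"):       # hex data continued on the next line
            lines[-1] = lines[-1][:-1] + line
        else:
            lines.append(line)
    keys, current = {}, None
    for line in lines:
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]                     # a leading '-' here means "delete this key"
            keys.setdefault(current, {})
        elif current is None:
            raise ValueError("value line before any [key] header: " + line)
        else:
            name, rhs = _split_line(line)
            keys[current][name] = _parse_data(rhs)
    return keys

def diff_snapshots(before, after):
    """List (change, key, value_name, old, new) tuples between two parsed exports."""
    flat = lambda snap: {(k, n): v for k, vals in snap.items() for n, v in vals.items()}
    fb, fa = flat(before), flat(after)
    changes = []
    for k in sorted(set(fb) | set(fa)):
        if k not in fb:
            changes.append(("added", k[0], k[1], None, fa[k]))
        elif k not in fa:
            changes.append(("removed", k[0], k[1], fb[k], None))
        elif fb[k] != fa[k]:
            changes.append(("changed", k[0], k[1], fb[k], fa[k]))
    return changes

def remote_registry_start(snapshot):
    """Start type of the Remote Registry service, or None if its key is absent."""
    start = snapshot.get(SERVICE_KEY, {}).get("Start")
    return None if start is None else START_TYPES.get(start[1], "unknown(%d)" % start[1])

# Constructed "before" export: RemoteRegistry disabled, an empty Run key.
BEFORE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,\
  20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
  00,00
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
'''
# Constructed "after" export: service switched to Automatic, a Run entry added (invented name).
AFTER_EXPORT = BEFORE_EXPORT.replace("dword:00000004", "dword:00000002") + \
    r'"updater"="C:\\Temp\\updater.exe"' + "\n"
```

The diff is computed on decoded values rather than on raw lines, so a re-export that merely reorders values or re-wraps hex continuation lines produces no false changes; only genuine additions, removals and data changes are reported, which is what one wants when deciding whether a tested executable touched an autostart key or a service's startup type.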
Other tools
- RegVac
- Advanced Doctor Pro
- jv16
- RegRun
- Spy Studio, to monitor registry activity
- syskey from Microsoft, to secure the SAM (Security Account Manager); see the preceding sections
- Registry Repair Pro
- TuneUp Utilities by TuneUp Software GmbH