Your Friend and Mine: The Windows Registry

What is the Registry?
► Think of it as a giant 411 switchboard
► Simple idea of centralized one-stop shopping for all of Windows' needs
► Everything else is a GUI for it:
   Windows Control Panel
   File Associations
   Startup Folder
► Information about WHAT and WHERE things are, but not specifics on HOW to run them

Why Edit the Registry?
► Registry is the ULTIMATE authority
► Editing it directly allows greater control over what Windows does
► Allows control over some features that don't have a GUI
► When things go bad…

Editing the Registry: The Choice is Simple
► Regedit.exe
   Designed for single user registries.
   Cleaner interface
   Available in all supported versions of Windows
► Regedt32.exe
   Designed primarily for networked registries
   Available in Windows 2000, and NT
   Merged with regedit.exe in Windows XP

Registry Basics
► Keys and Subkeys (Folders)
► Reg_Dword (Numbers)
   Hexadecimal (decimal)
   ► 0x0000001 (1)
   True = 1, False = 0
► Reg_SZ (String)
   Stores strings (paths to files, etc.)
   Can be encrypted

Backup First!!
► The registry stores everything that Windows knows about the computer… let that sink in.
► Backup first!
► File => Export or File => Backup
► "Scanreg /backup" and System Restore
► MISTAKE = FORMAT!

Organization of the Registry
[Diagram: Registry (Hkey) branching into ClassesRoot, Current User, LocalMachine, Users and CurrentConfig]

The forgotten one - HKey_Current_Config\
► Stores temporary information about computer's settings
► Barely implemented
► \Microsoft\Windows\CurrentVersion\InternetSettings (proxy enable)

The User Database
► Personalized Settings for Windows
   Themes
   Accessibility
   Preferences
► The Cycle - DB
► Saved on Exit
► Edit only Current_User
[Diagram: HKey_Users containing All Users (2k/Me/XP) and Current User]

Important Stuff in HKCU
► AppEvents = Themes (Event Sounds)
► ControlPanel = duh!
   ► Screen Saver
   ► Desktop
► Software = User Preferences
   ► \Microsoft\Office\x.y\ (office prefs)
► These keys are usually system safe to delete

Hkey_Classes_Root: What should I do with that?
► Handles file extensions/associations and links to methods
► Choose what opens with what (remove old apps)
   Who wins with multiple apps
   .mp3 => MMJB.mp3 and mp3file
► .EXE's + Viruses
[Diagram: .mp3 (values: (Default), ContentType, OpenWithList) linking to MMJB.mp3 (Icon, Command) and a second entry (Icon, Command)]
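
The lookup chain on this slide (.mp3 => ProgID => Command), run over a File => Export dump, as an added example that is not part of the original slides: it parses the exported text, decodes Reg_SZ and Reg_Dword values, resolves which command opens an extension, and checks that .exe still has its stock handler. The sample export, its install path and the EditFlags value are constructed; the parser assumes the export is already decoded to text and skips value types other than string and dword.

```python
import re
# Constructed sample in the File => Export (.reg) text format; values are illustrative.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.mp3]
@="MMJB.mp3"

[HKEY_CLASSES_ROOT\MMJB.mp3]
"EditFlags"=dword:00010000

[HKEY_CLASSES_ROOT\MMJB.mp3\shell\open\command]
@="\"C:\\Program Files\\MMJB\\mmjb.exe\" \"%1\""

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

ROOT = "hkey_classes_root\\"
STOCK_EXE_COMMAND = '"%1" %*'  # Windows default for exefile\shell\open\command

def parse_reg(text):
    """Return {lowercased key path: {value name: data}}; name '' is (Default)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue
        # Strip the quotes from the name; '@'[1:-1] is '', i.e. (Default).
        name, raw = m.group(1)[1:-1], m.group(2)
        if raw.startswith("dword:"):       # REG_DWORD, written as hex digits
            current[name] = int(raw[6:], 16)
        elif raw.startswith('"'):          # REG_SZ, with \\ and \" escaped
            current[name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
    return keys

def resolve_handler(keys, ext):
    """Follow extension -> ProgID -> shell\\open\\command (Default) value."""
    progid = keys.get(ROOT + ext.lower(), {}).get("")
    cmd_key = ROOT + (progid or "").lower() + "\\shell\\open\\command"
    return (progid, keys.get(cmd_key, {}).get("")) if progid else (None, None)

def exe_association_ok(keys):
    """True only if .exe still maps to exefile with the stock open command."""
    return resolve_handler(keys, ".exe") == ("exefile", STOCK_EXE_COMMAND)
```

Comparing `resolve_handler` output from an export taken before an edit with one taken after shows exactly which association changed.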

Hkey_Local_Machine
[Diagram: HKey_Local_Machine branching into Software, System and Hardware; labels beneath: \Microsoft\Windows, Applications, Control Sets/HW Profiles]
► Software - Application Settings
► System - Control Sets
   Control Sets = Windows HW Profiles
► Otherwise leave it alone!

\CurrentControlSet
► \Enum\ – same as Device Mgr
► \Control\Class - Driver Database
► HKLM\System\CurrentControlSet\Services
   This is the source of a lot of errors
► \Services\VxD
   Those pesky VxD's are stored here

\Software\Microsoft\Windows\CurrentVersion
► /AppPath – points to registered apps
► /Run/ vs /Run-/
► /Setup/
   Change install path
   Finding CD keys (shhh!)

Registry Tricks
► Backup first!
► If you can't find it – Search!
► Copy to regedit.com if you're infected by virus.
► www.regedit.com for more info