The Windows NT 4.0 Registry

Lance Jensen
Executive Software Technical Support
John Sankey

The Registry is NT's management information system, a unified database containing information about hardware, installed software, and the settings for their use, set up in a tree hierarchy. It is normally maintained by programs such as Control Panel and program installs. However, viewing it can often help to trace a problem, and editing it directly can be very useful in special cases. Introduced with NT, essentially the same structure, and many of the same names, are used in Me (updated 98), 2000 (updated NT), XP and Vista.

Warning: Neither of the authors (nor Microsoft for that matter) accepts any responsibility whatsoever for changes you make directly to a registry. You can easily make a mistake while using the registry editors, and they will not warn you if you do. Editing the registry can disrupt your system to the point where your only option is to re-install Windows. Even if you know exactly what you are doing and are completely certain what the results will be, you should always back up your registry before making any changes, using NTBackup or the Windows NT Resource Kit programs regback.exe and regrest.exe.

The old registry editor regedit.exe has a complete search capability (the new one, regedt32.exe, only searches keys, not values) but regedit cannot be used to edit the new EXPAND_SZ or MULTI_SZ value types or to implement registry auditing. So, you have to use regedit to find values in the Registry, then switch to regedt32 to make these changes. Regedt32 also has a read-only switch (Menu, Options) which is a good safety feature to prevent changes from being made until you are ready for it - regedit doesn't. Hopefully, in NT5 the two teams will get their act together.

Each major set of keys is called a hive. Within each hive there are keys, which may have sub-keys, and sub-sub-keys, and so on. At the lowest level there is a value entry comprised of a name, a data type, and a value. Data types are BINARY (16 bits!), DWORD (4 bytes, displayed in binary, hexadecimal or decimal), SZ (text string), EXPAND_SZ (expandable text string that contains a variable such as %systemroot%), and MULTI_SZ (multiple line string; each "line" is separated by a null). Each hive is rooted at the top of the Registry hierarchy, and most are backed by a main file, a save file and a log file in the folder %systemroot%\system32\config. The main file has no extension, the others have the extensions .sav and .log. Exceptions are LOCAL_MACHINE\HARDWARE, which has no files, and CURRENT_USER, which stores its files in %systemroot%\Profiles\%username%.

The following facts concerning the registry are in the same format as you see them in the registry editors. Setup your browser on one side of the screen, and a registry editor the other, to keep track of things. Q numbers refer to Microsoft Knowledge Base articles.

LOCAL_MACHINE holds information about the local machine, hardware and installed software. It contains five hives:

CURRENT_CONFIG points to LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.


USERS contains the user profiles of all users currently loaded on the system, and of the default user. File names: default, default.sav and default.log This is almost entirely Control Panel data. Basically, these define how Windows NT looks and runs when you are logged in. Each user has a separate tree of entries, so each of the following has to be set for each existing user. Each new user will pick up the default entry to start with.

CURRENT_USER - Points to the USERS entry of the user who is currently active. File names: ntuser.dat and ntuser.dat.log

Version 1.04 - 9 October 2000