The Windows 2000 Registry

Materials:
Working complete PC
Blank Diskette
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"
Objectives:
The student will become familiar with the Windows 2000 Registry including,
The location and identity of the Registry files,
The Windows 2000 Registry editing tools and how to use them,
and how to use the Windows 2000 Backup utility to backup the Registry.
Competency:
The student will learn the nature, function, location, and identity of the Windows 2000 Registry files and how to start and use the Windows 2000 Registry editing tools in order to be able to competently use the operating system and all of its settings, features and fixes many of which are only available through modifying Registry settings. The student will learn how to properly backup and restore the Registry using the Backup Utility.
    The Registry Files

  1. The Windows 2000 registry consists of six files located in the C:\WINDOWS\SYSTEM32\Config folder assuming a normal installation on the C: drive in the default WINDOWS directory. This location is listed in documentation as %SystemRoot%\SYSTEM32\Config. This term %SystemRoot% is the name of the environmental variable that the OS uses in order to locate itself and is what makes Windows capable of being installed on any drive and into a directory with any name. The six registry files are:

  2. In addition to these files as stated already the file NTUSER.DAT holds the users individual settings and can be found in C:\WINDOWS\Profiles\UserName. Note that in Windows XP and Windows Server 2003 there is another file in this folder named USRCLASS.DAT which also holds settings for the HKEY_CURRENT_USER key.

  3. The OS automatically creates some backups of some of the critical registry files. These are found in the same directory (C:\WINDOWS\SYSTEM32\Config):

  4. The other files that are stored here end in the file extension .EVT and if you set up Windows 2000 to keep log files these will be stored here as well and end in .LOG. The .EVT files are event logs but do not store information in plain ASCII text and must be read using the Event Viewer. The .LOG files are stored as plain ASCII text and can be viewed by any text editor or text displaying utility. (Link to Using the Event Viewer and Setting Up Logs pending...)

  5. The main issues concerning the registry in Windows 2000 are the same as they are for Windows 98:

  6. The Registry Editing Tools

  7. There are two independent Registry Editors included in Windows 2000. The first one is very similar to the one included with Windows 98: REGEDIT.EXE. Click Start > Run > "regedit" > OK:



  8. At a casual glance this utility does in fact appear to be the same as the one in Windows 98 but there are very subtle and very important (read: potentially catastrophic) differences that you will have to remember. First, this Registry Editor should NEVER be used to actually edit the Registry in Windows 2000. The Windows 2000 Registry files are significantly different in nature from the Win9x family as far as the storage of values within the databases. This Registry editor can corrupt an entry and therefore should never be used to write to the Registry. It is included because it has a better looking interface than the other one (easier to read) and because it has a much better Find function within the Edit main menu. So this one is used to find a particular value that the user wants to modify and the other is used to modify it.

  9. Minimize this Registry Editor and click Start > Run > "regedt32" > OK. This will open the second Registry Editor included with Windows 2000. This one as you can see has the old style Windows 3.11 looking tree views and it will also fail to find items when you try to search for them. This one however, is capable of properly modifying values because it has been designed specifically to handle all of the new data types that the Windows 2000 Registry database now holds:



  10. The differences between REGEDIT.EXE and REGEDT32.EXE:

    FeatureREGEDITREGEDT32
    16-bit DOS ModeYesNo
    Separate Window for each HiveNoYes
    Search value names and dataYesNo(Keys only)
    Handles complex variable typesNoYes
    Can run in Read-Only ModeNoYes
    Supports security modesNoYes
    Import text REG FilesYesNo
    Import/Export Binary REG FilesNoYes
    Create/Rename/Delete Hive KeysNoYes
    Opens up to last accessed keyYes(ME/W2K/XP)No

  11. With REGEDIT search for "Control Panel" use [F3] until you find the one under .DEFAULT Now click on the "colors" key under this one and then click Registry > Export Registry... Save the file as "logonbackground" and it will automatically give it the .REG file extension and save it into My Documents. Open My Documents and right click on the file and click Edit. Highlight and delete all lines under the keyname except for the one that says: "background"="53 110 165" Save the changes and close Notepad. Now that you know the full path as displayed in REGEDIT's status bar, navigate to this key in REGEDT32. Now open the "colors" key and double click on the "background" value name in the right hand window pane. In the editing box that opens change the values displayed to "80 0 80" then click OK.

  12. The Registry is a database stored in more than one file that is accessed individually by whatever OS subsystem that needs to. Applications access the Registry through a published interface so that the application never actually has to open a particular file like NTUSER.DAT. The application will simply ask the operating system for the data of a specific value or key and the operating system will fetch it for the application. This keeps the Registry from getting corrupted in structure but of course does not keep it from getting filled up with junk value/data pairs.

  13. So the Registry is navigated through the keys similarly to folders within a directory hence the usage of the folder icon to represent them. A key may contain more keys or value/data pairs. What is confusing to the beginning Registry tweaker is that the mere existence of a key within a certain key having a certain name is often the piece of information that a subsystem needs in order to accomplish a desired effect. Likewise the mere existence of a value (name) may be sufficient regardless of its content. And finally the existence of a specific piece of data within a certain key regardless of the value's name may also be the piece of information that is necessary. Traditionally one would expect that a specific piece of data within a specific value name within a specific key would be needed. While this is often true it is not always the case.

  14. The Registry Data Types

  15. The keys therefore are fixed in nature. All keys are created with a "default" or nameless value within them that can be assigned data or be left empty depending on the key and whether a subsystem needs the default value or not. Value (names) are also fixed in nature and can be created within any key. The data type that is stored within a particular value can be one of many different types:

    Type NameData TypeREGEDIT
    REG_ERRORCustomNo
    REG_NULLNull(empty)No
    REG_SZNull terminated fixed size stringYes
    REG_EXPAND_SZsee notes belowNo
    REG_BINARYPure raw binary bytesYes
    REG_DWORD32-bit binary integerYes
    REG_DWORD_LITTLE_ENDIAN32-bit binary numberNo
    REG_DWORD_BIG_ENDIAN32-bit binary integerNo
    REG_LINKSymbolic Unicode LinkNo
    REG_MULTI_SZArray of REG_SZNo
    REG_RESOURCE_LISTSymbolic referenceNo
    REG_FULL_RESOURCE_DESCRIPTORSymbolic referenceNo
    REG_RESOURCE_REQUIREMENTS_LISTSymbolic referenceNo

    In the table above, a "Yes" in the REGEDIT column means that REGEDIT can be used to create data of that type and can be used to edit a value containing this data type safely. A No in the column means that it cannot be used to create a value containing this data type and cannot be safely used to edit a value containing data of this type.

    See Little Endian for a discussion of how these data types are stored in the Registry. A REG_DWORD without additional data typing appears to be stored as a REG_DWORD_LITTLE_ENDIAN. The REG_EXPAND_SZ data type is like this: It may appear that the data reads "%windir%" When an application reads this data it will be delivered "C:\WINDOWS" hence the string will have environmental variables automatically expanded, hence the name. The four types that speak of "Symbolic" mean that the Key name "HKEY_LOCAL_MACHINE\SOFTWARE\Classes" will be replaced by the symbol "^1" for example (not literal just the concept).

  16. Close both registry editors and click Start > Shutdown. Choose Log off as Administrator and click OK. You will be presented with a wonderful "plum" background for the log on box. Log back in and open My Documents. Double-click on the logonbackground.reg file and accept the offer to merge the contents into the Registry. Click OK to the message that the merge was successful. Log off again and the background color should be back to the default color. From this exercise we can see that another function of the old REGEDIT that is still useful is that it will successfully export and import (the merge function when it is not actually open) .REG files as it does in Windows 98.

  17. Backing up and Restoring the Registry

  18. First press [Ctrl]+[Alt]+[Delete] and select "Change Password..." Enter the old password, then the new one and confirm it. For simplicity sake and to avoid forgetting it change it from "admin" to "password" and click OK. Once the system confirms the password change Cancel the task manager launcher to return to the desktop. Now open My Computer > C: drive > WINNT > Repair and observe the size of the SAM file. This file is the system's own backup and until a backup is actually performed the Registry files in this folder will be the ones created during setup. This means that the new password change is not reflected yet in this copy of the SAM file. All files in this folder are locked by the OS and cannot be copied, deleted, opened, etc. This is part of the operating system's security measures. Now open C:\WINNT\System32\Config and observe the reported size of the SAM file here. There should be some discrepancy since the Administrator's password was just changed and the change takes effect immediately meaning that this file holds the new password. This folder contains all of the components of the active working Registry and the Security system's event logs. As such all files in this folder are also completely locked by the OS as well and cannot be accessed except through their proper tools: REGEDIT, Regedt32, Control Panel, and Event Viewer (to name the most important avenues of proper access).

  19. Since the system has locked all of the Registry files and if it is running on the NTFS file system, there would seem to be no way to access these files in order to back them up safely elsewhere to removable media or a network drive. However, there are four methods that can be used to access these files:

  20. WARNING! Do not perform the exercise from steps #14 to #16 if your copy of Windows 2000 is SP4 or later. You will be permanently locked out of the machine and be forced to reinstall! (This includes all versions of Windows XP).

  21. First we will use the Registry Key method of moving the SAM file from its expected location to another location. Since the SAM file contains all of the security information for the system including all users passwords we would expect all security to either be absent after moving it or the OS will simply fail. Upon investigation it has been determined that the system does NOT create a new empty SAM file instead it copies the empty one created at installation time that was saved into the C:\WINNT\Repair folder and then uses it. This one only has the Administrator account (no other users) and the Administrator has no password. After applying Service Pack 4 which apparently has a security fix, Windows 2000 will not allow the Administrator account to logon with a blank password despite the fact that this is the correct password according to the new SAM file. Therefore this exercise will lock the Administrator out if SP4 has been applied or if the installation was a slip stream version.

  22. Open Regedt32 and dig down to the key: HKLM\SYSTEM\CurrentControlSet\Session Manager With this key open add a new value/data pair in the right hand pane and name it PendingFileRenameOperations make it data type REG_MULTI_SZ and then double-click it. In the data editing box that appears type in the following value on the first line:

    \??\C:\WINNT\System32\Config\SAM

    Press [Enter] and type in the following on the second line:

    !\??\C:\Temp\SAM

    Click OK and close Regedt32. Be sure to open My Computer and create the folder Temp in the root of the C: drive. Upon reboot, the instruction will be carried out and the SAM file will be moved from its expected location into the folder C:\Temp. Moments later the system will need the file and discover that it is gone. It was earlier surmised that Windows creates a new empty SAM file; this is NOT the case. What it actually does here is to copy the backup in the C:\WINNT\Repair folder back into the C:\WINNT\System32\Config folder and then uses it. The confusion occurs in the fact that the backups in this folder are created at installation time and the system is not updating the Repair folder when the backup is run as described below so the Repair folder's SAM file has only an Administrator account with no password.

  23. Reopen Regedt32 and create the key again. This time make it copy the original SAM from the Temp folder back to where it belongs. Close Regedt32 and restart the system. Did it work?

  24. This is certainly not the method that Microsoft wants the user to use in order to save the Registry since it is moving the file and forcing the system to use backups in the Repair folder. Microsoft's prefered method of backing up the Registry is to use the Backup Utility. Click Start > Programs > Accessories > System Tools > Backup:



  25. Place a blank floppy diskette in the A: drive and click on Emergency Repair Disk. Place a check in the checkbox on the resultant screen:



  26. This is the operation that Microsoft claims will create a fresh copy of all the Registry files in the System32\Config folder placing the new copies into the Repair folder. Now click OK and the system will place a file called SETUP.LOG on the floppy which is the significant information that the repair utility in the setup disks will try to use to rebuild the critical components of the system. (See Create the Windows 2000 Installation Diskettes) However, the more important event that took place was that the Registry files were also copied to the Repair folder. Open the Repair folder and check the size of the SAM file, then compare this with the size of the file in the System32\Config folder. Addendum! This operation does not appear to work! The system insists on backing up the Registry backups that are already in the Repair folder into the folder C:\WINNT\Repair\Regback These files do not contain the information from the actual Registry.

  27. It appears that the system has no effective native methods with which to backup and/or restore the Registry. To solve this problem alternate access to the drive will be needed. By far the best method is to attach the drive as a slave to another system and then copy the Registry files to a backup folder on the booting system. Then if the system ever fails due to a corrupted or lost Registry then reattach to the other system and boot to that system and copy the files back to the System32\Config folder. The drive that is not booting is dormant and therefore all files are perfectly accessible with no OS locks imposed on them. This partition's OS installation is referred to as being "off-line" in this type of scenario.

  28. Now the Windows 2000 Recovery Console will be used to perform a full and complete registry backup and restore. Once the entire procedure has been performed in the Recovery Console tutorial, then proceed with the following instructions.

  29. Reboot to Windows 2000 and cut and paste the following into Notepad and save it as backup.bat in My Documents and save it to a floppy diskette as well:

    set NoCopyPrompt = TRUE
    COPY C:\DOCUME~1\DEFAUL~1\NTUSER.DAT C:\REGBACK\DEFAULT.DAT 
    COPY C:\DOCUME~1\ADMINI~1\NTUSER.DAT C:\REGBACK\NTUSER.DAT 
    COPY C:\DOCUME~1\ALLUSE~1\NTUSER.POL C:\REGBACK\NTUSER.POL 
    COPY C:\WINNT\SYSTEM32\CONFIG\APPEVENT.EVT C:\REGBACK\APPEVENT.EVT 
    COPY C:\WINNT\SYSTEM32\CONFIG\DEFAULT C:\REGBACK\DEFAULT 
    COPY C:\WINNT\SYSTEM32\CONFIG\DEFAULT.SAV C:\REGBACK\DEFAULT.SAV 
    COPY C:\WINNT\SYSTEM32\CONFIG\SAM C:\REGBACK\SAM 
    COPY C:\WINNT\SYSTEM32\CONFIG\SECEVENT.EVT C:\REGBACK\SECEVENT.EVT 
    COPY C:\WINNT\SYSTEM32\CONFIG\SECURITY C:\REGBACK\SECURITY 
    COPY C:\WINNT\SYSTEM32\CONFIG\SOFTWARE C:\REGBACK\SOFTWARE 
    COPY C:\WINNT\SYSTEM32\CONFIG\SOFTWARE.SAV C:\REGBACK\SOFTWARE.SAV 
    COPY C:\WINNT\SYSTEM32\CONFIG\SYSEVENT.EVT C:\REGBACK\SYSEVENT.EVT 
    COPY C:\WINNT\SYSTEM32\CONFIG\SYSTEM C:\REGBACK\SYSTEM 
    COPY C:\WINNT\SYSTEM32\CONFIG\SYSTEM.ALT C:\REGBACK\SYSTEM.ALT 
    COPY C:\WINNT\SYSTEM32\CONFIG\SYSTEM.SAV C:\REGBACK\SYSTEM.SAV 
    COPY C:\WINNT\SYSTEM32\CONFIG\USERDIFF C:\REGBACK\USERDIFF 
    
  30. Now cut and paste this and save it as restore.bat in My Documents and the same floppy:

    set NoCopyPrompt = TRUE
    COPY C:\REGBACK\DEFAULT.DAT C:\DOCUME~1\DEFAUL~1\NTUSER.DAT
    COPY C:\REGBACK\NTUSER.DAT C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    COPY C:\REGBACK\NTUSER.POL C:\DOCUME~1\ALLUSE~1\NTUSER.POL
    COPY C:\REGBACK\APPEVENT.EVT C:\WINNT\SYSTEM32\CONFIG\APPEVENT.EVT
    COPY C:\REGBACK\DEFAULT C:\WINNT\SYSTEM32\CONFIG\DEFAULT
    COPY C:\REGBACK\DEFAULT.SAV C:\WINNT\SYSTEM32\CONFIG\DEFAULT.SAV
    COPY C:\REGBACK\SAM C:\WINNT\SYSTEM32\CONFIG\SAM
    COPY C:\REGBACK\SECEVENT.EVT C:\WINNT\SYSTEM32\CONFIG\SECEVENT.EVT
    COPY C:\REGBACK\SECURITY C:\WINNT\SYSTEM32\CONFIG\SECURITY
    COPY C:\REGBACK\SOFTWARE C:\WINNT\SYSTEM32\CONFIG\SOFTWARE
    COPY C:\REGBACK\SOFTWARE.SAV C:\WINNT\SYSTEM32\CONFIG\SOFTWARE.SAV
    COPY C:\REGBACK\SYSEVENT.EVT C:\WINNT\SYSTEM32\CONFIG\SYSEVENT.EVT
    COPY C:\REGBACK\SYSTEM C:\WINNT\SYSTEM32\CONFIG\SYSTEM
    COPY C:\REGBACK\SYSTEM.ALT C:\WINNT\SYSTEM32\CONFIG\SYSTEM.ALT
    COPY C:\REGBACK\SYSTEM.SAV C:\WINNT\SYSTEM32\CONFIG\SYSTEM.SAV
    COPY C:\REGBACK\USERDIFF C:\WINNT\SYSTEM32\CONFIG\USERDIFF
    
  31. Now cut and paste the following into notepad and save it as sets.bat in C:\WINNT:

    set AllowWildCards = TRUE
    set AllowAllPaths = TRUE
    set AllowRemovableMedia = TRUE
    
  32. Now start the Recovery Console and when you reach the C:\WINNT prompt type the following:

    C:\WINNT>batch sets.bat



    C:\WINNT>_

  33. Now move to the root and create the folder REGBACK. Insert the floppy that has the batch files on it then launch the backup batch file:

    C:\WINNT>cd \
    C:\>md REGBACK
    C:\>batch a:\backup.bat
      1 file(s) copied.

      1 file(s) copied.

      1 file(s) copied.

      1 file(s) copied.

      ...

    C:\>_

  34. Type Exit to restart the PC and launch Windows. Open the Regback directory and your entire registry should be there. Note that you must rename the file ntuser.dat in each user's "home" directory to their username which was done with the default user in the batch files in this example, and this must be done for all users on the machine so as to preserve their individual registry settings. To restore the registry perform the same process but type "batch a:\restore.bat" instead. This is the only truly reliable method of fully backing up the Registry files without having to take the PC apart that I have been able to find so far!

Back to Top

Copyright©2000-2004 Brian Robinson ALL RIGHTS RESERVED