The Windows Registry 3

 

 

 

 

 

Registry Hives

 

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data. Each time a new user logs on to a computer, a new hive is created for that user with a separate file for the user profile. This is called the user profile hive. A user's hive contains specific registry information pertaining to the user's application settings, desktop, environment, network connections, and printers. User profile hives are located under the HKEY_USERS key.

Registry files have the following two formats: standard and latest. The standard format is the only format supported by Windows 2000. It is also supported by later versions of Windows for backward compatibility. The latest format is supported starting with Windows XP. On versions of Windows that support the latest format, the following hives still use the standard format:

  1. HKEY_CURRENT_USER
  2. HKEY_LOCAL_MACHINE\SAM
  3. HKEY_LOCAL_MACHINE\Security
  4. HKEY_USERS\.DEFAULT

 

All other hives use the latest format. Most of the supporting files for the hives are in the %SystemRoot%\System32\Config directory. These files are updated each time a user logs on. The file name extensions of the files in these directories, or in some cases a lack of an extension, indicate the type of data they contain. The following table lists these extensions along with a description of the data in the file.

 

| Extension | Description |
|-----------|-------------|
| none | A complete copy of the hive data. |
| .alt | A backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file. |
| .log | A transaction log of changes to the keys and value entries in the hive. |
| .sav | Copies of the hive files as they looked at the end of the text-mode stage in Setup. Setup has two stages: text mode and graphics mode. The hive is copied to a .sav file after the text-mode stage of setup to protect it from errors that might occur if the graphics-mode stage of setup fails. If setup fails during the graphics-mode stage, only the graphics-mode stage is repeated when the computer is restarted; the .sav file is used to restore the hive data. |

 

The following table lists the standard hives and their supporting files.

 

| Registry hive | Supporting files |
|---------------|------------------|
| HKEY_CURRENT_CONFIG | System, System.alt, System.log, System.sav |
| HKEY_CURRENT_USER | Ntuser.dat, Ntuser.dat.log |
| HKEY_LOCAL_MACHINE\SAM | Sam, Sam.log, Sam.sav |
| HKEY_LOCAL_MACHINE\Security | Security, Security.log, Security.sav |
| HKEY_LOCAL_MACHINE\Software | Software, Software.log, Software.sav |
| HKEY_LOCAL_MACHINE\System | System, System.alt, System.log, System.sav |
| HKEY_USERS\.DEFAULT | Default, Default.log, Default.sav |

 

A list of all active hives can be found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

 


 

HKEY_LOCAL_MACHINE\HARDWARE has no corresponding file because it is a volatile key that is created (and built) by the kernel at system start.
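The two tables above can be applied to a file listing collected from a system, for example to see which supporting files of each standard hive are present and which are absent. The following is an added example, not code from the original page; the function names and the sample listing are constructed for illustration.

```python
import os

# Extension -> role, transcribed from the page's extension table ("" = no extension).
ROLES = {
    "": "complete copy",
    ".alt": "backup copy",
    ".log": "transaction log",
    ".sav": "copy from end of text-mode Setup",
}

# Hive -> supporting files, transcribed from the page's standard-hive table.
STANDARD_HIVES = {
    r"HKEY_CURRENT_CONFIG": ["System", "System.alt", "System.log", "System.sav"],
    r"HKEY_CURRENT_USER": ["Ntuser.dat", "Ntuser.dat.log"],
    r"HKEY_LOCAL_MACHINE\SAM": ["Sam", "Sam.log", "Sam.sav"],
    r"HKEY_LOCAL_MACHINE\Security": ["Security", "Security.log", "Security.sav"],
    r"HKEY_LOCAL_MACHINE\Software": ["Software", "Software.log", "Software.sav"],
    r"HKEY_LOCAL_MACHINE\System": ["System", "System.alt", "System.log", "System.sav"],
    r"HKEY_USERS\.DEFAULT": ["Default", "Default.log", "Default.sav"],
}

# Constructed sample: file names as they might appear in a collected listing.
LISTING = ["SYSTEM", "SYSTEM.LOG", "SOFTWARE", "SOFTWARE.LOG", "software.sav",
           "SAM", "SAM.LOG", "SECURITY", "DEFAULT", "default.sav",
           "NTUSER.DAT", "ntuser.dat.LOG", "userdiff"]

def classify(filename):
    """Return (hive file name, role); Windows file names compare case-insensitively."""
    stem, ext = os.path.splitext(filename)
    if ext and ext.lower() in ROLES:
        return stem.lower(), ROLES[ext.lower()]
    # No role extension (e.g. "SYSTEM", "Ntuser.dat"): the file is the hive itself.
    return filename.lower(), ROLES[""]

def inventory(filenames):
    """Map each standard hive to the supporting files found in, and missing from, a listing."""
    seen = {name.lower(): name for name in filenames}
    report = {}
    for hive, expected in STANDARD_HIVES.items():
        present = {seen[e.lower()]: classify(e)[1] for e in expected if e.lower() in seen}
        missing = [e for e in expected if e.lower() not in seen]
        report[hive] = {"present": present, "missing": missing}
    return report

def unlisted(filenames):
    """Files in the listing that the page's standard-hive table does not account for."""
    known = {e.lower() for files in STANDARD_HIVES.values() for e in files}
    return [n for n in filenames if n.lower() not in known]
```

HKEY_LOCAL_MACHINE\HARDWARE is deliberately absent from the mapping because, as noted above, it has no corresponding file.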

 

 

 

 
