The Windows Registry 5

 

 

 

 

 

Registry Files

 

Applications can save part of the registry in a file and then load the contents of the file back into the registry. A registry file is useful when a large amount of data is being manipulated, when many entries are being made in the registry, or when the data is transitory and must be loaded and then unloaded again. Applications that back up and restore parts of the registry are likely to use registry files. To save a key and its subkeys and values to a registry file, an application can call the RegSaveKey() or RegSaveKeyEx() function. RegSaveKey() and RegSaveKeyEx() create the file with the archive attribute. The file is created in the current directory of the process for a local key, and in the %systemroot%\system32 directory for a remote key.

As mentioned before, registry files have the following two formats: standard and latest. The standard format is the only format supported by Windows 2000. It is also supported by later versions of Windows for backward compatibility. RegSaveKey() creates files in the standard format. The latest format is supported starting with Windows XP. Registry files that are created in this format cannot be loaded on Windows 2000. RegSaveKeyEx() can save registry files in either format by specifying either REG_STANDARD_FORMAT or REG_LATEST_FORMAT. Therefore, it can be used to convert registry files that use the standard format to the latest format. To write the registry file back to the registry, an application can use the RegLoadKey(), RegReplaceKey(), or RegRestoreKey() functions as follows.

 

  1. RegLoadKey() loads registry data from a specified file into a specified subkey under HKEY_USERS or HKEY_LOCAL_MACHINE on the calling application's computer or on a remote computer. The function creates the specified subkey if it does not already exist. After calling this function, an application can use the RegUnLoadKey() function to restore the registry to its previous state.
  2. RegReplaceKey() replaces a key and all its subkeys and values in the registry with the data contained in a specified file. The new data takes effect the next time the system is started.
  3. RegRestoreKey() loads registry data from a specified file into a specified key on the calling application's computer or on a remote computer. This function replaces the subkeys and values below the specified key with the subkeys and values that follow the top-level key in the file.

 

The RegConnectRegistry() function establishes a connection to a predefined registry handle on another computer. An application uses this function primarily to access information from a remote registry on other machines in a network environment, which you can also do by using the Registry Editor. You might want to access a remote registry to back up a registry or regulate network access to it. Note that you must have appropriate permissions to access a remote registry using this function.

 

Registry Key Security and Access Rights

 

The Windows security model enables you to control access to registry keys. You can specify a security descriptor for a registry key when you call the RegCreateKeyEx() or RegSetKeySecurity() function. If you specify NULL, the key gets a default security descriptor. The ACLs in a default security descriptor for a key are inherited from its direct parent key. In order to get the security descriptor of a registry key, call the GetNamedSecurityInfo() or GetSecurityInfo() function. The valid access rights for registry keys include the DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Registry keys do not support the SYNCHRONIZE standard access right. The following table lists the specific access rights for registry key objects.

 

String Constant (Value)

Meaning

KEY_ALL_ACCESS (0xF003F)

Combines the STANDARD_RIGHTS_REQUIRED, KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, and KEY_CREATE_LINK access rights.

KEY_CREATE_LINK (0x0020)

Reserved for system use.

KEY_CREATE_SUB_KEY (0x0004)

Required to create a subkey of a registry key.

KEY_ENUMERATE_SUB_KEYS (0x0008)

Required to enumerate the subkeys of a registry key.

KEY_EXECUTE (0x20019)

Equivalent to KEY_READ.

KEY_NOTIFY (0x0010)

Required to request change notifications for a registry key or for subkeys of a registry key.

KEY_QUERY_VALUE (0x0001)

Required to query the values of a registry key.

KEY_READ (0x20019)

Combines the STANDARD_RIGHTS_READ, KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS, and KEY_NOTIFY values.

KEY_SET_VALUE (0x0002)

Required to create, delete, or set a registry value.

KEY_WOW64_32KEY (0x0200)

Indicates that an application on 64-bit Windows should operate on the 32-bit registry view.

This flag must be combined using the OR operator with the other flags in this table that either query or access registry values. Windows 2000:  This flag is not supported.

KEY_WOW64_64KEY (0x0100)

Indicates that an application on 64-bit Windows should operate on the 64-bit registry view.

This flag must be combined using the OR operator with the other flags in this table that either query or access registry values. Windows 2000:  This flag is not supported.

KEY_WRITE (0x20006)

Combines the STANDARD_RIGHTS_WRITE, KEY_SET_VALUE, and KEY_CREATE_SUB_KEY access rights.

 

When you call the RegOpenKeyEx() function, the system checks the requested access rights against the key's security descriptor. If the user does not have the correct access to the registry key, the open operation fails. If an administrator needs access to the key, the solution is to enable the SE_TAKE_OWNERSHIP_NAME privilege and open the registry key with WRITE_OWNER access. You can request the ACCESS_SYSTEM_SECURITY access right to a registry key if you want to read or write the key's system access control list (SACL). To view the current access rights for a key, including the predefined keys, use the Registry Editor (Regedt32.exe). After navigating to the desired key, go to the Edit menu and select Permissions.

 

32-bit and 64-bit Application Data in the Registry

 

On 64-bit Windows, portions of the registry entries are stored separately for 32-bit application and 64-bit applications and mapped into separate logical registry views using the registry redirector and registry reflection, because the 64-bit version of an application may use different registry keys and values than the 32-bit version. There are also shared registry keys that are not redirected or reflected. The parent of each 64-bit registry node is the Image-Specific Node or ISN. The registry redirector transparently directs an application's registry access to the appropriate ISN subnode. Redirection subnodes in the registry tree are created automatically by the WOW64 component using the name Wow6432Node. As a result, it is essential not to name any registry key you create Wow6432Node.

The KEY_WOW64_64KEY and KEY_WOW64_32KEY flags enable explicit access to the 64-bit registry view and the 32-bit view, respectively. To disable and enable registry reflection for a particular key, use the RegDisableReflectionKey() and RegEnableReflectionKey() functions. Applications should disable reflection only for the registry keys that they create and not attempt to disable reflection for the predefined keys such as HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER. To determine which keys are on the reflection list, use the RegQueryReflectionKey() function.

 

 

 

 

< Windows Registry 4 | Windows Registry Index | Win32 Programming | Windows Registry 6 >