Registry

Critical hierarchical database storing low-level settings for the OS, installed programs and user accounts.

https://learn.microsoft.com/en-us/windows/win32/sysinfo/structure-of-the-registry

The tree structure consists of top-level folders (root keys) containing subfolders (subkeys), which in turn hold the named entries (values) that store the actual data.

Root keys all start with HKEY.

The value types (and what each one stores) are:

  • REG_BINARY: Binary data in any form.

  • REG_DWORD: A 32-bit number.

  • REG_DWORD_LITTLE_ENDIAN: A 32-bit number in little-endian format. Windows is designed to run on little-endian computer architectures, so this type is defined as REG_DWORD in the Windows header files.

  • REG_DWORD_BIG_ENDIAN: A 32-bit number in big-endian format. Some UNIX systems support big-endian architectures.

  • REG_EXPAND_SZ: A null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%"). It will be a Unicode or ANSI string depending on whether you use the Unicode or ANSI functions. To expand the environment variable references, use the ExpandEnvironmentStrings function.

  • REG_LINK: A null-terminated Unicode string containing the target path of a symbolic link created by calling the RegCreateKeyEx function with REG_OPTION_CREATE_LINK.

  • REG_MULTI_SZ: A sequence of null-terminated strings, terminated by an empty string (\0). For example: String1\0String2\0String3\0LastString\0\0. The first \0 terminates the first string, the second-to-last \0 terminates the last string, and the final \0 terminates the sequence. Note that the final terminator must be factored into the length of the data.

  • REG_NONE: No defined value type.

  • REG_QWORD: A 64-bit number.

  • REG_QWORD_LITTLE_ENDIAN: A 64-bit number in little-endian format. Windows is designed to run on little-endian computer architectures, so this type is defined as REG_QWORD in the Windows header files.

  • REG_SZ: A null-terminated string. This will be either a Unicode or an ANSI string, depending on whether you use the Unicode or ANSI functions.
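The following PowerShell script is an added example, not part of the original page: it writes one value of each common type under a throwaway key, reads back the stored type of each value, shows the difference between reading a REG_EXPAND_SZ value expanded and unexpanded, and rebuilds the String1\0String2\0...\0\0 layout of a REG_MULTI_SZ value described above. The key path HKCU:\Software\RegTypeDemo and the value names are assumptions made for the demo.

```powershell
# Added example (not from the page). The key path below is an assumption for this demo;
# it is created under HKCU so no elevation is needed, and removed again at the end.
$demoKey = 'HKCU:\Software\RegTypeDemo'

function New-DemoValues {
    New-Item -Path $demoKey -Force | Out-Null
    # One value per PowerShell -PropertyType; the registry type is shown in the comment.
    New-ItemProperty -Path $demoKey -Name 'Blob'   -PropertyType Binary       -Value ([byte[]](0xDE, 0xAD, 0xBE, 0xEF)) -Force | Out-Null  # REG_BINARY
    New-ItemProperty -Path $demoKey -Name 'Count'  -PropertyType DWord        -Value 42 -Force | Out-Null                                  # REG_DWORD
    New-ItemProperty -Path $demoKey -Name 'Big'    -PropertyType QWord        -Value ([int64]::MaxValue) -Force | Out-Null                 # REG_QWORD
    New-ItemProperty -Path $demoKey -Name 'Name'   -PropertyType String       -Value 'plain text' -Force | Out-Null                        # REG_SZ
    New-ItemProperty -Path $demoKey -Name 'LogDir' -PropertyType ExpandString -Value '%SystemRoot%\Logs' -Force | Out-Null                # REG_EXPAND_SZ
    New-ItemProperty -Path $demoKey -Name 'Paths'  -PropertyType MultiString  -Value @('C:\one', 'C:\two', 'C:\three') -Force | Out-Null  # REG_MULTI_SZ
}

function Get-DemoValueKinds {
    # GetValueKind returns the stored type (RegistryValueKind). This is what separates
    # REG_SZ from REG_EXPAND_SZ: the data alone looks the same, the type does not.
    $key = Get-Item -Path $demoKey
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Name = $name
            Kind = $key.GetValueKind($name)
            Data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
    }
}

function Show-ExpandBehaviour {
    $key = Get-Item -Path $demoKey
    # By default, %VAR% references in a REG_EXPAND_SZ value are expanded on read...
    $expanded = $key.GetValue('LogDir')
    # ...unless you ask for the unexpanded string, which is what you want when auditing
    # what is actually stored rather than what it resolves to on this machine.
    $raw = $key.GetValue('LogDir', $null, 'DoNotExpandEnvironmentNames')
    "raw:      $raw"
    "expanded: $expanded"
}

function Show-MultiSzLayout {
    # Rebuild the layout the page describes: String1\0String2\0...\0\0.
    # The registry stores strings as UTF-16LE, so each \0 is two zero bytes.
    $strings = (Get-Item -Path $demoKey).GetValue('Paths')
    $raw = [System.Text.Encoding]::Unicode.GetBytes(($strings -join "`0") + "`0`0")
    # Parse it back: drop the trailing terminators, then split on the single ones.
    $parsed = [System.Text.Encoding]::Unicode.GetString($raw).TrimEnd("`0") -split "`0"
    "byte length : $($raw.Length) (characters + one terminator per string + final terminator, times 2 for UTF-16)"
    "parsed back : $($parsed -join ', ')"
}

function Remove-DemoValues {
    Remove-Item -Path $demoKey -Recurse -Force -ErrorAction SilentlyContinue
}

New-DemoValues
Get-DemoValueKinds | Format-Table -AutoSize
Show-ExpandBehaviour
Show-MultiSzLayout
Remove-DemoValues
```

The point of reading with DoNotExpandEnvironmentNames is that a stored value such as %SystemRoot%\Logs can resolve differently on each machine; an audit should record the stored string, not its local expansion.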

HKLM

HKEY_LOCAL_MACHINE contains all settings that are relevant to the local system.

It has the following subkeys:

  • SAM

  • SECURITY

  • SYSTEM

  • SOFTWARE

  • HARDWARE

  • BCD

The HKLM registry hive is stored at C:\Windows\System32\Config\

HKCU

HKEY_CURRENT_USER contains user-specific data. Its hive file is stored at C:\Users\<USERNAME>\NTUSER.DAT

Run & RunOnce Registry Keys

Use Run or RunOnce registry keys to make a program run when a user logs on. The Run key makes the program run every time the user logs on, while the RunOnce key makes the program run one time, and then the key is deleted. These keys can be set for the user or the machine.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
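Because these four keys are a standard place for software to register itself at logon, a defender wants to know what is in them and when something new appears. The following PowerShell script is an added example, not part of the original page: it enumerates every value in the Run and RunOnce keys listed above, writes a baseline file on first run, and on later runs reports entries that are new or whose command changed. It goes beyond the page in one place: on 64-bit Windows, 32-bit programs register under a Wow6432Node path, which is included as well. The baseline file location under $env:TEMP is an assumption for the demo.

```powershell
# Added example (not from the page). The baseline path is an assumption for this demo.
$baselinePath = Join-Path $env:TEMP 'run-keys-baseline.json'

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # Not listed on the page: 32-bit software on 64-bit Windows registers here.
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    # One object per value; reading these keys needs no elevation.
    foreach ($path in $runKeys) {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key     = $path
                Name    = $name
                Kind    = $key.GetValueKind($name).ToString()
                # Keep %VAR% references unexpanded so the command is recorded as stored.
                Command = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            }
        }
    }
}

function Compare-RunKeyBaseline {
    param([object[]]$Current, [object[]]$Baseline)
    # Index the baseline by key+value name, then flag anything unknown or altered.
    $seen = @{}
    foreach ($b in $Baseline) { if ($b) { $seen["$($b.Key)|$($b.Name)"] = $b.Command } }
    foreach ($c in $Current) {
        $id = "$($c.Key)|$($c.Name)"
        if (-not $seen.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'NEW';      Key = $c.Key; Name = $c.Name; Command = $c.Command }
        } elseif ($seen[$id] -ne $c.Command) {
            [pscustomobject]@{ Change = 'MODIFIED'; Key = $c.Key; Name = $c.Name; Command = $c.Command }
        }
    }
}

$current = @(Get-RunKeyEntries)
if (-not (Test-Path -Path $baselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $baselinePath
    "Baseline written with $($current.Count) entries: $baselinePath"
} else {
    $baseline = @(Get-Content -Path $baselinePath -Raw | ConvertFrom-Json)
    $changes  = @(Compare-RunKeyBaseline -Current $current -Baseline $baseline)
    if ($changes.Count -eq 0) { 'No new or modified Run/RunOnce entries since the baseline.' }
    else { $changes | Format-Table -AutoSize }
}
```

Run it once on a known-good machine to create the baseline, then on a schedule; a RunOnce entry that appears and later disappears is expected behaviour (the key deletes itself after it runs), which is why the comparison records the command rather than only the value name.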
