Data Values

A value may contain one or, in some instances, more than one data item. The only type of multiple-item value entry that the registry editor can handle is REG_MULTI_SZ, which may contain zero, one, or more strings.

Data is stored in a number of different formats. Generally the system uses only a few simple formats, while applications, drivers, and so forth may use more complex types defined for a specific purpose. For example, REG_RESOURCE_LIST is a complex registry type used primarily by drivers. Though it would be inefficient, all registry data could be considered to be REG_BINARY data. Data types for value entries include:

• REG_BINARY
   
• REG_COLOR_RGB
   
• REG_DWORD
   
• REG_DWORD_BIG_ENDIAN
   
• REG_DWORD_LITTLE_ENDIAN
   
• REG_EXPAND_SZ
   
• REG_FILE_NAME
   
• REG_FILE_TIME
   
• REG_FULL_RESOURCE_DESCRIPTOR
   
• REG_LINK
   
• REG_MULTI_SZ
   
• REG_NONE
   
• REG_QWORD
   
• REG_QWORD_LITTLE_ENDIAN
   
• REG_RESOURCE_LIST
   
• REG_RESOURCE_REQUIREMENTS_LIST
   
• REG_SZ
   
• REG_UNKNOWN
 

Note REG_QWORD was new to Windows 2000 and is a quad-word (64-bit) numeric entry; REG__QWORD_LITTLE_ENDIAN is the same as REG_QWORD. Applications may access each of these data types. Additionally, some applications store data in formats that only they understand. Actually, a provision in the registry allows the storing application to assign a specific type to the registry data. Any application or component that doesn't understand the format would simply treat the data as a REG_UNKNOWN type and read the data as binary. Note Oops, did I say something special? Yes! Don't forget that applications can and do store data in the registry, and that data needn't be one of the established registry data types.

How the Registry Is Used

How does Windows XP use the registry? When is the registry first opened and used?

What Is Windows XP?

Windows XP comes in a number of versions, including a Home version and a Professional version. Windows XP Home is configured for home users. Windows XP Professional, which is configured to work as a workstation client, is a somewhat more powerful configuration for

business users. Throughout this tutorial, I'll point out any differences in usage between the Home and Professional versions. While not the focus of this tutorial, Windows XP also comes in a number of server versions named Windows XP .NET. Microsoft has planned several server product offerings, including Windows XP .NET Server and Windows XP .NET Advanced Server. We don't expect that there will be major changes in .NET's use of the registry. The registry is a tree-based hierarchical system that offers quick access to data stored in almost any format. Actually, the registry is a rather flexible database. Registry information comes from a number of sources:

• From installing Windows XP

• From booting Windows XP

• From applications, systems, and user interaction

Every component of Windows XP uses the registry, without exception. A set of APIs allows both Windows XP and other applications to access registry information easily and quickly. Windows XP starts to use the registry at the very beginning stages of system bootup. The Windows XP boot process is based on which file format is installed, though the important parts are identical in either case. The unimportant parts are the loading of the specific drivers to read the NTFS file system. Note Throughout this tutorial, I'm referring to Windows XP installed on an Intel x86 platform. There are differences in the boot process on RISC-based systems (such as the Digital Alpha system), though these differences are not terribly significant, considering how the registry is used. However, it seems that non-Intel systems are becoming very unusual, and they probably will receive little or no support from Microsoft in the future. The Windows XP boot process consists of the following steps:

1. The system is powered up, the video is initialized, and the hardware self-tests are performed. The BIOS performs these tests, which are called POSTs (power-on selftests). Usually, the memory test is the most visible one; its progress is shown on most computer screens.

2. After running POST, the system initializes each adapter. If the adapter has its own built-in BIOS, the adapter's BIOS is called to perform its own initialization. For IDE adapters (most computers have either two or four IDE adapters), each connected drive (there may be up to two drives for each IDE adapter, allowing for a total maximum of eight IDE type drives) is queried for its specifications and access method. Some adapters, such as Adaptec's SCSI adapters, display messages and allow the user to interact. Some adapters that don't have a BIOS aren't initialized until Windows XP loads their drivers much later in the boot-up process.

3. After all the adapters that have a BIOS have been initialized, the system boot loader reads in the sector located at the very beginning of the first bootable disk drive and passes commands to this code. This sector is called the boot sector, or the MBR (Master Boot Record), and it is written by the operating system when the operating system is installed.

4. The code in the MBR then loads the NTLDR file. (This file has no extension, though it is an executable file.) Once loaded, the MBR passes control to the code in NTLDR.

5. NTLDR then switches into 32-bit mode. (Remember, an Intel x86 processor always boots into 16-bit real mode.) It then loads a special copy of the necessary file system I/O files and reads in the file boot.ini.

6. The file boot.ini has information about each operating system that can be loaded. Remember, Windows XP supports multiboot configurations. It is trivial to create a Windows XP installation that can boot Windows NT, Windows XP, and Windows 95 or Windows 98. The boot loader can even boot two different copies of Windows XP with either the same or different version numbers. NTLDR then processes boot.ini, displaying boot information that allows the user to select which operating system will be loaded. At this point, let's assume that Windows XP will be loaded.

7. When you select Windows XP to be loaded, NTLDR loads the file ntdetect.com. This program then collects information about the currently installed hardware and saves this information for the registry. Most of this information is stored in the HKEY_LOCAL_MACHINE hive.

8. Once NTDETECT has detected the hardware, control is passed back to NTLDR, and the boot process continues. At this point, the registry has been substantially updated with the current hardware configuration, which is stored in HKEY_LOCAL_MACHINE\Hardware.

9. The prompt to select the configuration is then presented. This prompt, "Press spacebar now to invoke Hardware Profile/Last Known Good menu," allows you to force Windows XP to use a specific configuration as stored in the registry hive HKEY_LOCAL_MACHINE.

10. Following the detection of NTDETECT, NTLDR loads and initializes the Windows NT kernel, loads the services, and then starts Windows.

11. When the kernel is loaded, the HAL is also loaded. (The HAL Hardware Abstraction Layer is used to manage hardware services.) Next, the registry system subkey HKEY_LOCAL_MACHINE\_System is loaded into memory. Windows XP scans the registry for all drivers with a start value of zero. This includes those drivers that should be loaded and initialized at boot time.

12. You can see the beginning of the next stage, kernel initialization. The screen switches to a blue background, and you see a message about the Windows XP build number and the number of system processors. Again, the system scans the registry and finds all drivers that must be started at the kernel initialization stage.

13. From this point, Windows XP starts various components and systems. Each component and system reads the registry and performs various tasks and functions. In the final stage, the program that manages the user logon, WinLogon, starts. WinLogon allows the user to log on and use Windows XP. Once Windows XP is booted, both the operating system and applications use the registry. The registry is dynamic, but usage of the registry may be dynamic or static. That is, some registry items are read one time and never reread until the system is restarted. Other items are read every time they are referenced. There is no fixed rule as to what is read each time it is needed and what is not, but to be on the safe side, follow these guidelines:

• Application-related data is probably read when the application starts. If you change application-based data, restart the application. In fact, the best path to follow is this: do not change application-based data while the application is running.

• User-interface data is sometimes dynamic, sometimes static. With user-interface data, the way to go is to change the data and wait to see the results of the change. If the change doesn't appear, try logging on again.

• System data is usually either static or otherwise buffered. Many system-related registry changes won't become effective until the system is restarted. Some system data is rewritten, or created, at startup time, precluding changes by users. Many of the items in HKEY_LOCAL_MACHINE may be reset at system boot time, especially those items that are hardware related.

A Note on Terminology

The registry is made up of hives, keys, subkeys, and value entries. Well, actually, depending on the source, you may be faced with hives and data keys, or keys and items, or just data keys, or who knows what else. There is some indication that Microsoft wants to drop the original term for a registry section the hive and replace this term with the word key. In the Windows NT Resource Kit, Microsoft makes the following definition: The registry is divided into parts called hives. A hive is a discrete body of keys, subkeys, and values rooted at the top of the registry hierarchy. Hives are distinguished from other groups of keys in that they are permanent components of the registry; they are not created dynamically when the system starts and deleted when it stops. Thus, HKEY_LOCAL_MACHINE\Hardware, which is built dynamically by the Hardware Recognizer when Windows NT starts, is not a hive. In the Windows XP documentation, Microsoft says a hive is: A section of the registry that appears as a file on your hard disk... These definitions are absolute and state exactly what is a hive and what is not. However, in the real world, no one follows this exact definition. Many authors call all holders of information hives (or subhives) and call data objects keys. Others never refer to hives at all, and instead call all holders keys, or subkeys, and refer to data objects as values. Virtually every definition leaves something to be desired. To call the thing that holds data a "value entry" sometimes makes it awkward to refer to the contents. Consider these examples: The value entry named asdf contains the value 1234. The value called asdf contains the value 1234. The following example is much more readable: The value entry asdf is a REG_DWORD with a value of 1234.

Is there a need to distinguish between what Microsoft calls a "hive" (a top-level, permanent, registry component) and what Microsoft calls a "key"? When does a hive become a key, and is this important? I can't think of any context in which anything is gained by making this distinction. Referring to the top-level objects as hives certainly frees up the term key to be used elsewhere, but why not stick to one term?