The current control set is copied into the Last Known Good control set

an article added by: Jordan Concord at 12132007



When Is the Current Control Set the Last Known Good Control Set?

At some point in the boot process, the current control set is copied into the Last Known Good control set. In Windows XP, the process of replacing the Last Known Good control set is done after the initial logon is performed. This allows the system to catch any problems related to the logon process.

HKEY_USERS: Settings for Users

Let's take a closer look at SIDs. No, despite what you may think, SID is not the kid down the street; SID is short for Security Identifier. The SID, which Windows XP uses to identify a user, contains information about user rights and privileges, settings, and any other information that is specific to that particular user.

The Anatomy of a SID

A SID always begins with the letter S, which denotes that this object is a SID, followed by a long number separated with hyphens. The number consists of three to seven groups of numerals expressed in hexadecimal. For example, a valid SID might be this:

   S-1-5-21-1234567890-1234567890-1234567890-123

This SID consists of eight separate parts separated by hyphens. After the S, the next three parts are the version number, authority, and subauthority values. The following three identify the specific installation; each Windows installation has different installation identifiers. The final part indicates the type of SID.

As mentioned, the number immediately following the S is a revision (or version) number. Windows XP (and all previous versions of Windows that used SIDs) has a number 1 in this position. Perhaps some day in the future, a version of Windows will have a version number that is not 1; however, it seems that the version number, and SIDs in general, are very stable objects.

The SID Identifier Authority

The field immediately following the S-1 in a SID is the Identifier Authority. The meaning of the Identifier Authority depends somewhat on the fields that follow it (the subauthority values). Table 3.1 shows some typical Identifier Authority values and their modifiers.

New! SID Authority values greater than 5 are undefined in Windows XP. Subauthority values greater than 32 are not documented. Note that both Local Service and Network Service Authorities are new to Windows XP.

SIDs Used by Windows XP

Current user configurations are saved in HKEY_USERS, which contains at least three keys. These keys are SIDs. The first key, .DEFAULT, is the default user profile. This profile is used when no user is currently logged on. Once a user logs on, their profile is loaded and stored as the second and third keys found in HKEY_USERS. The second key, the user profile for the user who is currently logged on, appears as something like this:

   S-1-5-21-45749729-16073390-2133884337-500

This key is a specific user's profile: either the user's own profile or one copied from the default user profile (found in %SystemDrive%\Documents and Settings\All Users) if the user has not established his or her own profile. The third key looks something like this:

   S-1-5-21-45749729-16073390-2133884337-500_Classes

This key contains information about the various classes specifically registered for the current user. In these keys, or SIDs, the ending three- or four-digit number identifies both the user, and for some users, the type of user. Table 3.2 lists a number of general user types that might be assigned. In this tutorial, the most commonly seen value is 500, which is assigned to me, the system Administrator account.

General users might be assigned SIDs ending in four-digit numbers starting at 1000. My domain has a user called Pixel, whose SID ends in 1003, and another user, Long, whose SID ends in 1006. Get the picture?
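The key names described above can be sorted mechanically, which helps when matching the profile hives loaded under HKEY_USERS to accounts during an audit. The following is an added example, not code from the original article: the names classify, HiveKey and installations are hypothetical, the key list is constructed from the sample values on this page, and the SID fields are read as decimal integers.

```python
import re
from typing import NamedTuple, Optional, Tuple

# String form: S-<revision>-<identifier authority>-<subauthority>[-...]
# Assumption: fields are read as decimal integers, as the sample keys are written.
SID_RE = re.compile(r"S-(\d+)-(\d+)((?:-\d+)+)")
CLASSES_SUFFIX = "_Classes"


class HiveKey(NamedTuple):
    name: str
    kind: str  # "default", "profile", "classes" or "other"
    revision: Optional[int] = None
    authority: Optional[int] = None
    subauthorities: Tuple[int, ...] = ()
    installation: Optional[Tuple[int, ...]] = None  # three values after 21
    rid: Optional[int] = None  # relative identifier: final field of S-1-5-21-...
    account: Optional[str] = None


def describe_rid(rid: int) -> str:
    # Only the two cases this page states; other values are left unnamed.
    if rid == 500:
        return "Administrator"
    if rid >= 1000:
        return "general user"
    return "not listed on this page"


def classify(name: str) -> HiveKey:
    """Classify one HKEY_USERS subkey name."""
    if name.upper() == ".DEFAULT":
        return HiveKey(name, "default")
    kind, sid = "profile", name
    if name.endswith(CLASSES_SUFFIX):
        kind, sid = "classes", name[: -len(CLASSES_SUFFIX)]
    m = SID_RE.fullmatch(sid)
    if m is None:
        return HiveKey(name, "other")  # e.g. a hive loaded by hand as NTUSER
    subs = tuple(int(x) for x in m.group(3).lstrip("-").split("-"))
    key = HiveKey(name, kind, int(m.group(1)), int(m.group(2)), subs)
    # Account SIDs: authority 5, subauthority 21, three installation
    # values, then the per-account number.
    if key.authority == 5 and len(subs) == 5 and subs[0] == 21:
        key = key._replace(installation=subs[1:4], rid=subs[4],
                           account=describe_rid(subs[4]))
    return key


def installations(names):
    """Distinct installation identifiers among the SID-named keys."""
    return {k.installation for k in map(classify, names) if k.installation}


# Constructed sample: subkey names as they might appear under HKEY_USERS.
SAMPLE_KEYS = [
    ".DEFAULT",
    "S-1-5-21-45749729-16073390-2133884337-500",
    "S-1-5-21-45749729-16073390-2133884337-500_Classes",
    "S-1-5-21-45749729-16073390-2133884337-1003",
    "NTUSER",
]

if __name__ == "__main__":
    for k in map(classify, SAMPLE_KEYS):
        print(f"{k.kind:8} rid={k.rid!s:5} {k.account or '-':14} {k.name}")
```

More than one installation identifier in the result of installations() means the loaded profiles were issued by more than one installation or domain.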

Naturally, there are many more SID codes and definitions. Tables 3.2 through 3.4 simply show a few of the more commonly used SIDs.

Note: Remember to differentiate between the HKEY_USERS hive and the HKEY_CURRENT_USER hive. HKEY_CURRENT_USER contains a pointer that references the current user in HKEY_USERS.

The content of a user's profile, as it is found in the HKEY_USERS hive, is interesting. For example, the following keys are present in a typical user's profile (usually; there is nothing to guarantee that they will all be present, or that others might not be added):

AppEvents: Contains information about events (an event is an action like closing, minimizing, restoring, or maximizing) in a key called EventLabels. This information includes a text label for the event, such as the label "Close program" for the event close. These labels are used for a number of purposes, but one that most of us see is in the Control Panel's Sounds applet. A second section in AppEvents is Schemes, which lists labels for each application that uses specific sounds for its own events.

Console: Contains the default command-prompt configuration. This configuration may be customized for each command prompt individually, or it is possible in this key to change the global default, which would be used for all new command prompts that are created. For an example of command-prompt customization, open a command window and select Properties from the System menu. There are more settings that may be configured in the registry than are found in the Properties dialog box.

Control Panel: Contains information saved by many of the Control Panel's applets. Typically, these are default, or standard, values that are saved here, not user settings, which are stored elsewhere.

Environment: Contains the user environment variables for a user. Generally, the System Properties applet, Environment tab, is used to set user and system environment values.

EUDC: Not implemented in Windows XP. Windows 2000 has the EUDC key, which contains the definitions and other information about End User Defined Characters (EUDC). The program eudcedit.exe lets users edit/design characters that are specific to their needs.

Identities: Contains the information to link users and software configurations. Most configurations are Microsoft based, such as Outlook Express.

Keyboard Layout: Contains the keyboard configuration. Most users, at least those in the U.S., will have few or no substitutions. However, users who are using special keyboards or non-U.S. English keyboards will have some substitutions for special characters found in their languages.

Network: Contains mappings for each network drive connected to the computer. Information about the connections includes the host (server), remote path, and username used for the connection. The Network key is not typically found in the .DEFAULT key because users with no user profile are not automatically connected to a remote drive.

Printers: Contains mappings for each remote (network) printer connected to the computer. Information about the printer connection includes the host (server) and the DLL file used to manage the connection. The Printers key is typically not found in the .DEFAULT key because users with no user profile are not automatically connected to a remote printer.

RemoteAccess: Contains the various remote access configurations. The connections are managed using the Control Panel's Network and Dial-up Connections applet.

New! SessionInformation: New to Windows XP, the SessionInformation subkey, ProgramCount, indicates the number of Windows applications that are loaded and running. This count does not include command prompt windows.

Software: Contains information about software installed, including components such as Schedule, Notepad, and so on. Also included in Software is Windows XP itself, with configuration information specific to the currently logged-on user.

System: Contains information about items such as backup configurations and files that are not to be backed up.

UNICODE Program Groups: Contains information about program groups that use Unicode. More commonly found on computers configured for languages other than English, Unicode is the scheme for displaying characters from both English and non-English alphabets on computers.

Volatile Environment: Contains information about the logon server that will be placed in the environment. One typical item is the logonserver environment variable. All items in Volatile Environment are dynamic; that is, they are created each time a user logs on. Other dynamic environment information might be contained in this key as well.

HKEY_CURRENT_CONFIG: The Current Configuration Settings

The registry hive HKEY_CURRENT_CONFIG is created from two registry keys, HKEY_LOCAL_MACHINE\System and HKEY_LOCAL_MACHINE\Software. As it is created dynamically, there is little value in modifying any of the objects found in the HKEY_CURRENT_CONFIG hive. The HKEY_CURRENT_CONFIG hive is composed of two major subkeys:

Software: Contains current configurations for some software components. A typical configuration might have keys under Software for Microsoft Internet Explorer, for example.

System: Contains information about hardware. The most common device found in this key is the video display adapter (found in virtually all configurations) and sometimes information about the default video modes as well. The video mode settings contained here are typical for any video system: resolution, panning, refresh rates (didn't you wonder where refresh rates were saved?), and BitsPerPel (color depth).

Generally, you would modify the source settings for a hardware device in HKEY_LOCAL_MACHINE\System\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Services\<device>\Device0, where <device> is the device being modified. For example, my Matrox Millennium is listed under the device name MGA64.

Tip: For more information about the source for HKEY_CURRENT_CONFIG, take a look at HKEY_LOCAL_MACHINE, described earlier in this tutorial.

HKEY_PERFORMANCE_DATA: The Performance Monitor Settings

Ever wonder where the Windows XP Performance Monitor information is contained? There is a final "hidden" registry hive, named HKEY_PERFORMANCE_DATA. This hive, which is simply not accessible except to applications written specifically to access performance data, is primarily dynamic in nature. To find the answer to this question, check out tutorial 11.

NTUSER: The New User Profile

Windows XP's installation process creates a default user profile and configuration. This information is located in %SystemDrive%\Documents and Settings\Default User. Whenever a new user logs on to a workstation or domain, this default user profile is copied to the user's profile. After that, the user modifies their profile to their own requirements and needs.

Note: Windows XP's Default User folder has the hidden attribute set, making it invisible unless the View All Files option is turned on.

As an example, Windows XP's default language is typically U.S. English. (There are other language editions of Windows XP; for this example, I'm assuming the U.S. English version.) Whenever a new user logs on, the user will have U.S. English as his or her language, even if the system administrator has selected a different, non-English locale.

The default user profile is saved in the disk directory at \Documents and Settings\Default User [WINNT], where WINNT is the directory in which Windows XP is installed. (In Windows NT 4, the default user information was stored in %SystemRoot%\Profiles\Default User.) User information is always saved in a file named ntuser.dat. There is an entire configuration for new users in this directory; check out the Start menu, Desktop, and other directories, too. You will find that interesting modifications can be made that enable new users to become proficient quickly without spending too much time customizing their computers.

Warning: This technique is an advanced use of the Registry Editor, and you must exercise care not to inadvertently modify the wrong registry or the wrong keys. Back up the registry before doing the following.

First, to make this new user profile accessible to remote users (that is, all users other than those who log on locally), you must copy the Default User directory to the share named Netlogon. This share is typically located in the directory at %SystemRoot%\SysVol\SysVol\ in Windows Server, in a directory that is named for the server. (For Windows NT 4 users, look in %SystemRoot%\System32\Repl\Import.) One way to copy these files is to create a new custom profile and copy the new custom profile using the User Profiles tab in the Control Panel's System applet. If there are BDCs (Backup Domain Controllers), you would actually edit the file in the Export directory (same initial path) because this directory is locally replicated to the Import directory and to the other BDC Import directories, although it might be located elsewhere. The NetLogon share can be located quickly by typing the following command:

   net share 

at a command prompt. The computer's shares will be displayed.

Follow these steps to modify the default new user profile in your new Default User directory (remember to create a new Default User directory, saving the current Default User directory as a backup):

1. Start the Registry Editor using either a command prompt or the Start menu's Run command.

2. Click the title bar of the HKEY_USERS on Local Machine window to make the window active.

3. Choose File → Load Hive from the Registry Editor menu.

4. Open the hive found in %SystemRoot%\Profiles\Default User or %SystemDrive%\Documents and Settings\Default User. This hive has the filename ntuser.dat.

5. The Registry Editor prompts you for a new key name. Type the name NTUSER.

6. Change whatever keys in NTUSER need to be modified. There will be a slew of changeable items in the new profile, including AppEvents, Console, Control Panel, Environment, Keyboard Layout, Software, and Unicode Program Groups. When adding new keys, do be careful to ensure that all users have at least read access to the new keys. No read access means that the key won't be accessible to the user.

   Tip: To set the permissions for a key, select the key, and then select Edit → Permissions from the Registry Editor menu. Ensure that the group Everyone has at least read access. Resist the urge to give everyone more than read access to this key, too. Too much power can be a dangerous thing!

7. After making all modifications to NTUSER, choose File → Unload Hive from the Registry Editor menu.

8. Exit the Registry Editor.

Once this profile is saved in the NetLogon share location, new users will get this new profile each time they log on.
