In tutorial 1, we talked a little about what the registry is and the terminology used for its various components. In tutorial 2, we covered backing up and restoring the registry. In this tutorial, we will get into more of the details of what actually is in the registry. If you're only interested in how to use (or recover) the registry, but not what the registry is, it's possible to skip this tutorial. However, if you're unsure about this, I'd recommend reading it anyway.

The Registry Structure

Now humor me for just a moment; I think I'm going to back up my registry. In fact, it is a good time for you to do a backup as well, since it is entirely possible that at any time you might have some kind of problem (or disaster) with the registry and really need that backup copy to restore it. Start Backup, select the System State option in the Backup tab, and back up to a safe location. Alternatively in the Welcome tab, select Automated System Recovery Wizard. Next, let some time pass by... Note When doing a System State backup to a networked location, realize that the selected network location may not be available when attempting to restore! It may be possible (and necessary) to install a minimal Windows XP installation so that you can access the backup location, however. Ah, that feels better. I've got a fresh backup copy of my registry (and everything else on the drive) just in case I do something stupid, and so do you not that we ever do anything stupid, right? The registry is subdivided into the following five clearly defined sections, called hives:

• HKEY_CLASSES_ROOT

• HKEY_CURRENT_USER

• HKEY_LOCAL_MACHINE

• HKEY_USERS

• HKEY_CURRENT_CONFIG

Some registry objects are less important than others. For example, a damaged Security Accounts Manager key (SAM), can probably be recovered easily without serious, permanent problems you could restore the SAM without much difficulty. You could possibly lose the entire user database, so no users would be able to log on to the server. However, as long as you can log on as Administrator, the worst case is that you would have to enter the other user information again (just hope that there are not thousands of users on your network!) The default SAM registry will contain at least the initial Administrator user ID and password, which you would have to know. However, say you lose the system component of the registry without adequate backup. In that case, it is unlikely that you'll be able to recover without reinstalling Windows XP, and that would be a painful experience at best.

Of Hives and Bees A Registry Overview

As we discussed in tutorial 1, the Windows XP/NT registry is arranged into logical units called hives. Though I can't vouch for its truth, legend has it that some unnamed programmer at Microsoft seemed to see a logical relationship between the various keys in the registry and the structure of a beehive. Now me, I just don't see this, so let's consider the two following alternative analogies that make much more sense:

• The registry is arranged just like the directories, folders, and files contained on your hard drive. Hives are analogous to root directories, and keys are like subdirectories and files. In fact, this relationship is almost 100 percent parallel: hives are usually shown separated by backslashes (just like directories on the drive) from keys, and keys typically (but not always) have values, or they can be like directories and contain subkeys. Remember, just as a file may be empty, a key may well contain no value.

• The registry is arranged as a hierarchical database, nothing more, and nothing less. If you are a database person, this view of the registry might make more sense to you. In truth, the database arrangement is more like the registry's actual, physical, construction. Specific data is assigned to a key. As I've mentioned, some registry keys don't have a value set; this is also acceptable. Warning Be careful not to delete empty keys just because they are empty. Even though they don't have a value, their presence in the registry may be necessary for the health and well being of Windows XP, or other applications. Never, ever delete a key unless you know that there will be no adverse side effects, and keep a backup of what you delete so that it may be restored when adverse side effects develop.

The Registry Hives

The Windows XP registry is divided into five hives, each named using the prefix HKEY_. Each hive embodies a major section of the registry that has a specific functionality. Each hive is separate from the other hives and is typically stored as a file in the directory %SystemRoot%\System32\Config. Hive storage files have no extension or file type, making them easier to find. These hives are discussed next.

Hives, Keys, and Values

In this tutorial, I use terminology similar to that used when referring to disk drives, directories, subdirectories, files, and the contents of files. Often Microsoft confuses the issue somewhat. I will try to keep it clear: Hive A hive is similar to a root directory on a drive. A hive contains keys (like files and subdirectories). A hive is the highest level; a hive can not be a subhive inside another hive. An example of a hive in the registry is HKEY_LOCAL_MACHINE. Key A key is similar to a subdirectory or a file and is found inside a hive. Inside a key there may be other keys (like files) that contain values or other keys (like subdirectories) that contain both keys and values. A key will have either a hive or key as a parent above it, and zero or more keys contained within it. Sometimes Microsoft refers to a key as a subhive. An example of a key in the registry is HKEY_LOCAL_MACHINE\SAM. Value A value is similar to a file's data. Each key will have one value (though the value may consist of many parts) or no value set at all. There is also something called the default value (sometimes called the unnamed value), an object that may be assigned a value, or not. It is up to the using application (or the system, if the value is being used by the system) to properly interpret the value's meaning. When a value is requested, the registry simply provides raw data.

HKEY_CLASSES_ROOT

The HKEY_CLASSES_ROOT hive contains information about both OLE and various file associations. The purpose of HKEY_CLASSES_ROOT is to provide for compatibility with the existing Windows 3.x registry. The information contained in HKEY_CLASSES_ROOT is identical to information found in HKEY_LOCAL_MACHINE\Software. Note You'll use the Windows XP utility Notepad to print the contents of many files. Notepad supports two command line options for printing: /p, which directs the printout to the default printer, and /pt <printer>, which directs the printout to the specified printer.

HKEY_CURRENT_USER

The HKEY_CURRENT_USER hive is used to manage specific information about the user who is currently logged on. This information includes:

• The user's Desktop and the appearance and behavior of Windows XP to the user.

• All connections to network devices, such as printers and shared disk resources.

• Desktop program items, application preferences, screen colors, and other personal preferences and security rights. They are stored for later retrieval by the system when the user logs on.

All other environment settings are retained for future use. By accessing the roaming user profile, Windows XP is able to make any workstation that the user logs on to appear the same to the user. Domain users need not worry about having to set up or customize each workstation that they will be using. The information contained in HKEY_CURRENT_USER is updated as users make changes to their environments.

HKEY_LOCAL_MACHINE

The HKEY_LOCAL_MACHINE hive contains information about the computer that is running Windows XP. This information includes applications, drivers, and hardware. There are five separate keys contained within HKEY_LOCAL_MACHINE: Hardware The key used to save information about the computer's hardware. So that new hardware can be added easily, the Hardware key is always re-created when the system is booted. Changes to this key are not meaningful. Contained within the Hardware key are the following four subkeys: Description Contains information about the system, including the CPU, FPU, and the system bus. Under the system bus is information about I/O, storage, and other devices. DeviceMap Contains information about devices (keyboards, printer ports, pointers, and so on). ResourceMap Contains information about the HAL (Hardware Abstraction Layer). Remember, as we have passed the year 2001, HAL is not a talking computer on a spaceship, HAL is the hardware. Also contained are I/O devices, drivers, SCSI adapters, system resources, and video resources. ACPI Contains information about the ACPI (Advanced Configuration and Power Interface). SAM The Security Accounts Manager stores information about users and domains in the SAM key. This information is not accessible using any of the resource editors. Rather, this information is better managed using the administrator's User Manager program. Security Contains information about local security and user rights. A copy of the SAM key is found in the Security key. As with SAM, the Security key is not accessible using the resource editors, and the information is best modified using the administrator's tools. Software Contains information about installed system and user software, including descriptions. There are generally subkeys for each installed product in which the products store information including preferences, configurations, MRU (most recently used files) lists, and other application-modifiable items. System Contains information about the system startup, device drivers, services, and the Windows XP configuration.

HKEY_USERS

The HKEY_USERS hive contains information about each active user who has a user profile. In Windows XP, two subkeys in HKEY_USERS key are .DEFAULT and the information for the currently logged-on user. Note The SID (security identifier) for the currently logged-on user begins with S-1-5-21. The value 21 indicates active users. The purpose of the .DEFAULT key is to provide information for users who log on without a profile. Information for the current user is stored under the user's SID. With the Windows Server, you may find more user identifiers that the system uses to create new user accounts. Personal profiles are contained in either the %SystemRoot%\Profiles folder or the %SystemDrive%\Documents and Settings\Default User folder, unless roaming profiles are used, in which case a copy is stored in one of these folders, but the original resides on a server.

HKEY_CURRENT_CONFIG

The HKEY_CURRENT_CONFIG hive contains information about the system's current configuration. This information is typically derived from HKEY_LOCAL_MACHINE\System and HKEY_LOCAL_ MACHINE\Software, though HKEY_CURRENT_CONFIG does not contain all the information that is contained in the source keys. Note Users migrating from Windows 95/98/Me take note: As I noted in tutorial 1, the HKEY_DYN_DATA hive no longer exists in Windows XP. In Windows NT 4, this hive was intended to contain information about the system's Plug and Play status. However, since Windows NT 4 does not support Plug and Play, this key was empty. Windows XP does not have this hive.

Registry Key Data Types

The keys within hives can contain values that can be edited using the Registry Editor. These values have different data types: REG_BINARY Represents binary values. They may be edited or entered as hexadecimal or binary numbers.

REG_SZ Used for registry keys containing strings. Editing is easy; just type in the new string. Case is preserved, but realize that the string is initially selected, so be careful not to inadvertently delete it. Strings are of fixed length and are defined when the key is created. A string key may be made longer by adding more characters to the string; it will be reallocated if this happens.

REG_EXPAND_SZ Used if the key is to contain an environment variable that must be expanded prior to its use. Some keys need to contain values that reference environment variables, much like a batch file for example, if a string contains the field %SystemRoot%\System32, and it is necessary to replace the %SystemRoot% part of the string with the value that is assigned to it in the environment. To do this substitution, this string must be defined as a REG_EXPAND_ SZ type string. The result of the expansion is then passed to the requestor. %SystemRoot% is a standard environment variable containing the location, drive, and directory where Windows XP has been installed. The Registry Editor uses the same window as is used for REG_SZ for entering a REG_EXPAND_SZ key.

Note Any environment variable, created by either the system or the user, may be used in a REG_EXPAND_SZ key. REG_DWORD A 32-bit value, entered as decimal or hexadecimal. The Edit DWORD Value window, allows you to enter only valid numeric data to save you from sloppy typing.

REG_MULTI_SZ Used to store multiple strings in a single registry key. Normally, a string resource in the registry can contain only one line. However, the multistring type allows a string resource in the registry to hold multiple strings as needed.

REG_FULL_RESOURCE_DESCRIPTOR Used to manage information for hardware resources. No one should edit the items that appear in the Resources window fields.

REG_NONE An identifier used when no data is stored in the key. It doesn't take a rocket scientist to figure out that there is no editor for the REG_NONE type. REG_UNKNOWN Used when the key's data type cannot be determined. Other registry data types not fully supported by the Registry Editor include: REG_DWORD_BIG_ENDIAN Like REG_DWORD, but specifies the big endian format, where the four bytes of the DWORD are arranged in opposite order than little endian format (little endian format is the native mode for Intel processors, while noncompatible processors from other companies, such as Apple's Macintosh computers, use big endian). REG_LINK Used for a symbolic link between a registry value and either Windows or an application's data. Entries in REG_LINK are in Unicode text. REG_QWORD A 64-bit integer number. REG_RESOURCE_LIST Contains entries used by device drivers, including information about the hardware's configuration. REG_RESOURCE_REQUIREMENTS_LIST Contains a list of resources required by a driver. In addition to the above types of registry data, applications also have the ability to create custom registry data types as needed. This flexibility allows the application to both save and load the registry data without having to perform complex conversions and translations. Now, let's move on to the various major hives that make up the registry.

HKEY_LOCAL_MACHINE: The Machine's Configuration

The HKEY_LOCAL_MACHINE hive contains information about the current hardware configuration of the local computer. The information stored in this hive is updated using a variety of processes, including the Control Panel, hardware and software installation programs, and administrative tools, and is sometimes automatically updated by Windows XP. It is important not to make unintended changes to the HKEY_LOCAL_ MACHINE hive. A change here could quite possibly render the entire system unstable. Note All the settings in the HKEY_LOCAL_MACHINE hive are recomputed at boot time. If a change has been made, and the change is causing problems, first try rebooting the system. The Windows XP Boot Manager should rebuild the HKEY_LOCAL_MACHINE hive at reboot time, discarding any changes made.

HKEY_LOCAL_MACHINE\Hardware: The Installed Hardware Key

HKEY_LOCAL_MACHINE\Hardware contains information about the hardware configuration of the local machine. Everything hardware related (and I do mean everything) is found in this hive. In Windows XP, the HKEY_LOCAL_MACHINE\Hardware key is subdivided into four subkeys: Description Contains descriptive information about each device, including a general description, information about basic configurations, and so on. DeviceMap Contains information about devices, including the location in the registry where a device's full configuration is saved. ResourceMap Contains translation information about each major component that is installed in the system. Most keys contain a set value entries named .Raw and .Translated. ACPI Contains information about the ACPI (Advanced Configuration and Power Interface). The ACPI key is only found on systems that support ACPI. Potential ACPI subkeys include the following: RSDP Root System Description Pointer DSDT Differentiated System Description Table FADT Fixed ACPI Description Table FACS Firmware ACPI Control Structure PSDT Persistent System Description Table RSDT Root System Description Table SSDT Secondary System Description Table

Note In Windows NT 4, the Hardware key contains another subkey, OWNERMAP, which contains information about removable PCI-type devices. These are devices plugged into the system's PCI bus but generally not permanently installed on the system's motherboard. However, not all PCI-type devices are listed in OWNERMAP.

Description

Within HKEY_LOCAL_MACHINE\HARDWARE\Description is a wealth of information about the installed hardware. The only subkey, System, fully describes the CPU and I/O. Items in the Description key are always redetected at boot time. The System subkey contains the following subkeys: CentralProcessor Contains information about the CPU. This includes speed, which is an identifier that contains the CPU's model, family, and Stepping. This subkey also contains vendor information; for example, a "real" Intel CPU has the VendorIdentifier string "GenuineIntel", while a CPU from AMD contains the string "AuthenticAMD". FloatingPointProcessor Describes the system's FPU (floating point unit) in a set of entries similar to that of the CPU. The fact that the typical CPU has an integral FPU is not considered here; the FPU is listed separately, regardless. MultiFunctionAdapter Describes the system's bus (PCI), any PnP BIOS installed, and other devices, including the controllers for disk drives, keyboards, parallel and serial ports, and the mouse. For a mouse that is connected to a serial port, the mouse is found under the serial port, while a mouse that is connected to a PS/2 mouse port is shown connected to a pointer controller as a separate device. ScsiAdapter Describes the system's IDE interfaces, if there are any. Windows XP lists these as SCSI interfaces, and they include the controllers for IDE disk drives, IDE CD-ROM drives, and other supported IDE devices. This key may not be found in all installations. Windows XP does not use this information, though it may be found in legacy installations that have been updated from earlier versions of Windows. Note ScsiAdapter lists only the devices attached to the IDE controller. The IDE controller itself is described in HKEY_LOCAL_MACHINE\Hardware\DeviceMap. Typically, the Description key can be used to determine what hardware is installed (and being used) and how the installed hardware is connected. However, some devices, such as storage devices (non-IDE hard drives, SCSI devices, non-IDE CD-ROM drives, video, and network interface cards), are not listed in HKEY_LOCAL_MACHINE\Hardware\Description. Instead, they are listed in HKEY_LOCAL_MACHINE\Hardware\DeviceMap. Why? Because these devices are not detected at the bootup stage; instead, they are detected when they are installed.

DeviceMap

The HKEY_LOCAL_MACHINE\Hardware\DeviceMap subkey contains information about devices, arranged in a similar fashion to the HKEY_LOCAL_MACHINE\HARDWARE\Description subkey discussed earlier. Windows

XP does not have any changes in the DeviceMap, when compared to earlier versions of Windows. The DeviceMap subkey contains the following subkeys: KeyboardClass Contains the address of the subkey that manages information about the keyboard. PARALLEL PORTS Contains the address of the subkey that manages information about the parallel printer ports. PointerClass Contains the address of the subkey that manages information about the system mouse. Scsi A complex subkey that contains information about each SCSI interface found on the computer. A note about what is considered a SCSI port is in order. Actually, Windows XP pretends that IDE devices, as well as many CD-ROM devices that are connected to special interface cards, are SCSI devices. This is a management issue. Windows XP is not converting these devices to SCSI, nor is it using SCSI drivers; rather, Windows XP is simply classifying all these devices under a common heading of SCSI. SERIALCOMM Contains the address of the subkeys that manage information about the available serial ports. In Windows NT 4, if the system mouse is connected to a serial port and not to a PS/2 mouse port, that port is not listed in the SERIALCOMM subkey. VIDEO Contains the address of the subkey that manages the video devices. Two devices are typically defined in VIDEO: one is the currently used adapter, and the second is a backup consisting of the previously installed (usually the generic VGA) adapter's settings to use as a backup in the event of a problem with the video system. Note For those of you still working with, or migrating from, NT 4, it's important to note that DeviceMap in NT 4 includes two additional subkeys which do not appear in Windows XP. KeyboardPort contains the address of the subkey that manages information about the keyboard interface unit, often called the 8042 after the original chip that served as the keyboard controller in the original PC. PointerPort contains the address of the subkey that manages information about the port that the system mouse is connected to. These two additional subkeys do not appear in later versions of Windows.

ResourceMap

All the various hardware device drivers use the ResourceMap subkey to map resources that they will use. Each ResourceMap entry contains the following usage information:

• I/O ports

• I/O memory addresses

• Interrupts

• DMA (direct memory access) channels

• Physical memory installed

• Reserved memory The ResourceMap subkey is divided into subkeys for each class of device (such as Hardware Abstraction Layer), and under these subkeys lie subkeys for different devices.

Windows XP and Windows 2000 include a new key in ResourceMap called PnPManager. This key contains Plug and Play information.

HKEY_LOCAL_MACHINE\SAM: The Security Access Manager

HKEY_LOCAL_MACHINE\SAM contains information used by all versions of Windows 2000 and Windows XP. It also contains user information (permissions, passwords, and the like). The SAM key is mirrored in HKEY_LOCAL_MACHINE\Security\SAM; making changes to one changes the other. Note Can't see the SAM or Security key? Use the Registry Editor to select the subkey you cannot see and then select Edit → Permissions from the main menu. Next, change the Type of Access from Special Access to Full Control. In Windows, this information is set using the Microsoft Management Console (MMC), Local Users and Groups branch. If the Windows system is a domain controller, the SAM is not used (we have the Active Directory services now). The SAM subkeys (both in HKEY_LOCAL_MACHINE\SAM\SAM and HKEY_LOCAL_MACHINE\Security\SAM) should only be modified using the MMC in Windows or the User Manager administrative programs in Windows NT 4.0 and earlier. However, attempts to modify information that is in the SAM subkeys typically result in problems. For example, users will be unable to log on, wrong permissions will be assigned, and so on. Warning Don't attempt to modify the SAM or Security key unless you have made a full backup of your registry, including the SAM and Security keys, as described in tutorial 2.

HKEY_LOCAL_MACHINE\Security: The Windows Security Manager

The HKEY_LOCAL_MACHINE\Security key contains information relevant to the security of the local machine. This information includes:

• User rights

• Password policy

• Membership of local groups In Windows XP, you'll set this information using the Active Directory Users and Computers program. Note For those of you migrating from NT 4, or still working with NT 4 machines, it's important to note that under Windows NT 4, the Security subkeys should only be modified using the User Manager or the User Manager for Domains. With all versions of Windows 2000 and Windows XP Professional, only the Active Directory administrative programs (Active Directory Users and Computers) should be used. Attempts to modify information in the Security key typically result in problems. For example, users are unable to log on, wrong permissions are assigned, and so on. The XP Home edition cannot join a domain and therefore has no access to Active Directory.

HKEY_LOCAL_MACHINE\Software: The Installed Software Information Manager

The HKEY_LOCAL_MACHINE\Software registry key is the storage location for all software installed on the computer. The information contained in HKEY_LOCAL_MACHINE\Software is available to all users and consists of a number of standard subkeys as well as a few subkeys that may be unique to each computer. One computer on my network, using a beta version of Windows .NET Server (this also applies to Windows XP), has the following subkeys in HKEY_LOCAL_MACHINE\Software. These subkeys correspond to items that I have installed on my computer: Adobe Contains information about the copy of Adobe's Acrobat program that was recently installed. Federal Express Contains information about the FedEx online access and support I have on my computer. All of my FedEx airbills are produced by computer, making shipments much easier. INTEL Contains information about the Intel 3D Scalability Toolkit that I installed at some point. I don't remember when or why, but it's there. Intuit Contains information specific to the financial software that is Intuit's specialty. Qualcomm Contains information specific to the Eudora e-mail program. The nice thing about Eudora is that there is a free version for private use. The following are system subkeys probably installed on your computer; however, some of these subkeys, such as ODBC and Clients, may not be present on some minimal installations: Classes Contains two types of items. First are file-type association items. For example, a typical association entry might have the name DIB, with a string that associates this name with the application Paint Shop Pro. Second are COM (Common Object Model) associations. For example, the extension .doc is associated with Microsoft Word for Windows or with WordPad, the default viewer for .doc files. Both WordPad and Word may be embedded in other applications. For instance, Outlook, Microsoft's upscale e-mail system, can use Wordformatted documents and embed either Word for Windows or WordPad to display and edit these documents. Clients Contains client-server relationships. For example, Microsoft Outlook is a multipurpose program with e-mail, a calendar, contact lists, news, and other features. Each of these parts of Outlook has a complex series of calling protocols that are defined in the Clients subkey. Gemplus Stores information for use with GemSAFE Smart Cards. These cards are used for security in Windows XP. Microsoft Stores a number of items that pertain to Microsoft products or parts of Windows XP. As few as 20 or as many as 100 entries can be in the Microsoft subkey.

ODBC Stores items that pertain to Open Database Connectivity, which allows applications to retrieve data from a number of different data sources. Many users install ODBC, either intentionally or as a side effect of installing another product. Policies This subkey contains entries for policy enforcement, a feature that has been added to Windows XP Professional. Policies are not used in XP Home. Program Groups This subkey contains one value entry, ConvertedToLinks, which is used to indicate whether the program groups were converted. A value of one (0x1) shows that the conversion is complete. Even a system installed on a new computer that didn't require conversion will have this value. Schlumberger This subkey contains entries used with Windows XP security management. This group includes both smart cards and terminals. Secure If you say so. The Secure subkey is the location in which any application may store "secure" configuration information. Only an Administrator may modify this subkey, so mere mortal users can't change secure configuration information. Not many, if any, applications use the Secure subkey. Windows 3.1 Migration Status Used to indicate if the computer was upgraded from Windows 3.x to later versions of Windows NT and Windows XP. Though at one time there were many upgrades, more users today are likely to be doing clean installations virtually all existing Windows 3.x systems have already been upgraded. This key contains two subkeys: IniFiles and reg.dat. These values show whether the .ini and reg.dat files have been migrated successfully to later formats. Note For those of you migrating from NT 4, or still working with NT 4 machines, it's important to note that NT 4 has a Description subkey that contains names and version numbers for software installed on the local computer. Though any vendor may use this subkey, the author can only see one entry, which is entered during installation of Windows XP. Microsoft RPC (Remote Procedure Call) has several entries in this subkey.

HKEY_LOCAL_MACHINE\System: The System Information Manager

The HKEY_LOCAL_MACHINE\System subkey holds startup information used by Windows XP when booting. This subkey contains all the data that is stored and not recomputed at boot time. Note A full copy of the HKEY_LOCAL_MACHINE\System information is kept in the system.alt file, found in the %SystemRoot%\System32\Config directory in versions of Windows prior to Windows XP. The HKEY_LOCAL_MACHINE\System key (a.k.a. the System key) is organized into control sets (such as ControlSet001, ControlSet002, and CurrentControlSet) containing parameters for devices and services. (The Clone key, present in prior versions of Windows NT, is not found in Windows XP.) The main control sets are as follows:

ControlSet001 The current and the default control set used to boot Windows XP normally. Mapped to CurrentControlSet at boot time, ControlSet001 is the most critical component in the registry in the normal bootup process. ControlSet002 A backup control set from the Last Known Good boot that is used to boot when the default control set (ControlSet001) fails or is unusable for some reason. ControlSet003 ControlSet003 (and ControlSet00n, where n is greater than 3) is a backup control set from the Last Known Good boot that may be used to boot from when the default control set (ControlSet001) fails or is unusable for some reason. CurrentControlSet The control set Windows XP has booted from. It is usually mapped to ControlSet001. Note For those of you migrating from NT 4, or still working with NT 4 machines, it's important to note that the Clone control set found in NT 4 is the volatile copy of the control set (usually ControlSet001) that was used to boot the system. Created by the system kernel during initialization, this key is not accessible from the Registry Editor. Windows XP uses the CurrentControlSet and previous control sets; it does not use the Clone control set at all. The HKEY_LOCAL_MACHINE\System key contains three or four other items: MountedDevices Contains items for each locally attached storage device that is available to the system. DISK Found in some systems that have been upgraded from earlier versions of Windows, this subkey contains items for each mapped CD-ROM drive. For example, I map my CD-ROM drives to drive letters after S: I have three entries in this subkey mapping each CD-ROM drive to a different drive letter. This subkey is updated by the Disk Administrator tool. Select Contains four subkeys. It also has information on which control set was booted and which subkey is the Last Known Good set. Also, if there is a "failed" control set, the failed control set's identity will be found in the Select subkey. Setup Contains information used by Setup to configure Windows XP. This information includes locations of drives and directories, the setup command line, and a flag telling if setup is currently in progress. The HKEY_LOCAL_MACHINE\System key is critical both to the boot process and to the operation of the system. Microsoft has created a number of tools and processes that help protect the HKEY_LOCAL_MACHINE\System key information. These include the Last Known Good boot process, which allows mapping in a known (or so we hope) copy of the control set, which in turn allows the system to boot if the original control set is too damaged to be booted. Warning Do not, I repeat, do not, boot using the Last Known Good control set unless it is necessary! Any changes made to the system during the previous session will be lost, gone, forever and ever!

When modifying the control sets, be aware of the process of booting and creating the control sets. Generally, modifying a backup control set won't affect the system.