Working with the Windows Registry

Our website contains many tutorials that require editing the Windows Registry. Rather than summarizing the process in every article, I thought it might be better to make a more in-depth exploration separately. In this tutorial, I will explain what the Windows Registry is, how to edit its contents and the risks associated with doing so.

In the early days of Windows, applications would often store their configuration data in text documents called initialization files. Typically, these files would use an extension like .ini, .txt, .cfg, etc. One of the major problems with this particular system was that with the sheer number of applications installed, the .ini files would become scattered across the file system, making them difficult to track. After the release of Windows 95, in an effort to further standardize and manage configuration for applications and Windows, Microsoft encouraged software developers to use the Windows Registry as an alternative to INI files for storing configuration data. In the years that followed, the Windows Registry became the standard repository for application settings.

Today, for a variety of reasons, XML files are gaining popularity with developers as a new medium for storing application configuration data. However, the registry remains a very important component of Windows; for software developers and Windows power users, the ability to manipulate it is an essential skill.

The Windows Registry is essentially a large hierarchical database. Its structure is not unlike that of the Windows file system. Data is stored in entries called values, which are stored in collections called keys. A registry key is, in essence, a folder of sorts. Keys usually contain a collection of values and sometimes subkeys, not unlike a folder filled with files and subfolders. This makes the term a little confusing, because the word ‘key’ in computing typically refers to the name part of a value in an associative array. In registry terms, ‘value’ refers to both the name and the data of the entry. This is because in the earliest versions of Windows (3.1 and prior), keys in the registry could not contain multiple name/value pairs; each key contained only a single value, which was tied to the key itself. In that scenario, the structure of the registry much more closely resembles an associative array and the term ‘key’ makes perfect sense. The elements of the registry have not been given more appropriate names since.

Keys in the registry are arranged into logical groups called hives. The hives that make up the registry are stored in multiple files in various directories on the system (mainly %SystemRoot%\System32\config). Below is a list of the standard hives and their supporting files, according to Microsoft:

Registry Hives

At the root of the registry there are typically five main keys visible in the Registry Editor. They are as follows:

HKEY_CLASSES_ROOT (HKCR)
HKCR contains data concerning the relationships between applications and other items, such as file type associations. It is essentially a compilation of the classes stored in HKCU and HKLM.

HKEY_CURRENT_USER (HKCU)
HKCU contains configuration data specific to the currently logged in user. The contents of HKCU are just a reflection of the data in HKU relating to the current user profile. As shown in the table above, all of the data in the HKCU hive is stored in a .dat file located in the user’s root folder (typically %SystemDrive%\Documents and Settings\<Username> or %SystemDrive%\Users\<Username> depending on the operating system).

HKEY_LOCAL_MACHINE (HKLM)
HKLM contains settings for all users on the machine, rather than any specific user. As in HKCU, HKLM stores driver and services information in the SYSTEM key, and configuration for Windows and applications in the SOFTWARE key.

HKEY_USERS (HKU)
HKU contains everything in HKCU as well as the same data for every other user on the machine. It also describes the default configuration for new users.

HKEY_CURRENT_CONFIG (HKCC)
HKCC contains data relating to the current hardware profile of the machine. Technically, it only contains information describing the difference between the current configuration and the standard configuration, which is stored in the SOFTWARE and SYSTEM keys of HKLM. HKCC is actually just a mirror of the contents in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current.

The Windows Registry cannot be more than 512 levels in depth, and no more than 32 levels can be created at once with a single API call.

Because virtually every Windows setting is stored in the registry, it is the ultimate tool when it comes to system configuration. For more or less the same reason, the registry can also be very dangerous if misused. Incorrect configuration of certain parts of the registry can cause a variety of problems, including rendering the operating system unusable. Centralizing system configuration makes settings more accessible to the operating system. Registry settings can be applied to users en masse via group policy, and the entire registry is relatively simple to back up. Due to the way the registry is stored on the system, storing strongly typed data is possible and parsing data is not necessary as it is with INI files, which results in faster reads. On the other hand, the registry’s binary structure also makes damage much harder to repair.

The easiest way to manipulate the registry is via the Registry Editor, which is a component of Windows. By default, there are no shortcuts to the Registry Editor, so we’re going to have to start it a little differently than most applications.

Open the start menu and click Run. Type regedit and hit enter. We could type the full address to the Registry Editor, but it just so happens that it is stored in the system32 folder, which is where Run looks if an absolute path is not specified. If you’re using Windows Vista or Windows 7, just type regedit in the search box at the bottom of the start menu and hit enter.

At first glance, the Registry Editor looks similar to Explorer. You can navigate through keys using the tree on the left side of the window. Unlike in Explorer, subkeys won’t be displayed in the list view on the right, so you’ll have to use the tree to move around the registry. The list view shows each value of the current key. As discussed earlier, a value has its own name, type, and data. For the purposes of demonstration, we’re going to edit a value. The change we’re going to make is stopping an application from appearing in the “frequently used programs” list in the Start menu (present in Windows XP onwards).

Windows keeps a small list of executables that shouldn’t be included on this list; it keeps this list in the registry of course. The value exists to stop certain system programs and applications that are unlikely to be run more than once from appearing on this list (things like installers and rundll32). Let’s say I want to prevent Windows Media Player from appearing on this list (because I already have it on my Quick Launch bar). This value is located in the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\FileAssociation

The parent keys in the above address basically break down like this:

Settings for the machine (not just this account) >
Settings for software on this machine >
Settings for software manufactured by Microsoft >
Settings for Microsoft Windows >
Settings for the current version of Microsoft Windows >
Settings for explorer (explorer handles the user interface, among other things) >

So use the tree view on the left to navigate to this key. You should see roughly three or four values listed. The one we’re interested in is called AddRemoveApps; it’s a REG_SZ which is essentially a string value (a value that contains data composed of a sequence of characters, usually text of some description).

Double-click on AddRemoveApps, or right-click on it and select Modify… from the context menu that appears. You should see a small dialog appear captioned “Edit String”. This is pretty self-explanatory; to edit the value data, change the contents of the second text box and click OK. The contents of mine look like this:

SETUP.EXE;INSTALL.EXE;ISUNINST.EXE;UNWISE.EXE;UNWISE32.EXE;ST5UNST.EXE;RUNDLL32.EXE;MSOOBE.EXE;LNKSTUB.EXE;MSASCUI.EXE

So what we have here is a list of executables separated by semicolons. To add Windows Media Player, jump to the end of the string, add a semicolon, then type the executable name:

SETUP.EXE;INSTALL.EXE;ISUNINST.EXE;UNWISE.EXE;UNWISE32.EXE;ST5UNST.EXE;RUNDLL32.EXE;MSOOBE.EXE;LNKSTUB.EXE;MSASCUI.EXE;WMPLAYER.EXE

You’ll notice I’ve typed wmplayer.exe in upper case; this is just for consistency, as the value isn’t actually case sensitive. Windows only checks this value when it attempts to add a program to the list, so if Media Player is already on your frequently used programs list, you will have to remove it yourself first (either by clearing the list, or by right-clicking on it and selecting Remove from This List).
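The same edit can be scripted so that it is repeatable and leaves the value alone when the name is already listed. The following is an added example, not part of the original tutorial; the function names are hypothetical, and it uses Python's standard winreg module with the key and value name given above.

```python
KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\FileAssociation"
VALUE_NAME = "AddRemoveApps"


def add_executable(data, exe):
    """Return the semicolon-separated list with exe appended.

    The data is returned unchanged when the name is already listed; the
    comparison ignores case, since the tutorial notes the value is not
    case sensitive.
    """
    exe = exe.strip().upper()
    if not exe or any(c in exe for c in ';\\/"'):
        raise ValueError("expected a bare executable name such as WMPLAYER.EXE")
    # Drop empty entries so a trailing semicolon does not produce ";;".
    entries = [e.strip() for e in data.split(";") if e.strip()]
    if exe in (e.upper() for e in entries):
        return data
    return ";".join(entries + [exe])


def update_registry(exe):
    """Apply add_executable() to the live value; returns (old, new) data.

    Windows only, and needs administrator rights because the key is in HKLM.
    """
    import winreg  # imported here so the helper above also runs off Windows

    access = winreg.KEY_QUERY_VALUE | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0, access) as key:
        old, value_type = winreg.QueryValueEx(key, VALUE_NAME)
        if value_type != winreg.REG_SZ:
            raise TypeError("AddRemoveApps is not a REG_SZ value; leaving it alone")
        new = add_executable(old, exe)
        if new != old:
            winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_SZ, new)
    return old, new


if __name__ == "__main__":
    old, new = update_registry("wmplayer.exe")
    print("previous data (keep this to undo the change):", old)
    print("current data:", new)
```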

You can also export entire keys (or the registry itself) into .reg files, which are basically text files with a special syntax that Windows can read. When you open a .reg file, Windows attempts to modify the registry based on the contents of the file. Since this is a potentially dangerous thing to do (especially if you don’t know where the file came from or what its purpose is), Windows will always ask for confirmation before executing a .reg file. If you want to read or edit a .reg file, you can do so with a text editor such as Notepad.

Exporting allows you to back up the registry before making changes. In most cases, this isn’t strictly necessary if you’re careful, but it is a good practice to establish. To export a key, simply right click on it and select Export.
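Reading a .reg file before opening it can also be done programmatically. The following is an added example, not part of the original tutorial, that lists which keys and values a .reg file would create, change or delete; the function name and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample; the ExampleVendor and ExampleApp keys are made up.
SAMPLE = r"""Windows Registry Editor Version 5.00

; lines starting with a semicolon are comments
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\FileAssociation]
"AddRemoveApps"="SETUP.EXE;INSTALL.EXE;WMPLAYER.EXE"

[-HKEY_CURRENT_USER\Software\ExampleVendor]

[HKEY_CURRENT_USER\Software\ExampleApp]
"OldSetting"=-
@="hello"
"""

# A value line is either @=... (the key's default value) or "name"=...
ENTRY = re.compile(r'(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


def summarize_reg(text):
    """List the changes a .reg file asks for as (action, key, value name)."""
    changes, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):  # [-KEY] deletes the key and its subkeys
                changes.append(("delete key", key[1:], None))
                key = None
            else:
                changes.append(("create or update key", key, None))
            continue
        match = ENTRY.match(line)
        if match and key:
            name = "(Default)" if match.group(1) == "@" else match.group(1)[1:-1]
            # "name"=- deletes the value; anything else sets it
            action = "delete value" if match.group(2) == "-" else "set value"
            changes.append((action, key, name))
    return changes


if __name__ == "__main__":
    for action, key, name in summarize_reg(SAMPLE):
        print(f"{action:22} {key}" + (f" -> {name}" if name else ""))
```

Files that Registry Editor exports in the "Version 5.00" format are UTF-16 encoded, so read them with `open(path, encoding="utf-16")` before passing the text to the function.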
