Editing the Windows NT Registry

Don't let the Registry intimidate you

Sooner or later, every Windows NT administrator edits the Registry. Perhaps you want to fix a problem, improve performance, or enhance security. In many cases, the fix to your problem comes with dire warnings about the consequences of invalid changes. You wonder which is the lesser of two evils--living with the problem, or applying the fix and possibly introducing an error into the Registry. Editing the Registry is not as risky as you might think, if you take certain precautions.

In this article, I discuss how to find and safely modify Registry settings and how to add new entries to the Registry.

What Is the Registry?
The NT Registry is a hierarchical database that stores configuration information for the OS and installed applications. The Registry's intended purpose was to reduce the number of .ini files the OS used to keep configuration details for applications. Some applications had multiple .ini files, often in several directories. A drawback of the Registry is that transferring program settings, preferences, and customization values from one computer to another is now harder than it used to be.

Registry subtrees. The Registry has a hierarchical tree structure, and the Registry's main components are known as subtrees. Each of these subtrees has a name that begins with HKEY_ (handle to a key, which is a reference that NT's developers unnecessarily left in the Registry's user interface). If you use the Windows 95 Registry editor (i.e., regedit.exe--which also comes with NT 4.0 and later) to open the Registry, the subtrees appear as items in a hierarchical structure, as Screen 1, page 190, shows. If you use the NT Registry editor (i.e., regedt32.exe), each subtree appears in its own window, as Screen 2, page 190, shows. When you look for a Registry entry, you need to know which subtree it is in. Regedt32 looks in only the current subtree.

HKEY_CLASSES_ROOT contains data about file associations. The application-setup programs register the file extensions for each application. (For example, when you click a filename with a .doc extension, Word or WordPad starts automatically.) This subtree also contains information about component object model (COM) objects and provides backward compatibility with the Windows 3.1 Object Linking and Embedding (OLE) and Dynamic Data Exchange (DDE) functionality. This subtree is an alias or pointer for the HKEY_LOCAL_MACHINE\SOFTWARE\Classes Registry key. Use NT Explorer to edit this subtree's values. NT Explorer is more user-friendly than the Registry, and you're less likely to make errors. Open NT Explorer, and select View, Options. Then, edit the file associations from the File Types tab.

HKEY_CURRENT_USER contains information about the system's configuration for the current user. These settings include color scheme, mouse sensitivity, custom program groups, and preferences for the display of dates, times, and currency values. You might need to edit this subtree occasionally.

HKEY_LOCAL_MACHINE contains information that is specific to the computer, regardless of who is logged on. Examples of the information this subtree stores include the IP address, the interrupt the network card uses, the version of NT currently running, and common program groups. You often need to edit this subtree.

HKEY_USERS contains information about the settings for all the users who log on to a computer, including settings for the default user. HKEY_CURRENT_USER contains a pointer to the entry in HKEY_USERS for the user who is currently logged on. HKEY_USERS identifies users by security ID (SID) rather than by username. You typically don't edit values in this subtree. If you need to edit user settings, use HKEY_CURRENT_USER.

HKEY_CURRENT_CONFIG is a new subtree in NT 4.0. It provides support for hardware profiles (also a new feature in NT 4.0) and compatibility with the Win95 Registry. Win95 applications that use this subtree can also run on NT 4.0. This subtree is yet another pointer. HKEY_CURRENT_CONFIG points to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current Registry key.

The regedit Registry editor displays a subtree called HKEY_DYN_DATA. This Win95 subtree contains dynamic data stored and updated in RAM for fast access. If you try to open this subtree in NT, you'll receive an error message.

Registry keys and values. Within each subtree are the Registry keys. The Registry keys can, in turn, contain subkeys. At the lowest level, the subkeys contain values. A value has three components: the name of the value, the type of value, and the actual assigned value.

The NT Registry supports several types of values. REG_DWORD is a numeric value, which regedt32 shows in hexadecimal (hex) notation. Regedit shows the hex value followed by the decimal equivalent in parentheses. REG_SZ is a text string. REG_EXPAND_SZ is a string that contains variables (e.g., %systemroot%). When you access the Registry key, the corresponding value (e.g., c:\winnt) replaces the variable. REG_MULTI_SZ is a string value that can contain multiple entries. The Win98 Registry doesn't require or support entries with variables, or multiple-valued entries, so regedit doesn't support the REG_EXPAND_SZ or REG_MULTI_SZ value type. You must use regedt32 to examine or edit a Registry entry that contains a variable, or a multiple-string Registry entry.

Choosing a Registry Editor
You might wonder which Registry editor to use. Each Registry editor has advantages and disadvantages, and I use both editors depending on the situation.

Regedt32. Regedt32 has a security feature that regedit lacks. You can use regedt32 in a read-only mode: Start regedt32, and select Options, Read Only Mode. Working in the read-only mode prevents you from accidentally making changes as you search through the Registry.

As I mentioned previously, regedt32 can search in only the current subtree. But, regedit can't handle multiple-valued strings or strings that contain variables. Thus, I use regedt32 to make Registry changes when I know the Registry path.

Although regedt32 can't search for a Registry value, you can use an old NT 3.x workaround to this problem. Use the print option to print a Registry subtree to a file, then use Notepad or WordPad's text search to find the key. Make sure you use the print option rather than the save option, because regedt32 saves Registry keys in a form that text editors can't read.

Regedit. Regedit has better search capabilities than regedt32 has. Regedt32 can search only for a key--not for a value within the key. Regedit searches for keys, values, or data throughout the entire Registry, so you don't have to know which subtree to look in. Press Ctrl+F or select Edit, Find to open a search window. When regedit finds the value you want, it shows the entire path.

Proceed with Caution
Before you edit the Registry, you need to take some precautionary steps. First, make sure you have an up-to-date Emergency Repair Disk (ERD). Second, make sure you have a backup of the Registry. If you save a Registry key before you modify it, you can easily restore the original if your change doesn't work as intended. You can use the rdisk utility to create a backup, or you can use regedt32 or regedit to create a backup. You can use either Registry editor to back up all or part of the Registry. In addition, you can use the Registry editors to restore the Registry.

Go Ahead, Make Those Changes
Administrators commonly make two types of modifications to the Registry: changing an existing value and adding a new value. The simplest modification you can make is changing a value. You typically know the complete path of the value you need to change, and you simply find the value and make the change.

If you change a value with regedt32, you need to select the correct mode, because regedt32 displays values as decimal, hex, or octal. For example, suppose you enter 10 as an interrupt for your network card. If you're in decimal mode, you'll have no problem. But if you're in hex mode, typing 10 requests interrupt 16, and the network card doesn't start. Screen 3 shows the Registry entry for the EventLog file's size: 0x80000 in hex or 524288 in decimal. In cases in which the value can be only 0 or 1, the mode you're in makes no difference. I sometimes see students in NT classes unnecessarily change from the default hex mode to decimal mode before they change a value from 0 to 1.

Adding a value with regedt32 is slightly more complicated than changing a value. Start regedt32, and select Edit, Add Value. You need to supply the name of the value, the type of value (e.g., REG_DWORD), and the actual value. Make sure you enter the name and type of value correctly. After you close the Registry editor, your changes will take effect.
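
The same precautions (save the key first, state the number base, name the value type) can be scripted. The following is an added example, not part of the original article; it uses PowerShell and reg.exe on a current Windows system rather than the NT 4.0 editors, and the scratch key HKCU\Software\RegEditDemo and its value names are hypothetical.

```powershell
# Added example. The key and value names are hypothetical scratch names.
$keyPs  = 'HKCU:\Software\RegEditDemo'   # PowerShell provider path
$keyReg = 'HKCU\Software\RegEditDemo'    # same key in reg.exe syntax
$backup = Join-Path $env:TEMP 'RegEditDemo-before.reg'

# Create the scratch key with one starting value so there is something to save.
New-Item -Path $keyPs -Force | Out-Null
New-ItemProperty -Path $keyPs -Name 'MaxSize' -PropertyType DWord -Value 0x80000 -Force | Out-Null

# 1. Save the key before modifying it, and stop if the save fails.
reg.exe export $keyReg $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $keyReg failed; no changes made." }

# 2. Change an existing REG_DWORD. Writing the 0x prefix makes the base
#    explicit, which avoids the hex-versus-decimal mistake described above.
Set-ItemProperty -Path $keyPs -Name 'MaxSize' -Value 0x100000 -Type DWord

# 3. Add new values, supplying name, type, and data each time.
New-ItemProperty -Path $keyPs -Name 'LogPath' -PropertyType ExpandString `
    -Value '%SystemRoot%\Temp\demo.log' -Force | Out-Null
New-ItemProperty -Path $keyPs -Name 'Sources' -PropertyType MultiString `
    -Value @('Alpha', 'Beta') -Force | Out-Null

# 4. Read every value back and print its name, type, and stored data.
#    DoNotExpandEnvironmentNames shows REG_EXPAND_SZ data as stored.
$key = Get-Item -Path $keyPs
foreach ($name in $key.GetValueNames()) {
    $kind = $key.GetValueKind($name)
    $raw  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
    if ($kind -eq 'DWord') { $shown = '0x{0:X} ({0})' -f $raw }
    else                   { $shown = $raw -join '; ' }
    '{0,-8} {1,-13} {2}' -f $name, $kind, $shown
}

# 5. Restore the saved copy, then show the restored MaxSize.
reg.exe import $backup 2>$null
(Get-ItemProperty -Path $keyPs).MaxSize

# Remove the scratch key and the backup file when finished.
Remove-Item -Path $keyPs -Recurse
Remove-Item -Path $backup
```

Note that reg.exe import merges the saved file into the key: it puts MaxSize back, but values added after the export (LogPath and Sources here) stay until you delete them.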

Action at a Distance: Editing the Registry Remotely
As an administrator, you can connect to remote computers and edit their Registries. Both Registry editors let you make remote changes. You can't see the HKEY_CURRENT_CONFIG and HKEY_DYN_DATA aliased subtrees on remote systems, but you don't edit these subtrees anyway. Regedt32 shows only the HKEY_LOCAL_MACHINE and HKEY_USERS subtrees. You typically make changes only to the former to troubleshoot a system problem. On the latter subtree, the regedt32 window shows the computer name (instead of HKEY_USERS on Local Machine) to indicate which computer you are connecting to, as Screen 4 shows. The regedit window shows a more Explorer-like interface, as you see in Screen 5.

Don't Be Afraid of the Big Bad Registry
Some administrators worry so much about making changes to the Registry that they neglect numerous opportunities to tune NT and improve their system performance. Don't let the Registry scare you. If you browse in read-only mode and you take the proper backup precautions, you have nothing to fear.
