Viewing and Manipulating the Registry
Author: Darren Mar-Elia
Published: July 2000
Copyright: 2000
Publisher: Windows IT Library
 


Abstract
Learn about the tools you can use to view and manipulate the Windows NT and Windows 2000 Registry. This chapter also provides an overview of tools you can use to edit the Registry.




WIN2K TOOLS FOR ACCESSING THE REGISTRY

Although the Registry was designed to be a behind-the-scenes part of Windows NT, experience has shown that administrators who want to get the most out of their NT and Windows 2000 systems must know how the Registry functions and how to maintain it. In "How the Registry Is Architected" and "The Registry and the Active Directory," I lay the foundation for understanding how the Registry works, both on a local machine and in an Active Directory (AD) environment. In this chapter, I focus on the tools you can use to view and manipulate the Registry, either interactively or via a command line.

This chapter also provides an overview of tools you can use to edit the Registry, including Win2K tools such as Regedt32 and Regedit; Win2K Resource Kit utilities such as Regini and Regdmp; and third-party tools such as Regclean and ConfigSafe.

When you install Win2K servers or workstations, you get two different graphical tools for viewing and manipulating the Registry — Regedit and the NT-specific Regedt32. Both are 32-bit applications, but Regedit is meant to maintain backward compatibility with the old Windows 3.1 and Win95/98 Registry tool.

In addition to maintaining backward compatibility, Regedit also supports the ability to import and export Registry files (files ending in .reg) from the command line (Regedt32 lacks this ability). This capability is very useful when you need to script Registry changes and an application has already provided the .reg file needed to perform the task. And, new to Regedit in Win2K, you can add "Favorites," or quick links to commonly accessed Registry keys, within the tool.

Despite its features, you can’t use Regedit to do everything. That’s where Regedt32 comes in. Regedt32 lets you modify Registry security and auditing, whereas Regedit does not. In addition, Regedt32 lets you load and unload temporary hive files into the Registry, which I describe in the "Manipulating Hives and Keys" section of "Backing Up and Securing the Registry and Manipulating Hives and Keys." Regedt32 also has a different look-and-feel: While Regedit uses the familiar Explorer tree interface to display subtrees, Regedt32 displays each subtree in a different window.

Regedit is normally stored in %systemroot% and Regedt32 is kept in %systemroot%\system32. Each tool has its own capabilities and limitations. Table 1 compares their features.

As you can see in Table 1, some features and functions are divided between the tools. This can make manipulating the Registry frustrating, as neither tool gives you everything you need.

Regedt32
I discuss Regedt32 first because it is generally my choice for doing anything interactively with the Registry in Win2K. Even though it lacks some of the features of Regedit, it performs most of the functions you need for typical Registry tasks. Most importantly, it is the only out-of-the-box graphical tool that lets you modify Registry security. And although Regedt32 doesn’t let you view all hives in the familiar Explorer format, you can tile each subtree for a complete view of the Registry (Figure 1).

Another useful Regedt32 feature is the read-only mode. From the Regedt32 menu, choose Options, Read Only Mode, and from that point until you close the tool, you won’t be able to inadvertently — or even purposefully — make changes to the Registry. This is a safeguard that helps prevent errant keystrokes from causing disastrous results while you explore the Registry.

Another feature of Regedt32 gives you the ability to do some basic reporting against keys and values within the Registry. Many third-party tools can help you dump the Registry to a file or report, but Regedt32 contains its own simple but useful "poor-man’s" version that lets you quickly report on a set of keys or values. This might come in handy if you need to compare the contents of two machines’ Registries. First, highlight the key you want to dump. You can dump an entire subtree, such as HKEY_LOCAL_MACHINE, by highlighting that key. From the Regedt32 menu, select Registry and then Save Subtree As. Choose a file name from the Save file dialog box. All keys, subkeys, and values beneath the highlighted key are dumped to the file. The resulting output is a text file, which you can view with your favorite word processor or text editor. The listing in Figure 2 shows sample output from this feature, representing the keys and values underneath HKEY_LOCAL_MACHINE\Software\Microsoft\JavaVM.

As you can see, the Save Subtree As feature is useful for at-a-glance reporting on sets of Registry keys and values, but formatting is minimal and extraneous information abounds.

Note that all of the functions Regedt32 is capable of are available only via the GUI. This is not the case with Regedit — you can invoke some of its more valuable features from the command line. This ability makes it a valuable scripting tool when it comes time to manipulate Registry keys and values. (Because Regedt32’s operations cannot be invoked from the command line, it is not a scripting tool.)

Regedit
Regedit is a good GUI Registry tool for doing a few things that Regedt32 should do, but doesn’t. Perhaps one of the most common is the ability to search through both Registry keys and values for a specific piece of text or a numeric value. (Regedt32 only supports searches at the key-name level, which means it completely ignores values.) Regedit handles keys, values, and the data contained in values.

Note: Although Regedit is better at searching for data in the Registry than Regedt32, it has its limitations. If you try to locate data within a value of type REG_BINARY, it fails. You can search the text within the name of a REG_BINARY value, but the search tool completely ignores the binary data itself.

Regedit makes it easy to rename keys and values. You simply right-click the highlighted object and choose rename, just as you would in NT’s Explorer shell.

Regedit can also connect to a remote computer’s Registry. To make the connection, select Registry and then Connect Network Registry from Regedit’s menu.

Reg Files Dissected
As I mentioned above, Regedit can be called from the command line and can take a .reg file containing registrations to add to the Registry as input. Many Windows applications, as part of their setup routines, contain .reg files that register machine or user-specific keys and values during install. Regedit can help you take advantage of this capability to create your own .reg files for doing simple or complex Registry manipulations. Because they require a particular format, .reg files are not the most intuitive to understand, especially when you create values using data types other than REG_SZ and REG_DWORD. The format of a .reg file must also be consistent for the tool to work as expected. Figure 3 shows an example of a typical .reg file.

Let’s analyze the formatting for a typical .reg file, such as the one shown in Figure 3. The first requirement for any .reg file is the tag at the start of the file: Windows Registry Editor Version 5.00. Note that this header tag is new in Win2K. The header must be exact, including case sensitivity, or Regedit fails to import the file. Additionally, you can still use the REGEDIT4 tag that was supported in NT 4.0 to begin your .reg file. (Again, you must use REGEDIT4 exactly; the tag is case sensitive.)

Warning: Simply putting REGEDIT as the tag for a .reg file won’t work. In fact, although it may appear to have worked, the changes you specify won’t have been made.

The required designator tells Regedit that this is a valid .reg file. The next nonblank line starts the registration. Typically, you start by indicating which Registry key you want to manipulate and enclose it in brackets ([ ]). Each of the five subtrees is shown in brackets and ready for manipulation.

[HKEY_LOCAL_MACHINE ]
[HKEY_USERS ]
[HKEY_CURRENT_USER ]
[HKEY_CLASSES_ROOT ]
[HKEY_CURRENT_CONFIG ]
After each Registry key, the next line(s) are values that you wish to add or change under this key. In Figure 3, under the NetBT key, the first value we change is TYPE, which is a REG_DWORD value. Each value name must be enclosed in double quotation marks. The exception to this rule occurs when you don’t actually use a value name. Some Registry keys have "default" values that have no value nametag, but do contain data. You often find such entries in HKEY_CLASSES_ROOT. In this case, the value name is designated with an @ symbol:

[HKEY_CLASSES_ROOT\.aad]
@="Agent.Character.2"
After the value name is defined, it is followed by an equal sign, after which the data for that value is entered. Depending upon the value’s data type, you use different tags to indicate to Regedit what kind of data follows. If the data is a REG_SZ value, you simply enclose it in double quotation marks. For example, in Figure 3, the line

"DisplayName"="NetBios over Tcpip"
sets the value DisplayName with REG_SZ data of "NetBios over Tcpip."

If you need to enter a value other than REG_SZ, Regedit is a bit less intuitive. To the right of the equal (=) sign, you must first designate the type of value using the format DataType: followed by the data for that value in hexadecimal format. If the value is of REG_DWORD type, the data is represented by a four-byte hexadecimal value (e.g., dword:ffffffff). For values other than REG_DWORD, the data is also presented using hexadecimal format, but a comma separates each byte (i.e., two-character hex number). If a line of data needs to wrap to the next line, the backslash (\) character is used to indicate a continuation on the following line. In Figure 3, the line near the end of the script that begins with "TMP" shows an example of a value that contains hexadecimal data formatted in this comma-delimited fashion. Table 2 shows how to designate each of the data types you are likely to need in your Registry scripts.

Note: REG_SZ, REG_MULTI_SZ and REG_EXPAND_SZ strings are always terminated with the NULL character (00). You won’t see this in a Regedit script for REG_SZ values; it is added automatically. However, the other two types do require this in their Regedit data.

You must follow some other conventions when you build Registry files. The backslash (\) character has special meaning (i.e., a directory designator) to the operating system (OS). If you want to use the backslash character literally in a REG_SZ string within your Registry file (e.g., in a UNC path (\\Servername) or a directory name (C:\Program Files)), you must precede it with another backslash. For example, I might have a value I need to fill called LogonServer, with the UNC path to servera. In my .reg script, the line that assigns this value would look like the following:

"Logonserver"="\\\\servera"
where each literal backslash is preceded by a backslash to indicate that it should be taken literally and included when Regedit processes the script.

You can also put comments in your .reg files by beginning a line with a semicolon. A semicolon tells Regedit not to process the contents of that line. Line 2 in Figure 3 shows an example of how you can use commenting to describe what is going on in your .reg script.

Building Your Own Reg Files
When you build a .reg file from scratch, keep in mind that the Registry is structured with keys, subkeys, and values. You can group changes or additions to multiple values under a single key. For example, the following listing groups changes to four values under a new key that I create in HKLM\Software\Test.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TEST] 
"Working Directory"="C:\\PROGRAM FILES\\TEST" 
"Autorestart"=dword:00000001 
"IgnoreFlags"=dword:00000000 
"User Directory"=hex(2):25,75,73,65,72,70,72,6f,66,69,6c,65,25,5c,6c,6f,63,61,\
  6c,20,73,65,74,74,69,6e,67,73,00
Of course, you can not only make multiple value changes under a single key, but also reference multiple keys under multiple subkeys in your .reg file. For example, in the listing above, I could have added some changes to HKEY_CURRENT_USER\Control Panel in the script as well.

In the listing, you also see that the "Working Directory" value contains a reference to the Program Files folder in which the backslashes are properly delimited with the literal backslash character. Additionally, there is a value of type REG_EXPAND_SZ that contains some hexadecimal data. Up to this point, I have discussed the tags that are used to build REG_EXPAND_SZ (hex(2)) and REG_MULTI_SZ (hex(7)), but I haven’t really talked about how you can create your own .reg files using values of these types. Although it is not something most people want to do, you can create entries of these types manually.

Tip: You can automate some of the steps in creating your own .reg files by letting Regedit do most of the hard work. That is, within Regedit, go ahead and create "dummy" keys that represent what you want to create with your .reg file. Assign values of the intended types to them and use the export feature to create a starting point from which to customize your .reg files.

As I mentioned earlier, each two-digit number is a hexadecimal representation of a byte of data. For example, the "User Directory" value shown in the listing above starts with 0x25 as the first value; 0x25 corresponds to 37 in decimal notation, and 37 is the ASCII value for the % character. If you take time to do the math for each character shown, you see that it expands out to %userprofile%\local settings. Note that although REG_SZ keys require use of the literal backslash, when you try to represent a backslash value like the one shown for the User Directory, represented as hexadecimal, you do not need to include the double-backslash notation. Again, while it is not the most effective use of your time to manually enter values of these types in a .reg file, it is possible to do so!
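The byte-by-byte arithmetic described above can be left to a script. The following Python code is an added example, not part of the original chapter; its function names are illustrative. It writes a .reg file from plain data, doubling backslashes in REG_SZ strings and producing the comma-separated, NUL-terminated hex for hex(2) and hex(7) values with backslash line continuations. It goes slightly beyond the listing: under the REGEDIT4 header it writes one byte per character, as in the chapter's listing, while under the Version 5.00 header it writes UTF-16LE, which is the form Regedit itself uses when it exports these types in that format.

```python
V5, V4 = "Windows Registry Editor Version 5.00", "REGEDIT4"
TAGS = {"expand_sz": "hex(2)", "multi_sz": "hex(7)"}

def quote(s):
    """Quote a value name or REG_SZ string; each literal backslash is doubled."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def encode(kind, data, header):
    """Bytes for hex(2)/hex(7): every string ends in NUL, a multi_sz list in one more."""
    enc = "utf-16-le" if header == V5 else "ascii"   # two bytes per character under V5
    if kind == "expand_sz":
        return (data + "\0").encode(enc)
    return ("".join(s + "\0" for s in data) + "\0").encode(enc)

def hex_line(lhs, tag, raw, width=78):
    """Comma-separated hex bytes, wrapped with a trailing backslash when too long."""
    line, done = "%s=%s:" % (lhs, tag), []
    for i, byte in enumerate(raw):
        piece = "%02x" % byte + ("," if i < len(raw) - 1 else "")
        if len(line) + len(piece) + 1 > width:       # +1 leaves room for the backslash
            done.append(line + "\\")
            line = "  "
        line += piece
    return "\n".join(done + [line])

def build_reg(header, key, values):
    """values: (name, kind, data) tuples; kind is sz, dword, expand_sz or multi_sz."""
    out = [header, "", "[%s]" % key]
    for name, kind, data in values:
        lhs = quote(name) if name else "@"           # "@" is the key's default value
        if kind == "sz":
            out.append("%s=%s" % (lhs, quote(data)))
        elif kind == "dword" and 0 <= data <= 0xFFFFFFFF:
            out.append("%s=dword:%08x" % (lhs, data))
        elif kind in TAGS:
            out.append(hex_line(lhs, TAGS[kind], encode(kind, data, header)))
        else:
            raise ValueError("unsupported kind or out-of-range dword: %r" % (kind,))
    return "\n".join(out) + "\n"

# The four values from the chapter's listing, as plain Python data.
CHAPTER_VALUES = [
    ("Working Directory", "sz", "C:\\PROGRAM FILES\\TEST"),
    ("Autorestart", "dword", 1),
    ("IgnoreFlags", "dword", 0),
    ("User Directory", "expand_sz", "%userprofile%\\local settings"),
]

def chapter_file(header=V4):
    return build_reg(header, "HKEY_LOCAL_MACHINE\\SOFTWARE\\TEST", CHAPTER_VALUES)
```

With the REGEDIT4 header, `chapter_file()` reproduces the byte sequence shown for "User Directory" in the listing above.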

Command-Line Options for Regedit
After you have created a .reg file, you can import it into the Registry in one of two ways. From the Regedit tool’s main menu, select Registry, Import Registry File, and enter the path to your .reg file. Regedit processes the entries and makes the appropriate changes. However, you can also call .reg files from the command line using Regedit. To do so, simply call Regedit followed by the name of the .reg file, as follows:

regedit [path]<regfilename>, or regedit c:\temp\myfile.reg
After you submit this command, Regedit asks you to confirm the registration, then tells you whether it has successfully registered your changes (Figure 4) or whether it has failed to register them correctly (Figure 5).

Registration errors are most commonly caused by syntax errors within the .reg files. A missing or incorrectly formed header tag at the top of the file or a missed colon somewhere deep down can cause a failed registration. One of the limitations of using Regedit to make Registry changes is that it does not have any kind of logging to tell you whether it has successfully made all of the changes you expected it to make. In addition, I have encountered cases in which Regedit reports as a successful registration one that was, in fact, only a partial registration of what I intended. This is a good reason for not using Regedit to register many complex Registry changes!

There are circumstances in which you need to deliver a .reg file "invisibly." That is, you don’t want a dialog box to appear that tells users that the registration was successful and asks them to click a button for the message to go away. You also may want to deliver a .reg file in the background, using, for example, the Win2K Task Scheduler. In that case, there is no "desktop" to which you can send a "successful registration" dialog box, so you’ll need to suppress the message. For these instances, you can call Regedit with the /s flag. This flag tells Regedit to suppress all status messages when it processes a .reg file. To use this flag, call Regedit using the following format:

regedit /s <regfilename>, or regedit /s c:\temp\myfile.reg
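Because Regedit keeps no log and /s hides even the result dialog, a .reg file can be checked against the format rules from "Reg Files Dissected" before it is imported. The following Python check is an added example, not part of the original chapter or of any Microsoft tool; `lint_reg`, `logical_lines` and both sample files are constructed for illustration, and only the syntax the chapter describes is accepted.

```python
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")   # exact match only
SUBTREES = ("HKEY_LOCAL_MACHINE", "HKEY_USERS", "HKEY_CURRENT_USER",
            "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')
STRING_RE = re.compile(r'^"((?:[^"\\]|\\["\\])*)"$')     # every backslash must be escaped
DWORD_RE = re.compile(r'^dword:([0-9a-fA-F]{1,8})$')
HEX_RE = re.compile(r'^(hex(?:\(\w+\))?):((?:[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)?)$')
UNESC = re.compile(r'\\(.)')                             # drops the escaping backslash

def logical_lines(text):      # joins hex data continued with a trailing backslash
    buf, start = "", 0
    for no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line, start = raw.strip(), start or no
        if line.endswith(",\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", 0
    if buf:
        yield start, buf      # continuation with nothing after it: fails HEX_RE below

def lint_reg(text):
    """Return (entries, errors); entries are (key, value_name, type_tag, data)."""
    entries, errors, key = [], [], None
    lines = list(logical_lines(text))
    if not lines or lines[0][1] not in HEADERS:
        errors.append((1, "header is not an exact, case-sensitive match"))
    for no, line in lines[1:]:
        if not line or line.startswith(";"):              # blank line or comment
            continue
        if line.startswith("["):
            key = line[1:-1] if line.endswith("]") else ""
            if key.split("\\")[0] not in SUBTREES:
                key = None
                errors.append((no, "bad key line"))
        elif (m := VALUE_RE.match(line)) is None or key is None:
            errors.append((no, "malformed value line or no valid key above it"))
        else:
            name = "@" if m.group(1) == "@" else UNESC.sub(r"\1", m.group(1)[1:-1])
            s, d, h = (rx.match(m.group(2)) for rx in (STRING_RE, DWORD_RE, HEX_RE))
            if s:
                entries.append((key, name, "REG_SZ", UNESC.sub(r"\1", s.group(1))))
            elif d:
                entries.append((key, name, "dword", int(d.group(1), 16)))
            elif h:
                entries.append((key, name, h.group(1), bytes.fromhex(h.group(2).replace(",", ""))))
            else:
                errors.append((no, "unrecognised or badly escaped data"))
    return entries, errors

GOOD = r'''Windows Registry Editor Version 5.00
; constructed sample based on the chapter's listing
[HKEY_LOCAL_MACHINE\SOFTWARE\TEST]
"Working Directory"="C:\\PROGRAM FILES\\TEST"
"User Directory"=hex(2):25,75,73,65,72,70,72,6f,66,69,6c,65,25,5c,6c,6f,63,61,\
  6c,20,73,65,74,74,69,6e,67,73,00'''
BAD = 'REGEDIT\n[HKEY_USERS\\X]\n"A"=dword00000001\n"D"="C:\\Program Files"\n'  # constructed
```

`lint_reg(BAD)` reports lines 1, 3 and 4: the incomplete REGEDIT tag, the missing colon after dword, and the unescaped backslash in a REG_SZ string.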



