Registry

General

The Registry is a hierarchical, tree-like database of keys and values. The OS and the installed software store the configuration they need at runtime under its subtrees (services, drivers, file associations, user settings, autostart entries, and so on).

Keys are containers (comparable to folders) that group the values for a specific component of the computer. On disk, the hives behind the machine-wide root keys are stored as files in c:\windows\system32\config\: SAM, SECURITY, SOFTWARE and SYSTEM back the corresponding HKLM subkeys, and DEFAULT backs HKU\.DEFAULT. Each user's own hive is NTUSER.DAT in that user's profile directory. These files are held open by the kernel while Windows is running, so they cannot simply be copied; reading SAM, SECURITY or SYSTEM additionally needs SYSTEM-level privileges (or a saved copy via reg save / a volume shadow copy), which is why they are a common target for credential extraction.

PS C:\WINDOWS\system32> gci c:\windows\system32\config\


    Directory: C:\windows\system32\config


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        28/09/2022     09:00                bbimigrate
d-----        28/09/2022     09:00                BFS
d-----        07/05/2022     06:24                Journal
d-----        07/05/2022     06:24                RegBack
d-----        28/09/2022     19:52                systemprofile
d-----        13/03/2024     20:13                TxR
-a----        17/04/2024     21:41        1048576 BBI
-a----        28/09/2022     09:00          28672 BCD-Template
-a----        23/04/2024     10:09       46661632 COMPONENTS
-a----        17/04/2024     21:41        1572864 DEFAULT
-a----        22/04/2024     09:43        6356992 DRIVERS
-a----        15/02/2024     07:33          32768 ELAM
-a----        17/04/2024     21:41         131072 SAM
-a----        17/04/2024     21:41          32768 SECURITY
-a----        18/04/2024     06:05      142082048 SOFTWARE
-a----        17/04/2024     21:41       31195136 SYSTEM
-a----        28/09/2022     08:14           8192 userdiff
-a----        11/04/2024     06:33           1623 VSMIDK

Values are the data entries stored inside a key. Each value has three parts: a name, a type (REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_BINARY, REG_MULTI_SZ, ...) and the data itself; the type tells the consumer how to interpret the data.

Registry Hives

The hives are the root keys of the tree. They matter because each one is a single entry point to a whole class of configuration: everything under HKLM is machine-wide, everything under HKU\<SID> belongs to one user. A query or a reg add at the right place under a root therefore reads or changes settings for the whole host, or for every future session of a user, in one step.

HKEY_LOCAL_MACHINE (HKLM)
    Machine-wide configuration: hardware, bus types, memory, device drivers, services, installed software and the local security policy. Backed by the SAM, SECURITY, SOFTWARE and SYSTEM hive files.

HKEY_CURRENT_CONFIG (HKCC)
    The hardware profile in use for this boot, i.e. the variance between the current and the default setup. It is not a separate hive but a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

HKEY_CLASSES_ROOT (HKCR)
    File type associations, COM class registrations, shell extensions and backward-compatibility settings. It is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes; where both define the same key, the per-user entry wins.

HKEY_CURRENT_USER (HKCU)
    OS and software settings of the user running the current session, including roaming profile settings and user preferences. It is a link to the HKU subkey named after that user's SID and is backed by the user's NTUSER.DAT.

HKEY_USERS (HKU)
    One subkey per loaded user profile, named by SID, plus .DEFAULT (the profile used before anyone logs on). The currently logged-on user's settings appear here under their SID.
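The link relationships in the table (HKCU is HKU\<SID>, HKCC is the current hardware profile under HKLM, HKCR merges the machine and user Classes keys) can be checked from an ordinary PowerShell session. The following is an added example and not code from the original page; it maps the roots that PowerShell does not mount as drives by default, and for the HKCR check it creates and then removes a scratch key with the hypothetical extension .hkcrdemo under the user's own Classes key.

```powershell
# Added example (not from the original page): show that HKCU, HKCC and HKCR are
# views onto other parts of the tree. Runs in a non-elevated PowerShell session.

# SID of the account running this session; HKCU resolves to HKU\<this SID>
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# Only HKLM: and HKCU: exist as drives by default; map the other roots we need
$roots = @{ HKU = 'HKEY_USERS'; HKCC = 'HKEY_CURRENT_CONFIG'; HKCR = 'HKEY_CLASSES_ROOT' }
foreach ($pair in $roots.GetEnumerator()) {
    if (-not (Get-PSDrive -Name $pair.Key -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name $pair.Key -PSProvider Registry -Root $pair.Value | Out-Null
    }
}

# 1. HKCU vs HKU\<SID>: the same value read through both paths
$viaHkcu = (Get-ItemProperty -Path 'HKCU:\Environment').TEMP
$viaHku  = (Get-ItemProperty -Path "HKU:\$sid\Environment").TEMP
"HKCU\Environment\TEMP      : $viaHkcu"
"HKU\$sid\Environment\TEMP : $viaHku"
"Same data through both roots: $($viaHkcu -eq $viaHku)"

# 2. HKCC vs HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current: same subkeys
$hkccKeys = (Get-ChildItem -Path 'HKCC:\').PSChildName
$hklmKeys = (Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Hardware Profiles\Current').PSChildName
"HKCC matches the current hardware profile: $(-not (Compare-Object $hkccKeys $hklmKeys))"

# 3. HKCR merges HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes: a class key that
#    exists only in the per-user location is still visible under HKCR.
#    .hkcrdemo is a hypothetical extension used only for this check.
$scratch = 'HKCU:\SOFTWARE\Classes\.hkcrdemo'
New-Item -Path $scratch -Force | Out-Null
"Per-user class visible in HKCR: $(Test-Path -Path 'HKCR:\.hkcrdemo')"
Remove-Item -Path $scratch -Force
```

The HKCR check is also the reason per-user Classes keys are interesting from an attacker's point of view: an unprivileged user can add entries that applications resolving through HKCR will pick up before the machine-wide definition.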

We can use reg.exe (reg query, reg add, reg delete, reg save) or the PowerShell Registry provider (Get-ChildItem, Get-Item and Get-ItemProperty on the HKLM: and HKCU: drives) to interact with the hives. Useful switches for reg query:

  • /f <pattern> -> search for keys, value names or data that match the pattern

  • /s -> recurse into all subkeys

  • /k -> match key names only (/v matches value names only, /d matches data only; /e requires an exact match)
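Putting the reg query switches next to their provider equivalents, and then dumping values with their type as described in the Values section above. This is an added example, not code from the original page; the Get-RegistryValues function is a helper written for it, and the Run keys it targets are the standard autostart locations.

```powershell
# Added example (not from the original page): reg query searches beside their
# PowerShell-provider equivalents, then a typed dump of the classic Run keys.

$regBase = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion'     # reg.exe syntax
$psBase  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'    # provider syntax

# reg query: /f = pattern, /s = recurse, /k = key names only.
# Lists Run, RunOnce, RunOnceEx, ... under CurrentVersion.
reg query $regBase /f Run /k /s

# Same search through the provider: Get-ChildItem -Recurse walks the keys and
# PSChildName is the key's leaf name. Keys we are denied access to are skipped.
Get-ChildItem -Path $psBase -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'Run*' } |
    Select-Object -ExpandProperty Name

# Without /k the pattern is matched against value names and data as well;
# /d restricts it to data, so this finds every autostart value pointing at an .exe
reg query "$regBase\Run" /f .exe /d /s

# Every value has a name, a type and data. Get-ItemProperty hides the type;
# Get-Item plus GetValueKind() exposes it (String = REG_SZ, DWord = REG_DWORD, ...).
function Get-RegistryValues {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { continue }
        $key = Get-Item -Path $p
        foreach ($name in $key.GetValueNames()) {
            # An empty name is the key's default value
            $display = if ($name -eq '') { '(Default)' } else { $name }
            [pscustomobject]@{
                Key  = $p
                Name = $display
                Type = $key.GetValueKind($name)
                Data = $key.GetValue($name)
            }
        }
    }
}

# Machine-wide and per-user autostart entries: one of the first places to look
# for persistence. The HKCU key is writable by the unprivileged user it belongs to.
Get-RegistryValues -Path @(
    "$psBase\Run",
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
) | Format-Table -AutoSize
```

Get-ItemProperty expands REG_EXPAND_SZ data (for example %SystemRoot%) before returning it, whereas GetValue() on the key object also expands by default; pass [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames as the third argument to GetValue() when the raw stored string matters, for instance when comparing against a known-good baseline.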
