The Windows registry is a database used to store important settings and configuration information for Windows operating systems, without which Windows cannot operate. Needless to say, it is an integral and delicate component of your operating system. All the entries, referred to as keys and subkeys, are sorted into five major categories known as hives.
Was The Windows Registry A Good Idea?
Protected Storage is a service used by Microsoft products to provide a secure area in which to store private information (Carvey, 2004). Information that could be stored in Protected Storage includes MSN Explorer and Internet Explorer AutoComplete strings and passwords, Microsoft Outlook and Outlook Express account passwords, and the MSN Messenger password. Registry Editor hides these registry keys from all users, including administrators. There are tools that allow an examiner to view the decrypted Protected Storage on a live system, such as Protected Storage PassView (NirSoft, 2004) and PStoreView (PStoreView, 2005).
In the Windows 3.1 era, Windows applications frequently stored settings in .INI configuration files that were scattered across the OS. The registry can now be used by all programs, and it helps bring together the settings that would otherwise be scattered in many different locations across the disk. The Windows registry is exactly as it sounds—a central registry. It contains all the configuration settings for the operating system, hardware, user profiles, and software.
The registry contains information and settings for all the hardware, software, users, and preferences of your computer and your operating system. When first opened, the Windows Registry Editor displays the root keys that contain all registry values. Below is a brief description of each of the most common root keys and the values contained in each of them. To view and make changes to the Windows registry, the Windows Registry Editor may be used. In Windows 3.x, the Registry Editor was known as the Registration Info Editor or Registration Editor.
- This key contains recent search terms entered into the default Windows search.
- Some malware, such as BackOrifice2K, will install itself as a service.
- Each subkey represents a service and contains the service's information, such as its startup configuration and executable image path.
- The following section highlights some of the important registry keys in Windows XP (Service Pack 2) and how they can help describe suspect activity on the computer.
The Windows Registry is often called the most mysterious tool on a Windows PC. If you know how to use it properly, it can prove to be a very powerful tool. The Windows Registry is basically a collection of databases of the different configuration settings in the Windows operating system. Both of these methods automatically write the changes to the Windows registry without you needing to open the Registry Editor.
Inside a hive file, the data stored as part of the hive is organized into containers called cells. A cell might contain a key, a value, a security descriptor (a.k.a. SID), a list of subkeys, or a list of key values. The first element in each cell is a field that identifies its data type, which is then followed by one or more values of that type. Any vacant space after a cell, up to the end of the bin that holds it, is free space that the registry's configuration manager can allocate for other cells as needs dictate. Thus, a hive file consists of a collection of blocks, each of which contains a bin, with one or more cells inside the bin along with empty space between the cells that make up its contents.
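To make the bin and cell layout described above concrete, here is an added Python example (not from the original page) that constructs a minimal, synthetic hive and walks its bins and cells, reporting for each cell whether it is in use or free. It relies on the documented on-disk format (the "regf" and "hbin" signatures, the hive bins data size at base-block offset 40, the 32-byte bin header, and signed cell sizes that are negative when allocated); the cell bodies are dummy bytes, and a real hive would also need the checksum and timestamps filled in.

```python
import struct

BASE_BLOCK = 4096   # "regf" base block; hive bins data starts right after it
HBIN_HEADER = 32    # size of the "hbin" header in front of each bin's cells
BIN_SIZE = 4096     # smallest bin size (bins are multiples of 4096 bytes)

def make_cell(payload: bytes, allocated: bool = True) -> bytes:
    """Cell = 4-byte signed size (negative when in use) + data, padded to 8."""
    size = 4 + len(payload)
    size += (-size) % 8
    return struct.pack("<i", -size if allocated else size) + payload.ljust(size - 4, b"\0")

def build_sample_hive() -> bytes:
    """Constructed sample, not a real hive: base block + one bin holding a key
    ('nk') cell, a value ('vk') cell, and the remainder as one free cell."""
    cells = make_cell(b"nk" + b"\0" * 74)          # key node with a dummy body
    cells += make_cell(b"vk" + b"\0" * 18)         # key value with a dummy body
    free = BIN_SIZE - HBIN_HEADER - len(cells)
    cells += struct.pack("<i", free) + b"\0" * (free - 4)   # positive size = free
    hbin = b"hbin" + struct.pack("<II", 0, BIN_SIZE) + b"\0" * 20 + cells
    base = bytearray(BASE_BLOCK)
    base[0:4] = b"regf"
    struct.pack_into("<I", base, 40, BIN_SIZE)     # hive bins data size field
    return bytes(base) + hbin

def walk_cells(hive: bytes):
    """Yield (offset, in_use, size, signature) for every cell in every bin.
    Offsets are relative to the start of the hive bins data, as in a real hive."""
    if hive[:4] != b"regf":
        raise ValueError("missing 'regf' signature")
    end = BASE_BLOCK + struct.unpack_from("<I", hive, 40)[0]
    pos = BASE_BLOCK
    while pos < end:
        if hive[pos:pos + 4] != b"hbin":
            raise ValueError(f"bad bin signature at {pos:#x}")
        bin_end = pos + struct.unpack_from("<I", hive, pos + 8)[0]
        cell = pos + HBIN_HEADER
        while cell < bin_end:
            raw = struct.unpack_from("<i", hive, cell)[0]
            size = abs(raw)
            if size == 0 or size % 8 or cell + size > bin_end:
                raise ValueError(f"corrupt cell size at {cell:#x}")
            sig = hive[cell + 4:cell + 6].decode("ascii", "replace") if raw < 0 else ""
            yield cell - BASE_BLOCK, raw < 0, size, sig
            cell += size
        pos = bin_end

if __name__ == "__main__":
    for off, used, size, sig in walk_cells(build_sample_hive()):
        print(f"cell at {off:#06x}: {'used' if used else 'free'} {size:5d} bytes {sig}")
```

The size and bounds checks in walk_cells are the same sanity checks a forensic parser needs before trusting a hive that may be truncated or tampered with.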
The Registry Editor allows you to view all keys and values that are in the registry, as well as change Windows, program, or driver values you feel are necessary. Although .ini files are still sometimes used, most Windows programs rely on settings made to the Windows registry after being installed.