Registry Structure: Hives, Keys, and Values

The Registry is organized in a hierarchical, tree-like structure, conceptually similar to folders and files in the file system.

  • Hives: These are the top-level containers, analogous to the root directories of the Registry. Each hive represents a major section of configuration data. The main hives are:

    • HKEY_LOCAL_MACHINE (HKLM): Stores system-wide settings related to hardware, operating system configuration, and installed software that apply to all users. These settings are physically stored in several files (without extensions) located in the C:\Windows\System32\config directory, such as SAM, SECURITY, SOFTWARE, and SYSTEM.

    • HKEY_CURRENT_USER (HKCU): Contains settings specific to the currently logged-in user. This includes user preferences, application settings for that user, desktop configuration, environment variables, etc. This hive is physically stored in the user's profile directory, typically at C:\Users\{username}\NTUSER.DAT.

    • HKEY_USERS (HKU): Contains the HKEY_CURRENT_USER hive for the currently logged-on user, as well as hives for other user profiles loaded on the system (including default and system profiles identified by their SIDs).

    • HKEY_CLASSES_ROOT (HKCR): Primarily deals with file associations, COM object registrations, and UI-related information. It's largely a merged view derived from specific keys within HKLM\Software\Classes and HKCU\Software\Classes.

    • HKEY_CURRENT_CONFIG (HKCC): Holds information about the hardware profile currently being used by the system, generally derived from keys within HKLM.

  • Keys / Subkeys: Within each hive, information is organized into Keys and Subkeys. These function like folders and subfolders, providing a logical structure for related settings. For example, HKCU\Software\Microsoft\Windows contains numerous subkeys related to the Windows settings for the current user.

  • Values: These are the actual data entries stored within keys. Each value consists of three parts:

    1. Name: An identifier for the specific setting (e.g., EnablePrefetcher). A key can have a "(Default)" value which may or may not contain data.

    2. Data Type: Defines the format of the data being stored (see below).

    3. Data: The actual configuration setting or information itself (e.g., 3, C:\Program Files\MyApp, 0x00000001).
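
As an added example (not part of the original page), the Python below parses a Registry Editor .reg export into the three layers described above: hive, key, and values as name / data type / data. The sample export is constructed, the MyApp key and its values are made up, and only string and dword values are decoded.

```python
import re

# Long hive names as written in .reg exports, mapped to the abbreviations used above.
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_CURRENT_CONFIG": "HKCC"}

# Constructed sample in .reg export layout; the MyApp key and its values are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\MyApp]
@="MyApp settings"
"InstallDir"="C:\\Program Files\\MyApp"
"EnablePrefetcher"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\MyApp\Empty]
'''

# A value line is either @=... (the unnamed default value) or "Name"=...
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unescape(s):
    # .reg files escape backslashes and double quotes inside quoted strings.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {(hive, key_path): {value_name: (data_type, data)}} for an export file."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            root, _, subkey = line[1:-1].partition("\\")
            current = keys.setdefault((HIVES.get(root, root), subkey), {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # header line, blank line, or text outside any key
        raw_name, raw_data = m.groups()
        name = "(Default)" if raw_name == "@" else unescape(raw_name[1:-1])
        if raw_data.startswith("dword:"):
            current[name] = ("REG_DWORD", int(raw_data[6:], 16))
        elif raw_data.startswith('"') and raw_data.endswith('"'):
            current[name] = ("REG_SZ", unescape(raw_data[1:-1]))
        else:
            current[name] = ("UNPARSED", raw_data)  # hex: forms are not decoded here
    return keys

if __name__ == "__main__":
    for (hive, key), values in parse_reg(SAMPLE_REG).items():
        print(hive, key, values)
```

A key with no values still appears in the result with an empty dictionary, which matches how an exported key with only subkeys or no data is written.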
