Thread: How To Use the Registry Editor Correctly

  1. #1
    Hell's Very Own Grogan's Avatar
    Join Date
    Sep 2002
    Location
    Ontario, Canada
    Posts
    23,099
    Threads
    2409

    Awards Showcase

    Real Name
    Hugh Jorgen
    Local Date
    05-22-2013
    Local Time
    10:59 PM

    How To Use the Registry Editor Correctly

    During the course of solving problems with Windows, you may be called on to edit the system registry.
    For example, a solution may be presented in the form of a Microsoft Knowledge Base article with instructions
    to delete, create or edit specific registry entries, along with dire warnings about incorrect use of the
    registry editor. This is scary stuff to some people, and a clear pictorial guide is needed to give folks
    the knowledge and confidence to perform this task safely.

    What is the Registry and Why?

    The registry is quite simply a central binary database of hardware and software settings. On disk, it
    exists as multiple database files which are loaded into memory at startup and become the System Registry.

    When Windows was younger, settings were stored in hundreds of separate text files, usually with the .ini
    file extension. Such files were often stored in the Windows directory, but many applications kept their
    configuration in their own directories. Hundreds of INI files meant hundreds of disasters waiting to
    happen if any of the files were corrupted or missing. It also meant much hard disk seeking to find
    and process these configuration files.

    With applications like Microsoft Office came the concept of object linking and embedding (OLE), and a
    better method of storing such data for common applications to access was needed. The concept of the
    registry was born in Windows 3.1. It mostly contained information pertaining to the handling of certain
    file types and data by certain applications. Yes, there was even a crude registry editor for altering
    these settings. For history's sake, here is a screen shot of what it looked like.



    When designing Windows 95, Microsoft decided to use the registry database for system critical settings
    in addition to most all application settings. The advantages were that it was much faster to access the
    information if a central database with structure could be loaded into memory, and also easier to protect
    and back up a central repository. The disadvantage is having all your eggs in one basket.
    Corruption (whatever the cause), or deletion of serious data while editing, can render the system
    completely unusable.

    This is why it is important for both the operating system, and users to take steps to preserve this
    critical database.

    Backing Up the Registry

    First of all, Windows takes some automatic steps to preserve the registry. In Windows 95, this mechanism was
    very poor. It consisted of renamed files, System.da0 and User.da0, which got created on a successful
    startup. If registry corruption occurred, Windows was able to replace the registry files with those
    copies. The problem with that was, if the system got started, the copies got overwritten with current ones.
    It was a one shot deal.

    Windows 98 through Windows Millennium Edition employ the "Registry Checker" (scanregw.exe) at startup
    to create an archive (.cab file) of the registry files once per day when Windows is started. This was
    a much better mechanism in that the system could revert back to a good registry, or the user could boot
    to DOS and use scanreg /restore to restore a dated registry backup.

    Windows NT based operating systems (Windows NT4/2000/XP) have a relatively poor mechanism called the
    "Last Known Good Configuration" that can be chosen at boot time through the advanced startup options.
    It is simply a copy of the control information in the registry, and the undoing of recent registry edits
    from the information contained in log files. It is not really a backup of the system registry, and
    as soon as any user logs onto the system, it is overwritten. Also, a one shot deal.

    While not really an automated registry backup mechanism, Windows XP has System Restore that tracks
    changes to the system and can allow recovery if used correctly.

    What should I do, prior to Registry Editing?

    If you are using Windows 95, make a copy of C:\Windows\System.dat and C:\Windows\User.dat. If using
    multiple profiles, each individual's user.dat file will be in the user's directory under c:\windows\profiles.
    In an emergency, these files could be manually copied back, using DOS. Alternatively, there are rescue
    utilities you can use. Provided with Windows is the ERU (Emergency Recovery Utility) for backing
    up configuration files. There are also third party rescue utilities, such as WinRescue.

    If you are using Windows 98 (1st or Second Edition) or WinME, then you can use the scanregw.exe
    utility to take a fresh snapshot of the registry. Simply go to start/run, and type scanregw and
    hit enter. Windows will inform you that it has finished checking the registry, and has already backed
    it up today and it asks you "Would you like to back it up again?". Say Yes. Should you need to restore
    this backup, Restart the system and press F8 before the Starting Windows splash appears. Choose Command
    Prompt Only from the boot menu, and type scanreg /restore and choose the most current backup
    from the list. The one you created yourself, will say "Not Started" beside it in this list and that's
    nothing to worry about. It just means that this registry backup was not one that was used to start
    the system. Note that on Windows Millennium systems, you will have to boot with a WinME startup disk to
    use scanreg /restore.

    In Windows NT4, you will have to create an Emergency Repair Disk. It's a floppy that contains a bit of
    repair information that Windows NT setup uses to repair your installation. It also creates a backup of
    the registry files on the hard disk that can be (optionally) used during the repair process. To do this,
    go to Start/Run and type rdisk and hit enter. Follow the prompts. To restore this, start
    Windows NT4 setup and choose to Repair and you'll be prompted for the Emergency Repair Diskette.

    For Windows 2000, you have a couple of options. The first of which, is an Emergency Repair Disk, much
    like in Windows NT4. The difference is, you create it with the Windows 2000 Backup Utility. Go to
    Start/Programs/Accessories/System Tools, and choose Microsoft Backup. Choose to make an Emergency Repair
    Disk, and check the box to include the Registry (again, the registry files get saved to the hard disk).
    Like NT4, you would use this diskette to repair Windows 2000 by starting setup and choosing to repair.

    Additionally, in the Windows 2000 backup utility, there is a System State backup. This backs up the
    registry, in addition to critical system files and requires a few hundred megabytes of free space on
    any drive or partition, for storing the backup file (.bkf file extension). This backup can be restored
    with the backup utility.

    For Windows XP, you should simply create a current System Restore Point.

    Go to Start/Programs/Accessories/System Tools and choose System Restore. Choose to Create a Restore point, and click Next then enter a comment in the field so that you will remember it. Create your restore point. System Restore is only useful, when you have a current, valid restore point to restore. Do not rely on the automated "System Check Points". Always create your own.

    For all versions of Windows, there is another mechanism for backing up registry settings, using the
    registry editor to create a special text file (a .reg file) that contains information to restore all, or
    selected branches of the registry. This is also useful, and will be covered shortly.

    Using the Registry Editor - Navigation

    Finally, we'll start getting into what we came here for. To open the registry editor, go to start/run
    and type regedit and hit enter. The branches of the registry, will be presented to you as a tree
    of folders much like Windows Explorer, in the left pane. These are of course not directories, but registry keys and this
    is not Windows Explorer, it's the registry editor! To expand or collapse the keys, simply click the plus or
    minus signs beside them.

    Note: It is critical that you are extremely careful with mouse clicks and keystrokes at all times while the registry editor is up on screen.



    Usually, you'll be given the location of a registry subkey, in the form of a path. Click + signs
    beside the corresponding subkeys (represented as folders) until you get to the desired subkey.

    For example, let's say that you are instructed to go to:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion

    Click the + sign beside the HKEY_LOCAL_MACHINE branch, then click the + beside the Software subkey,
    then Microsoft, and so on. When you get to the Currentversion subkey, click on it once in the left
    pane of regedit, and in the right pane, you will see the values that it contains.



    Exporting Branches of the Registry

    Our first task using the registry editor, is to export to a text file. This is an alternate means of
    backing up settings prior to registry editing.

    From the Registry menu in regedit, choose Export Registry File. A browse dialog will appear, where you
    choose a location and name for the file. When My Computer (default, when you first open Regedit) is
    selected, All will be chosen for the Export Range. This will export the entire registry (all of its settings),
    to a text based .reg file.



    The resulting .reg file can be double clicked to merge the settings back into the registry, or it can
    be imported again, using the Import Registry File function of the Registry editor. It is important to
    note that this does not remove erroneous keys and values from the registry; it only restores the data
    to existing ones. It is not really a "registry backup", however, in Win9x, you can rebuild the registry
    from scratch, using the real mode registry editor from DOS using the command:

    regedit /c filename.reg

    This is far more risky than restoring a registry backup though, and is not an option for Windows NT
    based operating systems.

    What is more useful than exporting the entire registry to a text file, is exporting a selected branch.
    For example, the one you are going to be editing.

    This time, before choosing Export Registry File, drill down to the subkey that you wish to export, and
    click on it to highlight. We'll use the example of the Currentversion subkey again.



    Note that this time, since we had the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion
    subkey selected, under Export Range, Selected Branch is chosen, and the path to the subkey we are going
    to export is shown. This .reg file can be double clicked at any time, to restore all of the subkeys and
    values under Currentversion.

    Editing the Registry

    Ready to roll up your sleeves (so you don't fumble) and dig in? First of all, there are a few
    conventions that I like to follow. It doesn't matter whether you are deleting or renaming a subkey, or
    deleting, renaming or editing a value, I recommend that you first click on the object
    once (left click) to highlight it. Then, right click on it and choose an action from the context menu.
    This ensures that you always have the correct subkey or value selected, and that you are always choosing
    the correct action. Keep your mitts off the delete or backspace keys on the keyboard while registry editing.
    While not always necessary depending on what you are editing, a general rule of thumb is that you should
    restart your computer after performing registry editing.

    Deleting a Subkey

    A common situation, for an example. Say there is a program no longer present on your system, whose uninstall entry in
    Add/Remove Programs remains. You try to uninstall it, and you just get an error because the files
    are no longer present. To remove the entry from add/remove programs, the uninstall subkey for the
    program can be removed from the registry.

    Let's say for example, that the program is Kazaa. Open the registry editor, and navigate to

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Uninstall

    Click the + sign beside Uninstall, to expand the tree of subkeys under it.



    Scrolling down a little, I don't see a subkey with the word Kazaa in it. Start clicking on each of
    the subkeys in the left pane under Uninstall and for each one, look in the right pane of regedit to
    see the values. We can see from the information in the right pane that the subkey we want is the
    third ugly one with the long string of numbers between parentheses (such a string is known as a GUID,
    or Globally Unique Identifier).



    Now, if it's not already, click once on that subkey to highlight it, then simply right click on it and
    choose Delete from the menu.



    Accept the Confirm Deletion prompt, and then close the registry editor. The uninstall entry for Kazaa will be gone from Add/Remove Programs.

  2. #2

    How to Use the Registry Editor (Part 2)

    Deleting Registry Values

    Let's start out with an example of what not to do. A trap that I don't want you to fall into.
    Every subkey has a Default Value, though most don't contain any data. However, it is possible for them
    to contain data for various reasons and it's possible for a poorly implemented installer or malicious
    program to modify the default value in a subkey. You do not ever want to delete the default value, for
    you may cause the rest of the data in the subkey to be disconnected. What you could have after doing that,
    is an empty subkey, with a new default value if regedit doesn't create a new one correctly. I've had it happen, and it wasn't nice. Note that regedit shouldn't let you delete the default value if it's the only value in the subkey, but you shouldn't try it.

    Instead, what you want to do is Modify the default value's data, and clear it.

    In this example, some stupid program has added itself to load at startup, in the Default Value of the subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run



    First click on the Default Value in the right Pane of regedit. Then, right click on it and choose Modify.



    Backspace to delete the data in the field, and click OK. The Default Value data is cleared, and it will look like this:



    It is fine to leave it like that.

    Now that you've seen an example of how not to delete a value, here's a practical example of deleting values.

    This is a common situation in Windows 2000 and Windows XP when CD Recording software has not uninstalled
    correctly. It results in losing access to CDROM devices, with error messages displayed. See the
    following information:

    CD-ROM Access Is Missing and Messages Cite Error Code...

    They are asking us to navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}

    and delete two values named UpperFilters and LowerFilters.

    This is a straightforward procedure. Simply navigate to the subkey in the left pane of regedit, then
    click on the subkey to display the values in the right pane.



    Next, click once on the LowerFilters value to highlight, then right click on it and choose delete.



    Accept the confirmation, then right click on the UpperFilters value and choose delete.

    Exit the registry editor, and restart your computer.

    Registry Permissions

    Windows NT based operating systems introduce a strange concept into the mix. Some registry keys are
    protected, even from the Administrator, by permissions. During the course of registry editing, you
    may be required to grant Administrators permission to modify, or even read the data in a subkey.
    Note that these protections are in place for good reason, and the example I'm about to show you is not
    something I recommend that you do. However, the rationale is, if you must edit the registry,
    it's good to know how to do it correctly. I will use Windows XP for this, as it's the NT based
    operating system that most people will be using.

    A prime example of protected keys, are the subkeys where the hardware enumeration information is
    stored. These are the settings you see in Device Manager. Don't play with this, it's just an example.

    If you find yourself unable to access data under a subkey, right click on it in the left pane and
    choose Permissions from the menu.



    As you can see, "Everyone" has only read access. Only the System has full control over these subkeys.



    Click the Add button, and type in Administrators to add the Local Administrators group to the
    access control list and click OK.



    Now grant Full Control to Administrators, by checking the box.



    After you are finished, be sure and right click on the subkey again,
    choose Permissions and highlight and remove Administrators
    from the permissions dialog, as Everyone should only have Read access,
    and only the System should have full control.

    Warning: Don't remove or change anything for System or remove the "Everyone" group from
    the list!


    That is how it is done for Windows XP, but I'll mention that older Windows NT based operating systems
    didn't have this functionality in regedit.exe. Only the archaic (less user friendly)
    regedt32 program was able to change permissions on subkeys. Navigate to your subkey by first
    clicking the little Window for the Hive you are going to be working on, then double click subkeys
    to expand them. When you get to the desired subkey, click once on it to highlight.
    Go to the Security menu in the regedt32 program, and choose permissions and add the
    Administrators group to the list, and grant permissions.

  3. #3

    How to Use the Registry Editor (Part 3)

    Editing (Modifying) a Value

    Here is a good example. Say your system was infected with some worm or trojan, that added itself to
    the file type information, for executable files. This puts the trojan in between all requests for a
    user running an exe file from the Windows Shell. (e.g. double clicking a shortcut on the Desktop,
    launching a Start Menu shortcut, or double clicking the program in explorer)

    What commonly happens is, people use their antivirus software to remove the trojan, but the registry
    value's data remains. The result of this is, when the trojan is gone, the command is broken and it is
    no longer possible to run executables through the shell. You can't even run regedit.exe!

    Fortunately, Microsoft has designed regedit such that it can be run as a .com executable, and it can
    be renamed (copied is best) to regedit.com

    Go to Start/Run and type command and hit enter. This will run command.com and a command prompt
    will appear. Type cd \windows (or cd \winnt if that's your Windows directory) and
    then type copy regedit.exe regedit.com

    Now, if you go to Start/Run and type regedit, it will launch regedit.com and the registry
    editor will appear because in DOS/Windows a com file with the same name as an exe will override.

    Navigate to:

    HKEY_CLASSES_ROOT\exefile\shell\open\command

    Click on the command subkey to highlight it, and you'll see the Default value in the right pane.



    In this case, what we want to do is modify the data of the default value, so that it is "%1" %*
    To do this, we can simply delete the path to the trojan, from the value's data.

    Click once on the default value then right click on it and choose Modify and you'll see:



    Now, here is one pitfall with regard to editing value data. When the field is highlighted in blue like
    that, pressing an input key on the keyboard will erase the field. If this ever happens to you, simply
    click Cancel and right click the value again and choose Modify. To preserve the data and
    selectively edit it, simply left click in the field to dismiss the highlighting (selection).



    In this case, I click where I want my cursor to be. That is, right before the first quotation mark in
    this data field. I then use my backspace key, to clear the unwanted data. Be sure there aren't any
    leading or trailing spaces. It should now look like:



    Click OK, and in the right pane of regedit, the corrected value should look like this. Extra quotes
    may be automatically displayed by the registry editor just to denote the data. They aren't actually
    part of it, and you do not type them. Whether or not they are displayed, depends on the version of Regedit.



    Exit the registry editor and restart your computer.

    Creating New Keys and Values

    So far we've learned how to navigate to a subkey and modify or delete a value. Sometimes, it will be
    necessary to create keys or values to change a hidden setting, or override some default behaviour
    that is causing problems or annoyances.

    Subkeys created in the registry serve mainly as containers to hold various types of data, represented
    by various types of registry values. Not only are there different types of registry values, there are
    additional types available under Windows NT based operating systems that don't exist in Win9x.
    The function of a particular piece of data in a value depends on its location in the registry, the
    type of value it is, and what program or process is using it, and how.

    Confusing? You bet it is. However staying within the scope of this article, we're principally concerned
    with being able to follow specific instructions for registry editing, so we need only concentrate on
    creating a particular piece of data correctly. In most cases we need to be able to create subkeys,
    string values and dword values and maybe create or modify a binary value.

    A string value is simply a piece of data in text form. It can be numbers as well and can serve pretty
    much any purpose. It can be a command that's executed, or it can be words that appear in a menu or
    titlebar of a program, for example. The UpperFilters and LowerFilters registry values, and the default
    value for the exefile file type that we used above, are examples of string values.

    A dword value is basically a 4 byte number used to represent some piece of data for a program or
    process. It's often used in an on or off type situation (0 or 1) for a configuration setting.

    A binary value is data stored in raw binary form. It's not really meant to be human readable, but is
    displayed usually as a string of hexadecimal numbers with an offset value in the Modify dialogue.
    An ascii dump is displayed to the right, though it's really got little to do with the data.

    Example: New Keys and Values

    You grow weary of MSN Messenger launching itself every time you use Outlook Express, even though you've
    unchecked the box "Automatically Log on to the Messenger Service" in Options. Creating a registry key
    and a value can disable this annoying behaviour, and prevent messenger from automatically launching under
    other circumstances as well. This particular value we're going to add, still allows Messenger to be
    run manually. Note that this is for Messenger 4.x, including the version that ships with Windows XP.

    Open the registry editor and navigate to:

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger

    Click once on the Messenger subkey to highlight it.



    Now right click on it, and go to New, and choose Key.



    You'll see a familiar field, just like in Explorer when renaming a file. Clear it and type
    Client as the name of the new subkey, and hit enter to finalize it.



    With the Client subkey highlighted, right click and go to New and choose DWORD Value.



    You will see the New Dword Value appear in the right pane. Again, just like renaming a file in Explorer,
    give it the name PreventAutoRun and hit enter.



    Now, with the new PreventAutoRun value highlighted, right click and choose Modify.



    In the Modify dialog, clear the 0 from the field and enter 1 and click OK.

    The value should then look like this. The registry editor displays 0x00000001 (1) because it's a DWORD.



    Now, it is also possible to disable Messenger entirely, to prevent anything or anyone from running it.
    To do that, use a DWORD value named PreventRun instead. See the following for more information
    about this particular setting.

    How to Prevent Windows Messenger from Running on a Windows XP-Based Computer

    Modifying a Binary Value

    This is not something you'll need to do very often, and you will only want to do it for a specific
    reason, following specific instructions. It's probably the most difficult type of registry edit you
    may need to do with respect to correcting problems.

    In this situation, on a Win9x computer, you find that Autorun doesn't work when you insert a CD
    in the CDROM drive, even though the "Auto Insert Notification" setting in Device Manager is enabled
    for the drive. This can occur if the data of the binary value NoDriveTypeAutoRun is incorrect.

    See the following MSKB article for information about this setting.

    CD-ROM Does Not Run Automatically After You Insert...

    They are asking us to navigate to:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    and correct the NoDriveTypeAutoRun value.

    Click once on the Explorer subkey to display the values in the right pane. In this example, note
    the incorrect data in the value. Note that I made up that garbage data just to make the screenshot,
    it's not the data you'll actually see. What counts is the correct data you are going to type.



    Right click on the NoDriveTypeAutoRun binary value and choose Modify. The binary value editor dialogue
    will appear. The first set of four zeros are just the offset, don't worry about that.



    Click in the field and type 95 00 00 00 (don't hit the space bar to insert spaces, it will
    automatically format the data. Just type it.) After typing the numbers to insert the correct data,
    use your delete key on the keyboard to delete the original data (everything after the corrected data).
    It should look like this:



    Click OK to apply the change, and your registry value should then look like this in the right pane
    of the registry editor.



    Exit the registry editor, and restart your computer.
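
The values edited in Parts 2 and 3 can also be checked without opening regedit, by reading an exported .reg file. The following Python script is an added example, not part of the original posts: it parses a REGEDIT4-style export and reports the exefile command, the Run key's Default Value, the CD-ROM class filters and NoDriveTypeAutoRun when they differ from what the guide describes. The names `parse_reg` and `audit` and the sample export are constructed for illustration, and the text is assumed to be already decoded (newer exports are UTF-16 files).

```python
import re

# Constructed REGEDIT4 export for illustration; not taken from a real system.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\trojan.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Program Files\\Example\\startup.exe"
"Tray"="C:\\WINDOWS\\tray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}]
"Class"="CDROM"
"UpperFilters"=hex(7):65,78,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:b5,00,\
  00,00
'''

# Key paths from the guide, lower-cased because registry paths are case-insensitive.
EXE_CMD = r'hkey_classes_root\exefile\shell\open\command'
RUN = r'hkey_local_machine\software\microsoft\windows\currentversion\run'
CDROM = (r'hkey_local_machine\system\currentcontrolset\control\class'
         r'\{4d36e965-e325-11ce-bfc1-08002be10318}')
EXPLORER = r'hkey_current_user\software\microsoft\windows\currentversion\policies\explorer'


def decode(raw):
    """Turn the right-hand side of a .reg line into a (type, data) pair."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # String value: undo the \\ and \" escaping used inside .reg files.
        return ('sz', re.sub(r'\\(.)', r'\1', raw[1:-1]))
    if raw.lower().startswith('dword:'):
        return ('dword', int(raw[6:], 16))
    m = re.match(r'hex(?:\(([0-9a-f]+)\))?:(.*)$', raw, re.I)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        return ('binary' if m.group(1) is None else 'hex(%s)' % m.group(1), data)
    return ('raw', raw)


def parse_reg(text):
    """Return {key: {value_name: (type, data)}}; '@' is the Default Value."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # join hex data continued with a trailing backslash
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue  # header line such as REGEDIT4, or something unrecognised
        name, raw = m.groups()
        if name != '@':
            name = re.sub(r'\\(.)', r'\1', name[1:-1]).lower()
        current[name] = decode(raw)
    return keys


def audit(keys):
    """Report values that differ from the state the guide describes as correct."""
    findings = []
    kind, data = keys.get(EXE_CMD, {}).get('@', (None, None))
    if kind == 'sz' and data != '"%1" %*':
        findings.append(('exefile-command', data))
    kind, data = keys.get(RUN, {}).get('@', (None, None))
    if kind == 'sz' and data:  # Default Value of Run should hold no data
        findings.append(('run-default-value', data))
    for name in ('upperfilters', 'lowerfilters'):
        if name in keys.get(CDROM, {}):  # worth reviewing, not always wrong
            findings.append(('cdrom-filter', name))
    kind, data = keys.get(EXPLORER, {}).get('nodrivetypeautorun', (None, None))
    if kind == 'binary' and data != bytes([0x95, 0x00, 0x00, 0x00]):
        findings.append(('nodrivetypeautorun', ' '.join('%02x' % b for b in data)))
    return findings


if __name__ == '__main__':
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

Export only the branches of interest, as described in Part 1, and pass the file's text to `parse_reg`; nothing in the script writes to the registry.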

  4. #4

    How to Use the Registry Editor (Conclusion)

    After reading and viewing the examples, you should now be able to follow instructions to edit the
    registry, within the scope of solving specific problems. When someone gives you a Microsoft Knowledge
    Base article with registry editing as a solution, you needn't fear it.

    Always ensure that you have a means of recovering from disaster, prior to registry editing, even if you
    think you are good. It is rare but possible, especially if the registry database is damaged to start with,
    for corruption to occur even if registry editing is done correctly. Entire keys and everything under them
    can seemingly vanish, and possibly render Windows completely unable to start. So be prepared to restore
    your registry from DOS, or repair your Windows NT based operating system (e.g. Windows XP) if disaster
    strikes and you are unable to merge the .reg file you created or run System Restore.
