The Legendary Registry
If you attempt to understand the inner workings of Microsoft operating systems, or hear computer experts in these operating systems talking about the software internals, then sooner or later you will stumble across the term “Registry”. Most users know that reckless editing of the Registry can quickly lead to Windows not operating properly, or even require a new installation of the operating system. But what is this Registry?
Basically, the Registry is the place where important system variables and settings are stored. It was introduced in Windows 95 in order to replace the old system files from the DOS days by converting them to a better, more modern format. Some of you may remember the old system files such as Config.sys, Autoexec.bat, System.ini or the old favorite Win.ini. The *.sys files were system files, *.ini files were initialization files and Autoexec.bat was a batch files that started relevant programs and performed various system settings on startup. All these files have one thing in common with each other, and also with the present-day Registry – they provide the operating system and applications with relevant hardware and software parameters.
Those of you who feel the wish to have a look at their very own operating system Registry can do this with the “regedit” command (in Windows 2000 and XP, you can also use “regedt32”), which you run from the menu item Start -> Run. But please take note – reckless changes, without knowing exactly what you are doing, can endanger the system stability or even require a complete new installation of the operating system. After opening the registry you are usually first confronted with five somewhat cryptic so-called “Keys”, beginning with the word “HKEY”. We will now explain these basic keys in more detail.
HKEY_CLASSES_ROOT reflects the file “classes.dat” and points to the subkey HKEY_LOCAL_MACHINE\Software\Classes. This is where information about the applications and their data associations are stored, i.e. which program is used to open a file when it is double-clicked. This main key actually only exists for the purpose of compatibility with the “good old days”. For this reason, changes should only be made under KEY_LOCAL_MACHINE\Software\Classes.
HKEY_CURRENT_USER basically represents the old “win.ini” file from earlier times. It contains individual user settings for the user who is currently logged on, e.g. the desktop background and other basic settings relating to the current user account. This information is also simply referred to as the user “Profile”.
Experienced, and perhaps somewhat older, users will recognize the key HKEY_LOCAL_MACHINE as similar to the original system.ini. In contrast to the profile settings explained in the previous paragraph, this key applies equally to all users of the computer, since it contains all the specific hardware and software settings. The hardware information stored here can be viewed in a more comfortable, and definitely less cryptic, manner in the Windows Device Manager.
All user-defined settings for the user currently working on the computer are stored under the HKEY_USERS key. When first installed, this always contains a pre-defined standard profile with the appropriate name of “default”. If several users are configured in a system (e.g. “Christian”, “Andreas” and “Susi”), then these are each stored under Windows/Profiles/Username. In the course of development of Windows, and to avoid the user name being stored in the Registry in plain text (as in Windows 95/98/ME), under Windows 2000/XP each user is stored under a Security ID (“SID number”) composed of the letter “S” and a numeric suffix.
HKEY_CURRENT_CONFIG refers to the subkey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current (Software/System) for Windows 2000/XP, or HKEY_LOCAL_MACHINE\Config for Windows 95/98/ME. This key contains the settings for connected peripheral devices, i.e. printers, scanners, hard drives etc., and reflects the well-known control panel.
Windows 95/98/ME users reading this article may wonder that they find six keys instead of the five mentioned, so we should perhaps also mention the relic HKEY_DYN_DATA. This key provides information for Plug & Play devices that are stored in the main memory and whose status is continually changing. This key no longer exists in Windows 2000/2003/XP.
We know a little more about Windows and its keys but are not really in a position to start editing values. The reason for this is simple – every key contains further subkeys and a great deal of explanation is necessary in order to explain all the exact storage locations and types. Even very experienced users seldom edit the Registry, and they mostly work on the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key, in order to remove undesired entries from the computer startup process (here you can see that working in the Registry is not always clear and convenient); regardless of whether they are visible or not, at least some of the startup entries are located here. Yes, you read that correctly, only some of them: There are many settings possible in the Registry that allow software to be automatically started. This naturally has advantages and disadvantages.
One problem is that the different autostart possibilities are confusing and difficult to remember, even for seasoned users. Proper editing of the Registry is really only possible with the help of software tools, and we shall return to this topic later. Apart from this, its importance to Windows naturally also makes the Registry an interesting place for various types of Malware. This is not restricted to the simple idea of loading pests on startup through the use of a “hidden autostart” entry. A favorite target in the Registry is also (e.g.) the installed browser (especially Internet Explorer). Malware can use Browser Addons, which normally exist as DLL files, to be started system wide. Especially Spyware and/or Adware programs use this or a similar method. Perhaps one or other readers of this article have wondered why their browser always navigates to the same irritating advertising website when it is started – this is almost certainly an example of a browser attack via the Registry, a so-called “Browser Hijacker”.
Another computer problem, or more accurately an operating system problem that is not caused by Malware, is the constant installation / deinstallation / update / deletion of programs. Many normal user operations still leave traces behind in the computer and also in the Registry. In the same way as deinstalled programs sometimes leave empty folders on the hard drive, fragments or unnecessary entries are often left in the Registry. This is one of the main reasons why a system becomes slower and slower over time, until the irritated user finally resorts to a reinstallation of the operating system. This problem, and the inconvenient nature of manually editing the Registry has led to the development of a large number of tools allowing you to easily edit or even clean the Registry.
One of these editing tools is the Emsisoft HiJackFree program, available for free from www.hijackfree.com. As a user of Emsisoft Anti-Malware you also have a copy of HiJackFree installed on your computer, which you can find in the Start Center. HiJackFree displays the most important functions and variables of the Registry in a much clearer and more convenient manner than the standard Windows tools. For example, all currently running processes and services can be displayed and – a very useful feature – deeply hidden Autostart entries in the Registry can be conveniently deactivated by selecting a check box. If you later discover that a particular deactivated function is actually needed, then the entry can be easily reactivated from HiJackFree, a feature that is unfortunately missing from many other tools.
Have a Great (Malware-Free) Day!
Rootkits - A New Malware Trend