The Windows Registry: Anatomy, Keys, Hives, Values, …

The Windows Registry is a centralized hierarchical database It stores essential information for the configuration and operation of both the operating system itself and the installed applications and users who interact with it. Unlike the old INI file system, the registry organizes all these settings into a uniform, modern, and much more efficient structure.

Virtually every aspect of Windows—hardware, drivers, services, file associations, system preferences, network settings, and user details—is orchestrated through the registry. For this reason, any modification to the registry can have direct consequences on the behavior and stability of the system.

What is the Windows registry?

El Windows' register is a centralized hierarchical database It stores essential information for the configuration and operation of both the operating system itself and the installed applications and users who interact with it. Unlike the old INI file system, the registry organizes all these settings into a uniform, modern, and much more efficient structure.

This system allows you to centrally manage and maintain configurations, facilitating administration and troubleshooting tasks in Windows environments.

Historical context and evolution of the record

Before the appearance of the register, the INI files were the standard for storing configurations on Windows and MS-DOS systems. These distributed, plain-text files hampered centralized management, security, and user customization. The arrival of the registry in Windows 95 represented a qualitative leap, allowing a single logical repository with multiple advantages:

• Faster and more efficient access thanks to its binary format compared to sequential analysis of text files.
• Strongly typed data, avoiding ambiguities and errors.
• Multi-user support, since each profile stores its own preferences and settings.
• Capacity for atomic updates (transactional), improving data integrity in the face of concurrent modifications.
• Easy backup and restore, even remotely.

With the succession of Windows versions (from 95/98/Me/NT/2000 to the current Windows 10 and 11), the registry has evolved, adapting its structure, strengthening its security, and expanding its access APIs.

Basic architecture: Hives, keys and values

The structure of the Windows registry is based on a hierarchy similar to that of a file system, but instead of folders and files, it uses the concepts of hives (subtrees), Keys (keys), subkeys (subkeys), and values (values).

Hives: the core of the organization

Registry hives are logical groupings of keys and values. that are loaded into memory during the Boot of the system or when a user logs in. Each hive is typically backed by one or more specific files on disk, allowing for individual uploads, downloads, and backups.

The main hives of the registry are:

• HKEY_LOCAL_MACHINE (HKLM): Global and device-specific configuration. Contains, among others, the SOFTWARE, SYSTEM, SAM, and SECURITY hives.
• HKEY_CURRENT_USER (HKCU): Preferences and session-specific user data. Technically, it's a dynamic link to a specific branch of HKEY_USERS.
• HKEY_USERS (HKU): Contains the profiles of all active users in the system.
• HKEY_CLASSES_ROOT (HKCR): Information on file and class associations for OLE/COM objects. Since Windows 2000, it combines HKCU and HKLM views to accommodate multi-user contexts.
• HKEY_CURRENT_CONFIG (HKCC): Provides profile data hardware used in the current boot.
• Other specialized hives, such as HKEY_PERFORMANCE_DATA and HKEY_DYN_DATA in older versions.

Each of these hives contains, in turn, countless keys, subkeys, and values ​​that determine the behavior of all aspects of Windows.

Keys and subkeys: the hierarchical structure

Keys are similar to folders in a file system.. Each key can contain other subkeys, forming a branched hierarchy that follows the following scheme:

Root key (for example, HKLM) > Subkey (SOFTWARE) > Subkey (Microsoft) > Subkey (Windows) > …

All registry keys have a unique name and are not case sensitive. Names cannot contain the backslash (\), since it is used to separate the different hierarchical levels.

Values: the stored information

Within each key there may be multiple values. Each value has a unique name within its parent key and stores data that can be of various types, depending on the specific needs of each application or Windows component.

By convention, all keys can have a "default" value, the name of which is an empty string. Thus, the registry allows a key to contain anything from a single value to a long list of values, each representing different settings or data.

Example: The key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion can have values ​​such as ProgramFilesDir (string with the path of Program Files) or CommonFilesDir (Common Files location), each with its corresponding data type.

Types of data stored in the registry

One of the major advantages of the registry over INI files or most text-based configuration systems is the ability to handle strongly typed data. Each registry value can have a specific data type, allowing both the system and applications to handle information unambiguously.

Main types of registry data

Full Name	Symbol	Description
No type	REG_NONE	Untyped data
Chain	REG_SZ	Text string, usually in Unicode (UTF-16LE), generally with a null terminator
Expandable chain	REG_EXPAND_SZ	String that may contain environment variables, resolved dynamically by reading the value
Binary	REG_BINARY	Any arbitrary binary data
DWORD	REG_DWORD / REG_DWORD_LITTLE_ENDIAN	32-bit integer (usually little-endian)
Big-endian DWORD	REG_DWORD_BIG_ENDIAN	32-bit integer in big-endian order (rare)
Symbolic link	REG_LINK	Unicode string that specifies a symbolic reference to another registry key
Multiple chain	REG_MULTI_SZ	List of Unicode strings, ideal for setting up lists as search paths
List of features	REG_RESOURCE_LIST	Used by Plug & Play hardware to store lists of resources
Resource descriptor	REG_FULL_RESOURCE_DESCRIPTOR	Data on hardware assignments, Plug & Play
List of resource requirements	REG_RESOURCE_REQUIREMENTS_LIST	Possible resources that a hardware may need
QWORD	REG_QWORD / REG_QWORD_LITTLE_ENDIAN	64-bit integer (introduced starting with Windows XP)

Each data type allows information to be saved in the optimal format for its purpose, making work easier for both the operating system and developers and administrators.

Hive backup and persistence files

The data stored in the registry doesn't exist solely in memory: each hive is backed up and maintained in specific files on the file system, allowing it to persist across reboots, backups, and restores in the event of serious errors.

Most central hives reside in %SystemRoot%\System32\Config and, for user settings, in the corresponding profile folder. The most relevant files in particular are:

• Sam: HKEY_LOCAL_MACHINE\SAM
• Security: HKEY_LOCAL_MACHINE\SECURITY
• Software: HKEY_LOCAL_MACHINE\SOFTWARE
• System: HKEY_LOCAL_MACHINE\SYSTEM
• Default: HKEY_USERS\.DEFAULT
• ntuser.dat: HKEY_USERS\ and, by link, HKEY_CURRENT_USER
• UsrClass.dat: User-specific COM associations and configurations

Depending on the version of Windows, these files may have additional backups (.log, .sav, .alt) that help restore the hive in case of failure or corruption.

For example:

• System.alt: Critical alternative backup of SYSTEM
• * .log: transaction log of recent changes
• *.sav: snapshot of the configuration at a specific phase of the installation

Mobile user settings and system restores use these files to load or move customized preferences and settings.

Registry hierarchy and root keys

Registry access always starts from a root key (root key), which corresponds to one of the predefined hives. Each root key is a constant in the Windows API and is accessed from both the Registry Editor and from scripts or applications, as in this advanced editing example in the registry editor in Windows. The main root keys are:

• HKEY_CLASSES_ROOT (HKCR): File associations, object types, OLE/COM interfaces
• HKEY_CURRENT_USER (HKCU): User preferences in session
• HKEY_LOCAL_MACHINE (HKLM): Device-level configuration
• HKEY_USERS (HKU): Loaded user profiles
• HKEY_CURRENT_CONFIG (HKCC): Current hardware profile
• Special keys such as HKEY_PERFORMANCE_DATA and HKEY_DYN_DATA (older versions)

On modern versions of Windows, HKEY_CURRENT_USER It is implemented as a dynamic link to the HKEY_USERS subkey corresponding to the logged-in user, and the same is true for HKEY_CLASSES_ROOT for the user and machine class association branches.

Browsing and editing the registry

Accessing and modifying the registry requires specialized tools, as any erroneous changes can cause serious system problems. The main methods are:

Registry Editor (regedit.exe)

The most used graphical tool is regedit.exe (and its historical version regedt32.exe). It allows you to navigate the structure, search for keys, add, modify, or delete values, and export/import entire branches.

• Hierarchical view: Keys and subkeys are displayed as folders in a tree, making navigation easier.
• Basic actions: create, rename, delete keys and values, change value data, export and import branches to .REG files.
• Advanced search: allows you to locate keys, values ​​or data in the entire registry (or restricted to a branch).

command line utilities

For repetitive, unattended or automated operations, you can use tools such as reg.exe (included as standard in Windows), RegIni.exe or even scripts in VBScript, PowerShell or JScript.

Examples:

• reg query HKLM\Software\Microsoft /v Version – Check the 'Version' value
• reg add HKCU\Software\MiApp /v Config /t REG_SZ /d “Value” – Add or modify a value
• reg delete HKLM\Software\MiApp /f – Delete the 'MyApp' key and its values
• reg import file.reg – Merges the contents of a .REG file

.REG files

.REG files are text files that are readable and exportable, allowing you to easily import or export parts of the registry. They are ideal for transferring configurations, distributing changes, or backing up specific branches.

An example of a modern .REG file starts with:

Windows Registry Editor Version 5.00 "Settings"="Value"

They can be merged into the registry by double-clicking on the file or with the command regedit /s archivo.reg from the line of commands.

Windows API and Programming

For programmers, registry access is managed through Win32 API functions (advapi32.dll) and high-level libraries in languages ​​such as VB.NET, C#, Delphi, PowerShell, etc. This allows applications and services to read, write, or delete registry settings while respecting permissions and security restrictions.

Some of the most used functions are:

• RegOpenKeyEx, RegCreateKey, RegSetValueEx, RegDeleteValue, RegQueryValueEx, among many others.

COM applications can use RegSvr32.exe to register or unlink objects more securely.

Permissions and security in the registry

The registry implements a robust security system, based on access control lists (ACLs), which determine which users and groups can view or modify each key or value. This is especially important to protect critical system configurations.

In general:

• Sensitive branches (such as HKLM\SYSTEM, HKLM\SECURITY, HKLM\SAM) can only be read or modified by administrators or the system itself.
• The remaining settings are usually available to the owner user and the system.
• Group and domain policies can enforce these restrictions, blocking access even to the registry editor for unprivileged users.

Through RegIni.exe, SubInACL.exe or regedit itself, you can view and modify the permissions of the keys to adapt to specific needs.

In addition, since Windows Vista, virtualization and protection mechanisms have been implemented that redirect write attempts to protected branches to secure user locations if the application lacks sufficient privileges, thus avoiding compatibility errors and security problems.