Windows Server Troubleshooting - Registry

Click here to start saving with ING DIRECT!

Home | Methodology | Architecture | Tools | Memory | Processor | Registry | File System | Network | Active Directory | Contents

Get the Book

Major Topics
Other Topics
File System
Active Directory
More Detail
Control Set
Registry Editor

eXpert Genealogy

Memory from

2003-2006 Team Approach Limited
All rights reserved

The Registry is a binary database used to store configuration information for both

  • the Windows operating system and device drivers, and
  • Windows applications
Hardware Registry Software

SAM database  

OS configuration

  User profile

The Registry database is stored in binary files known as hives. At startup, the hives are read and the data is stored in the pageable memory pool.  This will take a few MB for a workstation and more for domain controllers. The size of the Registry depends on

  • The number of user accounts. These are stored in the SAM Security Account Manager database hive file.
  • Application software configuration
  • User preferences are stored in user profiles

Improperly set RSL Registry Size Limit can produce errors. An insufficient size limit may cause problems such as out of memory errors.

The hive file for the logged in user is loaded from the folder %SystemDrive%\Documents and Settings\%Username%. The other hive files are stored in the folder %SystemRoot%\System32\Config.

The hives correspond to the files in the following table.

Everything in the Registry is organized into two main subtrees.
The other subtrees are aliases to subkeys located in the two main subtrees.
The main subkeys are organized as follows.

FileName Registry Path Description
HKEY_LOCAL_MACHINE System specific configuration
Stored in %SystemRoot%\System32\Config
dynamic no file HARDWARE Hardware configuration
SAM SAM Security Account Manager user and group information
Security SECURITY Local security policies and user rights
Software SOFTWARE Configuration of Windows and applications
System SYSTEM Configuration of drivers, services, booting and loading options
HKEY_USERS User specific configuration - Stored in
%SystemDrive%\Documents and Settings\%Username%
Default .DEFAULT Profile for when no user is logged in, e.g. logon screen
NTUser.dat S-1-5-21-xxxxxxxxxx-yyyyyyyy-zzzz SID for the currently logged on user profile
Accessible via the alias HKEY_CURRENT_USER

Registry Backup

NTBackup will backup the registry as part of the System State. REGBACK/REGREST are Resource Kit utilities to backup and restore the Registry without the rest of the System State.

Emergency Repair Disk

The ERD is an emergency backup of the Registry that is stored on a diskette.  In Windows 2000, NTBACKUP copies the Registry to a diskette and to C:\Repair\RegBack. Windows 2003 and XP  replace this with the new ASR Automated System Recovery.

The Emergency Repair procedure requires booting with the original Windows CD or the set of four setup diskettes. Interrupt the normal installation procedure by selecting R to repair the system.

Registry Security

The same security and auditing system that protects the file system is used to protect the Registry. The generic permissions on Registry keys are Read and Full Control. Special permissions provide fine control.  The default permissions allow ordinary users to alter many critical Registry settings. The Registry Editor can change the security permissions.

Restricting permissions too much may prevent some applications or system features from working properly. Ensure that you test any security changes.

Windows 2000 and XP have tighter Registry security than NT. This may cause problems for older applications. Solve this problem by updating the application or relaxing the security. To relax the security to be compatible with NT, use the Security Configuration and Analysis MMC snap-in and apply the COMPATWS.INF template.


Use SysDiff to fix application problems

The Resource Kit SysDiff utility can store system changes/differences from one machine and duplicate these changes to another machine. SysDiff can store both file and registry changes. It is typically used to store the file and registry changes that occur when a new application is installed. The changes are stored in a difference file that is then used to quickly deploy the application on other machines. If the application becomes corrupted, reapplying the the difference file will fix the problem.

Use WinDiff to observe Registry changes

WinDiff is a utility that can show you the differences between two files. It can be used to show differences between two parts of the Registry or to compare a part of the Registry before and after some event, like an application installation. The registry entries must first be exported to ASCII REG files and then they can be compared with WinDiff. The following dialog shows the comparison of two different Control Sets. Common lines are displayed with a white background and differences are colored.