What We’ll Cover
Windows Registry Internals
- Unit 1: Architecture & Anatomy
- Unit 2: The Logical Structure
- Unit 3: Data Types & Values
- Unit 4: Tools & Manipulation
Unit 1: Architecture & Anatomy
The Windows Registry is a hierarchical database that stores low-level configuration settings for the operating system and applications.
Almost every serious Windows component talks to the registry in some form.
1. The Concept of “Hives”
A Hive is a logical group of registry keys backed by physical files on disk.
At boot time, Windows loads these hive files and assembles the registry tree.
2. Physical Location of Registry Hives
Most system hives are stored at:
C:\Windows\System32\config
Critical Hives
| Hive | Purpose |
|---|---|
| SAM | User accounts & password hashes |
| SECURITY | Local security policies |
| SOFTWARE | Installed software settings |
| SYSTEM | Drivers, services, boot config |
| DEFAULT | Default user profile |
The User Hive (Exception)
Each user has a personal hive:
C:\Users\<Username>\NTUSER.DAT
This contains user-specific settings like wallpaper, mouse speed, and application preferences.
Unit 2: The Logical Structure (Root Keys)
Windows presents registry data using logical Root Keys.
The Big Two
HKEY_LOCAL_MACHINE (HKLM)
- Applies to the entire system
- Shared by all users
- Backed by SYSTEM, SOFTWARE, SAM, SECURITY hives
HKEY_CURRENT_USER (HKCU)
- Applies only to the logged-in user
- Backed by NTUSER.DAT
Derived Root Keys
- HKEY_USERS (HKU) – All loaded user profiles
- HKEY_CLASSES_ROOT (HKCR) – File associations
- HKEY_CURRENT_CONFIG (HKCC) – Hardware profile at boot
Unit 3: Keys, Values & Data Types
- Keys act like folders
- Values act like files
Each value has:
- Name
- Type
- Data
Common Data Types
REG_SZ
Human-readable string
REG_DWORD
32-bit integer (often used as on/off flags)
REG_BINARY
Raw binary data
REG_EXPAND_SZ
Expandable string with variables like %SystemRoot%
REG_MULTI_SZ
Multiple strings stored as a list
Unit 4: Tools & Manipulation
Registry Editor
Open with:
Win + R → regedit
⚠️ Always export a key before editing.
Backup & Restore
- Export: Right-click key → Export
- Restore: Double-click the exported .reg file
Automation with .reg Files
If you want to change the registry without opening the editor, create a .reg file and double-click it to import its contents.
As an example, the .reg file below creates a game setting for FullScreen. Because a fullscreen setting is an on/off (boolean) value, it uses REG_DWORD set to 1, i.e. true.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\MyGame]
"PlayerName"="itsmegsg"
"FullScreen"=dword:00000001
Command Line (REG)
The REG command-line tool can also be used to change the Windows Registry. Here is a simple example.
REG ADD HKCU\Software\MyGame /v PlayerName /t REG_SZ /d "itsmegsg"
Final Thoughts
The Windows Registry is foundational for Windows internals, malware analysis, forensics, and Active Directory security.
Once you understand its structure, it becomes a powerful ally instead of a black box.