Tuesday, June 18, 2019

An Overview of Windows Registry

We have all heard a lot about the Registry, and we may know that Windows uses it to store configuration settings, but the inner workings of the Windows Registry are not as clear. This blog will cover the basics of the Windows Registry, how it works, its benefits, and some cool registry hacks.


What is Windows Registry?



All versions of the Microsoft Windows operating system use the Registry to store vital information about Windows components, configuration files, and the settings of all the hardware and software installed on your computer. When a program is installed on Windows, a new subkey is added to the Windows Registry containing settings such as the program's location, its version, and the procedure to start the program. We will look at keys and subkeys later; for now, just understand the basic concept of what the Windows Registry is. Whenever a program is executed, the registry entries or keys relating to it are retrieved.


The Windows Registry stores:
  • Information and config files for all Windows components such as hardware, software, users, and the preferences of the PC. Any changes made in Control Panel settings, system policies, or installed software are reflected and stored in the registry.
The Windows Registry was first introduced with Windows 3.1, where it stored only the configuration information for COM-based components. Windows 95 and Windows NT extended its use to centralise the information from the profusion of .ini files, which stored the configuration for every single program and were scattered across different locations.


Windows applications are not required to use the Windows Registry, but there are many advantages to storing configuration settings in the Registry instead of .ini files:
  • Parsing is done efficiently thanks to the binary format; reading and writing are quicker than with an .ini file.
  • Any information stored in .ini files can also be stored in the registry.
  • Windows has a built-in Registry Editor with which we can edit the keys manually.
  • The registry can also be accessed over a network connection for remote management and support, including from scripts, using the standard set of APIs, as long as the Remote Registry service is running and firewall rules permit it. This makes backup and restore easy.

What are Keys, Subkeys and Values (Hives)?


The registry consists of two basic elements: keys and values. Registry keys are containers, similar to folders; a subkey is a key that exists within another key; registry values are non-containers, similar to files.
In the registry, a hive is a group of keys, subkeys, and values that has a set of supporting files containing backups of its data. Every time a new user logs on to a computer, a new hive is created for that user, with a separate file for the user profile.


Below are the common registry hives in Windows Operating System:


  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_CURRENT_CONFIG (HKCC)
  • HKEY_CLASSES_ROOT (HKCR)
  • HKEY_CURRENT_USER (HKCU)
  • HKEY_USERS (HKU)
  • HKEY_PERFORMANCE_DATA (used in Windows NT, but cannot be viewed in the Windows Registry Editor)
  • HKEY_DYN_DATA (used in Windows ME, 98 and 95)
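The following PowerShell snippet is an added example, not code from the original post. It shows the relationship described above between hives and their supporting files by reading the hivelist key, which maps every loaded hive to the file backing it, and then lists the per-user hives under HKEY_USERS, resolving each SID to an account name. It is read-only and runs on any supported Windows version.

```powershell
# Added example, not code from the original post: map the hives the kernel has
# loaded to the files that back them, then list the per-user hives under
# HKEY_USERS and resolve each SID to an account name. Read-only; run on Windows.

# hivelist maps each loaded hive (as a kernel registry path) to its backing file.
# Volatile hives such as \REGISTRY\MACHINE\HARDWARE have no file and show an empty value.
$hiveList = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'

$hiveList.PSObject.Properties |
    Where-Object { $_.Name -like '\REGISTRY\*' } |   # skip PSPath and other provider properties
    ForEach-Object {
        [pscustomobject]@{
            Hive = $_.Name    # e.g. \REGISTRY\MACHINE\SYSTEM or \REGISTRY\USER\<SID>
            File = $_.Value   # e.g. \Device\HarddiskVolumeN\Windows\System32\config\SYSTEM
        }
    } | Format-Table -AutoSize

# HKEY_USERS holds one hive per loaded profile, keyed by SID; the *_Classes entries
# are that user's HKCR data. .DEFAULT is the profile used by the logon screen.
Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
    $name    = $_.PSChildName
    $account = $null
    if ($name -match '^S-1-5-[\d-]+$') {   # plain SIDs only, not .DEFAULT or *_Classes
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$name).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch { $account = '(not resolvable on this machine)' }
    }
    [pscustomobject]@{ UserHive = $name; Account = $account }
} | Format-Table -AutoSize
```

The first table is the one a responder wants when copying hive files for offline analysis: it tells you which file on disk holds HKLM\SYSTEM, HKLM\SOFTWARE and each loaded NTUSER.DAT, rather than guessing from the usual paths.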


To view the registry in Windows, run the regedit command in the Run box. The exhibit below shows the basic structure of the Windows Registry.



The exhibit shows the hive, keys, subkeys and their values, names and types. Registry keys can also have a "default" value, which is the value whose name is the empty string. A registry value can store data in various formats.
Two functions are used to store and retrieve data to and from the registry. RegSetValueEx stores data under a registry value and takes a parameter indicating the type of data being stored. RegQueryValueEx retrieves a registry value and reports the type of the data retrieved.

The data types used in the registry are:

  • REG_BINARY - The value is stored as raw binary data.
  • REG_DWORD - The data is represented by a four byte number and is used for boolean values, such as 0(Disabled) and 1(Enabled).
  • REG_EXPAND_SZ - An expandable data string containing a variable that is replaced when the value is read by an application. For example, the string value "%SystemRoot%" will be replaced by the actual location of the directory containing the Windows NT system files. (Available in an advanced registry editor such as REGEDT32.)
  • REG_MULTI_SZ - A multi-string, used for values containing lists or multiple values, with each entry separated by a NULL character. (Available in an advanced registry editor such as REGEDT32.)
  • REG_SZ - A standard string type, used to represent human readable text values.

There are some other data types that are not available through the standard registry editors. They are:

  • REG_DWORD_LITTLE_ENDIAN - Little-endian format - 32-bit number.
  • REG_DWORD_BIG_ENDIAN - Big-endian format -  32-bit number.
  • REG_LINK - Unicode symbolic link - not to be used by applications.
  • REG_NONE - No defined value type.
  • REG_QWORD - 64-bit number.
  • REG_QWORD_LITTLE_ENDIAN - Little-endian format - 64-bit number.
  • REG_RESOURCE_LIST - Device-driver resource list.
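To make the type list concrete, here is an added PowerShell example (not from the original post) that writes one value of each common type under a scratch key in HKCU, reads each back together with its REG_* type, and shows the difference between the stored and the expanded form of a REG_EXPAND_SZ value. The scratch key name is an assumption for the demo and is deleted at the end; the script runs as a standard user.

```powershell
# Added example, not code from the original post: store one value of each common
# registry type under a scratch key in HKCU, read each back with its REG_* type,
# and show how REG_EXPAND_SZ differs from REG_SZ. Runs as a standard user on
# Windows. The key name is an assumption made for the demo and is deleted at the end.

$demoKey = 'HKCU:\Software\RegistryTypeDemo'
New-Item -Path $demoKey -Force | Out-Null

# -PropertyType selects the REG_* type: String=REG_SZ, DWord=REG_DWORD,
# ExpandString=REG_EXPAND_SZ, MultiString=REG_MULTI_SZ, Binary=REG_BINARY, QWord=REG_QWORD.
$samples = @(
    @{ Name = 'Str';    Type = 'String';       Value = 'hello' }
    @{ Name = 'Flag';   Type = 'DWord';        Value = 1 }
    @{ Name = 'SysDir'; Type = 'ExpandString'; Value = '%SystemRoot%\System32' }
    @{ Name = 'Paths';  Type = 'MultiString';  Value = [string[]]@('C:\a', 'C:\b') }
    @{ Name = 'Blob';   Type = 'Binary';       Value = [byte[]](0xDE, 0xAD, 0xBE, 0xEF) }
    @{ Name = 'Big';    Type = 'QWord';        Value = 4294967296 }
)
foreach ($s in $samples) {
    New-ItemProperty -Path $demoKey -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
}

# Get-Item on a registry path returns a RegistryKey; GetValueKind reports the stored type,
# the same information RegQueryValueEx returns through its type parameter.
$key = Get-Item -Path $demoKey
$key.GetValueNames() | ForEach-Object {
    $name = $_
    $data = $key.GetValue($name)
    if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('X2') }) -join ' ' }
    elseif ($data -is [string[]]) { $data = $data -join ' | ' }
    [pscustomobject]@{ Name = $name; Kind = $key.GetValueKind($name); Data = $data }
} | Format-Table -AutoSize

# REG_EXPAND_SZ: GetValue expands %SystemRoot% unless told not to, so the stored
# string and the string an application sees differ.
$stored   = $key.GetValue('SysDir', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
$expanded = $key.GetValue('SysDir')
"stored:   $stored"
"expanded: $expanded"

$key.Close()
Remove-Item -Path $demoKey -Recurse   # remove the scratch key
```

The DoNotExpandEnvironmentNames option matters when auditing a value such as a service image path: what is stored and what the loader will actually use can differ, and the stored form is what tells you whether an environment variable could redirect it.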


Some Registry Hacks



The Windows Registry is a strange and puzzling place, but if you are comfortable editing it, you have the power to tweak nearly every Windows setting you can imagine. Make sure you back up the Windows Registry before you start hacking.
Below are some registry hacks you can perform to make your PC more secure and work better.

  • Read Only USB flash drives

If an attacker has physical access to your PC, it is easy for them to plug in a USB flash drive and make copies of your data. There is a simple way to prevent this.


Go to 'HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies', create a DWORD value called 'WriteProtect' and set it to 1. You will now be able to read USB drives but not write to them.

  • Change Registered Owner

When setting up Windows, you are asked to enter your name, which is stored as the registered owner.


To change the registered owner through the registry, browse to 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion', where you will see both a 'RegisteredOwner' and a 'RegisteredOrganization' value. Double-click either to change it.


  • Troubleshoot startup

Sometimes Windows takes too long to start up or shut down, which happens when there is some problem.


To find out what the problem is, go to 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', create a DWORD value called 'verbosestatus' and set it to 1. Restart your PC. Windows will now show detailed status messages during startup and shutdown.


  • Speed Up Taskbar Previews

The standard delay for taskbar previews is 400 milliseconds, just under half a second. It can be adjusted up or down with an easy registry hack.


Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Add a new DWORD (32-bit) value named "ExtendedUIHoverTime". Under "Base", select Decimal, enter the delay time in milliseconds in the "Value data" field, and click OK. Restart your PC.
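All four hacks above come down to the same operation: back up a key, create it if it is missing, and set a value. The PowerShell script below is an added example, not code from the original post, that does exactly that for each of them in a repeatable way, exporting the key with reg.exe before touching it and reporting the old and new values so a change can be rolled back. The backup folder, the function names and the placeholder owner name are my assumptions; run it elevated because three of the entries are under HKLM.

```powershell
# Added example, not code from the original post: apply the post's registry tweaks
# repeatably. Each key is exported with reg.exe before it is touched and the old
# and new values are reported, so any change can be rolled back. Run elevated for
# the HKLM entries. The backup folder and the function names are my assumptions.

$BackupDir = Join-Path $env:TEMP 'reg-backups'
New-Item -Path $BackupDir -ItemType Directory -Force | Out-Null

function Backup-RegistryKey {
    # Exports a key (reg.exe path form, e.g. HKLM\SYSTEM\...) to a .reg file; returns the
    # file path, or $null if the key does not exist yet and there is nothing to back up.
    param([Parameter(Mandatory)][string]$KeyPath)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir (($KeyPath -replace '[\\:]', '_') + "-$stamp.reg")
    & reg.exe export $KeyPath $file /y | Out-Null
    if ($LASTEXITCODE -eq 0) { return $file }
    return $null
}

function Set-RegistryDword {
    # Backs up, creates the key if missing, sets a REG_DWORD, and returns before/after.
    param(
        [Parameter(Mandatory)][string]$KeyPath,   # HKLM\... or HKCU\... (reg.exe form)
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][uint32]$Value
    )
    # Translate the reg.exe form to the PowerShell drive form used by *-ItemProperty.
    $psPath = $KeyPath -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\'
    $backup = Backup-RegistryKey -KeyPath $KeyPath
    if (-not (Test-Path -Path $psPath)) { New-Item -Path $psPath -Force | Out-Null }

    $before = (Get-ItemProperty -Path $psPath -Name $Name -ErrorAction SilentlyContinue).$Name
    Set-ItemProperty -Path $psPath -Name $Name -Value $Value -Type DWord
    $after  = (Get-ItemProperty -Path $psPath -Name $Name).$Name

    [pscustomobject]@{ Key = $KeyPath; Name = $Name; Before = $before; After = $after; Backup = $backup }
}

# Read-only USB mass storage: WriteProtect = 1 (the StorageDevicePolicies key is often
# absent until created, which Set-RegistryDword handles).
Set-RegistryDword 'HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' 'WriteProtect' 1
# Verbose startup/shutdown status messages: verbosestatus = 1
Set-RegistryDword 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'verbosestatus' 1
# Taskbar preview delay in milliseconds (Windows default is 400): ExtendedUIHoverTime = 200
Set-RegistryDword 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'ExtendedUIHoverTime' 200

# Registered owner is a REG_SZ, so it is set directly after the same backup step.
# 'New Owner' is a placeholder value.
$ownerKey = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Backup-RegistryKey -KeyPath $ownerKey | Out-Null
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'RegisteredOwner' -Value 'New Owner' -Type String

# Roll back any change with:  reg.exe import <file from the Backup column>
```

The Before column doubles as a quick audit: a WriteProtect value that is already set, or a verbosestatus value you did not create, is worth asking about before overwriting it.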


You can also create your own registry hacks by exporting a key from the registry to a .reg file and editing it with any text editor. Double-clicking the .reg file will then set the new values in the registry. This technique can be used to change registry values on any computer just by double-clicking the file.
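Rather than editing an export by hand, the .reg format is simple enough to generate. The PowerShell example below is added here and is not from the original post: it writes a .reg file in the format regedit exports for the taskbar-preview value from the previous section, imports it silently with reg.exe (the unattended equivalent of double-clicking the file), and reads the value back. The output path and the function name are assumptions.

```powershell
# Added example, not code from the original post: build a .reg file in the
# format regedit exports, so the same settings can be applied to another machine
# by double-clicking the file or, unattended, with reg.exe import. Only the post's
# ExtendedUIHoverTime value is used; the output path and function name are assumptions.

function ConvertTo-RegFile {
    # Returns .reg text for one key. Values: [int] -> dword, [string] -> REG_SZ.
    param(
        [Parameter(Mandatory)][string]$KeyPath,      # full hive name, e.g. HKEY_CURRENT_USER\...
        [Parameter(Mandatory)][hashtable]$Values
    )
    $lines = @('Windows Registry Editor Version 5.00', '', "[$KeyPath]")
    foreach ($name in $Values.Keys) {
        $v = $Values[$name]
        if ($v -is [int]) {
            $lines += '"{0}"=dword:{1:x8}' -f $name, $v            # dword is 8 lowercase hex digits
        } elseif ($v -is [string]) {
            $escaped = $v -replace '\\', '\\' -replace '"', '\"'  # backslash and quote are escaped in .reg
            $lines += '"{0}"="{1}"' -f $name, $escaped
        } else {
            throw "unsupported value type for '$name'"
        }
    }
    $lines += ''   # regedit expects a trailing blank line
    return ($lines -join "`r`n")
}

$advanced = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$regText  = ConvertTo-RegFile -KeyPath $advanced -Values @{ ExtendedUIHoverTime = 200 }
$regFile  = Join-Path $env:TEMP 'hover-time.reg'
# regedit writes exported files as UTF-16 LE; 'Unicode' produces the same encoding.
Set-Content -Path $regFile -Value $regText -Encoding Unicode
Get-Content -Path $regFile   # review before importing: this is the text regedit would show

# Import without the confirmation dialog, then read the value back through the provider.
& reg.exe import $regFile
(Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced').ExtendedUIHoverTime
```

Reviewing the generated text before importing is the habit worth keeping: a .reg file applies whatever keys and values it lists, under whichever hive it names, so a file received from elsewhere should be read the same way before it is double-clicked.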
