Blog
MSI Structure of Registry
- April 12, 2022
- Posted by: Pavithra
- Category: End User Computing

What is Registry?
(MSI Structure of Registry) The Registry is split into a number of logical sections. Each of these keys is divided into subkeys, which may contain further subkeys, and so on. Any key may contain values. These values can be:
- String Value
- Binary Value
- DWORD Value (numbers between 0 and roughly 4 thousand million)
- Multi-String value
- Expandable String Value
HKEY_CLASSES_ROOT:
HKCR stores information about registered applications, including associations from file extensions and OLE object class ids.
HKCR is a compilation of HKCU\Software\Classes.
If a given value exists in both of the subkeys, the one in HKCU\Software\Classes is used.
HKEY_CURRENT_USER:
HKCU stores settings that are specific to the currently logged in user.
HKCU mirrors the current user’s subkey of HKEY_USERS
This area of the registry contains user-specific settings, and points to the user’s specific branch of the HKEY_USERS key.
HKEY_LOCAL_MACHINE:
HKLM stores settings that are general for all users on the computer.
This key is found within the file: %SystemRoot%\System32\Config\system
HKEY_USERS:
HKU contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user registered on the machine.
HKEY_CURRENT_CONFIG:
HKCC contains information gathered at runtime; information stored in this key is not permanently stored on disk, but rather regenerated at boot time.
The key is actually a pointer to one of the configuration branches of HKEY_LOCAL_MACHINE\Config
Editing the Registry (Information registration editor)
Registry can be edited by running regedit.exe
Windows NT 4 uses both REGEDIT.EXE and Windows NT 3.x’s REGEDT32.EXE.
REGEDIT.EXE had a left-side tree view that began at “My Computer” and listed all loaded hives.
REGEDT32.EXE had a left-side tree view, but each hive had its own window.
REGEDIT.EXE represented the three components of a value (i.e. name, type, and data) as separate columns of a table
REGEDT32.EXE represented them as a list of strings
REGEDIT did not support permission editing, therefore the only way to access the full functionality of an NT registry was with REGEDT32.EXE
Windows XP was the first system to integrate these two programs into one, adopting the REGEDIT.EXE interface with the additional NT functionality
The largest difference between REGEDIT and REGEDT32 is the ability for this one to set permissions on keys. Tweak UI (part of the Microsoft Tools) is a special utility designed to edit various registry settings. Policy Editor is more suited to administrative registry editing.
Where is the Registry stored? (MSI Structure of Registry)
Depending upon the version of Windows, Registry is stored in several files.
There will be different files and different locations for these files, but they are all on the local machine, except for the NTuser or user file which may be placed on another computer to allow for roaming profiles.
For Windows NT, 2000, 2003, & XP
The Registry files (Sam, Security, Software, System, Default ) are stored in %SystemRoot%\System32\Config\
The NTUSER.dat and Userdiff file is stored in the profile folder.
For Windows 95 & 98
The registry files are named User.dat and System.dat and are stored in the \Windows\ directory.
Windows ME The registry files are named Classes.dat, User.dat, and System.dat and are stored in the \Windows\ directory.
For Windows 3.11
The registry file is called Reg.dat and is stored in the \Windows\ directory.
Common Locations (MSI Structure of Registry)
HKCU\Console: Contains values that control how the command prompt is displayed. For example, the value of QuickEdit determines how marking and pasting is performed in a command prompt.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders: Contain values that allow one to alter the locations of important folders. So one could change the location of the desktop, my documents, my pictures, etc.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall: The key is used for uninstalling any application. UninstallString is there in the Hive
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList: This key contains subkeys that list the account SIDs on the computer. Each SID represents a user that can log in. From here one can change the profile path of a user’s account, set account flags, and a lot more.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: This key holds useful keys as well as useful values. Such as, set autolog on the computer, so one doesn’t need to enter a username and password after a restart. This path generically exists as a startup location for Windows NT, so it prepares the user’s desktop when a user logs in.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion: Run, RunOnce, RunOnceEx, RunServices, RunServicesOnce: These subkeys hold values for startup items. String values contain paths to executable that are executed based on the rules of the key. For run they execute every time a user logs in, runonce runs the executable once when a user logs in, and then that entry is removed (although the program could potentially read itself back), RunServices/RunServices are very similar to Run/RunOnce. RunOnceEx contains extensions that are very rarely used. These keys exist both in both the CU and LM handles, although the rules are different (LM applies to all users).
Abbreviation
HK stands for handle key,
CU for current user,
LM for local machine
HKCR for HKEY_CLASSES_ROOT
HKCU for HKEY_CURRENT_USER
HKLM for HKEY_LOCAL_MACHINE
HKU for HKEY_USERS
HKCC for HKEY_CURRENT_CONFIG
Registry Limitations on Windows 95/98/Me: (MSI Structure of Registry)
Windows® Installer has the following registry limitations on Microsoft Windows 95, Windows 98, and Windows Millennium Edition (Windows Me). The stated limits for the maximum number of features or components are approximate. The actual limits can depend upon the installation.
- Registry values are limited to 16382 on Windows 98 and Windows Me, and limited to 16371 on Windows 95. This effectively limits the number of components per feature to 817. The limit varies depending upon any additional space needed to accommodate optional parent features, which should placed in the same value.
- The total size of a registry key and all its values is limited to 64 KB on Windows 95 only. This can limit the maximum total number of features and components in a product.
- Windows Installer version 1.2 saves in-progress information as a registry value. This can limit the maximum number of features on Windows 95, Windows 98, and Windows Me. This limitation no longer exists with Windows Installer version 2.0 or later. Note that some of these limitations may be checked by ICE47.
What are the differences between configuration files and registry?
The difference between configuration files and registry is discussed as follows:
- Configuration files are application specific so anybody using the same application will have same settings whereas in registries these settings are stored in HKCU hive.
- Configuration files are simple text files for which ACL cannot be applied. Contrast this to the registry (or SQL Server) where an entry can have an ACL so that certain accounts are refused access to a value (and presumably to a feature of the app that uses the value).
When registry is used?
Registry is used to store the configuration settings of a particular application.
- HKCR is a compilation of HKCU\Software\Classes. If a given value exists in both of the subkeys, the one in HKCU\Software\Classes is used.
- HKLM stores settings that are general for all users on the computer.
- HKCU stores settings that are specific to the currently logged in user.
- HKU contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user registered on the machine.
HKCC contains information gathered at runtime; information stored in this key is not permanently. The key is actually a pointer to one of the configuration branches of HKEY_LOCAL_MACHINE\Config stored on disk, but rather regenerated at boot time