Windows Registry Hive
Windows Registry Hive Overview
The Windows Registry is a hierarchical database in which the Windows operating system stores configuration settings and options: information, settings and preferences for hardware, software, users and the operating system itself. On disk the registry is split into hives, discrete files that each hold a logical group of keys, subkeys and values. Windows and installed applications rely on the data in these hives for proper operation.
A hive is loaded into memory when it is needed (the machine hives at boot, a user's profile hive at logon) and is referenced continuously as users interact with the system. The top-level keys shown in Registry Editor (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER and so on) are strictly root keys rather than hives: a root key may be assembled from several hive files, and two root keys may be links or merged views of the same data. In everyday usage the root keys are nevertheless called hives, and this page follows that convention.
Types of Windows Registry Hives
Windows operating systems primarily expose the following root keys, commonly referred to as registry hives:
HKEY_LOCAL_MACHINE (HKLM)
HKEY_CURRENT_USER (HKCU)
HKEY_CLASSES_ROOT (HKCR)
HKEY_USERS (HKU)
HKEY_CURRENT_CONFIG (HKCC)
Each of these hives serves a distinct purpose, containing different types of configuration and operational data for Windows and installed applications.
1. HKEY_LOCAL_MACHINE (HKLM)
The HKEY_LOCAL_MACHINE (HKLM) hive stores configuration settings and information related to the computer’s hardware and software. The settings in this hive apply globally to all users on the machine, making it one of the most critical registry hives.
Subkeys within HKLM
SYSTEM: Contains system startup configuration, drivers, services and Windows components. The ControlSet00N subkeys are the saved configurations; CurrentControlSet is a link to the one in use.
SOFTWARE: Stores settings and configurations for installed applications and system software.
SECURITY: Holds the Local Security Authority (LSA) policy database: account and audit policy, user rights assignments, and LSA secrets such as service account passwords and cached domain logon credentials.
SAM (Security Accounts Manager): Stores local account information, including usernames, SIDs, group membership and NT password hashes. The hashes are encrypted with a key derived from the boot key held in the SYSTEM hive, so the two hives are needed together to recover them.
HARDWARE: Contains hardware configuration data gathered at boot time. It is volatile: it is rebuilt on every start and has no file on disk.
The SAM, SECURITY, SOFTWARE and SYSTEM subkeys are each backed by a file of the same name in C:\Windows\System32\config, with transaction logs (.LOG1 and .LOG2) alongside. Under the default ACL the contents of SAM and SECURITY are readable only by the SYSTEM account; Administrators cannot browse them in Registry Editor, but they can export them with backup semantics (reg save, which uses SeBackupPrivilege) or copy the files from a volume shadow copy. SAM and SYSTEM together, or SECURITY and SYSTEM, are therefore the standard targets for offline credential extraction, and reads or exports of these hives are worth alerting on.
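As an added example (not part of the original page), the following PowerShell maps each loaded hive to its backing file using the hivelist key and then checks whether the current account can read the contents of SAM and SECURITY. Paths are the Windows defaults; run it in an elevated session to see that even Administrators are denied.

```powershell
# Added example: list loaded hives and their backing files, then check SAM/SECURITY access.
# The hivelist key is readable by any user. Its value names are kernel registry paths and its
# data is the NT device path of the backing file; the data is empty for volatile hives (HARDWARE).
$hiveList = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'

$hiveList.PSObject.Properties |
    Where-Object { $_.Name -like '\REGISTRY\*' } |
    ForEach-Object {
        $file = $_.Value
        if (-not $file) { $file = '(volatile, no file on disk)' }
        [pscustomobject]@{ Hive = $_.Name; File = $file }
    } |
    Format-Table -AutoSize

# SAM and SECURITY contents are readable only by SYSTEM under the default ACL. Administrators get
# "Requested registry access is not allowed" here, yet they can still export the hives with
# backup semantics (reg save), which is the usual route for offline credential extraction.
foreach ($key in 'HKLM:\SAM\SAM', 'HKLM:\SECURITY') {
    try {
        $null = Get-ChildItem -Path $key -ErrorAction Stop
        Write-Warning "$key is readable by $env:USERNAME; the default ACL has been loosened"
    }
    catch {
        Write-Output ('{0}: access denied for {1} (expected under the default ACL)' -f $key, $env:USERNAME)
    }
}
```

A warning from the second loop on a production host is itself a finding: either someone changed the DACL on the credential hives, or the script is running as SYSTEM. The hive-to-file table is the list to use when deciding which files to collect in an acquisition, since anything with an empty File column cannot be recovered from disk.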
2. HKEY_CURRENT_USER (HKCU)
The HKEY_CURRENT_USER (HKCU) hive contains settings specific to the user whose token the calling process holds. It is not a separate store: HKCU is a symbolic link to the subkey of HKEY_USERS named by that user's SID, provided for easier access. One consequence is that a script or service running as SYSTEM writes to the SYSTEM account's profile under HKCU, not to the interactively logged-on user's.
Subkeys within HKCU
Control Panel: Stores user-specific desktop settings, screen saver settings, and other UI configurations.
Software: Holds user-specific settings for installed applications.
Environment: Stores environment variables for the current user session.
Keyboard Layout: Manages keyboard input preferences for the user.
Network: Contains settings related to network connections and mapped drives.
HKCU is loaded at logon from the NTUSER.DAT file in the user's profile directory, C:\Users\[Username]; each user has a separate NTUSER.DAT. The HKCU\Software\Classes subtree comes from a second per-user hive, UsrClass.dat in C:\Users\[Username]\AppData\Local\Microsoft\Windows. Because the user owns both files, everything under HKCU, including autostart locations such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run, can be modified without administrative rights, which is why these keys are common persistence points for malware running as a standard user.
3. HKEY_CLASSES_ROOT (HKCR)
The HKEY_CLASSES_ROOT (HKCR) hive is primarily responsible for managing file associations and Object Linking and Embedding (OLE) information. It defines how files with specific extensions are handled by the system.
Subkeys within HKCR
File Extensions (.txt, .jpg, .exe, etc.): Each extension key maps to a ProgID, and the ProgID's shell\open\command subkey holds the command line run when a file of that type is opened.
CLSID (Class Identifiers): Stores the registration of each COM (Component Object Model) class, including the path of its server DLL or executable (InprocServer32 or LocalServer32).
Interface: Registers COM interface IDs (IIDs) and the proxy/stub or type library used to marshal them.
HKCR is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes. Where both define the same key, the per-user entry is the one HKCR presents, so a user can override machine-wide file associations and COM registrations for their own session. Since HKCU\Software\Classes is user-writable, this precedence is also the basis of COM hijacking: registering a CLSID under HKCU that already exists under HKLM redirects any of that user's processes that activate the class to the attacker's DLL.
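As an added example (not part of the original page), the following PowerShell enumerates CLSIDs that are registered both machine-wide and per-user, and shows that the merged HKCR view resolves to the per-user server. The Get-InprocServer helper is assumed for this example; it only reads the (default) value of InprocServer32 under a CLSID key.

```powershell
# Added example: report CLSIDs registered per-user that shadow a machine-wide registration.
# HKCR is built by layering HKCU\Software\Classes over HKLM\Software\Classes, so for any CLSID
# present in both, COM activation from this user's processes resolves to the per-user server.
$userClsid    = 'HKCU:\Software\Classes\CLSID'
$machineClsid = 'HKLM:\SOFTWARE\Classes\CLSID'

function Get-InprocServer([string]$ClsidKey) {
    # Returns the (default) value of InprocServer32 under the given CLSID key, or $null if absent.
    $item = Get-ItemProperty -Path "$ClsidKey\InprocServer32" -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' }
}

if (-not (Test-Path $userClsid)) {
    Write-Output 'No per-user CLSID registrations under HKCU\Software\Classes\CLSID'
    return
}

Get-ChildItem -Path $userClsid | ForEach-Object {
    $clsid         = $_.PSChildName
    $userServer    = Get-InprocServer "$userClsid\$clsid"
    $machineServer = Get-InprocServer "$machineClsid\$clsid"
    # Only CLSIDs defined on both sides are shadowing; a per-user-only CLSID is an ordinary install.
    if ($userServer -and $machineServer) {
        [pscustomobject]@{
            CLSID         = $clsid
            MachineServer = $machineServer
            UserServer    = $userServer
            # The merged view returns the same path as UserServer: the per-user key takes precedence.
            HKCRResolves  = Get-InprocServer "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        }
    }
} | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. Legitimate per-user installs (browsers, collaboration clients) register their own CLSIDs under HKCU and will appear here when the same class also exists machine-wide, so the server path, its signature and who wrote the key decide whether a row is a finding. And since Windows Vista, elevated (high-integrity) processes do not consult per-user class registrations during COM activation, so a shadowed CLSID affects that user's normal processes but not elevated ones.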
4. HKEY_USERS (HKU)
The HKEY_USERS (HKU) hive holds the loaded profile hives of the users currently logged on to the system, plus those of the built-in service accounts. Each user's settings appear under a subkey named by the account's security identifier (SID).
Subkeys within HKU
.DEFAULT: The profile used by the LocalSystem account and by the logon screen before anyone signs in. It is backed by the DEFAULT file in C:\Windows\System32\config. It is not the template for new user profiles; that template is C:\Users\Default\NTUSER.DAT.
S-1-5-21-...: One subkey per loaded user profile, named by the account's SID; the current user's subkey is the one HKCU points to. Next to each is a <SID>_Classes subkey holding that user's HKCU\Software\Classes data, loaded from UsrClass.dat.
S-1-5-18, S-1-5-19, S-1-5-20: The profiles of the SYSTEM, LOCAL SERVICE and NETWORK SERVICE accounts. Per-user environment variables live inside each profile under <SID>\Environment; there is no separate HKU subkey for them.
Since HKCU is a symbolic link to the current user's subkey of HKU, a change made through either path is immediately visible through the other. Only the hives of users who are currently logged on (and the service accounts above) appear under HKU; to inspect another user's NTUSER.DAT on a live system, load it explicitly with reg load under a temporary key and unload it afterwards, or parse the file offline.
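The HKU-to-file mapping described here and in the HKCU section, as an added example that is not part of the original page: the following PowerShell lists each SID loaded under HKEY_USERS, resolves its profile folder through the ProfileList key to locate NTUSER.DAT and UsrClass.dat, and then reads one value through both HKCU and HKU\<SID> to show they are the same key. The HKU: drive does not exist by default and is created here; LocaleName under Control Panel\International is used only because it is present in every profile.

```powershell
# Added example: map the SIDs under HKEY_USERS to profile folders and hive files, and show that
# HKCU is the same key as HKU\<SID of the current user>.
if (-not (Test-Path 'HKU:\')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$currentSid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# <SID>_Classes keys are the UsrClass.dat hives; they are reported as a column rather than as rows.
Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $prof = Get-ItemProperty -Path "$profileList\$sid" -ErrorAction SilentlyContinue
        # .DEFAULT has no ProfileList entry; the service SIDs point under %SystemRoot% (expanded by Get-ItemProperty).
        $ntuser   = '(no profile folder)'
        $usrclass = ''
        if ($prof) {
            $ntuser   = Join-Path $prof.ProfileImagePath 'NTUSER.DAT'
            $usrclass = Join-Path $prof.ProfileImagePath 'AppData\Local\Microsoft\Windows\UsrClass.dat'
        }
        [pscustomobject]@{
            SID           = $sid
            IsCurrentUser = ($sid -eq $currentSid)
            NtUserDat     = $ntuser
            UsrClassDat   = $usrclass
            ClassesLoaded = Test-Path "HKU:\$($sid)_Classes"
        }
    } |
    Format-Table -AutoSize

# HKCU is a link to HKU\<current SID>: reading the same value through both paths gives one result.
$viaHkcu = (Get-ItemProperty -Path 'HKCU:\Control Panel\International').LocaleName
$viaHku  = (Get-ItemProperty -Path "HKU:\$currentSid\Control Panel\International").LocaleName
Write-Output ('HKCU: {0}  HKU\{1}: {2}  same key: {3}' -f $viaHkcu, $currentSid, $viaHku, ($viaHkcu -eq $viaHku))
```

Users who are not logged on have a ProfileList entry but no row in this table, because their NTUSER.DAT is not loaded; that is the case where reg load, or an offline parser run against the file, is needed. Run as SYSTEM (for example from a scheduled task), IsCurrentUser is true for S-1-5-18, which is the HKCU pitfall noted in the HKCU section.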
5. HKEY_CURRENT_CONFIG (HKCC)
The HKEY_CURRENT_CONFIG (HKCC) hive exposes the hardware profile the system is currently using. It is a symbolic link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current, so its contents are part of the SYSTEM hive.
Subkeys within HKCC
System\CurrentControlSet\Control\GraphicsDrivers: Stores settings related to display adapters and graphics rendering.
System\CurrentControlSet\Control\Print: Holds printer-related configuration settings.
System\CurrentControlSet\Services: Contains dynamically loaded driver settings.
HKCC is not backed by a file of its own; its data lives in the SYSTEM hive, and HKCC is simply the link to the profile in use at runtime. Modern Windows versions keep a single hardware profile, so the key is of little practical use and is retained mainly for compatibility.
Additional Important Registry Hives
While the five main registry hives are the most commonly referenced, there are additional specialized registry hives that exist for system administration and configuration purposes.
HKEY_PERFORMANCE_DATA
This key is used by performance monitoring tools and is not visible in Registry Editor. It has no hive file: reading a value from it (for example through RegQueryValueEx) makes the system collect performance counter data for CPU, memory, disk and network usage at that moment and return it as a block of binary data. It is the interface behind the counters shown in Performance Monitor.
HKEY_DYN_DATA (Windows 9x/ME Only)
This key existed in the Windows 9x/ME line to hold dynamic system information such as Plug and Play devices and resource allocation. It does not exist on Windows NT-based systems, where the equivalent volatile data lives under HKLM\HARDWARE.