home-Payment systems-The main keys of the windows registry. What is the Windows Registry

The main keys of the windows registry. What is the Windows Registry

Today we will try to get into the Windows registry from the back door, without using the standard WinAPI functions intended for this. What will it give us in the end? The ability to write and read from the registry directly, bypassing the restrictions set by the developers of antivirus solutions!

Looking ahead, I will note: this topic is interesting, but there is a whole set of serious problems. Although who said that we can’t afford it? 🙂

What is the register, or a little lyrics

From the point of view of the Windows operating system, the registry is a unique pantry. This peculiarly built hierarchical database stores settings, data, registration information and other crap about almost everything in the system, from programs to the settings of a specific user. Almost everything is stored in the registry. Despite the fact that some programs prefer to store their settings in ini-configs (especially programs written for Win 3.11. - Ed.), Windows itself reads all the necessary information about itself from the registry. For the sake of fairness, we note that in * nix-like operating systems, the system for storing settings in all kinds of configs still dominates.

For newcomers - system administrators, when starting to work with the registry, older comrades scare that incorrect configuration and change of registry parameters can completely overwhelm the system with its subsequent reinstallation. And indeed it is.

For example, the so-called restore points are copies of the registry. They are widely used by users when they encounter various problems both with the operating system and with software and hardware.

I must say that 99% of information about the Windows registry is a description of the main keys plus advice on how to work with them. But how does the operating system work with the registry itself? And can we emulate her actions? Let's speculate a little.

So what?

The registry is both Windows' strong and weak point. The strong side of the registry is that there is no need for software developers to manipulate a bunch of configs, as is, for example, implemented in nix. The registry is also convenient for the creators of COM components - the system automatically registers such a component in the registry and facilitates the task of its further use.

The weakness of the registry is that access to modification of sensitive areas of the registry allows you to control Windows by any program written by some newly minted malware. Remember at least the most famous branch of the Windows registry, which allows you to run programs at the start of the OS :).

If in Windows 98 the registry could be repaired by anyone who thought of it, then starting with Windows XP only users with an administrator account have access to the registry. In Vista +, registry access is protected by UAC. This is understandable.

I must admit that with the release of Win7, the security concepts when working with the registry have been revised for the better. For example, the HKEY_LOCAL_MACHINE registry key is under protection. In general, an attempt to write something to it will be redirected to the appropriate HKEY_CURRENT_USER branch for the current user.

Interface

To work with the registry directly, Windows offers the programmer a whole set of WinAPIs that any system developer should be familiar with - these are Reg * functions such as RegOpenKey, RegQueryValue, and so on. In the Win core, these are NtOpenKey, NtQueryValueKey, and a number of others. There is little point in describing them - all documentation on the proper use of these functions can be found on MSDN.

Here is what is worth noting. Antiviruses and proactives to control user actions installed hooks on the mentioned functions, both in the kernel and in the usermode.

With the release of Win7 x64, the situation has changed, and I already wrote about this once. The Windows developers decided to abandon the ability to intercept potentially dangerous functions in the Win kernel. Now the KeServiceDescriptorTable variable in x64 is exported more, and it won't work to rewrite the required code section - PatchGuard won't give it. There are, of course, sadomasochistic solutions to circumvent these restrictions - but there will be more crap than profit. Moreover, Microsoft offers convenient ObRegisterCallbacks to control the registry.

INFO

There is very little information on the Web about the structures that describe the main registry files. And almost all of them are in English. Basic knowledge can be found. In addition, it is well written about the registry in the bible of the system engineer "The Internal Arrangement of Windows" from comrades M. Russinovich and D. Solomon.

And now - about the most interesting

But what exactly is a registry really? If you look into the WINDOWSsystem32config folder, you can see several files there: system, software, security, SAM and several others.

These are registry files.

However, it would be unfair to speak of the registry simply as a combination of files loaded into memory. Much of what the registry contains is dynamic, that is, a number of values ​​are calculated at the stage of loading the system itself, primarily this concerns certain hardware parameters. For example, this is the HKEY_DYN_DATA registry subkey, the data of which, when the operating system is loaded, is located in RAM and remains there until the operating system is shut down. By the way, the same can be said about the key subkey HKEY_LOCAL_MACHINE, which does not have its corresponding file on the disk, but is actually formed from other registry files, such as software, system and others.

Thus, the registry from the inside can be rather roughly called a "virtual combination of registry files". After starting the system, these files are located both in the paged pool and in nonpaged memory.

Registry structure

In order to learn how to work with the registry directly, one cannot do without knowledge of its internal structure. In general, Microsoft has never revealed the secrets of the internal structure of the files that make up the registry, as it poses a security risk. According to my observations, all the available descriptions of the registry files and its structure (and, by the way, there are very few of them) are the results of the research of pioneer researchers. The most complete, in my opinion, such a "study" is possible, it belongs to Comrade Peter Norris.

We will not go into the details of the organization and structure of the registry, this is a long, tedious business and does not exactly fit into the framework of the article. It is important to understand here that the registry is a hierarchical tree-like structure, sometimes it is also said to look like a honeycomb.

And what to do with all this now?

I'll grieve right away: you won't be able to mess with the registry directly in the usermode, the system will not let you do this, as is usually the case with files occupied by other processes. If you try to twist, you can only read such a "busy" file, and then if you guess with the flags with which it was opened. Unfortunately, it will not be possible to write information into the "registry file" we are interested in. By the way, the feature with writing the necessary information to the registry can work, if you write to the registry * .BAK files, they are definitely available for writing.

So watch your hand :).

The first thing that can come to your bright mind is to open the registry file directly and write something there.

Theoretically, this can be done, for this you need, firstly, to be able to work with "busy" files (search for methods on the Web) and, secondly, as I said above, you need to know the internal structure of the registry files. This method is rather clumsy, but, despite its delusional nature, it is quite viable, although it is difficult to implement in practice (try experimenting with it yourself).

Here I will offer two ways to help you cut the registry into small pieces.

The first way is that for the configuration manager (Configuration Manager, part of the operating system, if you are not aware), the registry is nothing more than a set of strictly defined structures in memory, which, as it turns out, are very easy to work with. What are these structures, you ask? HBASE_BLOCK, HHIVE, HBIN, HCELL, HMAP_ENTRY, HMAP_DIRECTORY, a bunch of CM_ * structures used by the config manager to manage the registry. From the point of view of the operating system, the registry is simply a set of regulated structures in memory. For example, the signature "regf" for "registry file" is a predefined constant:

Define HBASE_BLOCK_SIGNATURE 0x66676572 typedef struct _HBASE_BLOCK (ULONG Signature; // 0x66676572 ULONG Sequence1; ULONG Sequence2; LARGE_INTEGER TimeStamp; ....) And here is the signature "regf" ...

That is, the meaning of all this my monologue is that there is a gorgeous possibility of manipulating the registry at the operating system level, but at the same time not using its standard tools. How is this possible? We just simulate the actions of the operating system itself, exactly the way it itself works with the registry! It is important, as I said, to understand that for the OS itself, the registry is nothing more than a set of corresponding structures in memory.

If we have access to registry files at the kernel level, then why are we worse than the OS itself in order to establish its own order?

And here the most interesting question appears on the scene - how to find these very structures in memory? True, there are no standard system tools for solving this issue, so you have to get out in a tricky way.

Knowing what the structures look like, you need to remember that each file, the hive of the registry, has its own constant signature. For example, "regf" is 0x66676572. For the hive, the signature will be 0xBEE0BEE0. Having access to memory from the kernel, we can quite easily find these signatures in memory by simply scanning it. You can also scan the memory in search of the "CM10" signature - it is this signature that is assigned by the config manager to the paged memory block, which is allocated for the CMHIVE structure. I suppose, having found the element of interest to us in memory, you will figure out what to do with it further :).

How, for example, can you change the value of a registry cell? The value is stored in the CM_KEY_VALUE-> Data field, so if you have a task to change any field in a specific registry key, look for the value there:

Typedef struct _CM_KEY_VALUE (WORD Signature; // #define CM_KEY_VALUE_SIGNATURE 0x6B76 WORD NameLength; ULONG DataLength; ULONG Data; //<---------- данные ячейки будут здесь ULONG Type; WORD Flags; WORD Spare; WCHAR Name; } CM_KEY_VALUE, *PCM_KEY_VALUE;

The second option is a kind of modification of the first. If you know, there is one peculiarity when working with the registry - all changes, that is, "creating new keys / writing / deleting keys", as a rule, take effect after rebooting the system (well, or after rebooting the explorer, this is such a hack method). Until then, all changes are in a suspended, "dirty" state. Moreover, the system, when accessing the registry, communicates with it through the file system cache. This is understandable - there can be hundreds of calls to the registry per second, therefore, relying on the speed of the file system is unreasonable, no speed will save you here. Therefore, the system works with the registry, as they say, virtually, through the file system cache. And here, in order to pull the guts of the registry into the light, you need to get into the cache! How this is done has already been described in tyrnets, including in.

Pro & Cons, or instead of a conclusion

What can I say in the end? The variation on the topic of direct control over the registry, proposed to the reader in the article, is purely experimental. I do not argue that it is too heavy for practical implementation, and many will say that it is better to use normal WinAPI functions designed to work with the registry - and they will be right to some extent. However, the implemented die_hard in fact, based on the principles given in the article, will have a truly thermonuclear power that is beyond the control of either the Avers or the operating system itself.

Now I'll finish. Happy compilation and may the Force be with you!

WWW

The article by Mark Russinovich on the "Inside the Registry" is obligatory to read, there was even a Russian translation. An excellent tool for collecting registry information: http://goo.gl/iSSVy.

Windows Registry (Windows Registry) is a hierarchical (tree-like) database containing records defining parameters and settings of Microsoft Windows operating systems. The registry as it looks when viewed by the registry editor is generated from data sourced from registry files and hardware information collected during the boot process. Registry files in English use the term "Hive"... In the documentation from Microsoft, this term is translated as "Bush".

The main files responsible for the formation of the registry

Registry files are created during the installation of the operating system and are stored in the folder:

% SystemRoot% \ system32 \ config (usually C: \ windows \ system32 \ config).

For Windows operating systems, these are files with the names:

system
software
sam
security
default
components
bcd-template

In operating systems Windows Vista, Windows 7, Windows8,,, registry files are located in the directory \ Windows \ system32 \ config and have the same names, however, these operating systems have added a new registry key to store ( Boot Configuration Data) With name BCD00000000... The file with the data of this section has the name bcd and is located in a hidden folder Boot active partition (the partition from which the system is booted). Usually, during a standard Windows installation, a small active partition is created (from 100 to 500 megabytes, depending on the operating system), which is hidden from the user and contains only service data for booting the system - boot records, boot manager bootmgr, boot configuration store BCD, localization files and memory testing programs. Bush location bcd depends on how the boot loader is configured when the system is installed, and may be on the same partition as the Windows directory.

The location of the registry files in any version of Windows can be viewed using the registry editor, in the section:

HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ hivelist

This section stores information about all hives, including user profiles, with links to their location in the Windows file system.

Registry structure

The Windows registry has a tree structure and consists of 5 main registry keys:

HKEY_LOCAL_MACHINE (HKLM) is the largest registry key. It contains all the basic settings of the operating system, as well as the hardware and software of the computer. The information contained in this section applies to all users who register in the system.

HKEY_ CLASSES_ ROOT (HKCR) - Contains associations between applications and file types (by file extensions). In addition, this section contains information about the registered file types and COM and ActiveX objects. except HKEY_ CLASSES_ ROOT this information is also stored in sections HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER... Chapter HKEY_LOCAL_MACHINE \ Software \ Classes contains default settings that apply to all users on the local computer. The options contained in the section HKEY_CURRENT_USER \ Software \ Classes, override the default and apply only to the current user. Chapter HKEY_CLASSES_ROOT includes data from both sources.

HKEY_USERS (HKU) - Contains the environment settings for each of the loaded user profiles, as well as for the default profile. V HKEY_USERS there is a nested section \ Default as well as other subsections identified by the SID ( Security ID, SID) of each user.

HKEY_CURRENT USER (HKCU) - Contains environment settings for the user currently logged into the system (environment variables, desktop settings, network settings, applications and connected devices).

This section duplicates information in HKEY_USERS \ user SID, where user SID- the security identifier of the user who is currently logged into the system (you can find out the SID of the current user by typing in the command line whoami / user).

HKEY_CURRENT_ CONFIG (HKCC) - Contains settings for the current hardware profile. The current hardware profile includes the sets of changes made to the default device configuration specified in the subsections Software and System root partition HKEY LOCAL_MACHINE... V HKEY_CURRENT_CONFIG only changes are reflected. In addition, the information in this section is located in HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ HardwareProfiles \ Current.

Registry data is stored as parameters located in registry keys. Each parameter is characterized by a name, data type and value.

Basic data types used in the registry

REG_DWORD is a 32-bit number. This data type is used by many parameters in device drivers and services. Registry editors can display this data in binary, hexadecimal, and decimal format.

REG_SZ - Human-readable text string. Values ​​representing component descriptions are usually assigned this data type.

REG_EXPAND_SZ - Expandable data string. This string is a text containing a variable that can be replaced when called from the application, for example, used to write environment variables.

REG_MULTI_SZ - Multiline field. Values ​​that are actually lists of text strings in a human-readable format usually have this data type. The lines are NULL delimited.

REG_BINARY - Binary data. Most hardware components use information that is stored as binary data. Registry editors display this information in hexadecimal format.

REG_RESOURCE_LIST - Hardware resource list. Applies to branch only HKEY_LOCAL_MACHINE \ HARDWARE.

Also, sometimes you can find these types of registry data:

REG_RESOURCE_ REQUIREMENTS_LIST- List of required hardware resources. Applies to branch only HKEY_LOCAL_MACHINE \ HARDWARE.

REG_FULL_RESOURCE_ DESCRIPTOR - Hardware resource descriptor. Applies to branch only HKEY_LOCAL_MACHINE \ HARDWARE.

REG_QWORD is a 64-bit number.

REG_DWORD_ LITTLE_ENDIAN - 32-bit little-endian number, equivalent REG_DWORD.

REG_DWORD_BIG_ ENDIAN - 32-bit number in big-endian format.

REG_QWORD_LITTLE_ ENDIAN - 64-bit spiked number. Equivalent REG_QWORD.

REG_NONE - The parameter has no specific data type.

Interaction of the registry with the operating system

When the computer starts up, the hardware recognizer ( hardware recognizer) adds a list of devices it has detected to the registry. Usually hardware recognition is done by the program Ntdetect.com and operating system kernel Ntoskrnl.exe

At system startup, the system kernel extracts from the registry information about the device drivers being loaded and the order in which they are loaded. In addition, the program Ntoskrnl.exe transfers information about itself to the register (eg version number).

During system boot, device drivers exchange boot parameters and configuration data with the registry. The device driver reports the system resources it uses, including hardware interrupts ( IRQ) and memory access channels ( DMA) so that the system can include this data in the registry. By the way, the registry allows you to create multiple hardware profiles. Hardware profile ( hardware profile) is a set of instructions that you can use to tell the operating system which device drivers to load when the computer starts up. By default, the system creates a standard hardware profile that contains information about all hardware found on the computer.

When a user logs in, user profiles are loaded ( user profiles). All information related to a particular username and associated rights is stored in the registry. A user profile defines individual system settings (display resolution, network connection settings, connected devices, and more). User profile information is also stored in the registry.

When installing applications. Each time the installer runs, new configuration data is added to the registry. When starting up, all installers must read information from the registry to determine if the components they need are present on the system. In addition, the system registry allows applications to share configuration information, which gives them more interoperability. The application must actively and correctly use the registry, and also be able to delete it correctly without affecting components that can be used by other programs (libraries, program modules, etc.). This information is also stored in the registry.

When administering the system. When a user makes changes to the system configuration using system administration tools (for example, using Control panels or snap MMC), all changes are immediately reflected in the system registry. In fact, administration tools are the most convenient and secure tools for modifying the registry. By the way, the registry editor ( regedit.exe), because all changes to the system can be made directly by editing the registry.

■ During the boot and operation of the operating system, the registry data is constantly accessed, both for reading and writing. Registry files are constantly changing, since not only the system, but also individual applications can use the registry to store their own data, parameters and settings. In other words, accessing the registry is one of the most common operations. Even if the user is not working at the computer, access to the registry is still performed by system services, drivers, and applications.

■ Violation of the integrity of the registry files (violation of the data structure) or incorrect values ​​of certain critical parameters can lead to a system crash. Therefore, before experimenting with the registry, take care of the possibility of saving and restoring it.

The Windows Registry is one of the most mysterious parts of the operating system that allows you to customize and modify almost every aspect of Windows. Some people work with the registry all the time, but most people have only a faint understanding of it and are not quite sure how to create custom sections and parameters. So let's try to figure out what the Windows registry is.

What is the Windows Registry

The Windows registry is nothing more than a collection of various system configurations and settings.

It can be thought of as a database that stores almost all of the important information. This information includes everything related to the hardware system, application settings, installed programs, user profiles, etc. Windows constantly accesses the registry, because, as already mentioned, all important information is stored in it, and it is much faster and easier for the operating system to manage everything from one place than fiddling with separate configuration files located in different places.

Windows registry components

The Windows 10 registry has three main components - root-level keys, keys, and settings.

Root-level keys contain sections that have their own set of parameters.

There are five different root level keys, and they all have their own specific purposes. Here is their essence:

  • HKEY_CLASSES_ROOT (HKCR): this key is used for Object Linking and Embedding (OLE) and file type associations. This is the key where Windows associates files with their respective programs so that the user can open and interact with them.
  • HKEY_CURRENT_USER (HKCU): This Windows registry key stores all data, user-level settings and configurations associated with the logged on user. Not only Windows, but also other programs store data related to the current user here.
  • HKEY_LOCAL_MACHINE (HKLM): regardless of the user's status, this key contains all system partitions, including any hardware settings, software parameters, etc. Since HKLM contains most of all system information, it is one of the most public Windows root keys.
  • HKEY_USERS (HKU): as the name suggests, this root key contains the settings for all users, including logged in and out, so do not confuse this key with HKCU.
  • HKEY_CURRENT_CONFIG (HKCC): simply put, it is a pseudo root key as it is a direct link to the current hardware profile settings in the HKLM root key.

Section parameters

Each of these root keys has its own sections, and each section has its own parameters. Each section can create 6 different types of parameters, and the values ​​of these parameters are completely dependent on the target program and / or configuration requirements.

In general, there are four main types of data used in the Windows registry editor of any version - 7.8 or 10:

  • String parameter: consists of plain, readable text and is one of the most commonly used settings in the Windows registry.
  • Binary parameter: as the name suggests, this parameter only contains binary data (0, 1). Often used to enable or disable a specific feature.
  • ParameterDWORD (32 bits): similar to a binary parameter, but capable of storing any integer in the range of 32 bits. Designed to work with 32-bit systems, but also used on 64-bit systems for backward compatibility.
  • ParameterQWORD (64 bits): this parameter is almost like a DWORD, but is capable of carrying any integer in the range of 64 bits. We can say that QWORD is designed to work with 64-bit systems.

How to open the Windows Registry Editor

This way of opening the registry will work regardless of the installed version of Windows - 7.8 or 10:

Press KEY + R KEY to open the Run window. Type or and press Enter or OK. If a User Account Control (UAC) window appears, click Yes.

The main executable file of the registry editor is located in the directory C: \ Windows... So you can open that folder and run the regedit.exe file directly, or you can simply create a shortcut to regedit.exe in a location convenient for you.

Registry Editor: For 64-bit and 32-bit Windows

The registry in 64-bit versions of Windows consists of 32-bit and 64-bit sections. Many of the 32-bit partitions have the same names as their 64-bit counterparts, and vice versa.

The 64-bit version (default) (regedit.exe) displays both 64-bit and 32-bit partitions. In the 64-bit version of Registry Editor, 32-bit keys appear in the following registry key:

HKEY_LOCAL_MACHINE \ Software \ WOW6432Node

You can view and edit 64-bit and 32-bit sections and parameters using the 64-bit version of the editor. To view or edit 64-bit keys, you must use the 64-bit version of the Registry Editor (regedit.exe). You can also edit and view 32-bit keys and values ​​using the 32-bit version (% systemroot \% Syswow64). To open the 32-bit version of Registry Editor, follow these steps:

  • Open the Run dialog.
  • Enter % systemroot% \ syswow64 \ regedit and click OK.

Note

Before opening the 32-bit version, you must close the 64-bit version of Registry Editor (and vice versa). However, you can open a second instance of Registry Editor. For example, if the 64-bit version of the editor is already running, enter the command % systemroot% \ syswow64 \ regedit -m to launch the 32-bit version of the editor.

Creating new sections and parameters

It is very easy to create sections and parameters. But before doing anything, please back up the Windows Registry, as any incorrect settings or deletion of important items can cause critical errors.

To create a backup, in the editor window, click "File -> Export", enter a file name and save it in a safe place.

To create a new section, right-click on the root level key and select New -> Section. The new section will look like a folder, and by default it will be named something like "New Section # 1". Of course, you can always rename a section. The same procedure applies whenever a new subkey needs to be created.

To create a new parameter, right-click in an empty area in the right pane of the editor and select the parameter you want. The created parameter must be given a name; the name depends entirely on the specific requirements.

To assign a value to a parameter, double-click it and enter a value. Again, the value depends on the program or specific settings.

Permissions for registry keys

By analogy with the rights and permissions for certain objects in the NTFS file system, the same protection is provided for the registry keys.

Since the days of Windows Vista, a large number of OS-specific registry keys that store Windows settings have been protected by Windows Resource Protection, so you can't just remove or change them. You cannot do this without becoming the owner of them and setting permissions (access rights) on them. Fortunately, the operating system allows this as well, but the manual method is too tedious, so it is better to use a simple utility that automates this entire process.

That's all! I hope the above has helped you better understand the Windows Registry and its main components. Share your views and experiences in the comments below!

Have a great day!

So, today the conversation will focus on a topic that would seem not very important, but, in fact, very necessary for every Windows user (and there are an overwhelming majority of them) - about what the registry is, what it consists of, why it is needed and how to save it in their bins. So what is a registry anyway? In essence, this is a huge, hierarchically structured database, powered by user requests. This database is needed to organize data about the system, as well as to optimize access to them. The registry contains a lot of diverse information both about the usual settings of the operating system and about various fine-tuning settings, including security settings and work with low-level programs, as well as drivers.

The registry is not an external program, it is part of the operating system. When the system boots, Ntdetect searches for the registry files and loads the parameters of this very boot from there. knowledge of registry keys and knowledge of their significance is essential for effective system management. And also at least for an elementary diagnosis of "why it doesn't work like that." The registry is a tree-like system of value / key catalogs. Which are responsible for certain settings. Moreover, it should be borne in mind that different keys can be of different types - from boolean to string.

Illustrative anatomy.

So, it's worth telling what the registry physically consists of and how it works. It's worth making a reservation right away. That in the form in which the registry is presented to the user, it is not stored anywhere and special programs are needed to edit it - registry editors. The standard regedit.exe and regedit32.exe are fine. In the process of setting up and installing the system, some part of the registry data is formed, and also during the operation of the system - another. As a result, when the system boots, the virtual object REGISTRY \ is formed, which is the registry. To edit, view and study the registry using standard Windows tools (programs regedit.exe and regedt32.exe), it is the registry branches that are available. After editing the registry and / or making changes to it, these changes are immediately written to the files that are integral parts of the registry. These are, in Windows 95 and Windows 98, user.dat and system.dat; on Windows ME - user.dat, classes.dat and system.dat. In later versions of the system, a much larger number of necessary files appeared.

About the shortcomings and how scammers make money on these shortcomings.

In fact, the system is quite complex, but quite reliable. Due to the excessive complexity, it is difficult to fragment the registry, and therefore with the speed of its operation. Also, the registry tends to become excessively "fat" as a result of the accumulation of data over a long period of time, which also complicates its functioning. This problem is solved with the help of special programs to optimize and clean the registry. When dealing with this issue on your own, you should remember that you should not delete something from the registry if you do not know about its purpose - this can seriously damage the system, or even disable it altogether. In addition, scammers are trying to get on with these problems - the network is full of offers "download a program to optimize the registry, after the installation of which the computer will run 30% faster." Usually, such an offer is followed by a form for sending an SMS, which confirms the previous suspicions. You should not pay attention to such things, and even more so believe them - then you will not lose either money or nerves.

The main branches of the registry, their meaning and purpose.

HKEY_CLASSES_ROOT is a link to HKEY_LOCAL_MACHINE \ Software \ Classes. The information stored here ensures that the required program is launched when the file is opened using Explorer. This section contains relationships between applications and file types, and information about OLE.

HKEY_USERS - This section contains settings for all users of the computer.

HKEY_CURRENT_USER - this branch is a link to a specific internal subkey HKEY_USERS. All settings are set in accordance with which of the users is currently in the system (i.e. which session is active).

HKEY_LOCAL_MACHINE - Contains practically the settings and parameters that belong to this computer, including hardware settings, hardware configuration and user profiles.

HKEY_CURRENT_CONFIG is essentially just a reference to HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Hardware Profiles \ Current. There you will find all the incoming hardware settings required to start the system.

The main standard sections written above cannot be deleted or renamed. Some registry keys are volatile and are not stored in any file. The OS creates and manages these partitions entirely in RAM without storing them on the hard drive, so they are temporary in nature. The system creates volatile partitions every time it boots. For example, HKEY_LOCAL_MACHINE \ HARDWARE is a registry key that stores information about hardware devices and their assigned resources. Resource assignment and hardware discovery occurs every time the system boots, so it is logical and natural that this data does not need to be permanently stored on the hard disk.

How to keep "already acquired".

Sometimes it is useful to make a backup (backup) of the system registry - for fear of damage to it. This can happen as a result of unsuccessful experiments with the registry, incorrect installation of drivers, and many dozen other reasons. And to have it "just in case" also does not hurt. In order not to do this manually every time, you can use one of the many autobackup programs, for example, Comodo Backup.

Similar publications: