
Basic overview of Windows registry

The Windows registry is a central hierarchical database used to store the information needed to configure the system for one or more users, applications and hardware devices. It contains information that Windows continually references during operation, such as the profile for each user and the applications installed on the machine.

What is a registry hive?

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.

A new hive is created each time a user logs on to a computer, with a separate file for the user profile known as the user profile hive. This user's hive contains specific registry information pertaining to the user's application settings, desktop, environment, network connections and printers. User profile hives are located under the HKEY_USERS key.

The supporting files (which hold a backup of the hive's data) for all hives are stored in the %SystemRoot%\System32\Config folder, while those for HKEY_CURRENT_USER are stored in %SystemRoot%\Profiles\Username.

The following table displays the mapping of the supporting file locations to each registry hive:

Note that some of the values displayed under the supporting files may be outdated on modern Windows versions.

Registry hive                Supporting files
---------------------------  -----------------------------------------------------------------------
HKEY_LOCAL_MACHINE\SAM       Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security  Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software  Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System    System, System.alt, System.log, System.sav
HKEY_CURRENT_CONFIG          System, System.alt, System.log, System.sav, Ntuser.dat, Ntuser.dat.log
HKEY_USERS\DEFAULT           Default, Default.log, Default.sav
HKEY_CURRENT_USER            Ntuser.dat, Ntuser.dat.log

Retrieving information for a particular hive

We can use a few methods to retrieve information for a particular hive:

  1. Registry editor

  2. reg.exe

     reg query <hive> /s ...

  3. Supporting files location

     This method will not work; it simply returns the error message "The process cannot access the file because it is being used by another process." This is because the supporting files cannot be read or accessed by any user while the Windows operating system is running.

     dir /s /b %SystemRoot%\System32\Config\<hive_supporting_filename>
     dir /s /b %SystemRoot%\Profiles\Username\<hive_supporting_filename>

Example

Given that we want to retrieve information about the HKEY_LOCAL_MACHINE\SAM hive:

Using reg.exe

reg query HKEY_LOCAL_MACHINE\SAM /s

REM save the hive to a separate file (requires an elevated command prompt)
reg save HKEY_LOCAL_MACHINE\SAM <local_file_path_to_save>
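As an added example (not part of the original page), the following PowerShell script walks the hive-to-file mapping from the table above and reports, for each machine hive's supporting file under %SystemRoot%\System32\Config, whether it is missing, locked by the running system (the "being used by another process" error described under method 3), access-denied, or readable. The file names are assumed from the table, so entries that no longer exist on modern Windows simply show as missing.

```powershell
# Added example: inventory the machine hive supporting files and test whether
# each can be opened for reading. File names are taken from the table above
# (an assumption); outdated names will be reported as 'missing'.
$configDir = Join-Path $env:SystemRoot 'System32\Config'

$hiveFiles = @{
    'HKEY_LOCAL_MACHINE\SAM'      = @('Sam', 'Sam.log', 'Sam.sav')
    'HKEY_LOCAL_MACHINE\Security' = @('Security', 'Security.log', 'Security.sav')
    'HKEY_LOCAL_MACHINE\Software' = @('Software', 'Software.log', 'Software.sav')
    'HKEY_LOCAL_MACHINE\System'   = @('System', 'System.alt', 'System.log', 'System.sav')
    'HKEY_USERS\DEFAULT'          = @('Default', 'Default.log', 'Default.sav')
}

function Test-HiveFileAccess {
    param([string]$Path)
    # Returns one of: 'missing', 'locked', 'denied', 'readable'.
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    try {
        # FileMode.Open, FileAccess.Read, FileShare.Read
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'Read')
        $fs.Close()
        return 'readable'
    } catch [System.IO.IOException] {
        # Sharing violation: the hive file is held open exclusively by the
        # operating system while Windows is running.
        return 'locked'
    } catch [System.UnauthorizedAccessException] {
        # ACL denies this account (typical for a non-elevated user).
        return 'denied'
    }
}

foreach ($hive in $hiveFiles.Keys) {
    foreach ($name in $hiveFiles[$hive]) {
        $path = Join-Path $configDir $name
        [pscustomobject]@{
            Hive   = $hive
            File   = $path
            Status = Test-HiveFileAccess -Path $path
        }
    }
}
```

Run it from an elevated prompt to see the live hives (Sam, Security, Software, System, Default) reported as locked rather than denied; the user hive Ntuser.dat lives in the profile directory and is not covered here.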
