Cracking the Code: Dive Deep into Windows Registry

Captions
As an IT professional, it's almost impossible to troubleshoot Windows effectively if you do not understand the Windows registry, so this is going to be a very hands-on as well as practical presentation: a technical look at the Windows registry.

Let's begin our technical dive into this subject by first asking: what is the registry? The registry is a hierarchical database. There are critics that claim it's just a flat database, but one thing for sure everyone agrees on: it's complex. Hierarchical databases have a tree structure, and the registry does have a tree structure. The registry is a hierarchical database in which applications and system components store and retrieve configuration data. It's the repository for both system-wide operating system settings and per-user settings. Currently hierarchical databases are still widely used, especially in applications that require very high performance and availability such as banking and telecommunications. The registry saves all data in binary form for speed and memory efficiency; this is very important for Windows.

In understanding the question "what is the registry," let's first go and find the files that make up the registry. So I'm going to go to my virtual machine and run regedit. Most of you are familiar with regedit. I'm going to run it as an administrator; you don't have to. I have opened it up to a location you can see I'm in. Let me scroll this up and over. I've started with the HKEY, which is called a root key, and I went down to SYSTEM, ControlSet001, Control, and let's scroll down here until we get to a subkey called hivelist. This is a very interesting registry key because it shows us the path and the name of the files that make up the registry, and you can see some of them. We've got the BCD file, which is your hive that controls how Windows boots. That's actually in the UEFI system partition, so I'm going to launch Disk Management. You can see I've got a 99 megabyte EFI system partition, and that is where that BCD hive is located, and that's a critical boot registry hive.

You'll notice the rest of them are in HarddiskVolume4, which is C drive. They're in Windows\System32\config, and notice most of the hives that make up the registry are in that same folder: DEFAULT, which is going to be our HKEY_USERS; SYSTEM; SOFTWARE; SECURITY; SAM. We have a few profile registry files, NTUSER.DAT, and this one is for services. Let me go here and launch my Services app, and why is that important? If you notice, there is an account called Local System, and that file, this registry hive, is responsible for that Local Service account. There are also some of these services that are being run by a Network Service account, and that is being taken care of by this registry hive, NetworkService. We have John with his own NTUSER.DAT; this is his hive that represents his user-specific information, and we also have for John a UsrClass.dat, and you can see it's in AppData\Local\Microsoft\Windows. What's so nice about this hivelist is it shows you where your registry files are. The rest of these files have to do with an app over here; this is a new app from Microsoft called Your Phone. It allows you to take your Android phone and tie it into Windows. I've tried it; I wasn't impressed, it couldn't stay synced, so I gave up on it, but you can see it also has put some files into the registry.

So back to that question: what is the registry? It's strategically located and placed files on the hard drive that are loaded into memory and that provide the massive configuration information for the operating system and every user that's logged on or part of the system. The Configuration Manager is an executive component of the Windows kernel, and it's responsible for implementing the registry database. Here's a basic block diagram of Windows, and you can see it's divided into user mode and kernel mode. You'll notice under kernel mode you have a block there called Executive; that's where the Configuration Manager is. So here we have a more granular view of that same thing; here we can see the Configuration Manager actually in a block. The Configuration Manager is responsible for loading the hives into memory and allowing applications and systems to do their reading, writing, and querying of the database.

Here I have the classic Registry Editor open, and you can see I've got My Computer highlighted. If you look at the five keys that are below it, most of you are comfortable with this: these are the root keys of the registry, and they make up the tree structure that we've talked about in the hierarchical database. Have you ever wondered why they all begin with HKEY? HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE. Have you ever wondered why it's HKEY? Let me open up HKEY_LOCAL_MACHINE, and you can see there are lots of subkeys under it, but none of them begin with HKEY: BCD or HARDWARE, they just begin with a key name. Only these five begin with HKEY. Why? Because this explains how applications, processes, and the operating system access the registry: they access the registry via handles. That's what the H means in each of those names: handles. Let me explain. Here's Process Explorer, and Process Explorer allows me to see visually all the processes and applications running in user mode. I'm going to double-click this text file, and it's going to open Notepad. When Notepad runs, it's an application or process; it needs to access folders, files, registry keys, and other resources, graphical objects. When any process or application in Windows wants to access those types of resources, it does it via handles. So here in Process Explorer I'm going to scroll down and we'll look at Notepad, and we can come over to the column that's dealing with handles, and you can see Notepad is using two hundred and sixty-four handles. So we know that some of those handles are tied to registry keys, folders, files, graphical objects, and we can actually drill in and see what those are. I'm going to come up here and show my lower pane, and I've asked to see handles in the lower pane. So I'm selecting Notepad and you can see all the handles that are being used by Notepad, and guess what, it's accessing a registry key under HKEY_USERS: it's accessing the Classes key, or the Software\Classes\Local Settings key. But notice it doesn't go to just this subkey; it starts with the handle key, HKEY_CURRENT_USER. If it wants to access a key in HKEY_LOCAL_MACHINE, it opens the HKEY_LOCAL_MACHINE handle key. So applications always access the registry via these keys. It may want a subkey many layers down, but it always begins by requesting an HKEY root key. Here we have OneDrive, and I've slid down and we can find the registry, and notice no matter what subkey it wants to access, it always accesses it via an HKEY, a handle key. So the registry provides these five keys; these are handle keys. No matter what subkey they need, they must access one of these root handle keys to get to that value.

Often technical documentation will not use the full name of a root key in your registry; instead they'll use the abbreviation, so it's important for techs to become aware of the appropriate abbreviations for the root keys. Many times they simply won't use those long names.

When we open up the Registry Editor we see five keys. Most of you are very comfortable with this, but only two of them are really legitimate pointers to the registry: one is HKEY_LOCAL_MACHINE, and the other is HKEY_USERS. Oh, wait a minute, Mr. Poole, what about the others? HKEY_CURRENT_CONFIG and HKEY_CLASSES_ROOT are really there for backward compatibility. HKEY_CURRENT_USER is there strictly to allow applications to quickly access registry information representing the currently logged-on user. HKEY_LOCAL_MACHINE is the most comprehensive of all the root keys. It represents the BCD, the hardware, the Security Accounts Manager, which is SAM, security policies, all the software installed on your system, and the operating system, which is represented by SYSTEM. HKEY_LOCAL_MACHINE is made of many hives, and I've got all the hives listed with their paths and their names. So C:\Windows\System32\config, and then we have the hive SYSTEM, the hive SOFTWARE, the hive SAM, SECURITY, and then in the EFI system partition we have the BCD hive. That is all being pulled up and shown when you open HKEY_LOCAL_MACHINE.

HKEY_USERS: its hive is found in System32\config, and the hive is called DEFAULT. All the users that are registered on that PC, the local PC, are saved in the HKEY_USERS key. They're listed by SIDs, and if you'll notice, that's the S-1-5-18, 19, 20, 21. Those security IDs are how they list the users. There is one that is called .DEFAULT, and that represents the system profile under which the system account runs; that's indicated by the blue arrow. That's very similar to the root user in Linux. The HKEY_USERS key also points to a hard drive path called C:\Users. Most of you are comfortable with this; this is where users have their profiles stored. HKEY_CURRENT_CONFIG is simply a shortcut to the HKEY_LOCAL_MACHINE subkey called Current. This is really there for backward compatibility; I believe it was XP, when XP was using hardware profiles. HKEY_CLASSES_ROOT, again, is a copy of the following HKEY_LOCAL_MACHINE subkey called Classes, indicated by the green arrow. And then last, HKEY_CURRENT_USER represents the logged-on user from the HKEY_USERS hive.

Let me share a couple of concepts that have really helped me understand the registry better. We've already confirmed that HKEY_LOCAL_MACHINE and HKEY_USERS are really the only two keys that are legitimate pointers into the registry, so think of this as one hard drive: HKEY_LOCAL_MACHINE is a hard drive, HKEY_USERS is a hard drive. So as we look at HKEY_LOCAL_MACHINE, we think of that as our hard drive. We see all these subkeys that represent directories on that hard drive; these are all called keys. In this particular key I see we have a bunch of value names; think of these as files in this directory. I know it's a key, but think of it as a directory. These are all file names in the directory, and each file contains data. So in this case the name of this file is BaseBoardManufacturer, this is BaseBoardProduct, BIOSReleaseDate. So in the registry we call them value names; think of them as file names, and in each one of these files is data. That data could be ASCII text such as "Microsoft Corporation," or it could be a date, or the file could contain version information, or the file could contain hexadecimal information or 32-bit binary information. So each of these value names, think of them as files, and the data is what is in that file.

So what kind of data can we store in the registry? What can we put in those files? We can put various types of specific data. This is a chart that shows you the different kinds of data that you can put in a value name. You can do fixed-length Unicode strings; here we've got REG_BINARY, arbitrary-length binary data; REG_DWORD, a 32-bit number; and you can go on and on, you can look at this list. This is the type of data that you can put in the registry. Here's the takeaway: REG_BINARY and REG_DWORD make up 94% of all the types of data in the registry. All the other ones that are in this chart are very limited and used very little. 94% of the registry is either REG_BINARY or REG_DWORD.

IT professionals often have to use Registry Editor and edit the registry to fix something, add a feature, or correct a problem, so it's something we do. There are a couple of things I want to share that are good tips and tricks and some good best practices. In this case I'm a fan of right-mouse context menus, so I'm often in, let's say, a directory like Program Files, and I would like to use the Shift key and right-mouse click and get access to a command line window. I want to pop up a command line window right here at Program Files. Well, Microsoft is pushing PowerShell, so they've moved that out and they've put in PowerShell, which is great, but don't get rid of my command line. So I'm going to look for an article or somewhere where they have a registry hack that I can use to put that feature back in. So I found some articles that tell me how to find a registry key and fix that and add that feature back into my right-mouse-click context menu. In this article they're giving me the path to the registry subkey; in this case they're showing me in the article right here, and I'm going to take that and copy it. What I'm going to do is, I could drill down and try to find it that way, but I'm not; I'm just going to replace this command line window and just type it in. That gets me right to where I want to go; that saves me a lot of time. So based on the information in your article, it is going to be this subkey, and the value names are the files here that we're going to modify.

Now before I do anything, I am going to export this key as a backup. So I'm going to go to Export, and I'm just going to call this "my CMD key," and I'm going to save this, because if something goes wrong, something fails, or I'm doing this for a user and two weeks from now they want it back, I'm going to keep this backup of this registry element; I want to save it. Now I'm going to go ahead and right-mouse click and change permissions in here. I'm going to choose the application package, go to Advanced, and before, the owner was TrustedInstaller, and I went to Change and edited it to myself, and I'm logged on as John. I've added John as the owner and then I applied that. Then I'm going to go ahead and come back to Administrators in the access list and I'm going to check Full Control, and that finally gave me rights to the key so that I can modify it. Now I can go to the value name, and in this case I did this value name: I right-mouse clicked, I renamed it, and I typed in ShowBasedOnVelocityId, and when I changed that it then gave me back... Now notice I did not have to hit a Save button. If I go to my folder now and I pull up the menu, notice my "Open command window here." So now I have both my PowerShell option and my command line window here. So be accurate, be careful, and back up your keys so you can restore later.

Over the many years of Windows, Microsoft has taken a real hit on the subject of the registry. It has been less than stable and has caused so many problems, especially for the enterprise support side. Now in the Windows directory I'm in System32 and then config, and this is where our registry hives are; almost all of the registry hives are here. If you've been in here lately you'll notice it's got a lot of stuff in here. Let's take a look at what has happened since Vista and why all of these files are in our config folder. Be sure, if you go there and you don't see all the files that I just showed you, to change your folder view options: make sure you can see hidden files, folders, and drives. I always uncheck "Hide extensions" because I'm a tech, I want to see extensions, and then uncheck "Hide protected operating system files." If you don't do that, you won't see these files.

The Windows registry was a database, and it was forever getting corrupted, and Microsoft was taking some real heat because of this problem; it just wasn't consistent. With the advent of Vista, Microsoft introduced the Kernel Transaction Manager. This set the stage, or the platform, that allowed Microsoft to begin to take many things like NTFS and the registry and begin to apply this transaction manager feature to these critical elements. So now the registry is protected during updates; it has robust transaction rollback and error recovery capabilities; it is protected from multiple sources; and it gives it all of the database ACID protections, which are known as atomicity, consistency, isolation, and durability. Now in the config folder is a subdirectory called TxR, and this is where the registry transaction manager stores the files that it needs to use. When you look at your config folder you'll see your TxR folder (uppercase T, lowercase x, uppercase R). So because of this new technology, registry hives have a number of new extensions. If the registry hive has no extension, it's a complete copy of the hive; it's the actual running version of the hive. If there's a .alt, it's a backup copy. If it's a .log, it's a transaction log of changes to the keys and value entries in the hive. If it's a .sav, it's a backup copy of the hive. This is relatively new: in the config folder the Configuration Manager now uses log hives as a way to make sure that the registry hive is always in a recoverable state. The Configuration Manager uses a dual logging scheme; that's why you'll see a hive with .LOG1 and .LOG2. When the Configuration Manager schedules a lazy write operation, or what is known as a hive sync, once it's scheduled, within five seconds data will be permanently written to the registry hive. Windows 10 has definitely shown a movement in registry resilience because of this technology.

Now I have spent a great deal of time showing you the registry via one program called the Registry Editor, but I'm going to throw a monkey wrench into this and tell you that this Registry Editor does not show you a complete picture of the registry. This is really important to understand: there is no complete registry until the Configuration Manager loads all the hives into an actively running copy of Windows. Developers and APIs in Windows need a set of registry hives that are considered volatile; in other words, they're only built every time you boot up. When you shut down, those volatile registry hives go away. When you have your registry hives on your hard drive and Windows boots up, the Configuration Manager actually creates a set of volatile registry hives that then makes up the entire picture of the registry, and that is what APIs and developers use. Here's a complete chart of what is shown in memory from the registry.

While we're on the topic of registry and memory, I'm going to launch the Sysinternals Process Explorer. If we launch System Information, there's a section called Kernel Memory, and it includes non-paged kernel memory; in other words, it's never paged out to a page file. And then there are sections of kernel memory that can be; it's in this section here that we actually put our registry. It can be paged out if necessary, but it is always in this kernel memory section.

Here I'm back at my virtual machine and I've launched, this time, Process Monitor. This is a tool I really love because it helps me understand how Windows works. Process Monitor allows me to see all the events that are taking place by threads and processes, network activity, file access, and registry. So I'm going to turn on the capture feature, and if you'd like to learn about this particular tool, there'll be a link in the video description that will take you to a video I did that really walks you through how to use this tool. But let's go: I'm going to turn off, I don't want to see, threads and processes, and I don't want to look at network activity, and I don't want to look at file access. I want to focus on what the operating system is doing relative to the registry. If you notice, over here we see the process names, and over here we see query registry activity. I'm going to do the auto scroll, actually I'm going to turn that back on, and you can actually see how busy the operating system is in querying, looking at, reading, interacting with the registry. There is no time, even when your PC seems to be doing nothing, that it is not engaged in the registry.

There are four principal times when the registry is heavily read. First, during the initial boot process; this is where the BCD key is heavily involved. Second, during the kernel boot process, where the kernel settings, device drivers, system elements, memory manager, process manager, all of those are being configured; that's during the kernel boot. Third is during your logon: when you log on there's heavy reading of HKEY_CURRENT_USER to determine wallpaper, network drive mapping, screen saver, menu behavior, icon placement, startup programs, and on and on. So this is the third time that Windows heavily reads the registry. And fourth, during application startup: when you start an application there is heavy reading of the registry.

There is so much to talk about in the subject of the registry, especially for techs and administrators. I have included in the notes and in the slide deck that you can download from the video description a lot of additional information that I will not cover in the video.

We can't end this discussion without talking about backups, so I'm going to go to restore points and launch my System Properties, under System Protection, and this is where your restore point software is controlled and managed. Remember, the latest versions of Windows have actually turned restore points off. This is something that, if you're supporting users, especially with critical desktops, I would highly recommend you go and make sure that restore points are on. Restore points are all about backing up and the ability to restore your registry, so if you're not doing this, you need to do it. I'm not going to spend a lot of time on this because there are a thousand videos on restore points on YouTube, but I would encourage you to set your configuration, the amount of data that you use, to at least 10% of your hard drive. Why? Because it gives you more restore points to choose from when you get into a pickle. When you have a problem, you want as many backups as possible. If you've been in IT very long, you'll know that there are times that even restore points do not work, and it's always nice to have an ace in your back pocket, and that is found in the RegBack folder under config. If you look at the latest versions of Windows, they have turned off this task that Microsoft used to run that would back up all your registry hives. As you can see, I have a full copy here. This is really, really nice. This is for manual restore; in other words, you have to have an offline disk that you can boot to, or an offline flash drive that you boot to, and you can manually simply copy these and overwrite your existing files in your config folder. This is a manual process, but boy, it has saved my hide more than once. But it is now turned off by default in the newest versions of Windows, so you can turn it back on; I'll link you to an article on how to turn this back on. This is really nice to have on your own desktop and on any critical desktops that you support in the enterprise.
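The talk's chart claims REG_BINARY and REG_DWORD account for 94% of registry data; the script below is an added example (not the presenter's material) that lets you measure the type mix on your own machine by walking a subtree and tallying each value's type through the same `GetValueKind` call the registry API exposes. The default path and the `MaxKeys` bound are assumptions chosen for the demo; it only reads, and needs no elevation for the default path. Windows PowerShell 5.1 or PowerShell 7 on Windows is assumed.

```powershell
# Added example, not from the video: tally the REG_* data types used under a subtree.
function Get-RegistryValueKindTally {
    [CmdletBinding()]
    param(
        # Subtree to scan; this default is an assumption for the demo.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
        # Safety valve so scanning something as large as HKLM:\SOFTWARE stays bounded.
        [int]$MaxKeys = 20000
    )

    $tally    = @{}
    $keysSeen = 0

    # Get-Item returns the root key itself; Get-ChildItem -Recurse returns every subkey.
    # Both are Microsoft.Win32.RegistryKey objects, so GetValueNames()/GetValueKind() work.
    $keys = @(Get-Item -Path $Path -ErrorAction Stop) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        if (++$keysSeen -gt $MaxKeys) { break }
        foreach ($name in $key.GetValueNames()) {
            # RegistryValueKind names map to the REG_* types: DWord = REG_DWORD, Binary = REG_BINARY,
            # String = REG_SZ, ExpandString = REG_EXPAND_SZ, MultiString = REG_MULTI_SZ, QWord = REG_QWORD.
            $kind = $key.GetValueKind($name).ToString()
            $tally[$kind] = 1 + [int]$tally[$kind]
        }
    }

    $total = [int](($tally.Values | Measure-Object -Sum).Sum)
    $rows = foreach ($kind in ($tally.Keys | Sort-Object { -$tally[$_] })) {
        [pscustomobject]@{
            ValueKind = $kind
            Count     = $tally[$kind]
            Percent   = if ($total) { [math]::Round(100 * $tally[$kind] / $total, 1) } else { 0 }
        }
    }

    # The figure the talk quotes (94% REG_BINARY + REG_DWORD) is what this share lets you check.
    $binDword = [int]$tally['Binary'] + [int]$tally['DWord']
    $share    = if ($total) { 100 * $binDword / $total } else { 0 }
    Write-Verbose ("{0} keys scanned, {1} values; REG_BINARY+REG_DWORD share = {2:N1}%" -f $keysSeen, $total, $share)
    $rows
}

# Usage:
#   Get-RegistryValueKindTally -Verbose | Format-Table -AutoSize
#   Get-RegistryValueKindTally -Path 'HKLM:\SOFTWARE' -MaxKeys 50000 -Verbose | Format-Table -AutoSize
```

Expect the share to vary a lot by subtree: application keys under SOFTWARE tend to be string-heavy, while SYSTEM and the Classes hive skew toward DWORD and binary blobs, which is why a whole-registry figure and a single-subtree figure rarely agree.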
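The presenter's habit of exporting a key before touching it, then renaming a value, then checking the result, scripted as an added example (not the presenter's own code). The key `HKCU\Software\RegistryDemo` and the value names `HideFeature` / `ShowFeature` are constructed for the demo so the script runs without elevation or taking ownership; the backup directory under `%TEMP%` is likewise an assumption. It uses `reg.exe export` / `reg.exe import`, which write and read the same `.reg` format as regedit's Export menu. Windows PowerShell 5.1 or PowerShell 7 on Windows is assumed.

```powershell
# Added example, not from the video: export-first editing of a registry key, with rollback.
function Backup-RegistryKey {
    # Export a key to a timestamped .reg file and return its path.
    # reg.exe takes the HKCU\... form of the key, not the HKCU:\ provider-drive form.
    param(
        [Parameter(Mandatory)][string]$KeyPath,                       # e.g. 'HKCU\Software\RegistryDemo'
        [string]$BackupDir = (Join-Path $env:TEMP 'reg-backups')      # assumed location for the demo
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir ('{0}-{1}.reg' -f ($KeyPath -replace '[\\:]', '_'), $stamp)
    & reg.exe export $KeyPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $file)) {
        throw "reg.exe export of $KeyPath failed (exit code $LASTEXITCODE); refusing to edit without a backup."
    }
    return $file
}

function Restore-RegistryKey {
    # Re-import a .reg backup. Import merges: values added after the export are NOT removed,
    # which is exactly what happens when you double-click the exported file in Explorer.
    param([Parameter(Mandatory)][string]$BackupFile)
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import of $BackupFile failed (exit code $LASTEXITCODE)." }
}

function Get-DemoValueList {
    # Render the key's values as "name=data, name=data" (PS* provider properties filtered out).
    param([Parameter(Mandatory)][string]$DrivePath)
    $props = (Get-ItemProperty -Path $DrivePath).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    return ($props | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ', '
}

# --- demo on a constructed key (safe: lives under the current user's hive) ---------------------
$demoKey = 'HKCU\Software\RegistryDemo'      # reg.exe form
$demoDrv = 'HKCU:\Software\RegistryDemo'     # PowerShell provider form
New-Item -Path $demoDrv -Force | Out-Null
New-ItemProperty -Path $demoDrv -Name 'HideFeature' -PropertyType DWord -Value 1 -Force | Out-Null
"Before: " + (Get-DemoValueList -DrivePath $demoDrv)

# 1. Back up before touching anything (the "my CMD key" export from the talk, automated).
$backup = Backup-RegistryKey -KeyPath $demoKey
"Backup written to $backup"

# 2. Make the change. The talk renames a value rather than editing its data; do the same.
Rename-ItemProperty -Path $demoDrv -Name 'HideFeature' -NewName 'ShowFeature'

# 3. Verify it took. There is no Save button in regedit; registry writes are immediate.
if ((Get-ItemProperty -Path $demoDrv).PSObject.Properties.Name -notcontains 'ShowFeature') {
    throw 'rename did not apply'
}
"After edit: " + (Get-DemoValueList -DrivePath $demoDrv)

# 4. Roll back from the export when the user wants the old behaviour back two weeks later.
Restore-RegistryKey -BackupFile $backup
# The merge brings HideFeature back but leaves ShowFeature in place; remove it explicitly.
Remove-ItemProperty -Path $demoDrv -Name 'ShowFeature' -ErrorAction SilentlyContinue
"After restore: " + (Get-DemoValueList -DrivePath $demoDrv)
```

The point of step 4 is the one people trip over: a `.reg` import is a merge, not a snapshot restore, so a rename leaves the new name behind and a deleted value is not recreated. If you need a true restore of a key that was changed in several ways, delete the key first (after confirming the backup file parses) and then import. Taking ownership from TrustedInstaller, as the presenter does for keys under HKLM, is a separate step that this demo avoids by working under HKCU.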
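To tie together the hivelist walk, the `.LOG1`/`.LOG2` dual logging, and the RegBack check from the end of the talk, here is an added example (not the presenter's material) that reports all three from an elevated session. Everything it does is read-only. The `hivelist` path and the `System32\config` layout are the ones the talk shows; the `EnablePeriodicBackup` value under `Control\Session Manager\Configuration Manager` is Microsoft's documented switch for the RegBack task that the presenter only refers to as "an article", and the observation that a hive with empty data in hivelist is a volatile, boot-built hive (HARDWARE is the usual one) is my own. Windows PowerShell 5.1 or PowerShell 7 on Windows, run as administrator, is assumed.

```powershell
# Added example, not from the video: hivelist -> files on disk, transaction logs, RegBack state.
function Get-LoadedHiveList {
    # Each property of the hivelist key is an in-memory registry path (\REGISTRY\MACHINE\SYSTEM,
    # \REGISTRY\USER\S-1-5-21-..., ...) whose data is the backing file as a kernel device path
    # (\Device\HarddiskVolumeN\...). Empty data means no file at all: a volatile hive built at boot.
    $hl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    foreach ($p in $hl.PSObject.Properties) {
        if ($p.Name -notlike '\REGISTRY\*') { continue }      # skip the PS* provider properties
        [pscustomobject]@{
            RegistryPath = $p.Name
            BackingFile  = $p.Value
            Volatile     = [string]::IsNullOrEmpty([string]$p.Value)
        }
    }
}

function Get-ConfigHiveFiles {
    # Primary hives in System32\config carry no extension; .LOG1 and .LOG2 are the two transaction
    # logs the Configuration Manager alternates between (the dual logging scheme from the talk).
    param([string]$ConfigDir = (Join-Path $env:SystemRoot 'System32\config'))
    $names = 'SYSTEM', 'SOFTWARE', 'SAM', 'SECURITY', 'DEFAULT'
    Get-ChildItem -Path $ConfigDir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.BaseName -in $names) -and ($_.Extension -in @('', '.LOG1', '.LOG2')) } |
        Sort-Object BaseName, Extension |
        Select-Object Name, Length, LastWriteTime
}

$cmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'

function Test-RegBackState {
    # Newer Windows 10 builds leave RegBack with zero-byte placeholders unless EnablePeriodicBackup=1.
    # This only reports; the one-liner to change it is at the bottom.
    param([string]$ConfigDir = (Join-Path $env:SystemRoot 'System32\config'))
    $regBack = Join-Path $ConfigDir 'RegBack'
    $files   = @(Get-ChildItem -Path $regBack -File -Force -ErrorAction SilentlyContinue)
    $usable  = @($files | Where-Object { $_.Length -gt 0 })        # 0-byte files are not restorable copies
    $newest  = $usable | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $flag    = (Get-ItemProperty -Path $cmKey -Name EnablePeriodicBackup -ErrorAction SilentlyContinue).EnablePeriodicBackup
    [pscustomobject]@{
        RegBackPath          = $regBack
        HiveCopiesPresent    = $usable.Count
        NewestCopy           = if ($newest) { $newest.LastWriteTime } else { $null }
        EnablePeriodicBackup = if ($null -eq $flag) { 'not set' } else { $flag }
    }
}

Get-LoadedHiveList  | Format-Table -AutoSize
Get-ConfigHiveFiles | Format-Table -AutoSize
Test-RegBackState   | Format-List

# To turn the periodic RegBack copies back on (elevated; takes effect on the next run of the
# scheduled RegIdleBackup task):
#   New-ItemProperty -Path $cmKey -Name EnablePeriodicBackup -PropertyType DWord -Value 1 -Force
```

Reading the output: a `.LOG1`/`.LOG2` pair whose `LastWriteTime` is newer than the primary hive is normal, since the log receives each change first and the hive catches up on the next sync. On the RegBack side, `HiveCopiesPresent = 0` with the flag `not set` is the state the presenter warns about: the folder exists but holds nothing you could copy over `config` from offline media.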
Info
Channel: TechsavvyProductions
Views: 79,109
Id: -bsLmDfvF1Y
Length: 27min 27sec (1647 seconds)
Published: Sun Mar 15 2020