Windows NT Registry Overview
By NeonSurge
Released through the rhino9 team
Preface
This is the third installment of whats been dubbed the "Get Familiar
with NT underground series." The first paper dealt with NetBIOS, the
second paper dealt with SMB's and the Redirector, this is the third
paper, Overview of the Windows NT registry. This paper is not meant for
NT engineers that already know the registry, and its not meant for
people that have read the 800+ page books on the registry Ive seen. This
paper is meant as a quick guide to get people understanding exactly what
this registry thing is. Enjoy, have fun, and as always, if you have
problems, comments, or questions contact me (neonsurge@abyss.com).
What is the Registry?
The windows registry provides for a somewhat secure, unified database
that stores configuration information into a hierarchical model. Until
recently, configuration files such as WIN.INI, were the only way to
configure windows applications and operating system functions. In todays
NT 4 enviroment, the registry replaces these .INI files. Each key in the
registry is similar to bracketed headings in an .INI file.
One of the main disadvantages to the older .INI files is that those
files are flat text files, which are unable to support nested headings
or contain data other than pure text. Registry keys can contain nested
headings in the form of subkeys. These subkeys provide finer details and
a greater range to the possible configuration information for a
particular operating system. Registry values can also consist of
executable code, as well as provide individual preferences for multiple
users of the same computer. The ability to store executable code within
the Registry extends its usage to operating system system and
application developers. The ability to store user-specific profile
information allows one to tailor the enviroment for specific individual
users.
To view the registry of an NT server, one would use the Registry Editor
tool. There are two versions of Registry Editor:
.:Regedt32.exe has the most menu items and more choices for the menu
items. You can search for keys and subkeys in the registry.
.:Regedit.exe enables you to search for strings, values, keys, and
subkeys. This feature is useful if you want to find specific data.
For ease of use, the Registry is divided into five seperate structures
that represent the Registry database in its entirety. These five groups
are known as Keys, and are discussed below:
HKEY_CURRENT_USER
This registry key contains the configuration information for the user
that is currently logged in. The users folders, screen colors, and
control panel settings are stored here. This information is known as a
User Profile.
HKEY_USERS
In windowsNT 3.5x, user profiles were stored locally (by default) in the
systemroot\system32\config directory. In NT4.0, they are stored in the
systemroot\profiles directory. User-Specific information is kept there,
as well as common, system wide user information.
This change in storage location has been brought about to parallel the
way in which Windows95 handles its user profiles. In earlier releases of
NT, the user profile was stored as a single file - either locally in the
\config directory or centrally on a server. In windowsNT 4, the single
user profile has been broken up into a number of subdirectories located
below the \profiles directory. The reason for this is mainly due to the
way in which the Win95 and WinNT4 operating systems use the underlying
directory structure to form part of their new user interface.
A user profile is now contained within the NtUser.dat (and
NtUser.dat.log) files, as well as the following subdirectories:
Application Data: This is a place to store application data specific to
this particular user.
Desktop: Placing an icon or a shortcut into this folder causes the that
icon or shortcut to appear on the desktop of the user.
Favorites: Provides a user with a personlized storage place for files,
shortcuts and other information.
NetHood: Maintains a list of personlized network connections.
Personal: Keeps track of personal documents for a particular user.
PrintHood: Similar to NetHood folder, PrintHood keeps track of printers
rather than network connections.
Recent: Contains information of recently used data.
SendTo: Provides a centralized store of shortcuts and output devices.
Start Menu: Contains configuration information for the users menu items.
Templates: Storage location for document templates.
HKEY_LOCAL_MACHINE
This key contains configuration information particular to the computer.
This information is stored in the systemroot\system32\config directory
as persistent operating system files, with the exception of the volatile
hardware key.
The information gleaned from this configuration data is used by
applications, device drivers, and the WindowsNT 4 operating system. The
latter usage determines what system configuration data to use, without
respect to the user currently logged on. For this reason the
HKEY_LOCAL_MACHINE regsitry key is of specific importance to
administrators who want to support and troubleshoot NT 4.
HKEY_LOCAL_MACHINE is probably the most important key in the registry
and it contains five subkeys:
Hardware: Database that describes the physical hardware in the computer,
the way device drivers use that hardware, and mappings and
related data that link kernel-mode drivers with various
user-mode code. All data in this sub-tree is re-created
everytime the system is started.
SAM: The security accounts manager. Security information for user and
group accounts and for the domains in NT 4 server.
Security: Database that contains the local security policy, such as
specific user rights. This key is used only by the NT 4
security subsystem.
Software: Pre-computer software database. This key contains data about
software installed on the local computer, as well as
configuration information.
System: Database that controls system start-up, device driver loading,
NT 4 services and OS behavior.
Information about the HKEY_LOCAL_MACHINE\SAM Key
This subtree contains the user and group accounts in the SAM database
for the local computer. For a computer that is running NT 4, this
subtree also contains security information for the domain. The
information contained within the SAM registry key is what appears in the
user interface of the User Manager utility, as well as in the lists of
users and groups that appear when you make use of the Security menu
commands in NT4 explorer.
Information about the HKEY_LOCAL_MACHINE\Security key
This subtree contains security information for the local computer. This
includes aspects such as assigning user rights, establishing password
policies, and the membership of local groups, which are configurable in
User Manager.
HKEY_CLASSES_ROOT
The information stored here is used to open the correct application when
a file is opened by using Explorer and for Object Linking and Embedding.
It is actually a window that reflects information from the
HKEY_LOCAL_MACHINE\Software subkey.
HKEY_CURRENT_CONFIG
The information contained in this key is to configure settings such as
the software and device drivers to load or the display resolution to
use. This key has a software and system subkeys, which keep track of
configuration information.
Understanding Hives
The registry is divided into parts called hives. These hives are mapped
to a single file and a .LOG file. These files are in the
systemroot\system32\config directory.
Registry Hive File Name
=================================================================
HKEY_LOCAL_MACHINE\SAM SAM and SAM.LOG
HKEY_LOCAL_MACHINE\SECURITY Security and Security.LOG
HKEY_LOCAL_MACHINE\SOFTWARE Software and Software.LOG
HKEY_LOCAL_MACHINE\SYSTEM System and System.ALT
=================================================================
Although I am not gauranteeing that these files will be easy to
understand, with a little research and patience, you will learn what you
want to learn. I have been asked to write a file on how to decipher the
contents of those files, but I have yet to decide wether I will do it or
not.
QuickNotes
Ownership = The ownership menu item presents a dialog box that
identifies the user who owns the selected registry key. The owner of a
key can permit another user to take ownership of a key. In addition, a
system administrator can assign a user the right to take ownership, or
outright take ownership himself.
REGINI.EXE = This utility is a character based console application that
you can use to add keys to the NT registry by specifying a Registry
script.
==========================================================================
The Following table lists the major Registry hives and some subkeys and
the DEFAULT access permissions assigned:
\\ denotes a major hive \denotes a subkey of the prior major hive
\\HKEY_LOCAL_MACHINE
Admin-Full Control
Everyone-Read Access
System-Full Control
\HARDWARE
Admin-Full Control
Everyone-Read Access
System-Full Control
\SAM
Admin-Full Control
Everyone-Read Access
System-Full Control
\SECURITY
Admin-Special (Write DAC, Read Control)
System-Full Control
\SOFTWARE
Admin-Full Control
Creator Owner-Full Control
Everyone-Special (Query, Set, Create, Enumerate, Notify, Delete, Read)
System-Full Control
\SYSTEM
Admin-Special (Query, Set, Create, Enumerate, Notify, Delete, Read)
Everyone-Read Access
System-Full Control
\\HKEY_CURRENT_USER
Admin-Full Control
Current User-Full Control
System-Full Control
\\HKEY_USERS
Admin-Full Control
Current User-Full Control
System-Full Control
\\HKET_CLASSES_ROOT
Admin-Full Control
Creator Owner-Full Control
Everyone-Special (Query, Set, Create, Enumerate, Notify, Delete, Read)
System-Full Control
\\HKEY_CURRENT CONFIG
Admin-Full Control
Creator Owner-Full Control
Everyone-Read Access
System-Full Control
==========================================================================
Thats it for the Registry Overview. Questions or Comments should be
forwarded to neonsurge@abyss.com
NeonSurge
Rhino9: The Windows NT Security Research Team
www.x-treme.abyss.com/techvoodoo/rhino9
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
