Unit OS12: Scripting 12.2. The Registry Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 12.2. Registry Fundamentals Registry Structure Registry Limits Monitoring Registry Activity with Regmon 3 1
Registry Fundamentals Repository for system/user configuration information Contains information NT requires to boot & configure System-wide application settings (e.g. install directory) Per-user settings (e.g. fonts, window placement, etc.) Called Configuration Manager (CM) in NTOSKRNL Network accessible (via Remote Registry service) Provides limited remote configuration, but not management Changing some registry entries causes action, but only if something watching for changes WMI provides remote management (described in next section) Also is a window into in-memory (volatile) system information Hardware description (built during boot process) Performance data 4 Registry Interface to Performance Counters Performance- Custom Custom Performance monitoring application A application B tool applications Pdh.dll RegQueryValueEx Windows Management Instrumentation Programming High-performance provider interface Interfaces Advapi32.dll PerfLib Registry DLL provider System Performance High-performance performance extension data provider DLL DLL object 5 2
Viewing and Changing the Registry Should never have to do this! Most common Registry parameters can be adjusted using a graphical NT utility But, some advanced tuning and configuration options require modifying and/or adding registry data Registry Editor tools Windows NT4/2000 had 2 tools (Regedt32.exe and Regedit.exe) REGEDT32.EXE Interprets NT-specific data types, NT permission lists REGEDIT.EXE Doesn’t understand NT-specific data types or security But has more thorough find capability XP/2003: single combined Regedit.exe does everything No shortcuts for these tools 6 Command Line Registry Tools Reg.exe (built into XP/2003; also in 2000 Support Tools) Can compare keys, load/unload hives, add/remove/query keys, and backup/restore (useful since NT Backup can only backup local registry hives) Regini.exe (built in to XP/2003; also in 2000 Resource Kit) - make registry changes via a script (.INI file) Regdmp (2000 Resource Kit) – dump registry in format that Regini reads Scanreg.exe (2000 Resource Kit) - flexible registry search tool 7 3
Registry Usage When is the Registry read? During boot (to determine which drivers, configure the system) During login (to set user preferences, such as drive letter mappings, screen saver, wallpaper, etc.) When you start applications (to read app-specific settings and per- user settings) When is the Registry modified? When you install applications or drivers When you change system, user or application settings It should not be polled for changes Interesting to check your systems for “quietness” of Registry Should use Registry change notification Windows functions Thread sleeps until a change is made to the part of the Registry they are interested in 8 Registry Structure Registry editors display Registry as an Explorer-like tree view Lab: run Regedit and examine The Registry is structured like a file system: Keys are like directories Values are like files Values have data types – like a file type Data is like the contents of a file The most common value types (there are 12 total): REG_DWORD - 32-bit integer REG_SZ - string REG_MULTISZ – array of strings REG_BINARY – array of bytes to represent arbitrary data Registry keys have full NT security Allows fine grained control as to who has what access 9 4
Logical Registry Structure Five visible “root” keys organize the data Really only two “roots”: HKLM and HKU 1. HKEY_CLASSES_ROOT (HKCR) Link to HKLM\Software\Classes - file extension associations, COM class registrations HKEY_LOCAL_MACHINE (HKLM) System-global static and dynamic configuration HKEY_USERS (HKU) Root for the loaded (logged on) user profiles HKEY_CURRENT_USER (HKCU) Link to profile of the user accessing this key HKEY_CURRENT_CONFIG (HKCC) Link to subset of HKEY_LOCAL_MACHINE - has hardware profile information Hidden virtual key for performance data HKEY_PERFORMANCE_DATA 11 HKEY_LOCAL_MACHINE Five main subkeys for local machine information HKEY_LOCAL_MACHINE\Hardware Hardware configuration data, resource usage, etc. Completely volatile (not saved across boots) HKEY_LOCAL_MACHINE\SAM Local account & groups database (for NT4 domain controllers, served as the domain account database) HKEY_LOCAL_MACHINE\Security System-wide security policies (for NT4 domain controllers, served as the domain security policy database) HKEY_LOCAL_MACHINE\Software Per-machine software data not critical for booting HKEY_LOCAL_MACHINE\System Controls booting and running the system (config.sys functionality) Available during bootstrap 12 5
HKEY_USERS HKEY_USERS is root for loaded user profile Registry data This is stored in \Documents and Settings\%USERNAME%\ntuser.dat In NT 4 it was stored in \Winnt\Profiles\%USERNAME% Note this is just a small part of your user profile, which includes your desktop, start menu, My Documents, etc. A user profile is “loaded”: When a user logs on interactively When a service process configured to run under a specific user account starts RUNAS (unless /NOPROFILE specified) 13 User Profiles HKEY_USERS\.Default is NOT the default Registry profile It is the profile for the System account E.g. Change logon desktop settings are here because Winlogon runs under System The default user Registry profile is in: \Documents and Settings\Default User\Ntuser.dat The starting user profile for users logging without a profile This does not show up in the Registry because it is not loaded Note: roaming profiles are left on a system even after you logoff! Anyone with local administrative privileges can view your documents and settings and Registry information Can override with group policies 14 6
Registry Physical Structure Registry consists of a number of files called “hives” A hive is a piece of registry database stored in its own file System-wide configuration information is in %systemroot%\system32\config User profile (HKEY_CURRENT_USER\...) in \Documents and Settings\…\ntuser.dat User profile is more than just the registry settings Entire directory under \Documents and Settings (e.g. start menu, My documents, temporary files, etc) Profile for new users is in \Documents and Settings\Default User NTLDR loads System hive, which points to other hives Registry points to loaded hives at: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist Can defrag registry hives with Pagedfrg from Sysinternals 15 Backup Hives .sav hive files in \Windows\System32\Config are the template hive files stored by Windows Setup \Windows\Repair has copies of the hives that were made after Setup completed Windows Backup updates them when it backs up “System State” System Restore restore points (described in the startup/shutdown section) also store copies of registry hives 16 7
Registry Limits SYSTEM hive was limited to 12MB in Windows 2000 Now limited to 200 MB or # of RAM, whichever is lower Limit is due to fact that entire SYSTEM hive is loaded into memory by NTLDR (discussed in Startup and Shutdown section) Total loaded registry hive data was limited to 376MB in Windows 2000 This was because registry hives were read into paged pool when loaded Explains why there was a system registry quota (see Control Panel- >System->Performance Tab - click on Virtual Memory “Change” button) Limited number of terminal server users XP/2003: No limit to loaded registry hive data Hives are accessed as memory mapped files Views are mapped as necessary Registry no longer in paged pool System registry quota is gone 17 Registry Reliability & Recovery Registry mechanism guarantees atomicity Uses transaction logging to ensure structural integrity One .LOG file per registry hive Automatically used to recover corrupt registry hives other than SYSTEM SYSTEM hive corruption recovery: Prior to Windows XP the system keeps a backup version of System called System.Alt NtLdr uses System.Alt of System is corrupt On Windows XP, Ntldr knows how to apply the registry log files to the System hive in order to repair it in cases where the system crashed during updates On Windows Server 2003 the configuration manager “self-heals” by amputating parts of the registry that are corrupt 18 8
Vista Transactions The Vista Registry supports transactions Allows application file system and Registry changes to be undone Changes committed only when associated transaction commits Relies on Distributed Transaction Coordinator (DTC) on Vista Server to enable multi-node transactions Transaction API is with NTFS (TxF) and the Registry Documented in Vista Beta 1 SDK CreateTransaction, SetCurrentTransaction, CommitTransaction, RollbackTransaction 19 Configuration Problems Missing, corrupted or overly-secure Registry settings often lead to application crashes and errors Some applications don’t completely remove registry data at uninstall Regmon may yield the answer… 20 9
Recommend
More recommend
