Windows NT Server 4.0 Notes


Module 3: Configuring the Windows NT Environment

Advantages of the Registry

  • configuration settings are stored in one location => easier to control
  • supports settings from multiple users on a single computer
  • granular security => you can protect each registry database entry with an access control list (ACL) that lists the exact permissions granted to each user or group
  • different data types are supported
    • .ini files only supported ASCII format
    • NT 4.0 supports ASCII, binary and Unicode formats

Type of information contained in the registry:

  • Installed hardware.
  • Installed device drivers.
  • Installed applications.
  • Installed network protocols.
  • Network adapter card settings.
  • User information like: users, group membership, permissions, and rights.

Six components that use the Registry:

Component / Description

Windows NT kernel
  • (Ntoskrnl.exe) Extracts information from the registry during startup, such as which device drivers to load.
  • The kernel passes back information about itself, such as its version number.
Device drivers
  • Pass data to the registry, and receive load and configuration parameters.
  • The device driver tells the registry what system resources it uses, for example IRQ and DMA settings.
Setup programs
  • Application or hardware setup programs can add new information to the registry, and extract information to verify whether the appropriate components are installed.
Hardware data
  • Hardware configuration data is collected during startup and stored in the registry.
    • On x86 computers this is done by Ntdetect.com.
    • On RISC-based computers it is extracted from the computer's firmware.
Hardware profiles
  • Hardware profiles are lists of hardware selected for the current session.
User profiles
  • NT creates and maintains settings for a user's work environment in a user profile.
  • Changes in the profile are first written to the registry, then to the user profile.

 

The registry is structured like folders on a hard disk: it has a hierarchical structure made up of the parts below.

The Hierarchical Structure of the Registry

Hierarchy / Description

Subtree or "Root key"
  • Like the root folder on a hard disk. There are five of them.
  • Root keys are at the highest level of the hierarchy and are made up of one or more HIVES.
Keys and subkeys
  • Analogous to folders and subfolders. Each hive can contain keys and subkeys, just like a folder can have subfolders.
Values
  • Like files, they come at the end of the hierarchy.
  • A key can contain one or more values.
  • A value entry has three parts:
    • the value name,
    • the data type,
    • the value.
Value data types
  • REG_DWORD:
    • "Double word"
    • one value is allowed (1-8 HEX digits).
  • REG_SZ:
    • Readable text
    • often a description or identification
    • e.g. RegisteredOwner: REG_SZ: Grant Wilson
    • one value is allowed (interpreted as the string to be stored).
  • REG_EXPAND_SZ:
    • Expandable data string
    • like REG_SZ, but the text can contain a variable that an application replaces.
    • e.g. DevicePath: REG_EXPAND_SZ: %SystemRoot%\Media
      • This tells the application to find what it needs in the C:\Winnt\Media folder IF %SystemRoot% is C:\Winnt.
  • REG_BINARY:
    • one value is allowed.
    • String of HEX digits; each pair is interpreted as a byte value.
    • This is machine-readable info and you should never have to edit these data types.
    • e.g. many of these have to do with system hardware configurations
  • REG_MULTI_SZ:
    • contains a list of values, so multiple values are allowed. Entries are separated by a null character.
Hive
  • A discrete body of keys, subkeys, and values.
  • Each hive has a corresponding registry file and a .log file that is used to record changes to the registry and to ensure its integrity.
  • The .log files and the hive files are located in the \winnt_root\System32\Config folder.

   

The maximum size for any registry value is 1 MB.
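The five data types above and the 1 MB limit are easy to get wrong when reading an exported value by hand, so here is an added example (not from the original notes) that decodes value entries written in the "name: type: data" form the notes use. It assumes the notes' own %SystemRoot% = C:\Winnt for REG_EXPAND_SZ expansion, measures string data as UTF-16LE (the Unicode encoding NT stores strings in; an assumption of this example), and treats the sample entries as constructed rather than taken from a real hive.

```python
import re

# The notes give 1 MB as the maximum size of any registry value.
MAX_VALUE_BYTES = 1024 * 1024

# Assumed environment used to expand REG_EXPAND_SZ; the notes' own example
# takes %SystemRoot% to be C:\Winnt.
ENVIRONMENT = {"SystemRoot": r"C:\Winnt"}


def parse_reg_dword(text):
    """REG_DWORD: one value of 1-8 hex digits, read as an unsigned 32-bit number."""
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", text):
        raise ValueError("REG_DWORD must be 1-8 hex digits, got %r" % text)
    return int(text, 16)


def expand_sz(text, env=ENVIRONMENT):
    """REG_EXPAND_SZ: like REG_SZ, but each %NAME% is replaced from the environment.
    A name that is not defined is left in place rather than silently emptied."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), text)


def parse_reg_binary(hex_text):
    """REG_BINARY: a string of hex digits; each pair of digits is one byte."""
    compact = hex_text.replace(" ", "")
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})*", compact):
        raise ValueError("REG_BINARY needs whole hex pairs, got %r" % hex_text)
    return bytes.fromhex(compact)


def encode_multi_sz(entries):
    """REG_MULTI_SZ: a list of strings separated by NUL and closed by a double NUL."""
    if any(e == "" or "\0" in e for e in entries):
        raise ValueError("REG_MULTI_SZ entries must be non-empty and free of NUL")
    return "\0".join(entries) + "\0\0"


def decode_multi_sz(raw):
    """Reverse of encode_multi_sz; an empty list is stored as a lone double NUL."""
    if not raw.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ data must end with a double NUL")
    body = raw[:-2]
    return body.split("\0") if body else []


def parse_value(name, reg_type, data):
    """Decode one value entry (name, type, data) and enforce the 1 MB limit.
    String data is measured as UTF-16LE (assumed NT storage encoding)."""
    if reg_type == "REG_DWORD":
        decoded, size = parse_reg_dword(data), 4
    elif reg_type == "REG_SZ":
        decoded, size = data, len(data.encode("utf-16-le"))
    elif reg_type == "REG_EXPAND_SZ":
        decoded, size = expand_sz(data), len(data.encode("utf-16-le"))
    elif reg_type == "REG_BINARY":
        decoded = parse_reg_binary(data)
        size = len(decoded)
    elif reg_type == "REG_MULTI_SZ":
        decoded, size = decode_multi_sz(data), len(data.encode("utf-16-le"))
    else:
        raise ValueError("unknown data type %r for value %r" % (reg_type, name))
    if size > MAX_VALUE_BYTES:
        raise ValueError("value %r exceeds the 1 MB registry limit" % name)
    return decoded


# Constructed sample entries in the "name: type: data" form the notes use.
SAMPLE_ENTRIES = [
    ("RegisteredOwner", "REG_SZ", "Grant Wilson"),
    ("DevicePath", "REG_EXPAND_SZ", r"%SystemRoot%\Media"),
    ("ErrorControl", "REG_DWORD", "1"),
    ("Configuration Data", "REG_BINARY", "FF FE 00 01"),
    ("DependOnGroup", "REG_MULTI_SZ", encode_multi_sz(["NDIS", "TDI"])),
]

if __name__ == "__main__":
    for name, reg_type, data in SAMPLE_ENTRIES:
        print("%s: %s -> %r" % (name, reg_type, parse_value(name, reg_type, data)))
```

The two checks worth noticing are the 1-8 hex digit rule for REG_DWORD (a ninth digit is rejected rather than truncated) and the double-NUL terminator for REG_MULTI_SZ, which is what distinguishes it from a REG_SZ that happens to contain NULs; Regedit, as the notes say later, shows such values as plain REG_SZ.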

The Five Subtrees of the Registry:

Subtree / Description

HKEY_LOCAL_MACHINE
  • Data in this subtree is constant, regardless of the user logged on.
  • Contains the local computer's hardware information and settings for any device ever installed in the computer.
  • Part of the data is used to boot Windows NT.
  • Used by applications, device drivers and NT itself to set the local computer configuration.
HKEY_USERS
  • Contains preferences for every user that has ever logged on to the computer.
  • It contains two subkeys:
    • .DEFAULT contains the system default settings used when the CTRL+ALT+DEL logon screen is displayed.
    • The SID of the user currently logged on.
HKEY_CURRENT_USER
  • Contains the preferences of the user who is currently logged on.
  • A copy of the info is stored in the \winnt_root\System32\Config folder.
  • The file name uses the first 5 letters of the user's account name and 3 unique digits.
  • HKEY_CURRENT_USER takes precedence over HKEY_LOCAL_MACHINE for duplicate data.
  • Receives stored information from the user's subtree located in HKEY_USERS\SID.
HKEY_CLASSES_ROOT
  • Contains information about OLE classes and file associations.
  • It contains the same information that is typically stored in reg.dat.
  • It points to the Classes subkey of HKEY_LOCAL_MACHINE\SOFTWARE.
  • Provides compatibility with the Windows 3.1 database.
HKEY_CURRENT_CONFIG
  • Contains settings for all hardware devices currently installed in the computer (the active hardware profile).
  • This data is extracted from the SOFTWARE and SYSTEM hives.

An Example of a Subtree: HKEY_LOCAL_MACHINE

The HKEY_LOCAL_MACHINE subtree provides a good example for the registry because the structure of all the subtrees is similar.

It has five subkeys (see below). All of them except HARDWARE (which is dynamically created when the computer is started) are considered hives because they have corresponding files in the "winnt_root\system32\config" folder. Applications can query all these subkeys but can only add information to the SOFTWARE and SYSTEM subkeys.

Subkeys of HKEY_LOCAL_MACHINE

Subkey / Description

HARDWARE
  • This subkey is volatile because it is constructed from information gathered each time the computer is booted.
  • It does not map to a file on disk because it is built every time the computer starts up. Here you can see which drivers should be installed and what kind of hardware was found by Windows NT.
  • The information under HKEY_LOCAL_MACHINE\Hardware can be used to determine:
    • the right driver to install for a piece of hardware. This is done by booting NT and then seeing which hardware device was detected.
    • whether a device driver is failing to load because the hardware is no longer being detected. Maybe there is a hardware failure or a conflict with a newly installed piece of hardware.
SAM
  • SAM = Security Accounts Manager
  • Contains the directory database for the computer.
  • Applications must use the appropriate APIs to query this key.
  • The SAM hive maps to the SAM and sam.log files in the \winnt_root\System32\Config folder.
  • This hive is a pointer to HKEY_LOCAL_MACHINE\Security\SAM.
SECURITY
  • Contains all the security information for the local computer.
  • Keys cannot be modified by applications.
SOFTWARE
  • Contains information about the software on the local computer.
  • Independent of the user.
  • e.g. software manufacturer and version number
SYSTEM
  • Contains information about the devices and services on the system.
  • A backup of the SYSTEM hive is kept in the "System.alt" file. This is used if the original is somehow corrupted.
  • When device drivers or services are installed or configured, they add or modify info here.

Applications can modify ONLY the SOFTWARE and SYSTEM subkeys.

Control Panel Hardware Settings

The Windows NT Control Panel contains programs used to configure specific sections of the registry. Some of these programs control the configuration of the computer itself; these are not user dependent.

  • You can create different hardware profiles with the Hardware Profiles tab of the System program in the Control Panel.
  • One of the profiles is used when starting up the computer. If more profiles are available, you will have to choose one as the computer is starting up.
  • You can also choose the time the computer should wait before it starts up the hardware profile with the highest priority, or whether it should wait indefinitely. If you set the wait time to 0, it will start without prompting; to override this you can press the spacebar at startup.
NOTE: To create a new profile: copy the original, then modify and save. This guards against accidentally disabling one of the boot devices and causing an NT boot failure.

How to Configure a Network-disabled Profile

All hardware profiles have a Network tab with a single option: Network-disabled hardware profile.

  • This disables all networking devices and services.
  • It is supposed to prevent the "One or more services failed to start" message.
  • BUT using the network-disabled hardware profile can create confusion: the Services program in Control Panel and the "net start" command will show all services as started. If a user tries to access the network, the error messages give the impression that a network service failed during startup.
NOTE: There are two other programs that can modify the hardware profiles:
  • Devices
  • Services

Both are located in the Control Panel and have Hardware Profile buttons.

Configuring COM ports

  • To modify COM ports, use the Ports program in Control Panel. Here you can add up to 256 COM ports. If a device is attached to a port, or if another device is using the same interrupt, the port will not be shown in the Ports program.

To determine what device is using an unlisted serial port, use the registry editor and look under:

\HKEY_LOCAL_MACHINE\HARDWARE\Description\System\MultifunctionAdapter

or

\HKEY_LOCAL_MACHINE\HARDWARE\Description\System\EisaAdapter\0\SerialController

Under the SerialController key are subkeys for each port, with:
  • 0 for COM1
  • 1 for COM2
  • 2 for COM3, etc.
 

Configuring the Display

  • In the Display properties, the Test button is used to test a configuration; this only works when the driver to test does not conflict with the current driver. If the VGA driver is installed, the SVGA driver cannot be tested or installed because it conflicts.
  • List All Modes button: gives you the option to configure color, desktop size and refresh frequency all at once.
  Note: only users with the "Load and unload device drivers" user right can change the video drivers. By default only the Administrators group has this user right.

Configuring SCSI Adapters and Tape Devices

  • Use the SCSI Adapters and Tape Devices programs in the Control Panel to configure the appropriate hardware (SCSI devices and tape devices). If you install a new SCSI device, you will have to restart the computer; this is not needed after installing a new tape device.
  • Both programs have two tabs, Devices and Drivers. Tape devices can be detected automatically by clicking the Detect button.
  • Use the Properties button to find device info, such as SCSI ID number, firmware info and SCSI host adapter.

Configuring a UPS

  • To configure an Uninterruptible Power Supply (UPS), use the UPS program in Control Panel.

During a power failure, the UPS will keep the system running (but pauses the Server service) until:

  • Power is restored.
  • An administrator or the UPS service shuts the system down.
  • The UPS signals that its batteries are low.

Make sure to test the UPS once you have installed it, particularly on x86-based computers. During startup Ntdetect.com sends a detection signal to the serial ports and some UPS units will shut down in response. If that happens you will have to modify "Boot.ini": use the /NoSerialMice switch in "Boot.ini" to prevent the detection signal from being sent to the serial port.

Options in the UPS program:

Select this checkbox / If / This setting corresponds to

  • Power failure signal: the UPS can send a message when the power supply fails. Clear To Send (CTS) pin signal for the UPS serial port connection.
  • Low battery signal at least 2 min before shutdown: the UPS can send a warning signal. Data Carrier Detect (DCD) pin signal for the UPS serial port connection.
  • Remote UPS shutdown: the device can accept a signal from the UPS service to shut down. Data Terminal Ready (DTR) pin signal for the UPS serial port connection.

For the preceding selections: the default UPS interface voltage setting is negative; it can be set to positive.

Select this checkbox / To / Use these parameters

  • Execute Command File: execute a command file just before shutdown. This can be any .com, .exe, .bat, or .cmd file, and it has 30 seconds to complete its task.

Use this option / To adjust / Range and default

  • Expected battery life: time, in minutes, that the system can run on battery power. Range: 2-720 minutes; default: 2 minutes.
  • Battery recharge time per minute of runtime: amount of time to recharge the battery. This is the amount of time without protection. Range: 1-240 minutes; default: 100 minutes.
  • Time between power failure and initial warning message. Range: 0-120 seconds; default: 5 seconds.
  • Delay between warning messages. Range: 5-300 seconds; default: 120 seconds.

  

Configuring PC Cards

  • The PC Card program is also located in the Control Panel.
  • Make sure you turn off the computer before physically adding or removing a PC Card.
  • The correct driver is usually detected by Windows NT.
Control Panel Software Settings

  • To change the startup and shutdown settings, select the "Startup/Shutdown" tab in the System Properties box. Two sections can be modified here:
    • System startup: select one of the startup options to be the default. You can also set the time the system waits for you to choose a startup option before it starts the default. Setting it to "0" bypasses the choice altogether.
    • Recovery: there are four options to choose from for a stop (fatal system error):
      • Write event to system log
      • Send administrative alert to the computers specified in the Alerts box of the Server program in Control Panel.
      • Write debugging information to a specified file (can be helpful for MS support engineers).
      • Automatically reboot. Choose this only when "Write debugging information" is selected.
Configuring Virtual Memory (p105)

The Virtual Memory dialog box is accessed from the Performance tab via the Change button.

  • On the Performance tab of the System Properties dialog box, click "Change" to configure the virtual memory. Here you can adjust the pagefile.sys size.
  • Minimum size of the page file is 2 MB.
  • Paging file size:
    • NT Server: default = physical memory. If you have less than 22 MB RAM, default = 22 MB or available disk space, whichever is smaller.
    • NT Workstation: default = RAM + 12, or the available disk space, whichever is smaller.

  After a page file is created, it will not shrink below its initial size. When a Windows NT computer is restarted, the page file size is reset to the initial size. When you change the size of the page file, make sure to click the Set button to really make the change.

  You can enhance performance by creating more paging files on multiple disks, and by not putting the paging file on the same disk as the winnt_root directory.

  • In this tab you can also set the maximum size of the registry.
  • Enhancing performance with the paging file:
    • Create a paging file for each disk.
    • Move the paging file away from the boot disk to avoid competition between various read and write requests.
    • Set the INITIAL paging file size equal to the MAXIMUM size suggested by the system to eliminate the time needed to enlarge it.
Setting Environment Variables (p107)

  • The Environment tab of the System Properties is used to set variables that are important to Windows NT for controlling the behavior of the various applications. There are two types of variables to edit here:
    • System environment variables.
      • Can be changed only by administrators.
      • Apply to the system as a whole and therefore to all users: e.g. the path to the Windows NT files.
    • User environment variables.
      • Can be modified by any user, and are different for each user.
      • Include user-defined and application-defined variables, such as the path to the application files.

How NT sets Environment Variables

Every time Windows NT is booted, it searches Autoexec.bat for various variables, like "Path", and adds them to the system variables.

Windows NT sets the environment variables in the following order:

  • Autoexec.bat file. Windows NT can be prevented from searching it by modifying the following registry value: ParseAutoexec : REG_SZ = 0. You can also do this with the Policy Editor: under Local User click Windows NT System, and select the Parse Autoexec.bat check box.
  • System environment variables.
  • User environment variables (so these can override a statement in Autoexec.bat, like the Temp directory).
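To make the three-layer order concrete, here is an added example (not from the original notes) that composes an environment the same way: Autoexec.bat first (skipped when ParseAutoexec is "0"), then the system variables, then the user variables. The Autoexec.bat lines and the variable sets are constructed for the example; Path is modelled as additive (each layer's entries are appended, an assumption of this model) while every other variable is simply replaced by the later layer, which is what lets a user TEMP override the one in Autoexec.bat.

```python
# Constructed Autoexec.bat contents; not a real file from the notes.
AUTOEXEC_BAT = [
    "@ECHO OFF",
    "PATH=C:\\DOS",
    "SET TEMP=C:\\DOS\\TEMP",
    "SET BLASTER=A220 I5 D1",
]

# Constructed system and user variables as set on the Environment tab of
# System Properties; SystemRoot follows the notes' example.
SYSTEM_VARIABLES = {"SystemRoot": "C:\\Winnt", "Path": "C:\\Winnt\\system32;C:\\Winnt"}
USER_VARIABLES = {"TEMP": "C:\\TEMP"}


def parse_autoexec(lines):
    """Pick up PATH= and SET NAME=VALUE statements from Autoexec.bat lines."""
    found = {}
    for line in lines:
        stripped = line.strip()
        if stripped.upper().startswith("PATH="):
            found["PATH"] = stripped[len("PATH="):]
        elif stripped.upper().startswith("SET "):
            name, sep, value = stripped[len("SET "):].partition("=")
            if sep:
                found[name.strip().upper()] = value.strip()
    return found


def merge(env, variables):
    """Add one layer of variables.  A later layer replaces an earlier value, except
    that Path entries are appended (modelling assumption) so earlier directories
    are not silently dropped.  Names are case-insensitive, as in NT."""
    for name, value in variables.items():
        key = name.upper()
        if key == "PATH" and env.get("PATH"):
            env["PATH"] = env["PATH"] + ";" + value
        else:
            env[key] = value
    return env


def build_environment(autoexec_lines, system_vars, user_vars, parse_autoexec_setting="1"):
    """Compose the environment in the order the notes give: Autoexec.bat (unless
    the ParseAutoexec value is "0"), then system variables, then user variables."""
    env = {}
    if parse_autoexec_setting != "0":
        merge(env, parse_autoexec(autoexec_lines))
    merge(env, system_vars)
    merge(env, user_vars)
    return env


if __name__ == "__main__":
    for setting in ("1", "0"):
        print("ParseAutoexec =", setting)
        for name, value in build_environment(AUTOEXEC_BAT, SYSTEM_VARIABLES,
                                             USER_VARIABLES, setting).items():
            print("  %s=%s" % (name, value))
```

Running it shows why the notes single out Autoexec.bat: anything a DOS-era batch file sets (BLASTER here) lands in every user's environment unless ParseAutoexec is turned off, and only a user variable of the same name can take it back.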
Adding and Removing Windows NT Components

  • Under Add/Remove Programs, you can install or remove software. Windows NT components can be added or removed by clicking the Windows NT Setup tab and selecting the components you need, or don't need.
System Policy Editor

  • System Policy Editor is part of NT Server ONLY.
  • Allows more changes to the registry than the Control Panel.
  • It is available in the Administrative Tools folder to members of the Administrators group.

There are two modes to work in:

  Registry Mode
  • used to edit the registry of local or remote computers
  • some changes take effect immediately; others require a reboot to take effect

  Policy File Mode
  • changes take effect when the user logs on and the policy file is downloaded from the server

Registry settings are organized into two hierarchies:

  Local User
  • used to control the environment of the user who is currently logged on

  Local Computer
  • used to configure the computer itself

Examples of policy:

  • creating a warning logon banner
  • disabling the display of the last logged-on user name
Registry Editor

  • You can start the Windows NT registry editor by entering regedt32.exe at the command line or in the Run box (located in the Start menu).
  • A shortcut to the editor isn't found in any folder.

Regedit.exe vs. Regedt32.exe

You can also use the regedit.exe command, which launches the Windows 95 registry editor.

REGEDIT.EXE Cons:

  • NO Security menu
  • No auditing
  • NO Read-only mode
  • Does not support REG_EXPAND_SZ or REG_MULTI_SZ
    • Regedit will display these data types as REG_SZ

REGEDIT.EXE Pros:

  • You can see all the keys in one window; Regedt32 displays each key in a separate window.
  • Regedit.exe allows you to find keys, values, and data in the registry. Regedt32.exe only allows you to search keys and subkeys, but NOT value entries or actual data values.
  • You can right-click to find, delete, rename or copy a key name.

  • By default only administrators have Full Control rights for editing the registry; others have read-only rights.
  • An administrator can modify the rights through the Security menu in the Registry Editor.
  • To prevent accidental and potentially system-wide problems: click READ ONLY MODE on the OPTIONS menu.

An overview of some useful Registry Editor commands:

Command / Function

Find Key
  • A search only for keys, not values.
  • The search begins at the currently selected key.
  • A search is only performed in the subtree in which the search was started.
Save Key
  • Saves part of the registry in a binary format.
  • It saves the currently selected key and all its subkeys.
  • This is used to test changes to the registry. In a sense, it's a backup.
Restore
  • Loads the data into the currently selected key.
  • Used with SAVE KEY.
Save Subtree As
  • Saves the currently selected key and all its subkeys in a text file.
  • Can be used to determine the date and time of key value modifications.
Select Computer
  • Accesses the registry of remote computers.
  • Remote access is restricted to the Administrators group on NT Server, but on NT Workstation anyone with a valid user account is allowed remote registry access.
  • This can be altered by creating the following (long) key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg (type REG_DWORD, with a value of 1).
  • The permissions on this key define who can have remote access to the registry.
  • By default, this key exists only on Server. For Workstation, you need to add it.

NOTES:

SAM

  Each NT computer contains a security accounts database known as the SAM. This keeps track of user and group permissions.

  NT Workstation computers: the SAM contains security info for the local computer ONLY.
  NT Server domain controllers: the SAM contains security info for the local computer AND the entire domain.

Registry Hives and their log files

  • .log files provide stability in case of system failures.

Here's what happens: each registry update is first recorded in the .log file, and the update is not considered complete until all of it has been written to the hive, at which point the log records the change as finished. If the system fails halfway through, at reboot the info in the log file is used to ROLL BACK the transaction and restore the registry to a stable state.
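The roll-back described above is a write-ahead log, and the following added example (not from the original notes, and not NT's real sector-based hive format) shows the idea with a toy hive: the intended change is logged before the hive is touched, a "complete" flag is set only after every write lands, and recovery at reboot undoes any update whose flag never got set. The value names and the mid-write failure are constructed for the scenario.

```python
class SystemCrash(Exception):
    """Stands in for a power failure or crash in the middle of a hive write."""


class Hive:
    """Toy model of one registry hive file plus its .log (constructed for this
    example).  Values live in a dict; the log holds one record per update with
    the old data, the new data, and a 'complete' flag."""

    def __init__(self, values=None):
        self.values = dict(values or {})   # contents of the hive file
        self.log = []                      # contents of the .log file

    def update(self, changes, fail_after=None):
        """Apply `changes` (name -> new data) as one transaction.
        fail_after=n simulates the system dying after n of the writes landed."""
        record = {
            "before": {name: self.values.get(name) for name in changes},
            "after": dict(changes),
            "complete": False,
        }
        self.log.append(record)            # 1. write the intent to the .log first
        for count, (name, data) in enumerate(changes.items()):
            if fail_after is not None and count >= fail_after:
                raise SystemCrash("system failed while writing the hive")
            self.values[name] = data       # 2. write the hive itself
        record["complete"] = True          # 3. only now is the update complete

    def recover(self):
        """Run at reboot: any record not marked complete is rolled back so the
        hive returns to its last stable state.  Returns how many were undone."""
        rolled_back = 0
        for record in self.log:
            if record["complete"]:
                continue
            for name, old in record["before"].items():
                if old is None:
                    self.values.pop(name, None)   # value did not exist before
                else:
                    self.values[name] = old
            rolled_back += 1
        self.log = [r for r in self.log if r["complete"]]
        return rolled_back


def demo():
    """Constructed scenario: a service key loses power mid-update, then reboots.
    Returns (half-written state, number rolled back, state after recovery)."""
    hive = Hive({"Start": 2, "ErrorControl": 1})
    try:
        hive.update({"Start": 4, "ImagePath": "system32\\drivers\\new.sys"}, fail_after=1)
    except SystemCrash:
        pass                                # hive is half-written: Start=4, no ImagePath
    half_written = dict(hive.values)
    rolled_back = hive.recover()            # the "reboot"
    return half_written, rolled_back, dict(hive.values)


if __name__ == "__main__":
    print(demo())
```

The point to take from the scenario is that the half-written state (Start changed, ImagePath missing) would leave the service unbootable, and it is the log record, not the hive, that knows the update was never finished.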
 

Recovering the Registry Using the Last Known Good Configuration

Much of the information necessary for Windows NT to start up is stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet subkey. If you—or a program on your system—make invalid changes to one of the value entries in this subkey, your system could fail to boot. Or, if it does boot, it could prevent you from logging on.

To help protect against these kinds of accidental problems, NT keeps copies of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002.

If your NT system fails during startup and you suspect it has something to do with a Registry change you just made or a device you just installed, you can tell NT to use the backup version of the control set by pressing the SPACE BAR during the boot process when NT displays the message "Press spacebar NOW to invoke Last Known Good Menu".

When you invoke this option, you lose any changes made to the Registry since the last time a user successfully logged on to the system.

Using the Registry Editor Remotely

One of the great strengths of the Registry Editor, and of Windows NT, is the capability to remotely access and edit the Registry database. From a Windows NT machine, you can use the Registry Editor (REGEDT32.EXE) to connect to a remote system running Windows NT.

Using REGEDT32, choose the Registry | Select Computer menu option. This will display a browse window, enabling you to locate a remote computer.

Using the browse box, select the computer whose Registry you want to view, or type the computer's name into the Computer field.

You are now connected to the remote computer's HKEY_LOCAL_MACHINE and HKEY_USERS root keys.

  NOTE: Remember, the other root keys are simply links to other subkeys, either in the HKEY_LOCAL_MACHINE or the HKEY_USERS root keys.

When you are finished viewing or making changes to the remote computer's Registry, select the Registry | Close menu option to close the connection to the remote Windows NT system.

  NOTE: When you connect to a remote NT system's Registry, you are granted the level of permission determined by your user account and the privileges granted to it on the remote system.

Securing and Auditing Information in the Registry

  • Use Regedt32.exe for applying access permissions: Regedit.exe can't do this!
  • Security for registry keys and subkeys is supported REGARDLESS of the file system: FAT or NTFS.
  • You can also AUDIT changes to certain subkeys; this can cause a LOT of entries in Event Viewer though.

Backing Up and Restoring the Registry

The REPAIR DISK utility (RDISK.EXE) takes a "snapshot" of the state of the Registry and saves it to a floppy disk (the EMERGENCY REPAIR DISK).

It saves:

  • The accounts database (including passwords, security settings and groups)
  • The configuration of your hard drive
  • Hardware profile information
  • Device driver configuration
  • Network settings
  • Computer identification:
    • name
    • workgroup or domain status

E-mail Me! Comments and suggestions? E-mail me at grantwil@sk.sympatico.ca
Last Updated: Wednesday, March 10, 1999 Grant Wilson, Tisdale, SK. Canada