Module 3: Configuring the Windows NT Environment
Advantages of the Registry
- Configuration settings are stored in one location, which makes them easier to control.
- Supports settings from multiple users on a single computer.
- Granular security: you can protect each registry database entry with an access control list (ACL) that lists the exact permissions granted to each user or group.
- Different data types are supported:
  - .ini files only supported the ASCII format.
  - NT 4.0 supports ASCII, binary and Unicode formats.
Type of information contained in the registry:
- Installed hardware.
- Installed device drivers.
- Installed applications.
- Installed network protocols.
- Network adapter card settings.
- User information such as users, group membership, permissions, and rights.
Six components that use the Registry:

Windows NT kernel (Ntoskrnl.exe)
- Extracts information from the registry during startup, such as which device drivers to load.
- The kernel passes information back about itself, such as its version number.

Device drivers
- Pass data to the registry, and receive load and configuration parameters.
- A device driver tells the registry what system resources it uses, for example IRQ and DMA settings.

Setup programs
- Application or hardware setup programs can add new information to the registry, and extract information to verify whether the appropriate components are installed.

Hardware data
- Hardware configuration data is collected during startup and stored in the registry.
- On x86 computers this is done by Ntdetect.com.
- On RISC-based computers it is extracted from the computer's firmware.

Hardware profiles
- Hardware profiles are lists of hardware selected for the current session.

User profiles
- NT creates and maintains the settings for a user's work environment in a user profile.
- Changes to the profile are first written to the registry, then to the user profile.
The Hierarchical Structure of the Registry
The registry is structured like the folders on a hard disk; it is a hierarchy made up of the following:
Subtree or "root key"
- Like the root folder on a hard disk. There are five of them.
- Root keys are at the highest level of the hierarchy and are made up of one or more HIVES.

Keys and subkeys
- Analogous to folders and subfolders. Each hive can contain keys and subkeys, just as a folder can have subfolders.

Values
- Like files, they come at the end of the hierarchy.
- A key can contain one or more value entries.
- A value entry has three parts:
  - the value name
  - the data type
  - the value (data)

Value data types
- REG_DWORD:
  - "Double word"
  - one value is allowed (1-8 hex digits).
- REG_SZ:
  - Readable text
  - often a description or identification
  - e.g. RegisteredOwner: REG_SZ: Grant Wilson
  - one value is allowed (interpreted as the string to be stored).
- REG_EXPAND_SZ:
  - Expandable data string
  - like REG_SZ, but the text can contain a variable that an application replaces.
  - e.g. DevicePath: REG_EXPAND_SZ: %SystemRoot%\Media
  - This tells the application to find what it needs in the C:\Winnt\Media folder IF %SystemRoot% is C:\Winnt.
- REG_BINARY:
  - one value is allowed.
  - A string of hex digits; each pair is interpreted as one byte.
  - This is machine-readable information and you should never have to edit these values.
  - e.g. many of these relate to system hardware configuration.
- REG_MULTI_SZ:
  - contains a list of values, so multiple values are allowed. Entries are separated by a null character.

Hive
- A discrete body of keys, subkeys, and values.
- Each hive has a corresponding registry file and a .log file that is used to record changes to the registry and to ensure its integrity.
- The .log files and the hive files are located in the \winnt_root\System32\Config folder.

The maximum size for any registry value is 1 MB.
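The five value types above, as an added example that is not part of the course notes: each encoder packs the data the way the table describes (1-8 hex digits for REG_DWORD, hex pairs as bytes for REG_BINARY, null-separated Unicode strings for REG_MULTI_SZ, %VAR% expansion for REG_EXPAND_SZ). It assumes NT's UTF-16LE string storage, and the sample values (DevicePath, a two-entry MULTI_SZ) are constructed. `decode_sz` also shows why a tool that only understands REG_SZ displays just the first entry of a REG_MULTI_SZ, as the page later notes about Regedit.

```python
"""Encoders/decoders for the five Windows NT registry value types.
Strings are stored as UTF-16LE (the Unicode format NT 4.0 supports); a
REG_MULTI_SZ is a run of null-terminated strings closed by one extra null.
Added example, not course code; all sample values are constructed."""
import struct

HEX_DIGITS = set("0123456789abcdefABCDEF")


def dword_from_hex(text):
    """REG_DWORD: 1-8 hex digits, stored as a 4-byte little-endian integer."""
    if not 1 <= len(text) <= 8 or not set(text) <= HEX_DIGITS:
        raise ValueError("REG_DWORD takes 1 to 8 hex digits")
    return struct.pack("<I", int(text, 16))


def binary_from_hex_pairs(text):
    """REG_BINARY: whitespace-separated hex pairs, each pair is one byte."""
    pairs = text.split()
    if any(len(p) != 2 or not set(p) <= HEX_DIGITS for p in pairs):
        raise ValueError("REG_BINARY data must be two-digit hex pairs")
    return bytes(int(p, 16) for p in pairs)


def encode_sz(text):
    """REG_SZ: one Unicode string, null-terminated."""
    if "\0" in text:
        raise ValueError("a REG_SZ may not contain a null")
    return (text + "\0").encode("utf-16-le")


def decode_sz(raw):
    """Reads like a C string: everything up to the first null. Fed a
    REG_MULTI_SZ buffer, this is why a REG_SZ-only tool shows one entry."""
    return raw.decode("utf-16-le").split("\0", 1)[0]


def expand_sz(text, env):
    """REG_EXPAND_SZ: substitute %VAR% from env (case-insensitive, like the
    Windows environment); an undefined variable is left as written."""
    lookup = {k.lower(): v for k, v in env.items()}
    out, i = [], 0
    while i < len(text):
        j = text.find("%", i + 1) if text[i] == "%" else -1
        if j == -1:            # ordinary character or an unmatched %
            out.append(text[i])
            i += 1
            continue
        out.append(lookup.get(text[i + 1:j].lower(), text[i:j + 1]))
        i = j + 1
    return "".join(out)


def encode_multi_sz(items):
    """REG_MULTI_SZ: each entry null-terminated, then one more null."""
    if any(not s or "\0" in s for s in items):
        raise ValueError("entries must be non-empty and contain no null")
    return ("".join(s + "\0" for s in items) + "\0").encode("utf-16-le")


def decode_multi_sz(raw):
    """Split on the null separator; the closing null yields no entry."""
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


if __name__ == "__main__":
    # The course's DevicePath example and a constructed two-entry list.
    print(expand_sz(r"%SystemRoot%\Media", {"SystemRoot": r"C:\Winnt"}))
    deps = encode_multi_sz(["NetBT", "Tcpip"])
    print(decode_multi_sz(deps), "but read as REG_SZ:", decode_sz(deps))
```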
The Five Subtrees of the Registry:

HKEY_LOCAL_MACHINE
- Data in this subtree is constant, regardless of which user is logged on.
- Contains the local computer's hardware information and settings for any device ever installed in the computer.
- Part of the data is used to boot Windows NT.
- Used by applications, device drivers and NT itself to set the local computer configuration.

HKEY_USERS
- Contains preferences for every user that has ever logged on to the computer.
- It contains two subkeys:
  - .DEFAULT contains the system default settings used when the CTRL+ALT+DEL logon screen is displayed.
  - The SID of the user currently logged on.

HKEY_CURRENT_USER
- Contains the preferences of the user who is currently logged on.
- A copy of the information is stored in the \winnt_root\System32\Config folder.
- The file is named from the first 5 letters of the user's account name plus 3 unique digits.
- HKEY_CURRENT_USER takes precedence over HKEY_LOCAL_MACHINE for duplicate data.
- Receives stored information from the user's subtree located in HKEY_USERS\SID.

HKEY_CLASSES_ROOT
- Contains information about OLE classes and file associations.
- It contains the same information that is typically stored in Reg.dat.
- It points to the Classes subkey of HKEY_LOCAL_MACHINE\SOFTWARE.
- Provides compatibility with the Windows 3.1 registration database.

HKEY_CURRENT_CONFIG
- Contains settings for all hardware devices currently installed in the computer (the active hardware profile).
- This data is extracted from the SOFTWARE and SYSTEM hives.
An Example of a Subtree: HKEY_LOCAL_MACHINE
The HKEY_LOCAL_MACHINE subtree is a good example for the registry because the structure of all the subtrees is similar. It has five subkeys (see below), all of which are considered hives because they have corresponding files in the "winnt_root\system32\config" folder, except HARDWARE, which is created dynamically when the computer is started. Applications can query all these subkeys but can only add information to the SOFTWARE and SYSTEM subkeys.
Subkeys of HKEY_LOCAL_MACHINE

HARDWARE
- This subkey is volatile because it is constructed from information gathered each time the computer is booted.
- It does not map to a file on disk because it is built every time the computer starts up. Here you can see which driver should be installed and what kind of hardware was found by Windows NT.
- The information under HKEY_LOCAL_MACHINE\Hardware can be used to determine:
  - the right driver to install for a piece of hardware, by booting NT and then seeing which hardware device was detected;
  - whether a device driver is failing to load because the hardware is no longer being detected. Maybe there is a hardware failure or a conflict with a newly installed piece of hardware.

SAM
- SAM = Security Accounts Manager
- Contains the directory database for the computer.
- Applications must use the appropriate APIs to query this key.
- The SAM hive maps to the SAM and sam.log files in the \winnt_root\System32\Config folder.
- This hive is a pointer to HKEY_LOCAL_MACHINE\Security\SAM.

SECURITY
- Contains all the security information for the local computer.
- Keys cannot be modified by applications.

SOFTWARE
- Contains information about the software on the local computer.
- Independent of the user.
- e.g. software manufacturer and version number.

SYSTEM
- Contains information about the devices and services on the system.
- A backup of the SYSTEM hive is kept in the "System.alt" file. This is used if the original is somehow corrupted.
- When device drivers or services are installed or configured, they add or modify information here.
Applications can modify ONLY the SOFTWARE and SYSTEM subkeys.

Control Panel Hardware Settings
The Windows NT Control Panel contains programs used to configure specific sections of the registry. Some of these programs control the configuration of the computer itself; those settings are not user dependent.

- You can create different hardware profiles with the Hardware Profiles tab of the System program in the Control Panel.
- One of the profiles is used when starting up the computer. If more than one profile is available, you will have to choose one as the computer starts up.
- You can also choose how long the computer should wait before it starts the hardware profile with the highest priority, or whether it should wait indefinitely. If you set the wait time to 0, it will start without prompting; to override this you can press the spacebar at startup.
NOTE: To create a new profile, copy the original, then modify and save the copy. This guards against accidentally disabling one of the boot devices and causing an NT boot failure.
How to Configure a Network-disabled Profile
All hardware profiles have a Network tab with a single option: Network-disabled hardware profile.
- This disables all networking devices and services.
- It is supposed to prevent the "One or more services failed to start" message.
- BUT using the network-disabled hardware profile can create confusion: the Services program in Control Panel and the "net start" command will show all services as started. If a user tries to access the network, the error messages give the impression that a network service failed during startup.
NOTE: Two other programs can also modify the hardware profiles. Both are located in the Control Panel and have Hardware Profile buttons.
Configuring COM ports
- To modify COM ports, use the Ports program in Control Panel. Here you can add up to 256 COM ports. If a device is attached to a port, or if another device is using the same interrupt, the port will not be shown in the Ports program.
To determine what device is using an unlisted serial port, use the registry editor and look under:
\HKEY_LOCAL_MACHINE\HARDWARE\Description\System\MultifunctionAdapter
or
\HKEY_LOCAL_MACHINE\HARDWARE\Description\System\EisaAdapter\0\SerialController
Under the SerialController key are subkeys for each port:
- 0 for COM1
- 1 for COM2
- 2 for COM3, etc.
Configuring the Display
- In the Display properties, the Test button is used to test a configuration. This only works when the driver to be tested does not conflict with the current driver. If the VGA driver is installed, the SVGA driver cannot be tested or installed because it conflicts.
- The List All Modes button gives you the option to configure color, desktop size and refresh frequency all at once.
Note: only users with the "Load and unload device drivers" user right can change the video drivers. By default only the Administrators group has this user right.
Configuring SCSI Adapters and Tape Devices
- Use the SCSI Adapters and Tape Devices programs in the Control Panel to configure the corresponding hardware (SCSI devices and tape devices). If you install a new SCSI device you will have to restart the computer; a new tape device does not require a restart.
- Both programs have two tabs, Devices and Drivers. Tape devices can be detected automatically by clicking the Detect button.
- Use the Properties button to find device information, such as the SCSI ID number, firmware information and the SCSI host adapter.
- To configure an Uninterruptible Power Supply (UPS), use the UPS program in Control Panel.
During a power failure, the UPS will keep the system running (but pauses the Server service) until:
- Power is restored.
- The administrator or the UPS service shuts the system down.
- The UPS signals that its batteries are low.
Make sure to test the UPS once you have installed it, particularly on x86-based computers. During startup Ntdetect.com sends a detection signal to the serial ports, and some UPS units shut down in response. If that happens, add the /NoSerialMice switch to "Boot.ini" to prevent the detection signal from being sent to the serial port.
Options in the UPS program:

Checkbox: Power failure signal
- Select if: the UPS can send a message when the power supply fails.
- Corresponds to: the Clear To Send (CTS) pin signal on the UPS serial port connection.

Checkbox: Low battery signal at least 2 min before shutdown
- Select if: the UPS can send a warning signal.
- Corresponds to: the Data Carrier Detect (DCD) pin signal on the UPS serial port connection.

Checkbox: Remote UPS shutdown
- Select if: the device can accept a signal from the UPS service to shut down.
- Corresponds to: the Data Terminal Ready (DTR) pin signal on the UPS serial port connection.

For the preceding selections, the default UPS interface voltage setting is negative; it can be set to positive.

Checkbox: Execute Command File
- Select to: execute a command file just before shutdown.
- Parameters: any .com, .exe, .bat, or .cmd file; it has 30 seconds to complete its task.

Option: Expected battery life
- Adjusts: the time, in minutes, that the system can run on battery power.
- Range: 2-720 minutes. Default: 2 minutes.

Option: Battery recharge time per minute of runtime
- Adjusts: the amount of time needed to recharge the battery. This is the amount of time without protection.
- Range: 1-240 minutes. Default: 100 minutes.

Option: Time between power failure and initial warning message
- Range: 0-120 seconds. Default: 5 seconds.

Option: Delay between warning messages
- Range: 5-300 seconds. Default: 120 seconds.
- The PC Card program is also located in the Control Panel.
- Make sure you turn off the computer before physically adding or removing a PC Card.
- The correct driver is usually detected by Windows NT.
Control Panel Software Settings
- To change the startup and shutdown settings, select the "Startup/Shutdown" tab in the System Properties box. Two sections can be modified here:
  - System startup: select one of the startup options to be the default. You can also set the time the system waits for you to choose a startup option before it starts the default. Setting it to "0" bypasses the choice entirely.
  - Recovery: there are four options to choose from for when a STOP (fatal system error) occurs:
    - Write an event to the system log.
    - Send an administrative alert to the computers specified in the Alerts box of the Server program in Control Panel.
    - Write debugging information to a specified file (can be helpful for Microsoft support engineers).
    - Automatically reboot. Choose this only when "Write debugging information" is selected.
Configuring Virtual Memory (p105)
The Virtual Memory dialog box is accessed from the Performance tab via the Change button.
- On the Performance tab of the System Properties dialog box, click "Change" to configure the virtual memory. Here you can adjust the size of pagefile.sys.
- The minimum size of the page file is 2 MB.
- Paging file size:
  - NT Server: Default = physical memory. If you have less than 22 MB RAM, default = 22 MB or the available disk space, whichever is smaller.
  - NT Workstation: Default = RAM + 12 MB, or the available disk space, whichever is smaller.
- After a page file is created, it will not shrink below its initial size. When a Windows NT computer is restarted, the page file size is reset to the initial size. When you change the size of the page file, make sure to click the Set button so the change actually takes effect.
- You can enhance performance by creating additional paging files on multiple disks, and by not putting the paging file on the same disk as the winnt_root directory.
- In this tab you can also set the maximum size of the registry.
- Enhancing performance with the paging file:
  - Create a paging file on each disk.
  - Move the paging file away from the boot disk to avoid competition between the various read and write requests.
  - Set the INITIAL paging file size equal to the MAXIMUM size suggested by the system, to eliminate the time needed to enlarge it.
Setting Environment Variables (p107)
- The Environment tab of System Properties is used to set variables that Windows NT uses to control the behavior of various applications. There are two types of variables to edit here:
  - System environment variables:
    - Can be changed only by administrators.
    - Apply to the system as a whole and therefore to all users, e.g. the path to the Windows NT files.
  - User environment variables:
    - Can be modified by any user, and are different for each user.
    - Include user-defined and application-defined variables, such as the path to the application files.
How NT sets Environment Variables
Every time Windows NT boots, it searches Autoexec.bat for various variables, such as "Path", and adds them to the system variables.
Windows NT sets the environment variables in the following order:
- Autoexec.bat file. Windows NT can be prevented from searching it by modifying the following registry value: ParseAutoexec: REG_SZ = 0. You can also do this with the policy editor: under Local User click Windows NT System, and select the Parse Autoexec.bat check box.
- System environment variables.
- User environment variables (so these can override a statement in Autoexec.bat, such as the Temp directory).
Adding and Removing Windows NT Components
- Under Add/Remove Programs you can install or remove software. Windows NT components can be added or removed by clicking the Windows NT Setup tab and selecting the components you need, or clearing those you don't.
- The System Policy Editor is part of NT Server ONLY.
  - It allows more changes to the registry than the Control Panel.
  - It is available in the Administrative Tools folder to members of the Administrators group.
There are two modes to work in:
Registry Mode
- used to edit the registry of local or remote computers
- some changes take effect immediately; others require a reboot to take effect
Policy File Mode
- changes take effect when the user logs on and the policy file is downloaded from the server
Registry settings are organized into two hierarchies:
Local User
- used to control the environment of the user who is currently logged on
Local Computer
- used to configure the computer itself
Examples of policies:
- creating a warning logon banner
- disabling the display of the last logged-on user name
- You can start the Windows NT registry editor by entering regedt32.exe at the command line or in the Run box (located in the Start menu).
- A shortcut to the editor isn't found in any folder.
Regedit.exe vs. Regedt32.exe
You can also use the regedit.exe command, which launches the Windows 95 registry editor.
REGEDIT.EXE cons:
- NO Security menu
- No auditing
- NO read-only mode
- Does not support REG_EXPAND_SZ or REG_MULTI_SZ
- Regedit displays these data types as REG_SZ
REGEDIT.EXE pros:
- You can see all the keys in one window; Regedt32 displays each key in a separate window.
- Regedit.exe allows you to find keys, values, and data in the registry. Regedt32.exe only allows you to search keys and subkeys, but NOT value entries or actual data values.
- You can right-click to find, delete, rename or copy a key name.
Regedt32.exe commands and their functions:

Find key
- Searches only for keys, not values.
- The search begins at the currently selected key.
- The search is performed only on the subtree in which it was started.

Save key
- Saves part of the registry in a binary format.
- It saves the currently selected key and all its subkeys.
- This is used to test changes to the registry. In a sense, it's a backup.

Restore
- Loads the saved data into the currently selected key.
- Used together with Save Key.

Save Subtree As
- Saves the currently selected key and all its subkeys in a text file.
- Can be used to determine the date and time of key value modifications.

Select Computer
- Accesses the registry of remote computers.
- Remote access is restricted to the Administrators group on NT Server, but on NT Workstation anyone with a valid user account is allowed remote registry access.
- This can be altered by creating the following long key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg (type REG_DWORD, value 1).
- The permissions on this key define who can have remote access to the registry.
- By default, this key exists only on NT Server. On NT Workstation you need to add it.
NOTES:
SAM
Each NT computer contains a security accounts database known as the SAM. This keeps track of user and group permissions.
- NT Workstation computers: the SAM contains security information for the local computer ONLY.
- NT Server domain controllers: the SAM contains security information for the local computer AND the entire domain.
Registry Hives and their log files
- .log files provide stability in case of system failures.
Here's what happens: each registry update is recorded in the .log file and isn't considered complete until it is entirely finished, at which point the change is marked in the log. If the system fails halfway through, at reboot the information in the log file is used to ROLL BACK the transaction and restore the Registry to a stable state.
Recovering the Registry Using the Last Known Good Configuration
Much of the information necessary for Windows NT to start up is stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet subkey. If you, or a program on your system, make invalid changes to one of the value entries in this subkey, your system could fail to boot. Or, if it does boot, it could prevent you from logging on.
To help protect against these kinds of accidental problems, NT keeps copies of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002.
If your NT system fails during startup and you suspect it has something to do with a Registry change you just made or a device you just installed, you can tell NT to use the backup version of the control set by pressing the SPACE BAR during the boot process when NT displays the message "Press spacebar NOW to invoke Last Known Good Menu".
When you invoke this option, you lose any changes made to the Registry since the last time a user successfully logged on to the system.
Using the Registry Editor Remotely
One of the great strengths of the Registry Editor, and of Windows NT, is the capability to remotely access and edit the Registry database. From a Windows NT machine, you can use the Registry Editor (REGEDT32.EXE) to connect to a remote system running Windows NT.
In REGEDT32, choose the Registry | Select Computer menu option. This displays a browse window that lets you locate a remote computer.
In the browse box, select the computer whose Registry you want to view, or type the computer's name into the Computer field.
You are now connected to the remote computer's HKEY_LOCAL_MACHINE and HKEY_USERS root keys.
NOTE: Remember, the other root keys are simply links to other subkeys in either the HKEY_LOCAL_MACHINE or the HKEY_USERS root key.
When you are finished viewing or making changes to the remote computer's Registry, select the Registry | Close menu option to close the connection to the remote Windows NT system.
NOTE: When you connect to a remote NT system's Registry, you are granted the level of permission determined by your user account and the privileges granted to it on the remote system.
Securing and Auditing Information in the Registry
- Use Regedt32.exe for applying access permissions: Regedit.exe can't do this!
- Security for Registry keys and subkeys is supported REGARDLESS of the file system: FAT or NTFS.
- You can also AUDIT changes to certain subkeys; this can cause a LOT of entries in Event Viewer, though.
Backing Up and Restoring the Registry
The REPAIR DISK utility (RDISK.EXE) takes a "snapshot" of the state of the Registry and saves that file to a floppy disk (the EMERGENCY REPAIR DISK).
It saves:
- The accounts database (including passwords, security settings and groups)
- The configuration of your hard drive
- Hardware profile information
- Device driver configuration
- Network settings
- Computer identification:
  - name
  - workgroup or domain status