A hacker's guide to the Windows Registry


The Windows Registry is a bit like the engine in your car. You know it's there, and broadly speaking you know what it does. But few of us fully understand its inner workings, and even when things go wrong, we'd probably be hesitant to dive in and start trying to make fixes and adjustments.

There's no need to be intimidated, though. The Registry is fundamentally quite a simple thing, and while some of its contents are best left untouched, there are plenty of useful tweaks and adjustments you can make as long as you have a little knowledge of what you're doing.

What is the Registry?

The Registry has been part of Windows since 1992, when it made its debut in Windows 3.1. Simply put, it's an internal database storing settings for Windows and applications. Some of those settings are very technical, and aren't intended for humans to edit, or indeed understand; others are quite straightforward, and can be safely tweaked.

On disk, the Registry is made up of several different files, dotted around different locations. These are known as "hives" (supposedly an insider joke, to do with the developer's aversion to bees). Four of these hives live in C:\Windows\System32\config, under the names SAM, SECURITY, SOFTWARE and SYSTEM. These contain machine-wide settings.

Create a new Registry value by right-clicking in an empty area of the right-hand pane

Additionally, for every registered Windows user, there's a hive file called NTUSER.DAT that contains information about their identity, personal settings and so forth. You'll find your own copy sitting in your user folder, although you'll have to enable "Hidden items" in Windows Explorer to see it.

While it may be useful to know the locations of these hives, once you open the Registry Editor, you'll see that the database is internally structured as a virtual tree that doesn't directly correspond to the arrangement of the on-disk hives. From here on, we'll focus on that tree structure, since that's how Registry locations are normally described; but if, in the future, you come across a reference to the hive files themselves, you'll know what they are.

How is the Registry structured?

At its highest level, the Registry is split into five sections:

HKEY_CLASSES_ROOT: Contains technical information that enables applications to exchange information with one another

HKEY_CURRENT_USER: Contains personal settings for the currently logged-in user

HKEY_LOCAL_MACHINE: Contains system-wide settings that apply regardless of who's logged in

HKEY_USERS: Stores the personal settings of all registered users, including special system accounts that are used for administrative tasks

HKEY_CURRENT_CONFIG: Contains information about which hardware and drivers are installed and running at the moment

Unhelpfully, these sections are also often referred to as hives, although they don't perfectly correspond to the hive files on your hard disk. Since their names are a bit of a mouthful, they're commonly abbreviated to HKCR, HKCU, HKLM, HKU and HKCC.

As we've mentioned, the Registry has a tree structure. If you launch the Registry Editor and click on the arrow next to HKEY_CURRENT_USER (or double-click on its name), you'll see about a dozen items (Registry keys) appear below it, mostly with meaningful names such as Network, Printers, Software and so on. Some of these keys will themselves have arrows, indicating that you can open them up to reveal further nested keys.

You'll notice that the structure of the Registry looks a lot like a familiar tree of folders and files, and nested keys are addressed in a similar way, using backslashes to indicate their paths. What's more, while Registry keys can contain subkeys, they can also store values: for example, click once on HKCU\Console and you will see a big long list of values appear in the right-hand pane.

You might like to think of these values as analogous to data files inside a folder; in this case, each "file" contains data specifying something about the appearance and behaviour of a command prompt window.

Why might I want to edit the Registry directly?

The Registry isn't really designed for users to tinker with. When the likes of you and me want to configure our Windows settings, we're expected to use the friendly graphical interfaces built into Windows, such as the PC Settings app or the Device Manager. These bits of software then access and update the Registry behind the scenes.

However, using the Registry Editor, you can access options that aren't available via the user-friendly apps: for example, as you'll see below, you can customise context menus, and modify which icons appear in Explorer.

By tweaking the Registry you can add a time-saving "Take Ownership" option to the Explorer context menu

Sometimes these options have been hidden away because they're too complex to bother users with. Sometimes they're just waiting for Microsoft to implement a front-end: in the original release of Windows 10, you had to edit the Registry to activate "Dark Mode", to disable Aero Snap or to make the Recycle Bin appear in This PC, but now these options are all available in the PC Settings app.

Inside the Registry, the settings themselves are stored in a few different formats. The most common is the DWORD (a "double word", which is jargon for a 32-bit number), but the Registry can also store binary data, text strings and various other types of data. If you look in the right-hand pane of the Registry Editor, you'll see the "Type" column shows what sort of data each value is.

The most common data type in the Registry is DWORD, or "double word", which is Microsoft jargon for a 32-bit number

Strings are abbreviated as "SZ", short for String-Zero, because the text is terminated with a zero-value byte. You can edit these values in the Registry Editor, by double-clicking on the name of one and typing in new data.

You can also create new keys and values from the context menu that appears when you right-click on an existing key (or anywhere in the right-hand pane). If you're creating a new value, make sure you set the correct data type, or Windows is likely to ignore it; if you're editing a value within a Registry key, you won't be allowed to enter a value that isn't of the right type.

Is it safe to edit the Registry?

There are keys and values in the Registry that could, if deleted, cause applications to stop working properly, or prevent Windows from booting. However, if you're browsing around HKCU and HKLM, you'll see a lot of values with fairly self-explanatory names, and to be honest if you want to experiment with changing them, the danger is minimal.

We have a few caveats, though. First, some changes will only take effect when you restart Explorer, or sign out, or restart Windows completely. So even if a change doesn't immediately appear to do anything, it could reveal its effect later on.

Second, if you do make a silly mistake, there's no easy way to undo Registry edits. Before you delete or edit a value, it's a good idea to back it up by right-clicking on the key in the Registry Editor and selecting Export. This will save a backup file (with a REG extension) containing all the data within that key; if you repent of your changes, you can just double-click on the REG file to import the old settings. To back up the entire Registry, click on Computer at the top of the tree and select Export.
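An added example (not from the original article): a small Python parser that lists what a REG file would set or delete before you double-click it to import, decoding the DWORD, string and binary types described earlier. The sample file contents and the function names `decode` and `planned_changes` are constructed for illustration.

```python
import re

# Constructed sample export; key and value names are illustrative, not from the article.
# Real exports from Registry Editor are UTF-16 text: open(path, encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Console]
"FaceName"="Consolas"
"FontSize"=dword:00100000
"ExamplePath"=hex(2):25,00,54,00,45,00,4d,00,\
  50,00,25,00,00,00
"ExampleBlob"=hex:01,02,ff
"OldSetting"=-

[-HKEY_CURRENT_USER\Software\ExampleVendor]
'''

HEX_TYPES = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ", "b": "REG_QWORD"}

def decode(raw):
    """Map the data part of a value line to (type name, Python value)."""
    if raw.startswith('"'):  # REG_SZ, with \\ and \" escapes undone
        return "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)  # 32-bit number, written as hex
    m = re.fullmatch(r"hex(?:\((\w+)\))?:(.*)", raw)
    if not m:
        raise ValueError(f"unrecognised value data: {raw!r}")
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if m.group(1) == "2":  # expandable string: UTF-16LE text, zero-terminated
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\0")
    return HEX_TYPES.get(m.group(1), f"type 0x{m.group(1)}"), data

def planned_changes(text):
    """Return (action, key, value name, type, data) for each change an import would make."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join continued hex lines
    changes, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[-") and line.endswith("]"):  # whole key is deleted
            changes.append(("delete-key", line[2:-1], None, None, None))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)):
            name = "(Default)" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
            kind, data = (None, None) if m.group(2) == "-" else decode(m.group(2))
            changes.append(("set" if kind else "delete-value", key, name, kind, data))
    return changes
```

Lines of the form `"name"=-` and `[-key]` are deletions, so a REG file is not only a restore of old values; listing the planned changes first shows exactly which keys an import will touch.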

If you mess up the settings in HKCU, you can also go and look in HKU\.DEFAULT; this contains many default settings that are applied for new users, so you may be able to copy values from here to restore your own account to default behaviour.

Is it safe to use Registry-tweaking tools?

There are many freely downloadable, third-party apps out there that offer an easy way to apply Registry hacks, and customise Windows in other ways. If you're nervous about getting hands-on with the Registry then such a tool might suit you nicely. However, these programs have to contend with the fact that Windows is a moving target, and tricks that work in one version might not work in the next.

The hacks we recommend below have all been tested on the latest edition of Windows 10, and most will work on older releases, too. Be more sceptical of tools that claim to find and fix Registry errors. These apps usually focus on removing references to applications and resources that have been deleted. They won't do you any harm, but it's unlikely that they'll fix any serious problems, and they almost certainly won't be able to help you out if you have manually changed a setting you shouldn't have.

It's a similar story with Registry compacting tools. It's true that the Registry takes up space on your hard disk, and parts of it are cached in RAM, so clearing out superfluous data will give you more free disk space, and more available memory. However, by modern standards the hive files are very modestly sized (typically less than 200MB on a single-user system), so compacting them is unlikely to make a noticeable difference.

Darien Graham-Smith
