Registry Hives
Windows API Reference - Winreg
Introduction
Registry hives are the fundamental building blocks of the Windows registry. They are a collection of registry keys, subkeys, and values that are stored in a single file on disk. Each hive represents a specific part of the system or user configuration. When the system starts, these hive files are loaded into memory and form the hierarchical structure of the registry.
Understanding registry hives is crucial for developers who need to interact with system or user settings, manage application configurations, or troubleshoot system behavior.
Major Registry Hives
The Windows registry is composed of several predefined root keys, each representing a major hive. These root keys are accessible from the application programming interface (API).
Root Key | Hive File Location (Typical) | Description |
---|---|---|
HKEY_CLASSES_ROOT (HKCR) | %SystemRoot%\System32\config\RegDoc.dat (Merges HKCU\Software\Classes) | Contains information about file associations, COM objects, OLE, and drag-and-drop operations. This hive is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes. |
HKEY_CURRENT_USER (HKCU) | %USERPROFILE%\NTUSER.DAT | Contains configuration settings for the currently logged-in user, including desktop appearance, user preferences, and application settings specific to that user. |
HKEY_LOCAL_MACHINE (HKLM) | %SystemRoot%\System32\config\SAM (Security Accounts Manager); %SystemRoot%\System32\config\SECURITY (Security); %SystemRoot%\System32\config\SOFTWARE (Software); %SystemRoot%\System32\config\SYSTEM (System) | Contains hardware, software, and operating system configuration settings that are common to all users of the computer. |
HKEY_USERS (HKU) | (Contains subkeys for each user profile, including default user and loaded user hives) | Contains the default user profile settings and the profiles for all users on the system. Each subkey under HKEY_USERS corresponds to a Security Identifier (SID) of a user. |
HKEY_CURRENT_CONFIG (HKCC) | (Dynamic, represents current hardware profile) | Contains information about the hardware profile currently being used by the local computer. This is typically a link to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current. |
Hive Loading and Unloading
The Windows registry uses a dynamic loading mechanism for hives. Certain hives, like user profiles, are loaded when a user logs in and unloaded when they log out. System-critical hives are loaded at boot time.
Developers can programmatically load and unload specific hives using functions like RegLoadKey and RegUnloadKey.
Note: Loading and unloading hives requires administrative privileges and should be performed with extreme caution. Incorrect manipulation can lead to system instability or data loss.
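A pre-load sanity check for a hive file, as an added example that is not part of the original page or the Windows API. It goes beyond the page by assuming the commonly documented on-disk hive header layout (`regf` signature, two sequence numbers, XOR-32 checksum at offset 508, `hbin` bins starting at offset 4096); the function names and the sample image are constructed for illustration.

```python
import struct

# Assumed layout (not described on this page): 4096-byte base block, then hive bins.
BASE_BLOCK = 4096      # size of the header block; hive bins follow it
CSUM_OFF = 508         # checksum covers the 508 bytes (127 dwords) before it

def xor32(block: bytes) -> int:
    """XOR of the first 127 little-endian dwords, with 0 and ~0 remapped."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:CSUM_OFF]):
        csum ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)

def check_hive(data: bytes) -> list[str]:
    """Return the problems found in a hive image; an empty list means it looks sane."""
    if len(data) < BASE_BLOCK:
        return ["shorter than one base block"]
    sig, seq1, seq2, _ts, _major, _minor, ftype = struct.unpack_from("<4sIIQIII", data, 0)
    if sig != b"regf":
        return ["bad signature: not a registry hive"]
    _root_cell, bins_size = struct.unpack_from("<II", data, 36)
    (stored,) = struct.unpack_from("<I", data, CSUM_OFF)
    problems = []
    if stored != xor32(data):
        problems.append("header checksum mismatch")
    if seq1 != seq2:   # a write was in progress when the file was last flushed
        problems.append("dirty hive: sequence numbers differ, log replay needed")
    if ftype != 0:
        problems.append("not a primary hive file")
    if len(data) < BASE_BLOCK + bins_size:
        problems.append("truncated: hive bins data shorter than header claims")
    elif bins_size and data[BASE_BLOCK:BASE_BLOCK + 4] != b"hbin":
        problems.append("first hive bin signature missing")
    return problems

def build_sample(seq1: int = 7, seq2: int = 7) -> bytes:
    """Constructed test image: valid base block plus one empty 4 KiB bin."""
    hdr = bytearray(BASE_BLOCK)
    struct.pack_into("<4sIIQIII", hdr, 0, b"regf", seq1, seq2, 0, 1, 5, 0)
    struct.pack_into("<III", hdr, 32, 1, 0x20, 4096)   # format, root cell, bins size
    struct.pack_into("<I", hdr, CSUM_OFF, xor32(bytes(hdr)))
    return bytes(hdr) + b"hbin" + bytes(4092)

if __name__ == "__main__":
    for name, img in [("clean", build_sample()), ("dirty", build_sample(7, 8)),
                      ("not a hive", b"MZ" + bytes(BASE_BLOCK))]:
        print(name, "->", check_hive(img) or "ok")
```

Run it against a copy of the hive file rather than the live file, which the system keeps locked while the hive is loaded.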
Related API Functions
The following Winreg API functions are relevant for working with registry hives:
- RegLoadKey
- RegUnloadKey
- RegOpenKeyEx (used to open handles to root keys)
- RegCreateKeyEx (used to create keys, which become part of hives)