Wednesday, March 14, 2007

Windows Registry : Something you must know

Intro
What's this all about? The registry is a hierarchical database in which Windows and most Windows programs store their settings. Windows itself keeps much of its configuration there: file associations, hardware and driver settings, user preferences, the list of programs to run at startup, and so on. Because it decides what runs on the machine and what a user is allowed to do, it is also one of the first places malware modifies, which is why it pays to know your way around it.

The registry is divided into five root keys (the five top-level folders you see in Regedit):

HKEY_CLASSES_ROOT (HKCR): File associations and COM class registrations. It is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, not separate storage.
HKEY_CURRENT_USER (HKCU): Preferences of the user who is currently logged on. It is a link to that user's subkey under HKEY_USERS.
HKEY_LOCAL_MACHINE (HKLM): Machine-wide settings that apply to every user. Writing here normally requires administrator rights.
HKEY_USERS (HKU): The profiles of all currently loaded users, one subkey per user SID, plus .DEFAULT.
HKEY_CURRENT_CONFIG (HKCC): The hardware profile in use; a link into HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

Using the Registry

Regedit looks much like Windows Explorer: the left pane is a tree of keys (drawn as folders), and the right pane lists the contents of the selected key. A key can contain subkeys and values; each value has a name, a type (REG_SZ, REG_DWORD, REG_BINARY, ...) and data, and every key also has one unnamed value that Regedit shows as (Default).
To change a value, double-click it, or right-click it for a menu with Modify, Delete and Rename.
To open a key, double-click it in the right pane or expand it in the tree on the left. Regedit writes changes immediately and has no undo, so export the key (File > Export) before editing anything you are not sure about.

Important Registry Locations

Start Up

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
: Every value under this key is a command line that Windows runs when a user logs on, for all users of the machine. The per-user equivalent, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, does the same for the current user only, and any user can write there without administrator rights, so check both. The RunOnce keys next to them hold commands that run once and are then deleted. Check these locations periodically: adding a value here is one of the most common ways a virus arranges to be started again after a reboot, usually pointing at a file dropped in a temporary or profile folder.
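Checking these keys by hand gets tedious, so here is a PowerShell script added to this post as an example (it is not part of the original write-up). It goes a little beyond the key named above: it reads the Run and RunOnce keys for both the machine and the current user (plus the WOW6432Node copy used by 32-bit programs on 64-bit Windows), works out which executable each command line points at, and flags entries whose file is missing, lives in a user-writable folder, or carries no valid Authenticode signature. The function names are my own, and it assumes Windows PowerShell 5.1 or later with read access to the keys.

```powershell
# Added example: list autostart entries from the Run/RunOnce keys of the
# machine and of the current user, and flag the ones worth a closer look.
# Assumptions: Windows PowerShell 5.1 or later; read access to the keys.
# All function names here are my own, not part of any Microsoft tool.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit apps on 64-bit Windows
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders any ordinary user can write to. A program that starts at logon
# from one of these was more likely dropped by the user (or by malware
# running as the user) than installed by an administrator.
$userWritable = @(@(
    [Environment]::GetFolderPath('LocalApplicationData'),
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('UserProfile'),
    $env:TEMP,
    "$env:SystemDrive\Users\Public"
) | Where-Object { $_ })

# Properties Get-ItemProperty adds that are not registry values
$providerMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath {
    param([string]$CommandLine)
    # A Run value is a full command line. The program is the quoted first
    # token, or everything up to the first space when unquoted.
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end  = $cmd.IndexOf('"', 1)
        $path = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        $path = ($cmd -split '\s+')[0]
    }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    # A bare name such as ctfmon.exe is found through PATH, not the current dir
    if ($path -and $path -notmatch '[\\/]') {
        $resolved = Get-Command $path -ErrorAction SilentlyContinue
        if ($resolved) { $path = $resolved.Path }
    }
    return $path
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerMeta -contains $p.Name) { continue }
            $exe   = Get-ExecutablePath ([string]$p.Value)
            $flags = @()
            if ([string]::IsNullOrWhiteSpace($exe)) {
                $flags += 'empty-command'
            } elseif (-not (Test-Path -LiteralPath $exe)) {
                $flags += 'missing-file'      # points nowhere: leftover, or malware that moved
            } else {
                foreach ($dir in $userWritable) {
                    if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                        $flags += 'user-writable-dir'
                        break
                    }
                }
                # Catalog-signed system files can report NotSigned on older
                # Windows versions, so treat this flag as a prompt to look,
                # not as a verdict.
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
            }
            [PSCustomObject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Executable = $exe
                Flags      = ($flags -join ', ')
            }
        }
    }
}

# Flagged entries first; an empty Flags column means nothing obviously wrong
Get-AutostartEntries | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize
```

Run it from a normal prompt to see the current user's entries and an elevated one to be sure the HKLM keys are fully readable. A flag is a reason to look at the file, not proof of infection: legitimate updaters and chat clients often install into %LOCALAPPDATA% and some are unsigned, so compare against what you know is installed before deleting anything.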

Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Stores the locations of the shell folders shared by all users (Common Desktop, Common Documents, Common Start Menu, Common Startup, ...). The per-user folders such as My Documents, My Music and My Pictures live under the same path in HKEY_CURRENT_USER. Watch the Startup entries in particular: every file placed in the folder they point to is launched at logon, so a changed path here is another way to get code to run automatically.

System Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
: Values in this key are Group Policy style restrictions on what the user may run. If DisableRegistryTools or DisableTaskMgr is set to 1 (REG_DWORD), regedit.exe or taskmgr.exe refuses to start and tells you it has been disabled by your administrator. The same values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System apply to every user. Some viruses set these so that you can neither end their process from Task Manager nor remove their Run entry with Regedit. Two things help when that happens: DisableRegistryTools only blocks regedit.exe, so reg.exe and the PowerShell registry provider still work and can delete the value, and the HKCU copy sits in the user's own hive, so no administrator rights are needed to clear it (though if a domain Group Policy set it, it will come back at the next policy refresh).
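As an added example (not part of the original post), the following PowerShell function reports those two lockout values in both the per-user and the machine-wide Policies\System key and, when run with -Repair, removes them. It relies on the fact that the PowerShell registry provider is not affected by DisableRegistryTools. The function name Test-ToolLockout is my own; the script assumes Windows PowerShell 5.1 or later, and clearing the HKLM copy needs an elevated prompt.

```powershell
# Added example: find DisableRegistryTools / DisableTaskMgr lockouts and,
# on request, remove them. The PowerShell registry provider is used because
# DisableRegistryTools only stops regedit.exe, not other tools.
# Assumptions: Windows PowerShell 5.1 or later; HKLM changes need elevation;
# a domain GPO that sets these values will re-apply them at the next refresh.
# Test-ToolLockout is my own function name, not a built-in cmdlet.

function Test-ToolLockout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Repair      # without this the function only reports
    )

    $policyKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    $lockoutValues = 'DisableRegistryTools', 'DisableTaskMgr'

    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }   # key absent: no policy set here
        $props = Get-ItemProperty -Path $key
        foreach ($name in $lockoutValues) {
            $data = $props.$name
            if ($null -eq $data) { continue }     # value absent: tool not restricted
            $locked = ($data -ne 0)               # any non-zero value disables the tool

            # Emit the state as found, before any repair
            [PSCustomObject]@{
                Key    = $key
                Value  = $name
                Data   = $data
                Locked = $locked
            }

            if ($locked -and $Repair -and
                $PSCmdlet.ShouldProcess("$key\$name", 'Remove lockout value')) {
                # Deleting the value restores the default (tool allowed).
                # Setting it to 0 also works but leaves something that looks
                # like deliberate policy; removal is cleaner.
                Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop
            }
        }
    }
}

# Report only:
Test-ToolLockout | Format-Table -AutoSize

# Dry run of the repair, then the real thing (HKLM needs an elevated prompt):
# Test-ToolLockout -Repair -WhatIf
# Test-ToolLockout -Repair
```

Because the function supports -WhatIf, you can see exactly which values would be deleted before touching anything. If a value you removed reappears on its own, look for whatever put it there: either a Group Policy object or a still-running process, which is where the Run keys described earlier come in.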