The Microsoft Windows 98 Registry Revealed

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

By Brien M. Posey, MCSE for

When many people think of the Microsoft® Windows® registry, they have mental images of a deep, dark, secret lair that should be avoided at all costs. Some adventurous souls may make the occasional registry change, but only when absolutely necessary and with fear in their hearts. It's only a select few who bravely exploit the registry to the fullest without fear. Whether you view these people as the brightest minds that the computing community has to offer or as reckless computer kamikazes, chances are that you have at least some envy of their knowledge.

Fact is, the registry is large, complex, and dangerous. However, the upside is that like most things in the world of computers, the registry follows an organized structure. Therefore, if you understand the structure, as well as a few rules, you can edit the registry much more freely. In this article, I'll show you the organizational structure behind the registry, and teach you some techniques for editing it.

Before We Begin

Before we begin, it's important that I point out a few things. First, the techniques and structure that we'll cover in this article are intended only as guidelines. Almost every computer's registry is different. For example, every time you add hardware or software or change a Control Panel option, the registry changes. Although every registry is different, there are still elements that all registries have in common. It's those common factors that I'll be focusing on in this article.

However, even though I'm limiting the article to common registry elements, space doesn't permit me to discuss each common registry key. Doing so would produce a very large book. Rather, my goal is to provide you with enough understanding of the registry that you feel more comfortable making common alterations.

Also, as I said before, editing the registry is dangerous. If you make a mistake, you can destroy Microsoft Windows, and/or any other programs that you've loaded. Therefore, you should edit the registry only if you completely understand the total effect of your changes. I can't be held responsible for data loss or corruption.

Making a Backup

Because making a mistake while editing the registry can be catastrophic, it's important to make a backup before you begin. There are two basic ways to back up the registry.

The first method of backing up the registry involves using the Windows Backup program. The Full System Backup template that's included with the Windows Backup program includes instructions for backing up the registry.

However, the downside to using this method is that to restore a backup, Windows must be functional. Therefore, if you make a change to the registry that destroys Windows, you'll have to reinstall Windows so that you can use the Windows Backup program to restore your registry.

Another method of backing up the registry is to boot to MS-DOS mode and copy the files that make up the registry to a backup directory. If you use this method and make a registry change that renders Windows unusable, you can boot to MS-DOS mode and copy the backup files to their original location. It's important to point out, though, that to make a reliable backup, you must perform this operation in MS-DOS mode. Simply copying the files using Windows Explorer or an MS-DOS Prompt isn't sufficient, because the registry files may be open at the time that you back them up. The files to copy are the two hidden files that make up the registry, User.dat and System.dat, both located in the Microsoft Windows directory.

The Registry Editor

The primary tool for making manual registry changes is the Registry Editor. Because of the Registry Editor's destructive capability, Microsoft didn't create an icon for it within Windows. Therefore, you must either create your own icon or run the REGEDIT program from the Run prompt.

As you can see in Figure A, the Registry Editor looks similar to Windows Explorer. There are six primary registry keys beneath My Computer. Each of these primary keys has a plus sign beside it that you can click to expand the key, as shown in Figure B.


Figure A: The Registry Editor functions similarly to Windows Explorer.


Figure B: You can click any plus sign to expand its corresponding key.

Any time that you see a plus sign, you can further expand the registry. When you reach the deepest key in a given path, you can click on the key to see the key's values, as shown in Figure C.


Figure C: The lower level registry keys contain values.

Each value consists of a name and the value's data. Any time you need to make a change to an existing value, simply right-click it. Doing so brings up a shortcut menu that allows you to modify, rename, or delete a value. Renaming a value allows you to change only the name portion of the value, while modifying a value allows you to edit only the data portion.

To create a new key or value, navigate to the desired location and select the New command from the Edit menu. Creating a new key works exactly like creating a new folder under Windows Explorer. However, there are three different types of values that you can create: String, Binary, and DWORD.

Some of these value types' names are misleading. As you might have guessed, a string value can contain alphanumeric data. However, Binary values can actually contain hexadecimal numbers. DWORD values are also numeric. You can see an example of each type of value in Figure D.


Figure D: The Windows 98 registry contains three types of values.

There are two other features of the Registry Editor that deserve to be mentioned. First, the Registry Editor has the ability to edit a remote computer's registry via the Connect Network Registry command on the Registry menu.

The other feature that deserves to be mentioned is the Find and Find Next commands on the Edit menu. These commands allow you to locate specific keys and values throughout the registry. You can even search on a partial word or value. As you become more comfortable editing the registry, you'll use the Find feature a lot, because the registry tends to be very large and can potentially contain multiple instances of a given value.

The Registry Structure

The registry is composed of six basic keys. Each of these keys is responsible for controlling a different portion of Windows. In the sections that follow, I'll explain the function of each of these keys.


HKEY_CLASSES_ROOT

The HKEY_CLASSES_ROOT section of the registry contains registered file types and references to modules that plug into Windows. It also contains the security ID for various Windows modules.

For example, Windows Write registers the WRI file extension. In Figure E, you can see that the WRI extension appears in the registry and has a default value of WRIFILE.


Figure E: The WRI file extension points to a registry entry called WRIFILE.

You can then locate the WRIFILE entry, which is also located in the HKEY_CLASSES_ROOT section of the registry. As you can see in Figure F, there are multiple entries below the WRIFILE key. The class identification (CLSID) entry contains the security ID (SID) number associated with the program, as shown in Figure G. The DefaultIcon entry contains the actual location of the program's executable file, as shown in Figure H.


Figure F: The WRIFILE entry contains several subkeys.


Figure G: The CLSID subkey contains the program's security ID number.


Figure H: The DefaultIcon entry shows the location of the executable file.

As you can see in Figure I, the Shell subkey has subkeys beneath it for Open, Print, and Printto. Each of these subkeys has a command subkey beneath it. The command subkeys control the behavior of some of the corresponding program's context menu options. For example, in Figure I, you can see the actual command that corresponds to the Open option on Write's context menu.


Figure I: This command resides behind the Open option on Write's context menu.

If you open Windows Explorer and select the Options command from the View menu, you'll see the Options properties sheet. Click the File Types tab and select Write Document from the Registered File Types list. Next, click the Edit button. You'll then see a list containing the same commands found in the registry. If you select one of these commands and click Edit, you'll see the same command found in the registry's Command subkeys.

We mentioned that one of the subkeys was the CLSID key, which contains the program's SID (security ID) number. Any program's SID number also corresponds to another registry entry under HKEY_CLASSES_ROOT|CLSID. This entry tells Windows how to treat the program and also contains another reference to the program's physical location.


HKEY_CURRENT_USER

The HKEY_CURRENT_USER key, shown in Figure J, contains the options available to the user who is currently logged on. For example, this registry key holds the recently opened documents list and the keyboard layout settings. It also controls which Control Panel icons are visible to the current user.


Figure J: The HKEY_CURRENT_USER key controls user-specific Microsoft Windows options.


HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE controls aspects that relate specifically to the physical computer and the software loaded on it. One of the main sections under HKEY_LOCAL_MACHINE is the SOFTWARE section. The SOFTWARE subkey contains information about most software that's installed on your system. Keep in mind that only software designed for Windows 95 or later will create an entry in this section. Also, some simpler programs may not require registry entries. As you can see in Figure K, every program that does depend on registry entries has its own subkey below HKEY_LOCAL_MACHINE|SOFTWARE. Some software manufacturers such as Microsoft may rely on an additional subkey containing the name of the company. For example, software published by Microsoft places its registry keys under HKEY_LOCAL_MACHINE|SOFTWARE|MICROSOFT.


Figure K: HKEY_LOCAL_MACHINE|SOFTWARE contains references to most programs.

If you look deeper into the SOFTWARE|MICROSOFT subkey, you'll see that there's an entry for Windows. Windows stores registry entries directly related to the performance of the operating system under HKEY_LOCAL_MACHINE|SOFTWARE|MICROSOFT|MICROSOFT WINDOWS|CURRENTVERSION. Beneath this key, you can find data relating to everything from installed fonts to the behavior of Windows Explorer. You can see a sample of the type of information stored beneath the MICROSOFT WINDOWS|CURRENTVERSION subkey in Figure L.


Figure L: The HKEY_LOCAL_MACHINE|SOFTWARE|MICROSOFT|MICROSOFT WINDOWS|CURRENTVERSION registry key contains information about the behavior of Windows.

It's not uncommon for the registry to contain large numbers of subkeys for programs other than Microsoft Windows. Many programs such as Microsoft Office also contain lots of registry keys.

How often have you tried reinstalling a program that you were having trouble with, only to have it retain its original settings, thereby reproducing the problem? Perhaps you've even deleted the program files but still had the same results. When you reinstall a program that you've previously removed only to have it retain its original settings, it's usually because the program still has one or more entries under the HKEY_LOCAL_MACHINE|SOFTWARE section of the registry. You can usually delete the subkey relating to the software that you're trying to remove, and the problem will go away.

However, this isn't always the case. Some programs, such as Microsoft Office 97, embed hundreds of entries into the registry. These entries aren't always clearly marked. Fortunately, there's a method you can follow for removing such programs. To do so, try using the Find command to search for the program's path. For example, if you're searching for Microsoft Office, you might search for C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE. Make sure that you begin your search at My Computer.

When the search begins, you'll find entries under HKEY_CLASSES_ROOT that may resemble the entry shown in Figure M. In such a situation, although the path shows up under the DEFAULTICON key, the DEFAULTICON key is actually part of the Excel.Addin key. Therefore, you'd want to delete the Excel.Addin key, which in turn deletes the subkeys.


Figure M: The DEFAULTICON key is part of the Excel.Addin key.

Later in the search you'll find references to your search criteria under HKEY_CLASSES_ROOT|CLSID. The subkeys in this section of the registry use long numeric names that match some Windows internal SID numbers. Any references that you find to Microsoft Office in this section will be stored under a subkey of the key with the numeric name, as shown in Figure N. However, you should delete the key with the numeric name that contains the subkey.


Figure N: You'll find other references to Microsoft Office under HKEY_CLASSES_ROOT|CLSID.

As your search progresses, it becomes much more obvious what to do with some of the other keys. Just use the basic rule that you should always check the key above the one that you're looking at to see if it relates entirely to the program that you're trying to remove. Delete the highest level key that relates exclusively to that program, and all of the keys contained within it will be deleted automatically.

For most stubborn programs, this method will remove the program well enough to successfully reinstall the program. However, it's nearly impossible to completely remove all registry entries relating to a program, unless you know exactly what you're looking for. For example, Microsoft Office also creates registry entries relating to a file named MOS97.DLL. This file is contained under the Windows directory. Because it doesn't fall under the OFFICE directory and doesn't use a really obvious name, you probably wouldn't remove registry entries relating to this file, unless you knew of their existence. Fortunately, such entries are rarely the cause of problems related to reinstalling a program.
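The search-and-climb rule described above, applied offline to a registry export text file: this is an added example, not part of the original article. The sample export, the CONTAINERS list, and the "every path-like value points at the program" test for exclusivity are assumptions of this sketch; it parses string values only and reports candidates without changing anything.

```python
import re

# Constructed sample in REGEDIT4 export format; not taken from a real machine.
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\Excel.Addin]
@="Constructed add-in type"
[HKEY_CLASSES_ROOT\Excel.Addin\DefaultIcon]
@="C:\\PROGRAM FILES\\MICROSOFT OFFICE\\OFFICE\\EXCEL.EXE,3"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\LocalServer32]
@="C:\\PROGRAM FILES\\MICROSOFT OFFICE\\OFFICE\\EXCEL.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Shared]
"Viewer"="C:\\PROGRAM FILES\\MICROSOFT OFFICE\\OFFICE\\VIEWER.EXE"
"Editor"="C:\\WINDOWS\\NOTEPAD.EXE"
'''

# Containers that are never proposed for deletion (an assumption of this sketch).
CONTAINERS = {"HKEY_CLASSES_ROOT", "HKEY_CLASSES_ROOT\\CLSID",
              "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE\\SOFTWARE"}
# Matches @="data" or "name"="data"; Binary and DWORD lines are skipped.
VALUE = re.compile(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)       # export text doubles backslashes

def parse_reg(text):
    """Return {key_path: {value_name: data}} for string values in an export."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def exclusive(keys, root, needle):
    """True if every path-like value at or below root points into needle."""
    paths = [d for k, vals in keys.items() if k == root or k.startswith(root + "\\")
             for d in vals.values() if ":\\" in d]
    return bool(paths) and all(needle in d.upper() for d in paths)

def removal_candidates(text, program_path):
    """Report only: for each hit, the highest key exclusive to the program."""
    keys, needle, found = parse_reg(text), program_path.upper(), set()
    for key, vals in keys.items():
        for name in (n for n, d in vals.items() if needle in d.upper()):
            if not exclusive(keys, key, needle):   # key also serves other software
                found.add(("review value", key + " : " + name))
                continue
            top, parent = key, key.rpartition("\\")[0]
            while parent and parent not in CONTAINERS and exclusive(keys, parent, needle):
                top, parent = parent, parent.rpartition("\\")[0]
            found.add(("delete key", top))
    return sorted(found)
```

On the constructed sample, the DefaultIcon hit resolves to the Excel.Addin key and the CLSID hit to the key with the numeric name, while the shared key is flagged for manual review instead of deletion.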


HKEY_USERS

The HKEY_USERS key stores profiles for each user with an account that resides on the computer. When users log on, their settings are read from HKEY_USERS and copied to HKEY_CURRENT_USER. You can see an example of the HKEY_USERS key in Figure O.


Figure O: The HKEY_USERS key stores the profile for any user with an account on the computer.


HKEY_CURRENT_CONFIG

The main purpose of the HKEY_CURRENT_CONFIG key is to store video and printer settings. All of the aspects relating to how your video card is configured are stored under HKEY_CURRENT_CONFIG|DISPLAY|SETTINGS, as shown in Figure P.


Figure P: HKEY_CURRENT_CONFIG stores all of your computer's video card settings.

Likewise, you can find configuration information for all of your printers under HKEY_CURRENT_CONFIG|SYSTEM|CURRENTCONTROLSET|CONTROL|PRINT|PRINTERS, as shown in Figure Q.


Figure Q: The HKEY_CURRENT_CONFIG key contains configuration details for all your printers.


HKEY_DYN_DATA

The HKEY_DYN_DATA section tends to be a bit more complex than some of the other sections. It controls some of the operating system's low-level functions. For example, plug and play information and other device settings are stored under HKEY_DYN_DATA|CONFIG MANAGER|ENUM. You're probably better off not touching these keys and values, because they tend to be very cryptic, and if you don't know what you're doing, it would be very easy to make a mistake.

The final section of the registry is the HKEY_DYN_DATA|PERFSTATS section. Beneath this section are five subkeys. These subkeys are responsible for starting and stopping some of the internal Windows services on startup and shutdown. They are also responsible for collecting data related to the performance of the operating system. Much of the collected data is used in various self-tuning mechanisms of Windows.

What if Something Goes Wrong?

As we said earlier, you should always make a backup before attempting to edit the registry. However, in the real world, not everyone follows this practice. If you've made a change to the registry that has left Windows unbootable, you won't be able to access the Registry Editor to undo your changes. However, in some situations, you may still be able to correct your registry if you know exactly what changes you've made.

The first thing that you should do is to try booting Windows in Safe Mode. Many times, Windows will boot in Safe Mode when it won't boot in Normal Mode. This is because when you boot to Safe Mode, Windows loads a minimal driver set. Most of the critical registry keys are ignored in Safe Mode.

If Windows won't boot in Safe Mode, you have one last shot at fixing your registry. However, this last-ditch effort is a little messy, to say the least. The method involves booting to MS-DOS Mode and exporting your registry to a text file. Once the registry is in text mode, you must use a text editor that supports large files to edit the file. After you've made the necessary changes, you can import the changes back into the registry. Unfortunately, this text file tends to be very large. Therefore, the MS-DOS editor won't usually work because it has a file size limit. However, there are many MS-DOS-based text editors with unlimited file size capability available on the Internet. Although you can import and export the registry via the Registry Editor's Registry menu, this method only works when Windows is functional.


In this article, I've described how the Microsoft Windows 9x registry is organized. Along the way, I've shown you some basic techniques that you can use for solving common registry problems.

Brien M. Posey is an MCSE and a freelance technical writer. He also works as a network engineer for the Department of Defense. You can contact him via e-mail at (Because of the large volume of e-mail that he receives, it's impossible for him to respond to every message. However, he does read them all.)