Registry structure

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Registry structure

The registry is organized in a hierarchical structure of subtrees and their keys, subkeys, and entries.

The contents of the registry for one computer may vary widely from that of another, depending on the devices, services, and programs installed on each computer.

Keys can have subkeys and subkeys can, in turn, have subkeys. While most information in the registry is stored on disk and is considered permanent, some information, stored in volatile keys, is overwritten each time the operating system starts.

Registry subtrees

Windows Server 2003 family operating systems have two registry subtrees: HKEY_LOCAL_MACHINE and HKEY_USERS. However, to make the information in the registry easier to find, the Registry Editor utilities display five subtrees, three of which are aliases of other parts of the registry. These five subtrees are listed and described in the following table.

Root key name Description


Contains information about the local computer system, including hardware and operating system data such as bus type, system memory, device drivers, and startup control data.


Contains information used by various OLE technologies and file-class association data. A particular key or value exists in HKEY_CLASSES_ROOT if a corresponding key or value exists in either HKEY_LOCAL_MACHINE\SOFTWARE\Classes or HKEY_CURRENT_USER\SOFTWARE\Classes. If a key or value exists in both places, the HKEY_CURRENT_USER version is the one that appears in HKEY_CLASSES_ROOT.


Contains the user profile for the user who is currently logged on interactively (as opposed to remotely), including environment variables, desktop settings, network connections, printers, and program preferences. This subtree is an alias of the HKEY_USERS subtree and points to HKEY_USERS\security ID of current user.


Contains information about actively loaded user profiles and the default profile. This includes information that also appears in HKEY_CURRENT_USER. Users who are accessing a server remotely do not have profiles under this key on the server; their profiles are loaded into the registry of their own computers.


Contains information about the hardware profile used by the local computer system at startup. This information is used to configure settings such as the device drivers to load and the display resolution to use. This subtree is part of the HKEY_LOCAL_MACHINE subtree and points to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

Each root key name begins with HKEY_ to indicate to software developers that this is a handle that a program can use. A handle is a value used to identify a resource so that a program can access it.


  • The behavior of HKEY_CLASSES_ROOT in Windows 2000 and Windows Server 2003 family operating systems is different from that of the same key in previous versions of Windows. In Windows 2000 and Windows Server 2003 family operating systems, a feature called per-user class registration provides a view of HKEY_CLASSES_ROOT that contains both user-specific class registrations and computer-specific class registration. With this feature, different users can have different sets of class registrations (including those for file associations, COM components, and MIME types). Previously, all users shared registrations, so that one user could alter registrations for other users. Per-user class registration isolates each user's registrations and allows the administrator to increase security on HKEY_LOCAL_MACHINE\Software\Classes.

Registry hives and files

The term hive describes a body of keys, subkeys, and values that is rooted at the top of the registry hierarchy. A hive is backed by a single file and a .log file that are in the systemroot\System32\Config or the systemdrive\Documents and Settings\username folders. The string systemroot is a placeholder for the directory name that contains the Windows Server 2003 family system files; the string systemdrive is a placeholder for the partition that contains the Windows Server 2003 family system files. For example, if the Windows Server 2003 family system files for a user named Annie are in a directory called Windows in the C: partition, the hive files are stored in the C:\Windows\System32\Config and C:\Documents and Settings\Annie folders. Hives may also be called registry files or registry log files.

By default, most hive files (DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM) are stored in the systemroot\System32\Config folder. In the Windows Server 2003 family of operating systems, the location of user profile information for each user of a computer, including the Ntuser.dat and Ntuser.dat.log, may depend on whether the installation of the operating system was a fresh installation or whether it was installed as an upgrade from Windows NT or Windows 2000. In fresh installations, the Ntuser.dat and Ntuser.dat.log files are stored in the systemdrive\Documents and Settings\username folder. In installations that are upgrades from Windows NT or Windows 2000, the Ntuser.dat and Ntuser.dat.log files are stored in the systemroot\Profiles\username folder.

Each hive in the Windows Server 2003 family registry is associated with a set of standard files. The following table shows the standard hives and files for a computer running an operating system in the Windows Server 2003 family.

Registry hive File names


Sam and Sam.log


Security and Security.log


Software and Software.log


System and System.log


System and System.log


Ntuser.dat and Ntuser.dat.log


Default and Default.log

Entries in the registry keys

Each registry key or subkey can contain data called entries. Some entries store information that is specific to each user, while others store information that applies to all users of a computer. An entry has three parts: the name of the value, the data type of the value, and the value itself. The three parts of entries always appear in the following order.

Structure of entry

Data types describe the format of the data. Data types from 0 through 0x7FFFFFFF are reserved for definition by the system. Programs are encouraged to use these data types, but data types from 0x80000000 through 0xFFFFFFFF are also reserved for use by programs.

The following table lists the data types currently defined and used by the system.

Data type Description


Raw binary data. Most hardware component information is stored as binary data and is displayed in Registry Editor in hexadecimal format.


Data represented by a number that is 4 bytes long. Many parameters for device drivers and services are this type and are displayed in Registry Editor in binary, hexadecimal, or decimal format.


A variable-length data string. This data type includes variables that are resolved when a program or service uses the data.


A multiple string. Values that contain lists or multiple values in a form that people can read are usually this type. Entries are separated by spaces, commas, or other marks.


A fixed-length text string.


A series of nested arrays designed to store a resource list for a hardware component or driver.


For more information about managing the registry, see "Windows Server 2003 Family Registry Reference" at the Microsoft Windows Resource Kits Web site.