Windows Registry & %SystemRoot%\System32\config
Understand how registry hives are structured, where they live on disk, and how to back them up or repair them safely.
Registry Architecture
The Windows Registry is a hierarchical database that stores configuration settings, driver information, security parameters, and application preferences. It is organised into hives, each of which maps to one or more files on disk. When Windows boots, the kernel loads these hive files into memory and exposes them under the five root keys (HKLM, HKCU, HKCR, HKU, HKCC).
Root Keys (Logical View)
- HKEY_LOCAL_MACHINE (HKLM): System-wide settings (hardware, services, SAM, SECURITY).
- HKEY_CURRENT_USER (HKCU): Current user profile (loaded from NTUSER.DAT).
- HKEY_CLASSES_ROOT (HKCR): File associations and COM class registrations (merged HKLM/HKCU).
- HKEY_USERS (HKU): All user profiles loaded on the machine.
- HKEY_CURRENT_CONFIG (HKCC): Hardware profile snapshot built at boot time.
Registry Building Blocks
- Keys: Containers analogous to folders.
- Values: Name/type/data pairs (REG_SZ, REG_DWORD, REG_BINARY, etc.).
- Hive Files: Backing files stored under `%SystemRoot%\System32\config` or under user profile folders.
- Transaction Logs: `.LOG` files support crash consistency by replaying pending changes.
%SystemRoot%\System32\config Hive Files
| Registry Hive | Primary File | Backup/Logs | Purpose |
|---|---|---|---|
| HKLM\SYSTEM | SYSTEM | SYSTEM.LOG1 / LOG2, RegBack\SYSTEM | Hardware configuration, services, driver control sets. |
| HKLM\SOFTWARE | SOFTWARE | SOFTWARE.LOG1 / LOG2, RegBack\SOFTWARE | OS and application settings for all users. |
| HKLM\SAM | SAM | SAM.LOG1 / LOG2, RegBack\SAM | Security Accounts Manager – local user and group database. |
| HKLM\SECURITY | SECURITY | SECURITY.LOG1 / LOG2, RegBack\SECURITY | Local security policy, LSA secrets, DPAPI master keys. |
| HKLM\COMPONENTS | COMPONENTS | COMPONENTS.LOG1 / LOG2 | Windows servicing (WinSxS) component store metadata. |
| HKLM\BCD00000000 | BCD | BCD.LOG1 / LOG2 | Boot Configuration Data (boot manager settings). |
| HKU\.DEFAULT | DEFAULT | DEFAULT.LOG1 / LOG2 | Template profile used when creating new local users. |
Do not edit hive files directly while Windows is running. Use supported tools (regedit, reg.exe, PowerShell) or work from Windows Recovery Environment / offline media for low-level fixes.
Per-User Registry Files
NTUSER.DAT
- Stored under `C:\Users\<username>\`.
- Loaded into HKU\<SID> and HKCU when the user signs in.
- Contains desktop preferences, mapped drives, application settings.
UsrClass.dat
- Stored under `C:\Users\<username>\AppData\Local\Microsoft\Windows`.
- Stores per-user COM registrations and shell configuration.
- Loaded into HKCU\Software\Classes.
Roaming profiles: NTUSER.DAT is synced with the profile server. Corruption or bloat in the hive affects logon performance.
Safe Editing & Backup Practices
Before You Edit
- Create a System Restore point or full backup.
- Export specific keys (`regedit.exe > File > Export`) before modifying them.
- Document the original value and the change control reference.
- Avoid editing in production without testing in a lab first.
Tools & Automation
- `reg.exe` and PowerShell cmdlets (`Get-ItemProperty`, `Set-ItemProperty`) for scripted changes.
- Group Policy Preferences for managed registry deployment.
- Use `reg load` to mount offline hives from System32\config.
- Clear transaction logs by running `esentutl /p` only as a last resort (offline).
Recovering from Registry Corruption
- Boot into Windows Recovery Environment (WinRE) or use a WinPE USB.
- Back up existing hives to a safe location (`copy SYSTEM SYSTEM.bak`).
- Restore from RegBack (`%SystemRoot%\System32\config\RegBack`) if backups exist in Windows 10 1803 or earlier.
- Use Shadow Copies, or `reg load` + `reg export`, to extract keys from Volume Shadow Copy snapshots.
- Manual hive replacement: copy working hive files from another system with an identical build (ensure SID differences are considered).
- When all fails: perform an in-place upgrade/repair install to regenerate registry defaults.
Warning: Replacing SAM, SECURITY, or SYSTEM hives resets local passwords and machine secrets. Document the impact on services, DPAPI-protected data, and domain trust relationships.
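As an added example (not part of the original page), the following PowerShell function implements the `reg load` / `reg export` / `reg unload` sequence referred to in Tools & Automation and in the recovery steps above: it mounts an offline hive copy (for instance one taken from a shadow copy or from WinRE) under a temporary key, exports one subkey to a .reg file for review, and unloads the hive even when the export fails. The mount name `OfflineHive`, the function name and all file paths are assumptions; an elevated session is required.

```powershell
# Added example: mount a hive file that is NOT currently loaded, export one
# subkey, and always unload the hive again. reg.exe is a built-in tool.
function Export-OfflineHiveKey {
    param(
        [Parameter(Mandatory)] [string] $HiveFile,   # e.g. D:\Shadow\Windows\System32\config\SYSTEM (placeholder)
        [Parameter(Mandatory)] [string] $SubKey,     # e.g. 'Select' or 'ControlSet001\Services\W32Time'
        [Parameter(Mandatory)] [string] $OutFile,    # destination .reg file
        [string] $MountName = 'OfflineHive'          # hypothetical temporary key name under HKLM
    )
    if (-not (Test-Path -LiteralPath $HiveFile)) { throw "Hive file not found: $HiveFile" }
    $mountKey = "HKLM\$MountName"

    # reg load refuses a hive that is already in use (e.g. the live SYSTEM hive);
    # that failure is the intended guard against touching a running system's hives.
    & reg.exe load $mountKey $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

    try {
        # /y overwrites an existing output file without prompting.
        & reg.exe export "$mountKey\$SubKey" $OutFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
        return Get-Item -LiteralPath $OutFile
    }
    finally {
        # If anything opened the mount point through the Registry provider, lingering
        # handles make the unload fail; a GC pass releases them before unloading.
        [GC]::Collect()
        & reg.exe unload $mountKey | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; hive still mounted at $mountKey" }
    }
}

# Example call (placeholder paths): pull the service configuration out of an
# offline SYSTEM hive copy so it can be reviewed before any hive is replaced.
# Export-OfflineHiveKey -HiveFile 'D:\Backup\config\SYSTEM' `
#                       -SubKey 'ControlSet001\Services' -OutFile 'C:\Temp\services.reg'
```

The exported .reg file can be diffed against an export from the live hive to see what a restore would change before any file in System32\config is replaced.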