The Registry is split into a number of logical sections, or "hives". These are generally known by the names of the definitions used to access them in the
Windows API, which all begin "HKEY" (an abbreviation for "Hive Key"); often, they are abbreviated to a three- or four-letter short name starting with "HK" (e.g. HKCU and HKLM).
Each of these keys is divided into subkeys, which may contain further subkeys, and so on. Any key may contain entries with various types of values. The values
of these entries can be:
- A constant (null-terminated, Unicode) string value
- An "expandable" string value that can contain environment variables
- A multi-string value, which is an array of strings
- Binary data (any arbitrary data)
- A DWORD value, a 32-bit unsigned integer (numbers between 0 and 4,294,967,295 [2^32 – 1]) (either big- or little-endian, or unspecified)
- A QWORD value, a 64-bit integer (either big- or little-endian, or unspecified)
- A hardware or resource descriptor
Registry keys are specified with a syntax similar to Windows' path names, using backslashes to indicate levels of hierarchy. E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
refers to the subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE key.
Values are not referenced via this syntax. Value names can contain backslashes, which would lead to ambiguities were they referred to this way. The Windows API functions that query and manipulate registry values take value names separately from the key path and/or handle that identifies the parent key.
The HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER nodes have a similar structure to each other; applications typically look up their settings by first checking for
them in "HKEY_CURRENT_USER\Software\Vendor's name\Application's name\Version\Setting name", and if the setting is not found looking instead in the same location under the
HKEY_LOCAL_MACHINE key. When writing settings back, the reverse approach is used: HKEY_LOCAL_MACHINE is written first, but if that cannot be written to (which is usually the case if the logged-in user
is not an administrator), the setting is stored in HKEY_CURRENT_USER instead.
HKEY_CLASSES_ROOT
Abbreviated HKCR, HKEY_CLASSES_ROOT stores information about registered applications, including associations from file extensions and OLE object class IDs to
the applications used to handle these items. On Windows 2000 and above, HKCR is a compilation of HKCU\Software\Classes and HKLM\Software\Classes. If a given value exists in both of the subkeys above, the
one in HKCU\Software\Classes is used.
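The merge rule above can be modelled offline to see which per-user values hide machine-wide ones, which is what a reviewer comparing the two Classes subtrees wants to know. This is an added example, not code from the original page; the snapshot format, the function name merged_hkcr and the sample data are assumptions constructed for illustration.

```python
# Added example: models the HKCR merge rule on constructed snapshots.
# A snapshot maps a key path (relative to Software\Classes) to a dict of
# {value name: data}. Value names are kept separate from key paths, as in
# the Windows API, because a value name may itself contain backslashes.

def _norm(name):
    # Registry key and value names compare case-insensitively.
    return name.lower()

def merged_hkcr(hkcu_classes, hklm_classes):
    """Return (view, shadowed).

    view:     {(key, value_name): (data, source)} as seen through HKCR
    shadowed: list of (key, value_name, hklm_data, hkcu_data) for every
              per-user value that hides a machine-wide one
    """
    view = {}
    for key, values in hklm_classes.items():
        for name, data in values.items():
            view[(_norm(key), _norm(name))] = (data, "HKLM")
    shadowed = []
    for key, values in hkcu_classes.items():
        for name, data in values.items():
            slot = (_norm(key), _norm(name))
            if slot in view:
                shadowed.append((key, name, view[slot][0], data))
            view[slot] = (data, "HKCU")  # HKCU\Software\Classes wins
    return view, shadowed

# Constructed sample data (not taken from a real system).
# The empty value name "" stands for a key's unnamed default value.
HKLM_CLASSES = {
    r".txt": {"": "txtfile"},
    r"txtfile\shell\open\command": {"": r"%SystemRoot%\system32\NOTEPAD.EXE %1"},
}
HKCU_CLASSES = {
    r".TXT": {"": "Example.Editor"},
    r"Example.Editor": {r"Path\With\Backslash": "value name containing backslashes"},
}

if __name__ == "__main__":
    view, shadowed = merged_hkcr(HKCU_CLASSES, HKLM_CLASSES)
    for key, name, machine, user in shadowed:
        label = name or "(Default)"
        print(f"{key} [{label}]: HKCU {user!r} overrides HKLM {machine!r}")
```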
HKEY_CURRENT_USER
Abbreviated HKCU, HKEY_CURRENT_USER stores settings that are specific to the currently logged-in user. The HKCU key is a link to the subkey of HKEY_USERS that
corresponds to the user; the same information is reflected in both locations.
HKEY_LOCAL_MACHINE
Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are general to all users on the computer. This key is found within the file %SystemRoot%\System32\Config\system
on NT-based versions of Windows. Information about system hardware is located under the SYSTEM key.
HKEY_USERS
Abbreviated HKU, HKEY_USERS contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user registered on the machine.
HKEY_CURRENT_CONFIG
Abbreviated HKCC, HKEY_CURRENT_CONFIG contains information gathered at runtime; information stored in this key is not permanently stored on disk, but rather
regenerated at boot time.
HKEY_PERFORMANCE_DATA
This key provides runtime access to performance data supplied by either the NT kernel itself or other programs that provide performance data. This key
is not displayed in the Registry Editor, but it is visible through the registry functions in the Windows API.