Hives

You can think of HKEY_USERS and HKEY_LOCAL_MACHINE as the only true root keys, because the Registry’s three other root keys are simply symbolic links, or mirrors, of different portions of these two. This means that these two branches are the only ones that actually need to be stored on your hard disk, and this is where hives come into play.

For every branch in HKEY_LOCAL_MACHINE, a corresponding hive file is stored in your \Windows\System32\config folder. For example, HKEY_LOCAL_MACHINE\Software is stored in a file called software (no filename extension). Because new branches can be added to HKEY_LOCAL_MACHINE, new hives can be generated at any time. Most systems will have the following hives: sam, security, software, components, and system.

Not all Registry data is stored on your hard disk, however. Some keys are dynamic, in that they are held only in memory and are forgotten when you shut down. An example of a dynamic branch is HKEY_LOCAL_MACHINE\HARDWARE, which is built up each time Windows is started (an artifact of Plug and Play). Only nondynamic branches are stored in hives, so you won’t see a hive called hardware.

The branches in HKEY_USERS, one for each configured user, are similarly stored in hives. The hive file for each user is called ntuser.dat, and it is located in \Users\username.
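The branch-to-file mapping described above can be read from a running system. The following is an added example, not code from the book: it assumes the standard `hivelist` key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which this section does not mention, and lists every loaded branch with its backing hive file, marking branches that have no file as dynamic.

```powershell
# Added example: map each loaded Registry branch to the hive file behind it.
# Assumption: the hivelist key, where each value name is a branch in NT form
# (\REGISTRY\MACHINE\... or \REGISTRY\USER\...) and the data is the hive path.
$hiveList = 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
$key = Get-Item -LiteralPath $hiveList

$rows = foreach ($name in $key.GetValueNames()) {
    $file = [string]$key.GetValue($name)

    # Classify by the two locations the text names; anything else is 'other'.
    if ([string]::IsNullOrEmpty($file)) {
        $where = 'memory only (dynamic)'
    } elseif ($file -match '\\System32\\config\\[^\\]+$') {
        $where = 'System32\config'
    } elseif ($file -match '\\Users\\[^\\]+\\ntuser\.dat$') {
        $where = 'user profile'
    } else {
        $where = 'other'
    }

    # Rewrite the NT-style branch name to the root key names used in the text.
    $branch = $name -replace '^\\REGISTRY\\MACHINE', 'HKEY_LOCAL_MACHINE' `
                    -replace '^\\REGISTRY\\USER', 'HKEY_USERS'

    [pscustomobject]@{
        Branch   = $branch
        Location = $where
        HiveFile = $file
    }
}

$rows | Sort-Object Location, Branch | Format-Table -AutoSize -Wrap
```

The HiveFile column shows NT device paths (for example `\Device\HarddiskVolumeN\...`) rather than drive letters, and rows classified as `other` are hives stored outside the two folders this section describes.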

Knowing which files comprise the Registry is important only for backup and emergency recovery procedures (see “Backing Up the Registry,” next) and for troubleshooting (and so that you ...
