Hives

HKEY_USERS and HKEY_LOCAL_MACHINE can be thought of as the only true root keys, since the Registry’s three other root keys are simply symbolic links, or mirrors, of different portions of these two. This means that these two branches are the only ones that actually need to be stored on your hard disk, and this is where hives come into play.

For every branch in HKEY_LOCAL_MACHINE, a corresponding hive file is stored in your \Windows\System32\config folder. For example, HKEY_LOCAL_MACHINE\Software is stored in a file called software (no filename extension). Since new branches can be added to HKEY_LOCAL_MACHINE, new hives can be generated at any time. Most systems will have the following hives: sam, security, software, and system.

Not all Registry data is stored on your hard disk, however. Some keys are dynamic, in that they are held only in memory, and are forgotten when you shut down. An example of a dynamic branch is HKEY_LOCAL_MACHINE\HARDWARE, which is built up each time Windows is started (an artifact of plug-and-play). Only non-dynamic branches are stored in hives, so you won’t see a hive called hardware.

The branches in HKEY_USERS, one for each configured user, are similarly stored in hives. The hive file for each user is called ntuser.dat, and is located in \Documents and Settings\{username}. For example, the hive for the Administrator user is stored in the file \Documents and Settings\Administrator\ntuser.dat.
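The mapping described above matters when a key named in an audit or detection rule has to be traced to the file that must be collected or protected. The following is an added example, not code from the book: `hive_file_for` is a hypothetical helper, the SID and the SID-to-username map are constructed sample input, and the link targets for HKEY_CLASSES_ROOT and HKEY_CURRENT_CONFIG are standard Windows behavior that this excerpt does not spell out.

```python
from typing import Dict, Optional

CONFIG_DIR = r"\Windows\System32\config"      # HKLM hives (from the text)
PROFILE_DIR = r"\Documents and Settings"      # per-user hives (from the text)
HKLM_HIVES = ("sam", "security", "software", "system")

ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS",
           "HKCU": "HKEY_CURRENT_USER", "HKCR": "HKEY_CLASSES_ROOT",
           "HKCC": "HKEY_CURRENT_CONFIG"}

# Root keys that mirror part of HKLM (targets are not given in the excerpt).
LINKS = {
    "HKEY_CLASSES_ROOT": r"HKEY_LOCAL_MACHINE\Software\Classes",
    "HKEY_CURRENT_CONFIG":
        r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current",
}

def hive_file_for(key: str, sid_to_user: Dict[str, str],
                  current_sid: Optional[str] = None) -> Optional[str]:
    """Return the on-disk hive file backing `key`, or None when the key is
    dynamic (memory only, e.g. HKLM\\HARDWARE) or cannot be resolved."""
    parts = [p for p in key.strip("\\").split("\\") if p]
    if not parts:
        return None
    root = ALIASES.get(parts[0].upper(), parts[0].upper())
    rest = parts[1:]
    if root == "HKEY_CURRENT_USER":
        # HKCU mirrors HKEY_USERS\<SID of the logged-on user>.
        if current_sid is None:
            return None
        root, rest = "HKEY_USERS", [current_sid] + rest
    elif root in LINKS:
        target = LINKS[root].split("\\")
        root, rest = target[0], target[1:] + rest
    if root == "HKEY_LOCAL_MACHINE" and rest:
        branch = rest[0].lower()
        # Only non-dynamic branches have a hive; HARDWARE falls through to None.
        return CONFIG_DIR + "\\" + branch if branch in HKLM_HIVES else None
    if root == "HKEY_USERS" and rest:
        users = {sid.upper(): name for sid, name in sid_to_user.items()}
        user = users.get(rest[0].upper())
        if user:
            return PROFILE_DIR + "\\" + user + "\\ntuser.dat"
    return None

if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-500"   # constructed SID
    print(hive_file_for(r"HKCU\Software\Example", {sid: "Administrator"}, sid))
```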

Knowing which files comprise the Registry is important ...
