What is the Registry? The 95 Registry has been made out to be a phenomenal mystery--probably due to the CLSID keys alone--and as such has
inspired a number of books (by Que, O'Reilly, even Microsoft at last...), FAQs, Web-Sites...you name it. Quite simply, the Registry is one huge (and I
mean huge; after installing Visual C++ and MS Outlook, my system.dat is 2.2 MB) configuration database, storing information such as where certain dll's are
found, what programs are associated with which extensions, what are the most recent network connections made/URL's visited, what position was an application window
in when the user last exited the program, what color is the desktop, what driver is used for the modem, what shows up on the right-clisk menu....all sorts of things.
In fact, it is often more suprising to find what isn't recorded in the Registry that to find what is. The Registry is contained in two files in the Windows
directory (in NT they are called "hives"): system.dat and user.dat, with backup copies system.da0 and user.da0. The Registry database is accessed with regedit.exe (in
the Windows directory), or with shareware utilities such as grep_reg or RegSearch&Replace, and consists of six keys: HKEY_LOCAL_MACHINE (all of the settings for the machine,
such as software location and drivers), HKEY_CURRENT_CONFIG (a subset of HKEY_LM that details the current configuration), HKEY_USERS (all of the settings for the users of
the machine, such as favorite application settings and URL history), HKEY_CURRENT_USER (a subset of HKEY_USERS that details out the profile of the current user), HKEY_CLASSES_ROOT
(a subset of HKEY_LM\SOFTWARE that lists all of the software "classes" and extensions), and HKEY_DYNAMIC_DATA (dynamic information regarding the PC that is built at startup and
is good only until shutdown). Registry keys can be exported to .REG files which may then be modified in Notepad and double-clicked to have their contents be appended to the Registry--note that this provides a fantastic way to implement Registry patches on a large number of computers (LAN), or to keep your customizations on floppy so that they follow wherever you go. The Microsoft documentation warns you to NOT mess with the Registry as it may render your machine unusable...that is, unless you know DOS and can go in
via the command line, then replace the Registry files either with backups or with someone else's Registry files (yes, this works, though you have to do a hardware-detect and a lot
of your software settings will be toast...). Fortunately most of us ignore Microsoft's documentation as it never really tells you anything anyway.....
windows 95 registry
Indispensable Tools:
Install-Watch is fantastic utility for uncovering just what is happening to your hard drive
under the veil of an "Install Wizard". Install-Watch allows you to monitor all of the system files and directories for additions, changes,
and deletions (all of which are recorded in a log), as well specific registry keys and directories of your choosing. In addition,
this program comes with an Uninstall feature that is quite frankly the only one that WORKS. The 95 Registry Monitor is a must-have tool for those who want to delve deep into the "mystery" of the 95 registry; it monitors Registry calls in the background while other
applications are running (like Filemon for the registry....).
In the Windows GUI, everything--every file, every directory, every applet, every link, every drive--is treated as an object; every object has certain properties associated with it. The HKCR key contains the list of object types and their properties. The main functions configured by HKCR are: 1) Associating a file extension with an object type, 2) Associating an icon with a object type, 3) Associating a series of command-line actions with an object type, 4) Defining Context Menu options for an object type, and 5) Defining Property Sheet options for each object type. In Windows 95, the Context Menu is the menu that pops up when you right-click an object; the Property Sheet is the dialogue box that opens when you select the Properties... option for an object.
What does this mean? It means that by changing the settings in HKCR you can change the default association for a given file extension, change the default icon for a file type, and add or remove items from the Context Menu of a given object type (or all object types). HKCR contains three basic types of subkeys: the \??? or file extension subkey, the \object type subkey, and the \CLSID subkey. The file extension subkey links file extensions to object types and provides control over the Context Menu, Property Sheet, and Action association. The object type subkey defines an object type in terms of its default icon, its Context Menu and Property Sheet, its action associations and its CLSID links. The CLSID subkey provides OLE and DDE information for object types and may have icon, Context Menu, or Property Sheet information contained in its subkeys.
A note on subkeys: Apparently documentation on the Registry was so scarce in the early days of '95 that most programmers were making up Registry fixes as they went along. As a result, there is some overlap within the HKCR subkeys, such that a subkey such as \shell can be found under a \.??? key, an object type key, or a CLSID key. The typical "code" keys (being keys that do not identify an object type or name but that actually describe the properties of an object), if you will, are usually 1) shell, 2) shellex, 3) ShellNew, and 4) DefaultIcon. Shell keys have an "action" subkey, such as "open", which in turn has a command subkey; the command subkey has a Default string value that contains the command line for the program to be run. Placing an "open" subkey in an object type's shell subkey will put an "open" option on the Context Menu for that object type, and giving the open subkey a command key with the default string value "C:\Windows \Notepad.exe %1" will cause Notepad to be the default application used to open that object type. Other action options include View, Print, Copy, Virus Scan, etc.. Shellex keys have a subkey for ContextMenuHandlers and/or PropertySheetHandlers. Each of these contains subkeys that point to CLSID entries to perform OLE and DDE functions fo that object type (an example being Quickview, a ContextMenuHandler subkey under * that points to a CLSID key with a string value that lists the .dll file containing the file-viewing function). ShellNew contains a "command" string value that contains the command line for opening a "new" instance of that object type (for example, new .txt file would have a "command" value of "C:\Windows \Notepad.exe"). DefaultIcon subkeys contain a "Default" string value that contains a command line pointing to the icon (for example, "C:\Windows \System \shell32.dll,2" where 2 is the third icon--count starts at 0, remember-- in the shell32.dll).
HKCR\file extension The following subkeys will demonstrate the modifications that can be made in HKCR: *, .386, .dll, .exe, .zip
HKCR\object type The use of this key can be illustrated by the following selection of subkeys: Allfile, drive, exefile, file, fndfile, folder,, mailto, regfile, unknown
HKCR\CLSID This is probably the most disconcerting key to look at. Each CLSID number must be unique--in fact, Microsoft has produced a CLSID-generation program just for this purpose--and as a result you tend to get strings of 32-digit hex numbers. For the most part these keys are of no interest unless you are programming or reverse engineering; they contain memory management models, client-server configurations, and links to .dll's for OLE handling.
Here are some sample .REG files for Context-Menu actions:
This key contains the settings for the current user drawn from that user's profile in the HKU key at startup. For the most part, HKCU contains all of the information about the system that HKLM does not; for example, software settings and user preferences. Probably the most interesting subkey is \Software; most everything else can be set through the Control Panel.
\AppEvents This key contains the sounds that are linked to application or OS events, as set in "Sounds" in the Control Panel. EventLabels contains subkeys that provide the names of the events, Schemes\Apps provides the paths to the .wav files, and Schemes\Names provides the names for the sound schemes.
\Control Panel This contains more options that are configured via the Control panel, notably Accessibility (wheelchair options as set in the Accessibility Property Sheet with the following subkeys: HighContrast, KeyboardResponse, MouseKeys, SerialKeys, ShowSounds, SoundSentry, Stickykeys, TimeOut, ToggleKeys), Appearance (color scheme set in the Appearance tab of the Display Properties Sheet along with definitions for all schemes), Colors (current color scheme as set in Appearance, given in hex RGB values for each window, border, button, etc), Cursors (scheme definitions), Desktop (Misc settings such as wallpaper, drag option, icon size, and background pattern), International (string value: Locale), and Sound (string value: Beep).
\Install LocationsMRU M.R.U. is Microspeak for Most-Recently-Used; in this case it refers to the M-R-U install locations....here you find a list of directories where software was installed via the InstallWizard (bigbrotherbigbrother). Very useful to scan if you are a software vendor and want to delete the competition's software from your users' hard drives.
\keyboard layout This key defines your....wait for it....keyborad layout. Yes, the Reigstry isn't always as mysterious as Microsoft makes out. The preload subkey defines you key configuration according to some obscure numbering system.
\Network The Network subkey lists your past network connections in two subkeys: Persistent (the drives and devices you have mapped to with the "reconnect at logon" option checked, organized by subkeys labelled with the drive letter or device name, each containing your network client--i.e. Client For Microsoft Networks--your user ID, and the full network path to the driver or device) and Recent (the last 20 or so network connections you have made without the "reconnect at logon" option checked, organized in subkeys named with the full network path of the connection, and contain the same info as the Persistent subkeys). The Persistent connections are all connected and given "My Computer" icons at startup; the Recent connections appear in the drop-down list box for "Path" when you map a network drive.
\RemoteAccess This key contains the scripts for Dialup Networking. It consists of two subkeys: Addresses, whihc contains a binary key for each connection, and Profile, which contains a subkey for each connection with values for IP addresses, vendor-supplied scripts, domain names and user ids..
\Software All of the sub-keys under this key represent software installed on your computer, listed by vendor name (note that some of the same vendors will have keys under HKLM, but the contents of the key will differ). The software settings contained in these keys will be user-specific (hence the HKCU placement), such as user preferences, location of log files, default directories for saving files, etc. A fine example can be had in the one key everyone will have, \Microsoft\Windows\CurrentVersion, which has just about all of your windows settings not covered elsewhere. The following subkeys branch off: Applets, explorer (look at all the MRU's here as well as the "recent docs" key, lots of keys to "clean"....), GrpConv (convert 3.1 progman groups to 95 explorer), Multimedia, Policies (what you are/are not allowed to do according to your sysadmin--if you do not have access rights, tailor this key at home and export it to a .REG file that you run after login to restore your lost user rights), Profile Reconciliation (where to look for profile info upon login), Secondary Profiles, and Taskman.
The HKLM key stores the system information for the computer. This covers everything from software settings (such as file locations, registered/unregistered status, version number) to network and hardware configurations.
\Config This key stores all of the different hardware configurations for your computer (the ones you create in the System Properties Sheet of the Control Panel). The configuration that is currently in use is copied to HKCC at startup.
\Enum This is where the majority of your hardware settings are located, including the information for PNP (Plug N' Play) cards. Subkeys include ESDI, FLOP, HTREE, ISAPNP, Monitor, Network, Root, SCSI, and VIRTUAL.
\hardware The hardware subkey has two further subkeys: the DESCRIPTION key, which leads to a Floating Point Processor key (poss present: 0/1), and a devicemap key, whihc leads to a serialcomm key that lists all of your com ports.
\Network This key has one subkey, Logon, that contains the values LMLogon (local machine logon? 0=False 1=True), logonvalidated (logon must be validated 0/1), Policy Handler, Primary Provider (primary logon, i.e., client for MS networks), username, and UserProfiles.
\Security There are two subkeys to the Security key, the first being Access (which leads ultimately to a Remote key that lists the source for network security,i.e., access rights), and Provider (containing keys that list the network "address book" and "address server").
\SOFTWARE Most of the subkeys exist simply to provide a version number for the installed software. Once again, however, we can find some interesting settings under \Microsoft\Windows\Current Version, which has the following subkeys: App Paths (program locations for just about all of the 32-bit software that you have ever installed on your machine), Applets, Compression, Controls Folder (contains Property Sheet add-ons for Control Panels like Display), Detect, explorer (the most interesting subkeys here are the Namespace keys of Desktop and My Computer--they point to CLSID strings for the Recycle Bin and Dialup Networking--and the Tips subkey that lets you create your own tips), Extensions (a list of extension associations, this time associating extensions with specific executable files rather than with object types), Fonts, fontsize, FS Templates (File System templates, i.e. Server, Desktop or Mobile, from the System Property Sheet), MS-DOS Emulation (contains an App Compatibility subkey which has binary values for a ton of outdated programs), MS-DOS Options (settings for Himem.sys, CD-ROMs, etc, in DOS mode), Network (configurations for your network drivers), Nls, Policies (more things that your sysadmin thinks you should not be allowed to do), ProfileList (list of all of the usernames that have ever been used to log on to your machine, very handy), Run (programs that are run on startup: VERY IMPORTANT), RunOnce (programs that are run at startup only one time ala WinInit.exe, this wil usually be blank except after an install that requires a reboot), RunServices (like Run but contains "services" which are unlike normal programs in that they are elite or "system" programs...however they are not VXDs, just stuff like McAfee or RegServ), RunServicesOnce (just like RunOnce, but for "services", Setup (tons of windows setup parameters: mostly string values containing system directory locations, with subkeys for '95 Updates, Optional Installed Components, and Windows Boot Directory), SharedDLLs (a list of the shared DLLs, each given a number rating on an unknown system of measurement), Shell Extensions (lists "approved" OLE registry patches, with links to the relevant CLSIDs), ShellScrap (contains a subkey called PriorityCacheFormats which contains a blank numbered value...most likely derivative of the old SmartDrive command-line switches), Time Zones (the main string value is your current time zone; the subkeys define all of the possible time zones. Snore.), Uninstall (this stores the programs that show up in the Add/Remove programs dialogue box; the subkeys contain paths that point to the vendors' uninstall programs. So much for InstallWizard.....), WinLogon (contains the text strings used for logon legal notices).
\System The system subkey contains a CurrentControlSet subkey that branches off into the ComputerName, FileSystem, IDConfigDB, InstalledFiles (being dlls, vxds, and exes), keyboard layouts (pointers to the files that define various keyboard layouts), MediaProperties, MediaResources (string names and dll links for various multimedia resources), NetworkProvider, Nls, PerfStats (Performance Stats, with the following subkeys: Kernel, SMBRedir, VFAT, VMM--does not provide actual statistics but instead defines labels for use by a peformance monitor program), Print (provides the configuration information for the printers defined in HKCC\System\CurrentControlSet), PwdProvider (lists the password manipulation files--usually .cpl or .dll--for the various network clients that 95 is running), ServiceProvider, SessionManager (contains many intersting-sounding subkeys such as AppPatches, CheckBadApps, CheckVerDLLs, HackINIFiles, Known16DLLs, KnownDLLs, and WarnVerDLLS; most of these are of no practical interest unless you have software that you are trying to fool 95 into running), Shutdown, TimeZoneInformation, Update, and VMM32Files (a listing of the VXDs installed on your system; if you write your own VXD, you may want to register it here) subkeys.
HKU contains the profiles for all of the users on the system; at startup, the login profile is copied to HKCU..
\.Default Structure is the same as HKCU.
\username Structure is the same as HKCU.
The contents of the HKCC key are taken from the appropriate configuration profile in the HKLM\Config key at startup.
\Display Has the subkey Fonts which provides string values listing the fonts available for the main screen font, and the subkey Settings which has string value settings for BitsPerPixel, Resolution, MouseTrails, DPI, and VGA Fonts.
\System Has a single subkey, CurrentControlSet\control\Print\Printers, which defines the printers that are placed in the Printers object (in My Computer) at startup.
The HKDD key contains information about your system that is detected at startup. The information in this key is, as the name explains, dynamic, and is subject to change while the OS is running. Changes made to this key do not appear to be saved to disk.
\Config Manager This key has a single subkey, Enum, that branches into further subkeys that describe the PNP devices detected at startup.
\PerfStats The actual performance statistics are recorded in binary values in subkeys of this key (StartSrv, StartStat, StatData, StopServ, StopData). It seems each of the primary string types (VMM, SMBRedit, VFAT, and KERNEL) correspond to a section of the '95 System Monitor applet (Memory Manager, Microsoft Network, File System, and Kernel).
\Security This key has a single subkey, Provider, that mirrors the Security\Provider key in HKLM. It is likely that this key is constantly updated to keep up with changes in the network, while the HKLM key remains static.
Serious enthusiasts are directed to John Woram's The Windows 95 Registry from MIS Press .
Explorer Command Line Options
The following command-line options may be used with explorer in a DOS box or the Run dialogue box:
Notes: IDlist: The Registry uses an idlist parameter but it seems to have no effect. NameSpace: Explorer.exe uses "namespaces" instead of directories. A namespace is more or less a "virtual directory"; specifically, it includes everything in the client area of a window. The root window is the desktop window; therefore the "root" namespace for explorer.exe is the Desktop. The child windows of Desktop include My Computer (with its sub-windows of all of your drives), Network Neighborhood, the Trash Can ('scuse me, Recycle Bin, how PC....), the Inbox, etc. Note that a namespace contains more than just real files; it can contain applets such as the Network Neighborhood and the Control Panel. You can move these "special folders" around by including them in a namespace (for example, the namespace of My Computer) in the registry or by turning them into actual folders with TweakUI.
Command-Line Networking Utilities:
Other command-line programs:
Useful Keyboard Commands for '95/NT4:
Windows 95 can be converted to a command-line operating system with multiple virtual terminals, reminiscent of a crippled version of Linux. To start off, do not set GUI=0 in MSDOS.SYS; this merely disables 95 from entering Protected Mode at all. Instead, set shell=command.com in SYSTEM.INI (instead of shell=explorer.exe)--though you can use NDOS or 4DOS if you prefer. What will happen is that Windows will run (yes, it is still slow-loading) and produce a DOS box; after you hit ALT-ENTER you will get a full-screen DOS terminal, and this will stay in effect through subsequent reboots. Additional DOS terminals can be created by typing start command.com at the DOS prompt; ALT-TAB will switch you between DOS terminals (and open windows applications). Windows applications can be run using the same start command (i.e., start explorer.exe); the DOS terminal will minimize, and the Windows application will run over your background bitmap (it is a good idea to create batch files for running your most-used apps, and put them in a directory in your path). One final note: to shut down this "version" of Windows, you must hit CTRL-ESC to bring up the Task List, then choose File->Shutdown Windows from the menu.
[AutoRun]
OPEN=autorun.exe
with Autorun.exe being the name of the file you want to run automatically (perhaps virus.com? claymore.exe?)
It still seems pretty limited...anybody know how to get this to work with a floppy?
Normally this is of no real consequence as it only works with CD-ROMS--but somehow I got it to
kick in on my hard drive as well. Basically you create an AUTORUN.INF text file, in the root directory of the disk, that contains the following:
getting in
How to get the most out of your machine with the least amount of effort:
Windows NT: the wave of the future. Just when Windows got to Plug-and-Pray, now we take a few steps back to the 3.1 days of "how do I get my SCSI card to work?"; if NT stays like this and becomes an industry standard, expect the MacIntosh to make a comeback. But yes, OK, the system is more stable than 95 (remarkably so), is much more efficient than 95 on high-RAM (48+ MB) systems, and is reasonably secure (unless you have a floppy drive, see below... ), so I guess some improvements have been made after all. N.B.: most of the tips about 95 (especially where the UI is concerned; for some reason both of these OSs use EXPLORER.EXE) listed above apply to NT as well.
Services: Order of Loading
Services Automatically Started
NT loads these services automarically, unless you configure it not to:
"Kernel-Mode" Drivers Automatically Started
The drivers listed below are loaded automatically by NT, even when no network is running. This is a bare-bones boot:
Typical NT Driver Initialization
The following is a sequence of drivers initialized during a typical NT bootup, as captured at M$oft by a kernel debugger:
The following information is culled from Micro$oft's Technet techncian's reference and not from my own personal experience/experimentation, therefore I cannot attest to its accuracy or reliability. I trust the inclusion of such third-party information will not compromise the integrity of my page....