Registry Troubleshooting for windows 10 and windows 11
The Registry is what has always set Windows apart from other operating systems; in fact, it’s only Windows that does things the Registry way. Whereas Unix-based operating systems such as Linux, Android, and Mac OS use a series of folders such as /etc that contain configuration files for the operating system and installed applications, the Windows Registry consists of a series of binary database files.
You might think that this would make the Registry more secure than the Unix approach, in which many of the configuration files are readable as plain text, with the Registry’s “security through obscurity” approach, as said by Q in the James Bond movie Skyfall (though he wasn’t talking about the Registry now was he; Ed) to be more effective.
Sadly, while the base security in Unix systems, where a user does not have administrative privileges, is highly effective, just about anybody can open, read, and even delete a Registry file if they put their mind to it. This means that, as these files are so open in the overall file system, they can be prone to corruption, unauthorized changes, and malware infection. So what is the Registry then, and how can we manage it and troubleshoot problems with it?
The Registry consists of a series of binary databases, as I have already mentioned, that are stored in different locations on the PC. The main store for Registry files, known as Hives,1 is the %SYSTEMROOT%\System32\Config folder (see Figure 19-1) in which the following Registry files can be found.
1When the Registry was being created during the development of Windows NT, the people working in the development team were all fans of bees, so they snuck in as many bee references as they could, calling Registry files “hives” and having Registry data stored in “cells.”
Figure 19-1. The core Registry files are in the Windows/System32 folder
- SAM – Security Accounts Manager, contains information about network domains the PC is connected to and stores the username, a unique identifier for the domain, the location of the server’s Registry hive, and the user’s password as a cryptographic hash. SAM appears empty unless the user has appropriate administrative permissions.
- SECURITY – Contains security settings and policies when the user is connected to a domain. SECURITY appears empty unless the user has appropriate administrative permissions.
- SOFTWARE – Contains keys for the current Windows installation and installed software and apps. Keys are organized by vendor name.
- SYSTEM – Contains keys related to Windows setup, settings, the default configuration, and details of any currently mounted and attached hardware devices and drives.
- DEFAULT – Contains the default system configuration information and keys.
- HARDWARE – Is not stored as a file, but is created each time the PC starts, and is discarded when the PC is switched off.
- DRIVERS – Is also created when the PC starts and discarded at shutdown.
- Userdiff (only used when the OS is being upgraded).
In addition to these Registry files, there are two more that are unique to each user account, with each user account having them:
- %USERPROFILE%\ntuser.dat – Contains user profile, customization, and configuration settings and options
- %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass. dat – Contains additional user settings such as user-specific file associations
Registry Keys and Values
Database entries within each hive are called keys and values (clearly, the developers ran out of appropriate bee-related words by this point). There are five main sections within a Registry file containing these.
Keys and values for installed applications are stored here, including file associations. If a key is added or modified here that is also found in HKEY_CURRENT_USER, then HKCU is used as the master.
This contains configuration options for the currently signed-in user, including locations for User Shell Folders (Documents, Pictures, etc.), Control Panel, and other settings, and application configuration options. It pulls its data from the Registry files in the %USERPROFILE% folder.
This is where most Registry changes made by administrators and end users are made. Here are the keys for Windows, drivers, and installed applications. These are generic keys and values for all users on the PC. In this section are loaded the following Registry hives:
This contains settings and options for the currently signed-in user that are pulled from the NTUser.dat Registry hive.
This contains information gathered at PC startup and that is only relevant to the current working session. It is discarded when the PC is shut down.
This is hidden in the Registry and contains performance data provided by the Windows kernel (the core OS files), drivers, installed applications, and services. This data only relates to the current session, and it is discarded when the PC is switched off.
Registry Value Types
Within these key areas (bad joke there, but I get it; Ed) are different types of Registry value. These are as follows:
- REG_BINARY keys store raw binary data.
- REG_DWORD are variable-length 32-bit integers.
- DWORDS are commonly used to define parameters for strings, settings, drivers, and configuration options.
- REG_SZ are field-length string values.
- REG_EXPAND are expandable length string values, also used to contain environment variables.
- REG_MULTI_SZ are multiple string arrays that can contain a list of values, normally separated by a comma or space.
- REG_RESOURCE_LIST is a list of resources in a nested array; these are used by device drivers.
- REG_RESOURCE_REQUIREMENTS_LIST is an array list of hardware resources that is used by device drivers.
- REG_FULL_RESOURCE_DESCRIPTOR are nested arrays used to store resource lists for physical hardware.
- REG_LINK are symbolic links to other Registry keys. They specify both the root and target key.
- REG_NONE is data that does not have a specific type.
- REG_QWORD are variable-length 64-bit integers.
Important Registry Locations
Having access to the Registry and being able to create, modify, and delete individual keys is useful, but locating what you’re actually looking for in such a large database can seem daunting. There are a few common areas however that you will find yourself in where the most important and relevant Registry keys will always be found:
- HKEY_CURRENT_USER ➤ Control Panel – Is where you will find Control Panel Registry values related to input, accessibility, and desktop appearance
- HKEY_CURRENT_USER ➤ Software – Is the location for installed apps (normally win32) settings and configuration
- HKEY_CURRENT_USER ➤ Software ➤ Microsoft ➤ Windows ➤ CurrentVersion – Is where you will find settings related to Windows
- HKEY_CURRENT_USER ➤ Software ➤ Microsoft ➤ Windows ➤ CurrentVersion ➤ Explorer – Is the location for desktop configuration options for the current user including the all-important User Shell Folders
The Registry Editor
Windows includes a tool for managing and editing the Registry snappily called the Registry Editor (see Figure 19-2). You can find it by searching for it in the Start Menu or launching regedit.exe from the command line (which also works from the Windows Recovery Environment).
Figure 19-2. You can manage the Registry using the Registry Editor
Here, the different Registry hives and keys are organized in a tree hierarchy, with right and down clickable arrows to the left of items that allow you to expand and close individual Registry sections.
From the Edit menu, you can copy Registry key names and search the Registry. You can also create new keys which can also be done by right-clicking in either the left or right panels of the editor.
Backing Up and Restoring Registry Hives
You can create backups of Registry hives, specific keys, or the entire Registry at any time, and it is always good practice to do so before making any changes to the Registry. This is done from the File menu using the Export and Import options when you have clicked, to highlight, a part of the Registry you want to back up.
To back up the entire Registry, click Computer at the top of the left panel and then choose Export from the File menu. When you import a Registry key, you do not need to have anything selected in the left panel, as the location of where and in which hive the key is stored will be within the file you are importing.
Working the .REG Files
Registry hives might be binary databases, but when you export a key, or even the entire Registry, it is saved in plain text as a .REG file (see Figure 19-3). This enables you to modify keys easily for implementation on multiple PCs or to check and perhaps edit keys that you have been sent or have downloaded from the Internet. This can be useful for reasons of maintaining basic security.
Figure 19-3. .REG files contain plain text versions of the Registry
Creating and Modifying Registry Keys
As I have already mentioned, you can create new Registry keys and values by rightclicking in the left or right panels of the Registry Editor (see Figure 19-4). When you do so, I would imagine that you will be following specific instructions from a software or hardware vendor, or from a reputable website, as frankly there’s little reason to start creating keys randomly as they won’t do anything.
Figure 19-4. You can create new Registry keys
You also need to be sure you are creating the right type of key, as I detailed on the “Registry Value Types” section earlier in this chapter. When you right-click and select New from the context menu, a fly-out submenu will appear where you can choose the right key value type.
You can modify a value by either right-clicking it and selecting Modify or by doubleclicking the value. This will display a dialog where you can change the value (see Figure 19-5), but you can also modify the raw binary data should that be a requirement for the change you need to make.
Figure 19-5. You can modify Registry values
Editing Hives for Other Users on the PC
If you need to edit the Registry for a user on the PC who is not currently signed in,perhaps because you are fixing a configuration error with their user account, you can load their Registry hive into the Registry Editor.
With HKEY_LOCAL_MACHINE or HKEY_USERS selected in the left panel, open the File menu and a Load Hive option will be available. You will need to have Hidden files visible in File Explorer to see the hive file. You will then be asked for a name for the Hive, and this is the name under which it will appear in the Registry Editor (see Figure 19-6), where I have loaded the hive for a user on the PC called “Jake.”
Figure 19-6. You can load the hives for other users on the PC
With that hive selected in the left panel, you can then select Unload Hive from the File menu when you are finished and want to close the hive.
Editing Hives on Other PCs on the Network
If you need to edit the Registry hive for a different PC on your network, or for a specific user on one of those PCs, you can select Connect Network Registry from the File Menu (see Figure 19-7). This will enable you to connect to the PC remotely as has been described earlier in the “Editing Hives for Other Users on the PC” section.
Figure 19-7. You can connect to the Registries of other PCs on your network
Enabling Remote Administration on Networked PCs
In order for you to be able to connect to the Registries on networked PCs, you have to do a few things first. In the Group Policy Editor, search for gpedit in the Start Menu, and navigate to Computer Configuration ➤ Administrative Templates ➤ Network ➤ Network Connections ➤ Windows Defender Firewall and then either the Standard or Domain profile as required.
Once there, look for the Windows Defender Firewall: Allow inbound remote administration rule and enable it on all the PCs you want remote access to (see Figure 19-8).
Figure 19-8. You need to change the Allow Remote Administration Group Policy rule
Tip:You can also enable or disable the Remote Administration policy from the Command Prompt by using the command netsh firewall set service type = remoteadmin mode = [mode] where [mode] is either enable or disable.
Next, you need to open Ports 135 and 445 in the Windows Firewall. Search in the Start Menu for firewall and open Windows Defender Firewall with Advanced Security. Click inbound rules, and from the option in the top right of the window, create a new rule in which you can allow access through these two ports (see Figure 19-9).
Figure 19-9. You need to open two ports in the Windows Firewall
The last thing to do is to enable the Remote Registry service. Search in the Start Menu for services, and when you have the Services panel open, scroll down the list until you get to Remote Registry. You need to set the status of this service to Automatic and then to start it (see Figure 19-10).
Figure 19-10. You need to activate the Remote Registry service on PCs you wish to administer
Tip:You can also enable the Remote Registry service from the Command Prompt by typing sc start RemoteRegistry or by typing sc config RemoteRegistry start = auto to have the service start automatically every time Windows starts.
Using the Registry Editor from the Recovery Console
As I mentioned earlier in this chapter, the Registry Editor can be run from the Windows Recovery Console. Select Troubleshoot, then Advanced Options, and lastly Command Prompt. When the Command Line interface appears, type regedit and press Enter (see Figure 19-11).
Figure 19-11. You can edit the Registry from the Recovery Console
The thing to bear in mind when doing this is that you’re actually editing the Registry hives for the Recovery Console itself, and not for the PC. This means you will need to click HKEY_LOCAL_MACHINE or HKEY_USERS and then select Load Hive from the File menu to load a Registry hive for the host PC.
Note:You cannot use Connect Network Registry from the Recovery Console as there is no networking support available.
REG.EXE and REGINI.EXE
As with everything in Windows, the Registry can be edited and managed using scripting. There’s PowerShell of course, which we’ll talk about shortly, but also the Command Line tools reg.exe and regini.exe. These tools do the same thing as each other with the sole exception being regini’s ability to run scripts.
There are 11 commands you can use with Reg.exe to manipulate and edit the Windows Registry files:
- REG ADD to add an entry to the Registry.
- REG COMPARE to compare two different Registry entries, perhaps in HKCR and HKCU.
- REG COPY is used to copy a Registry key to a new location on a local or a remote PC.
- REG DELETE to delete a Registry key.
- REG EXPORT to export a key, a hive, or the whole Registry.
- REG IMPORT to import a key, a hive, or the whole Registry from a backup.
- REG LOAD to load a Registry hive.
- REG QUERY will return a list of subkeys and entries located at a specified place in the Registry.
- REG RESTORE will write saved subkeys back into the Registry.
- REG SAVE to save a copy of specified keys to a .reg file.
- REG UNLOAD to unload a Registry hive that has previously been loaded.
Unlike other Command Line tools, each of these is its own command, meaning that each Reg.exe command has different switches to the others. Rather than list them all here and take up the next ten pages when you’re much more likely to use the Registry Editor or PowerShell anyway.
Regini works with text files containing the commands I detailed earlier for Reg.exe, and it has its own command structure. Use Regini.exe in the format
regini [-m \\pcname | -h hivefile hiveroot][-i n] [-o outputWidth][-b] textFiles...
where the following switches are used:
-m \\pcname specifies the name of a remote computer to connect to.
-h <hivefile hiveroot> specifies the local Registry hive to modify and the root of the hive to use.
-i <n> specifies the level of indentation to use for the tree structure of the Registry keys in the command.
-o <outputwidth> specifies the width of the command output in characters; the default value is 240 character.s
-b specifies that regini.exe be compatible with older versions of
regini.exe and older scripts.
textFiles specifies the names of the text files in ANSI or Unicode format that contain the commands.
Editing the Registry with PowerShell
As you might expect, the amount of control and the number of available commands you can get with PowerShell to manage and edit the Windows Registry is pretty large, with literally dozens of commands available to manipulate the Registry files on the local or on remote PCs.
Tip:To make sure PowerShell works as you expect it to, you need to check thecommand execution policy. You can do this in the PowerShell interface with the command Get-ExecutionPolicy, and you may find it is set to Restricted. You should then use the command Set-ExecutionPolicy Unrestricted so that your commands will run.
Third-Party Registry Utilities
There are also some very useful third-party utilities that exist that can be used to manage, edit, and manipulate the Windows Registry. These tools can also be highly useful in troubleshooting, especially if the PC is unbootable. These all work in various ways, but the best tools available are
- PCRegEdit – Found by searching online
- Hiren’s Boot CD – www.hiren.info/pages/bootcd
- Lazesoft Recovery Suite Home, Recovery CD – www.lazesoft.com/lazesoft-recovery-suite-free.html
- UBCD4Win – ubcd4win.org
- Microsoft Desktop Optimization Pack (DaRT) – Available through Software Assurance
Comparing Registry Files
In addition to third-party Registry editors and utilities, there are also third-party tools you can use to compare two Registry files. You might want to do this to compare the Registry files of a PC containing software or a hardware driver that is causing problems and cannot be cleanly uninstalled with the Registry files on a similar PC on which this is not installed. Some of the tools you can use for this include
- InstallWatch Pro – http://installwatch-pro.en.lo4d.com/
- Process Monitor (Windows Sysinternals) – http://technet.microsoft.com/sysinternals/bb896645.aspx
- Regshot – www.aplusfreeware.com/categories/util/registry.html
- Tiny Watcher – http://kubicle.dcmembers.com/watcher/
- Total Commander – http://ghisler.com/
- What Changed – www.majorgeeks.com/files/details/what_changed.html
- WinDiff – www.grigsoft.com/download-windiff.htm
- WinMerge – http://winmerge.org
Troubleshooting the Registry with Sysinternals
There are a couple of highly useful tools available as part of the Microsoft Sysinternals suite that you can use to help you manage and troubleshoot the Windows Registry.
RegJump is a Command Line tool that has one very simple job. RegJump will open the Windows Registry Editor at a specific path in a hive. Use it in the format Regjump <<path>> | -c where <<path>> is a pathname in the format HKLM\Software\ Microsoft\Windows and the -c switch copies the path from the Windows clipboard.
So what happens when you have a program, such as a startup entry where an essential Registry key is missing, incorrect, or corrupt? Well, if it’s a program that you’re launching from the Start Menu, Taskbar, or from a shortcut on the desktop, you can find out what error has occurred by using the Event Viewer, which will tell you which key cannot be found or loaded.
With Startup programs, services, drivers, and other essential parts of the operating system, it can be much more difficult. This is where Microsoft’s Sysinternals program AutoRuns comes in handy.
When you use AutoRuns, you will see a great many tabs along the top of the window for everything from codecs to drivers, to logon scripts, and scheduled tasks. Anything that is not found however is automatically highlighted in yellow (see Figure 19-12).
Figure 19-12. Startup items that cannot be found are highlighted in yellow in AutoRuns
This can make it very straightforward to find startup items on the PC that are causing
or reporting errors. You can then simply uncheck the item to leave it in the Windows startup items, but mark it as inactive, or you can delete it entirely from a right-click.
If the item that is not found is a program, or another non-Registry element such as a DLL, you can right-click it, and from the context menu that appears, select Jump to entry.
This will open the Registry editor at and highlighting the Registry entry for the offending item (see Figure 19-13). It is then a simple process of correcting the Registry entry or deleting it if it is no longer required.
Figure 19-13. The Registry Editor can be directly invoked from AutoRuns
A healthy Registry means a healthy Windows installation as the Registry really is both the brain and the nervous system that makes everything work, properly and reliably. There really is nothing worse than pop-up error messages telling you that X or Y won’t start or won’t load because Z Registry key cannot be found and then having to troubleshoot that. Speaking of startup, there is nothing worse than a PC that won’t boot to the desktop.
All is not lost however, and it’s not the case that you will automatically have to reimage the PC or reinstall a fresh copy of Windows 11. In the next chapter, we’ll look in depth at startup troubleshooting and what you can do to fix problems that arise.