Working with Keys and Values
The following sections show how to use Regedit to search, add, change, delete, and print configuration data. Before continuing, heed this advice: Back up the Registry before making changes that might harm the computer.
As is the case with most Microsoft programs, Regedit provides numerous ways to access each feature. Subkeys' shortcut menus have commands to rename, delete, and create new subkeys under them. Values' shortcut menus have commands to change, delete, and rename them. The main menu has similar commands that apply to the selected subkey or value. Of course, you can always edit a value by double-clicking its name in the value pane, and you can always use the keyboard shortcuts you learned about in Table 3.2, earlier in this chapter.
Searching
Regedit searches for subkeys, value names, and value data that match the text for which you're looking. It searches for full and partial matches. For example, Windows 2000 and Windows 98 both match the search string Windows. Use the search feature to find values relating to a specific product, find all values that reference a specific file, or locate values related to a particular device. Users frequently send me messages asking what value contains a particular bit of configuration data, such as usernames. My reply is usually to search the Registry for their names, and they're likely to find it. Here's how to search subkeys, value names, and value data for a particular string:
-
On the Edit menu, click Find.
-
In Find What, type text for which you're looking.
-
Click Find Next, and Regedit begins searching beginning with the selected subkey.
-
Press F3 to continue searching.
Regedit opens the Find dialog box in Figure 3.3.
){kind=link}
Figure 3.3 In the Look At area, deselect the portions of the Registry in which you don't want to search.
If you're searching for numbers in string values, try the decimal and hexadecimal notations because both formats are common in the Registry.
This sometimes takes a while—up to several minutes on slower machines. Regedit displays an hourglass while it's searching. If it finds a matching subkey, it selects that subkey in the key pane. If it finds a matching value, it opens in the key pane the subkey containing the value and selects the value in the value pane.
Regedit looks for the next matching subkey or value. When Regedit reaches the bottom of the Registry, it displays a message that says Finished searching through the Registry.
You can hasten the search if you know what portion of the Registry contains the string for which you're searching: subkeys, value names, or value data. In the Look At area, clear the Keys, Values, or Data check boxes if you don't want to search in one or more of those places. If you're pretty certain that the string you're finding is in a value's name, for example, deselect Keys and Data to limit Regedit to value names, speeding up the search. Limiting a search to subkeys can cut by half the amount of time the search takes. Also, selecting the Match Whole String Only check box when you don't want Regedit to search for partial matches speeds up the search, or so you'd think. But timing searches using this check box, I found otherwise. It makes no appreciable difference in the time Regedit takes to search the registry, so use this check box only to limit the number of matches. The following table illustrates some of my tests searching for a bogus string that's not in my computer's Registry:
|
Time |
Description |
|
|
|
|
|
|
|
|
|
A limitation of Regedit is that it only searches string values, not REG_BINARY, REG_DWORD, or other binary values. You simply can't search for 0x000000001 and expect Regedit to find matching REG_DWORD values. You can still locate these values, however, by exporting the Registry to a text file and searching the text file with your favorite editor. See the later section "Exporting and Importing" to learn how to export the Registry to Registration Entries (REG) files. What you need to know is how those values look in a REG file so you can search for them using a text editor. The only drawback is that you must convert strings to hexadecimal before searching binary values for strings. The following table shows the format of REG_BINARY, REG_DWORD, and REG_SZ values in the registry and in REG files:
|
Type |
Format in Regedit |
Format in REG File |
|
REG_BINARY |
a0 00 00 01 |
hex:a0,00,00,01 |
|
REG_DWORD |
0x00000054 |
dword:00000054 |
|
|
|
|
For example, if you were searching for the REG_DWORD value 0xA0B0C0D0, you would search the REG file for dword:A0B0C0D0. If you were searching for the binary value 0x052059021465, you would search the REG file for the string hex:05,20,59,02,14,65. To search for the string "Hi" in binary values, you would search for the string hex:48,69, its hexadecimal equivalent. Note that Regedit exports values other than REG_BINARY, REG_DWORD, and REG_BINARY as binary values, so search for strings in those types of values as though they were REG_BINARY.
Search Techniques
After getting to know the Registry, you should be able to predict where to find certain subkeys and values. With that knowledge, you can select a subkey somewhere near where you think you'll find the item and then use the search feature to find it. This takes much less time than searching the entire Registry for the item.
Here's an example. If searching for a file extension, open HKCR and do an incremental search to locate it more quickly. You can locate the program identifier associated with a file extension, which defines the commands available for the file, by looking at the file extension's default value.
Finding a program's configuration data is straightforward because most programs store the same types of data in similar places. File associations are in HKCR. Programs store settings in Software\Vendor\AppName\Version under HKLM and HKCU, where Vendor is the name of the company that produced the software, AppName is the name of the application, and Version is the version number of the program, CurrentVersion in many cases.
Recall that per-computer configuration data is in HKLM, and per-user data is in HKCU. Use that information to your advantage. If you're certain that the configuration data for which you're searching is computer-specific, select HKLM before searching. You'd search for any information about a particular device in this root key, for example. Otherwise, if you're certain the data is user-specific, select HKCU before searching.
Changing Values
To change a value, double-click it in the value pane, or select it and then click Modify on the Edit menu. When you open a value, Regedit displays a different dialog box, depending on the value's type. Regedit opens REG_BINARY, REG_DWORD, and REG_SZ values in the Edit Binary Value, Edit Dword Value, and Edit String dialog boxes, respectively. For values of types other than REG_DWORD and REG_SZ, Regedit opens them in the Edit Binary Value dialog box, so you're better off editing those values using Regedt32. The remainder of this section describes how to edit each type of value.
Using the Edit String dialog box to edit REG_SZ values is uneventful. In Value Data, change the string. Select the entire string and type over it to replace its contents. Also, the cut-and-paste feature is available in Value Data. Don't add quotation marks to the value unless you want to embed them in the actual string.
Regedit opens REG_DWORD values in the Edit DWORD Value dialog box, shown in Figure 3.4. Know the hexadecimal value? Type it in Value Data. If you want to enter the hexadecimal value 0x1234, type 1234, omitting prefixes that typically identify hexadecimal values. If you don't know the hexadecimal value, click Decimal, type the value in decimal notation, and let Regedit convert it for you. Here's a bonus: In the value pane, Regedit displays REG_DWORD values using both notations (decimal notation is in parenthesis).
){kind=link}
Figure 3.4 Choose Decimal if your hexadecimal math is a bit rusty. Regedit will convert the value to hexadecimal notation.
Figure 3.5 shows the Edit Binary Value dialog box, which Regedit opens when you edit anything other than REG_DWORD and REG_SZ values, including REG_BINARY values. In Value Data, you see three different columns of information. The first column shows the hexadecimal address of the first byte in that row. For instance, 0010 means that the first byte in that row of binary data is the 16th byte. The second column contains the actual binary data, which you read left-to-right and top-to-bottom. The third column shows the ASCII-character equivalent of each byte in the second column. You can edit values in either the second or third columns. Position the cursor anywhere in the second column and type hexadecimal digits, 0 through F. Position the cursor in the third column and type ASCII characters. No matter in which column you're editing, Regedit updates the other column after each change. In either column, you can select bytes and type over them to replace them with new bytes.
){kind=link}
Figure 3.5 The Edit Binary Value dialog box shows decimal values converted to hexadecimal values using Windows calculator in scientific mode.
One capability—I don't call it a feature—is that you can select the value's name in Value Name and copy it to the Clipboard. This works for each of the Edit Type dialog boxes and is a useful sanity-saver when writing about the Registry. It ensures that I get value names correct. It's also useful to make sure you spell value names correctly when creating scripts. If you missed the tip about copying subkey names to the Clipboard, you do so by clicking Copy Key Name on the shortcut menu. The sidebar, "Clipboard Techniques," later in this chapter, describes other ways to use the Clipboard in Regedit.
Windows 2000 or running programs might not immediately reflect changes you make to the Registry. To make sure they do reflect your changes, cause them to reread those values from the Registry. If you change values in HKLM, for instance, you might have to restart the computer in order for Windows 2000 to recognize them. If you change values in HKCU, you might have to log off and back on again. You can make most programs recognize changes by closing and restarting them. This is true except for services that start when the operating system starts. In those cases, you must stop and start the services or restart the computer to see your changes at work.
CAUTION
Use a bit of caution when changing values. The later sidebar "Protecting Yourself" provides some good tips for backing up the portions of the Registry in which you're working. This helps you recover from any problems that your edits might cause. The best I can offer when editing a value is to copy it by giving the original value an obscure name. Then add a new value that has the original name and value. If things go awry, you can remove the new value and restore the original from the backup.
Creating Keys and Values
Creating new subkeys or values is generally harmless and equally useless, unless, of course, you know for sure that Windows 2000 or another program will use them. It's the equivalent of an Easter egg hunt. You wouldn't hide Easter eggs in places that nobody will look because they won't find them. Likewise, don't hide subkeys and values in places that no programs will look because it's a futile exercise. So why create new subkeys or values? Microsoft's Knowledge Base frequently instructs users to create new values to fix varieties of problems. Chapter 7, "Customizing Windows 2000," describes a plethora of subkeys and values you can add to the Registry. Valid reasons for adding subkeys and values abound.
When you create new subkeys, Regedit creates a subkey called New Key #N, where N is a number starting with 1, and selects its name so you can rename it. When you create a new value, Regedit creates a value called New Value #N and also selects its name so you can rename it. In both cases, Regedit increments N to ensure that the subkey or value is unique within its scope, its parent subkey. Regedit sets the initial value of new REG_SZ values to an empty string, REG_BINARY values to an empty binary string, or REG_DWORD values to zero. Change the value as described in the preceding section.
To create new subkeys or values, do one of the following:
-
Select the subkey under which you want to create a new subkey. On the Edit menu, point to New, and click Key; then, type the name of the subkey.
-
Select the subkey under which you want to create a new value. On the Edit menu, point to New and then click String Value, Binary Value, or DWORD Value. Type the name of your new value. Edit the value as described in the preceding section.
Clipboard Techniques
Use the Clipboard to make tasks easier. You can copy to and paste from the Clipboard whenever you edit a subkey's name or value's name or data. Thus, consider these different ways to use the Clipboard in Regedit:
To copy the fully qualified name of a subkey to the Clipboard, click Copy Key Name on the subkey's shortcut menu.
To copy a value's name to the Clipboard, double-click the value to edit it. In Value Name, select the value's name and then press Ctrl+C to copy it to the Clipboard. Click Cancel to avoid changing the value accidentally.
To copy a value's data to the Clipboard, open the value to edit it. In Value Data, select the data, and then press Ctrl+C to copy it to the Clipboard. Click Cancel to avoid changing it accidentally.
To paste data from the Clipboard into a value, double-click the value to edit it, select the data you want to replace, and then press Ctrl+V.
To copy a subkey or value's name to the Clipboard, click Rename on the item's shortcut menu, and then press Ctrl+C to copy it to the Clipboard.
The third item in the list tells how to copy a value's data to the Clipboard. Use this technique to back up a value before changing it. Copy the value's data to the Clipboard and paste that data into a new value that has a bogus name. If you want to restore the original value, copy the backup data to the Clipboard and paste it back into the value.
Deleting Keys and Values
Be careful about deleting subkeys and values. You'll likely prevent Windows 2000 from working properly by deleting configuration data carelessly. To remove a subkey or value, follow these steps:
-
Do one of the following:
Press Delete.
-
Click Yes to delete the subkey or value.
In the key pane, select a subkey.
In the value pane, select a value.
Regedit prompts you to confirm that you want to delete the subkey or value.
A common use for deleting subkeys and values is to restore programs' default settings. This doesn't always work with large programs that choke when their settings are missing but works well with small programs that re-create their settings. For example, you learned how to remove Regedit's settings from the Registry to restore its configuration. Another example is removing .txt from HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\ FileExts in order to remove customizations to text files' shortcut menus.
Renaming Keys and Values
Renaming subkeys and values in Regedit is much like renaming folders and files in Windows Explorer, except you can't rename selected items by clicking their names. Instead, select the subkey or value you want to rename, click Rename on the Edit menu, and then type over the name to change it. Better yet, select the subkey or value, press F2, and then type over the name.
Renaming subkeys and values has a practical purpose. It's a good way to hide configuration data prior to deleting it permanently. Hiding items under obscure names is logically the same as removing them because no program knows to look for them if you give them funky names. If things go awry, however, you can restore items' original names to undelete them. For example, assume you want to remove IsShortcut from the lnkfile program identifier, which prevents Windows 2000 from displaying an overlay on shortcuts' icons. Instead of deleting the value, rename it to something like MyIsShortcut and test the change. Permanently remove MyIsShortcut after you're satisfied that everything works okay (seldom true in this case).
TIP
Renaming subkeys and values is a smart way to document your data that you delete. If you forever leave items in the Registry with obscure names, you'll always know what those items originally contained. The same goes for changing a value. Note the value's name and data before renaming it to some obscure name. Create a new value with the name and data you noted. Now you have one copy of the value you can change and one copy of the value serving as a reminder of its original contents.
Printing Subkeys
Some folks think printing the Registry is useful as a backup tool or for reading the Registry to better understand it. Considering that a full printout of the entire Registry would occupy hundreds of pages and that you can't import a printout back into the Registry, this position is nonsense.
Printing a small subkey does have merit, however. It serves as a useful guide when working within small portions of the Registry. You can restore the original data if you foul up, and it serves as a guide for the types of data that belong in each value. Also, it is sometimes helpful to print a small portion of the Registry that you need as a reference when working in another part of the Registry. This is particularly true because you can't open two copies of Regedit to view two portions of the Registry at the same time. Having a printout of a subkey keeps you from moving hither and thither between two distant subkeys.
To print a subkey, select it in the key pane, and then click Print on the Registry menu. Regedit includes the entire branch, beginning with that subkey, and sends the print job to the spooler. The resulting output looks almost similar to a REG file, as shown in Listing 3.1. The format is slightly different, however. Regedit doesn't put quotation marks around string values, for instance. It also doesn't prefix binary values with the string hex:. The most notable difference is that it writes REG_DWORD values as REG_BINARY values, reversing the bytes as required in a little-endian architecture (see Chapter 1). The following table describes how Regedit formats each data type when it prints it:
|
Type |
Format in Regedit |
Format in Printed Output |
|
|
|
|
|
|
|
|
|
|
|
|
Listing 3.1 Regedit Printer Output
[HKEY_CURRENT_USER\Control Panel\Desktop]
DragFullWindows=1
FontSmoothing=1
UserPreferencemask=a0,00,00,00
ScreenSaveUsePassword=00,00,00,00
SmoothScroll=01,00,00,00
MenuShowDelay=400
[HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics]
MenuWidth=-270
MenuHeight=-270
MinAnimate=0
Shell Icon Size=32
IconTitleWrap=0
test=01,00,00,00
[HKEY_CURRENT_USER\Control Panel\Desktop\WindowsMetrics]
MinAnimate=1