Registry Structure and Hives
The Windows Registry is a hierarchical database. Registry Editor shows five root keys; three of them are backed directly by hive files on disk and two are links (alternate views) into the others.
HKEY_LOCAL_MACHINE (HKLM): machine-wide settings: hardware, installed software, security policy, service and boot configuration. Backed by the hive files in C:\Windows\System32\config\ (SAM, SECURITY, SOFTWARE, SYSTEM, plus DEFAULT, which backs HKU\.DEFAULT). SAM and SECURITY are not readable even by administrators unless the reader runs as SYSTEM; they hold local account password hashes and LSA secrets, which is why attackers copy those files (or their shadow copies) rather than browse them.
HKEY_CURRENT_USER (HKCU): settings for the user account the reading process runs as: per-user software settings, desktop preferences. Backed by C:\Users\<Username>\NTUSER.DAT, with the per-user classes (HKCU\SOFTWARE\Classes) stored separately in C:\Users\<Username>\AppData\Local\Microsoft\Windows\UsrClass.dat.
HKEY_USERS (HKU): every user profile currently loaded, as subkeys named by SID (HKU\S-1-5-21-...), plus HKU\.DEFAULT. HKCU is a link to HKU\<SID of the calling process's user>. For a service running as SYSTEM that is HKU\S-1-5-18, itself a link to HKU\.DEFAULT, so such a service writing to HKCU never touches the logged-on user's profile. Profiles of users who are not logged on are absent from HKU unless loaded explicitly (for example with reg load).
HKEY_CLASSES_ROOT (HKCR): file type associations and COM class registrations. A merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, with the HKCU entry winning when both define the same key. Because the HKCU half is writable by an unprivileged user, a per-user entry can shadow a machine-wide file handler or COM class; this is the basis of COM hijacking.
HKEY_CURRENT_CONFIG (HKCC): the current hardware profile (display, printer settings). A link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current. CurrentControlSet is itself a link, resolved at boot to one of HKLM\SYSTEM\ControlSet00N according to HKLM\SYSTEM\Select\Current; an offline SYSTEM hive has no CurrentControlSet key, so offline analysis must read Select first.
Registry Value Types
Registry entries (values) have a name, a type, and data. Common value types:
REG_SZ: fixed string (text), the most common type: application names, paths, simple settings.
REG_EXPAND_SZ: string containing environment variable references such as %SystemRoot%. The registry stores the reference literally; expansion happens only when the reading code asks for it (RegGetValue without RRF_NOEXPAND, or ExpandEnvironmentStrings), using the environment of the reading process. A REG_SZ containing %SystemRoot% is never expanded, which is a frequent cause of "file not found" after a hand edit.
REG_MULTI_SZ: list of strings, stored as NUL-separated strings terminated by a double NUL.
REG_DWORD: 32-bit unsigned number: on/off switches and small numeric values. 0 = disabled and 1 = enabled is the usual convention, but only a convention; check the documentation for the value in question.
REG_QWORD: 64-bit number: large values such as FILETIME timestamps.
REG_BINARY: raw bytes: hardware descriptions, security descriptors, and anything an application chooses to serialize. Regedit shows it as a hex dump.
Keys: containers (like folders) that hold values and subkeys. Key names are at most 255 characters, keys can be nested many levels deep, and each key carries its own security descriptor (ACL), which is what decides who may read or write the values beneath it. Every key also has an unnamed default value, shown by regedit as (Default); file association lookups read it.
Values: the actual settings stored in keys.
Critical Registry Locations
Startup programs (run at logon):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: runs for every user who logs on. Writing it requires administrator rights.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: runs for that user only. Writable by the user's own account, so malware running as a standard user persists here without any privilege escalation; when hunting, check this key in every loaded profile (HKU\<SID>\SOFTWARE\...), not just the current one.
RunOnce keys: same paths with \RunOnce. Each value is deleted as it is processed, so the command runs once (a value name prefixed with ! is deleted only after its command finishes).
On 64-bit Windows, 32-bit installers write to HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run, which is processed at logon as well.
File associations:
HKCR\.<extension>: the (Default) value names the ProgID for that extension.
HKCR\<ProgID>\shell\open\command: the (Default) value is the command line used to open the file, with "%1" standing for the file path. Explorer records the user's own choice of handler separately under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.<extension>\UserChoice, and that choice takes precedence when present.
Uninstall information:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall: applications matching the OS bitness (64-bit applications on 64-bit Windows, everything on 32-bit Windows).
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall: 32-bit applications on 64-bit Windows. Per-user installs appear under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. A software inventory has to read all three.
Windows version: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion: ProductName, CurrentBuild, DisplayVersion (e.g. 22H2). CurrentVersion itself has stayed at 6.3 since Windows 8.1 for compatibility, and ProductName still reads "Windows 10" on Windows 11, so identify the OS from CurrentBuild (22000 and above is Windows 11) and CurrentMajorVersionNumber/CurrentMinorVersionNumber rather than from those two values.
Environment variables: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment (system-wide) and HKCU\Environment (user-specific). The user PATH is appended after the system PATH, and since HKCU\Environment is user-writable, anything running as that user can add directories that its later commands will search.
Registry Editor (regedit) Usage
Open Registry Editor: Win+R, type regedit, Enter. A standard user can read most keys; writing under HKLM needs elevation, and SAM and SECURITY cannot be read at all without running as SYSTEM (for example PsExec -s -i regedit).
Navigation: the left pane shows the key tree, the right pane the values of the selected key. The address bar (Windows 10 and later) accepts a full path, e.g. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion, including the short hive names HKLM, HKCU, HKCR, HKU and HKCC.
Editing: double-click a value to edit its data; right-click a key to create a new subkey or value. Changes are written immediately and there is no undo.
Before any edit: select the key and use File > Export to back up that subtree as a .reg file. To restore: double-click the .reg file or use File > Import.
Reg files: text files with a .reg extension (UTF-16LE with a byte-order mark when written by regedit) that merge their settings into the registry when double-clicked or imported. Format: the first line is Windows Registry Editor Version 5.00, then for each key a line [HIVE\Key\Path] followed by one line per value: "Name"="text" for REG_SZ (backslashes and quotes escaped as \\ and \"), @="text" for the (Default) value, "Name"=dword:0000000a for REG_DWORD (hexadecimal), "Name"=hex:01,02 for REG_BINARY, and hex(2):, hex(7): and hex(b): for REG_EXPAND_SZ, REG_MULTI_SZ and REG_QWORD, written as comma-separated bytes with strings in UTF-16LE. Long hex runs wrap onto continuation lines that end in a backslash. [-HIVE\Key\Path] deletes a key and "Name"=- deletes a value. Importing merges: values in the file are created or overwritten, values not in the file are left alone, so an export only restores a key fully if the key is deleted first. Treat a .reg file from an untrusted source as executable content: merging it can add Run entries or redirect file handlers.
Remote registry: File > Connect Network Registry opens another computer's HKLM and HKU (only those two) over SMB/RPC. It requires the Remote Registry service to be running on the target and administrative rights there. The same path serves lateral movement and remote persistence, so the service is best left disabled (its default on Windows client editions) and its use monitored where it is needed.
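To make the .reg format and the value-type encodings above concrete, and to put the Run keys from Critical Registry Locations to use, here is an added example (not code from the page): a Python parser for a regedit 5.00 export that decodes REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, REG_DWORD and REG_BINARY data, handles continuation lines, and then triages Run/RunOnce entries for traits that deserve a closer look. SAMPLE_REG and every path, value name and command line in it are constructed for illustration; the triage heuristics (user-writable directories, script hosts, encoded commands, unquoted paths with spaces) are my own choices, not a standard list.

```python
"""Parse a regedit .reg export and triage the Run/RunOnce entries it contains.
Added example, not code from the page. SAMPLE_REG is constructed to look like a
regedit export; every path, value name and command line in it is made up."""
import re

VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<kind>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE = ("appdata", "\\temp\\", "programdata", "users\\public", "\\downloads\\")
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "certutil")


def _reg_hex(kind, data):
    """Encode bytes as regedit does: hex(kind):aa,bb,... wrapped with '\\' continuations."""
    parts = [f"{b:02x}" for b in data]
    rows = [",".join(parts[i:i + 25]) for i in range(0, len(parts), 25)]
    return f"hex({kind:x}):" + ",\\\n  ".join(rows)


UPDATER_HEX = _reg_hex(2, "%APPDATA%\\svc\\update.exe\0".encode("utf-16-le"))   # REG_EXPAND_SZ
SERVERS_HEX = _reg_hex(7, "srv1.example\0srv2.example\0\0".encode("utf-16-le"))  # REG_MULTI_SZ

SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SecurityHealth"="C:\\\\Windows\\\\system32\\\\SecurityHealthSystray.exe"
"Updater"={UPDATER_HEX}
"Tool"="C:\\\\Program Files\\\\Some Tool\\\\tool.exe"

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"OneDrive"="\\"C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\" /background"
"WinHelper"="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoACcAaAAnACkA"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleCorp\\Agent]
@="ExampleCorp Agent"
"Build"=dword:00004e20
"Servers"={SERVERS_HEX}
"""


def _data(s):
    """Decode one value's data field into (registry type, Python value)."""
    if len(s) > 1 and s[0] == s[-1] == '"':
        return "REG_SZ", re.sub(r'\\(["\\])', r"\1", s[1:-1])
    if s.startswith("dword:"):
        return "REG_DWORD", int(s[6:], 16)
    m = HEX_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised value data: {s!r}")
    kind = int(m.group("kind"), 16) if m.group("kind") else 3   # bare hex: is REG_BINARY
    raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b)
    if kind == 2:   # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\0")
    if kind == 7:   # REG_MULTI_SZ: UTF-16LE, NUL-separated, double NUL at the end
        return "REG_MULTI_SZ", [x for x in raw.decode("utf-16-le").split("\0") if x]
    return ("REG_BINARY" if kind == 3 else f"REG_TYPE_{kind}"), raw


def parse_reg(text):
    """Return {key: {name: (type, data)}}; joins regedit's backslash continuation lines."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        raise ValueError("not a version 5.00 .reg export")
    keys, current, pending = {}, None, ""
    for raw in lines[1:]:
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):          # hex data continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] == ";":
            continue
        if line[0] == "[" and line[-1] == "]":   # a [-KEY] deletion keeps its leading '-'
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = "(Default)" if m.group("name") is None else re.sub(r'\\(["\\])', r"\1", m.group("name"))
        current[name] = _data(m.group("data"))
    return keys


def triage_autoruns(keys):
    """Flag Run/RunOnce commands with traits worth a second look (leads, not verdicts)."""
    findings = []
    for key, values in keys.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, (vtype, data) in values.items():
            if vtype not in ("REG_SZ", "REG_EXPAND_SZ"):
                continue
            cmd, why = data.lower(), []
            if any(d in cmd for d in USER_WRITABLE):
                why.append("runs from a user-writable directory")
            if any(h in cmd for h in SCRIPT_HOSTS):
                why.append("invokes a script host or LOLBin")
            if " -enc" in cmd or "-encodedcommand" in cmd or "frombase64" in cmd:
                why.append("encoded command line")
            if cmd[:1] != '"' and " " in cmd.split(".exe")[0]:
                why.append("unquoted executable path containing spaces")
            if why:
                findings.append({"key": key, "value": name, "command": data, "reasons": why})
    return findings
```

Run it on a real export with parse_reg(open(path, encoding="utf-16").read()) after exporting the Run keys of HKLM and of every HKU\<SID> profile. Expect benign hits: OneDrive legitimately runs from AppData and is flagged here for exactly that reason, which is why the findings are leads to confirm against the file's signature, hash and prevalence rather than verdicts.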
Registry Troubleshooting
Registry corruption: a damaged hive can cause boot failures, application errors, or missing features. Common causes: incomplete uninstallation, power loss during a write, malware, a failed update, disk errors.
Windows protects in-flight writes with the transaction logs stored beside each hive (SYSTEM.LOG1 and SYSTEM.LOG2, and so on) and replays them when the hive is loaded; a hive whose header sequence numbers disagree is "dirty" and is repaired from its logs at load time. The automatic copies in C:\Windows\System32\config\RegBack have not been populated by default since Windows 10 version 1803, so do not count on them as a backup.
SFC /scannow repairs protected system files (it verifies files, not hive contents); DISM /Online /Cleanup-Image /RestoreHealth repairs the component store that SFC draws its replacements from, so run DISM first when SFC reports files it could not fix.
Manual registry fixes: Microsoft KB articles give the exact keys and values for known issues. Always export the key before editing.
Malware and the registry: Run/RunOnce keys are the classic persistence mechanism because they survive reboots, but they are not the only registry one: the Userinit and Shell values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, service entries under HKLM\SYSTEM\CurrentControlSet\Services, and per-user file-type and COM registrations under HKCU\SOFTWARE\Classes are also used.
Autoruns (Sysinternals): enumerates every autostart location it knows about (Run keys, Winlogon, services and drivers, scheduled tasks, Explorer shell extensions, and more), far more than Task Manager's Startup tab. Enable "Verify code signatures" and "Hide Microsoft Entries" under Options so that unsigned or unverifiable entries in unusual paths stand out.
Registry cleaner tools: controversial. Windows itself does not need registry cleaning; poorly written cleaners can cause more harm than the "orphan entries" they remove. Avoid third-party registry cleaners.
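As an added example for the corruption discussion (not code from the page), the following Python reads the 4096-byte base block that begins every hive file (SAM, SECURITY, SOFTWARE, SYSTEM, NTUSER.DAT) using the publicly documented regf header layout, verifies the header checksum, and reports whether the hive is clean, dirty (primary and secondary sequence numbers differ, meaning a write was interrupted and the .LOG1/.LOG2 transaction logs must be replayed) or corrupt. The hive headers it checks are built in memory; build_base_block, hive_status and the other names are mine, and the file name, sequence numbers and timestamp are made up.

```python
r"""Check the base block of a registry hive file (SAM, SECURITY, SOFTWARE, SYSTEM,
NTUSER.DAT) for the signs of a clean, dirty or corrupt hive. Added example, not code
from the page: the headers below are built in memory with made-up contents."""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096                                   # the header occupies the first 4 KiB
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch (100 ns ticks)


def header_checksum(block):
    """XOR of the 127 little-endian dwords before the checksum field at 0x1FC;
    the results 0 and 0xFFFFFFFF are reserved and remapped to 1 and 0xFFFFFFFE."""
    x = 0
    for (word,) in struct.iter_unpack("<I", block[:0x1FC]):
        x ^= word
    return 1 if x == 0 else 0xFFFFFFFE if x == 0xFFFFFFFF else x


def build_base_block(name, primary_seq, secondary_seq, written, root_cell=0x20, bins_size=0x1000):
    """Assemble a hypothetical base block: 'regf', sequence numbers, FILETIME,
    version 1.5, file type 0 (primary hive), format 1, root cell, bins size, name."""
    delta = written - EPOCH_1601
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    block = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into("<4sIIQIIIIIII", block, 0, b"regf", primary_seq, secondary_seq,
                     filetime, 1, 5, 0, 1, root_cell, bins_size, 1)
    block[0x30:0x70] = name.encode("utf-16-le")[-64:].ljust(64, b"\0")  # last 32 chars of the path
    struct.pack_into("<I", block, 0x1FC, header_checksum(block))
    return bytes(block)


def parse_base_block(block):
    """Decode the header fields an analyst looks at first. Raises ValueError if the
    data is too short or lacks the 'regf' signature."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a regf base block")
    primary, secondary, filetime, major, minor, ftype, fmt, root, bins = struct.unpack_from(
        "<IIQIIIIII", block, 4)
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        "last_written": EPOCH_1601 + timedelta(microseconds=filetime // 10),
        "version": f"{major}.{minor}",
        "file_type": ftype,                  # 0 = primary hive, 1 = transaction log
        "format": fmt,
        "root_cell_offset": root,            # relative to the first hive bin at 0x1000
        "hive_bins_size": bins,
        "name": block[0x30:0x70].decode("utf-16-le", "replace").rstrip("\0"),
        "checksum_ok": struct.unpack_from("<I", block, 0x1FC)[0] == header_checksum(block),
    }


def hive_status(block):
    """clean: header verifies and sequence numbers agree. dirty: a write was in
    progress at the last flush, so .LOG1/.LOG2 must be replayed before the hive is
    trusted. corrupt: bad signature or checksum, or not a base block at all."""
    try:
        header = parse_base_block(block)
    except ValueError:
        return "corrupt"
    if not header["checksum_ok"]:
        return "corrupt"
    return "clean" if header["primary_seq"] == header["secondary_seq"] else "dirty"


def corrupt_copy(block, offset):
    """Return a copy with one byte flipped, to simulate on-disk damage."""
    damaged = bytearray(block)
    damaged[offset] ^= 0xFF
    return bytes(damaged)


# Constructed samples (hypothetical path, sequence numbers and timestamp).
WRITTEN = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SYSTEM_PATH = "C:\\Windows\\System32\\config\\SYSTEM"
CLEAN_HIVE = build_base_block(SYSTEM_PATH, 42, 42, WRITTEN)
DIRTY_HIVE = build_base_block(SYSTEM_PATH, 43, 42, WRITTEN)   # primary bumped, flush never finished
CORRUPT_HIVE = corrupt_copy(CLEAN_HIVE, 0x28)                 # hive bins size field damaged
```

On a live system the hive files are locked; read them from a shadow copy, a disk image, or a copy made with reg save, and remember that SAM and SECURITY are SYSTEM-only. Run hive_status on the copy before trusting any offline parser's output: a dirty hive analysed without its logs can miss the most recent changes, including the ones an attacker made last.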