THE WINDOWS NT 4.0 REGISTRY
Lance Jensen
Executive Software Technical Support
and
John Sankey
The Registry is NT's management information system, a unified database containing
information about hardware, installed software, and the settings for their
use, set up in a tree hierarchy. It is normally maintained by programs such
as Control Panel and program installs. However, viewing it can often help
to trace a problem, and editing it directly can be very useful in special
cases.
Warning: Neither of the authors (nor Microsoft for that matter) accepts any
responsibility whatsoever for changes you make directly to a registry. You
can easily make a mistake while using the registry editors, and they will
not warn you if you do. Editing the registry can disrupt your system to the
point where your only option is to re-install Windows NT. Even if you know
exactly what you are doing and are completely certain what the results will
be, you should always back up your registry before making any changes, using
NTBackup or the Windows NT Resource Kit programs regback.exe and regrest.exe.
The old registry editor regedit.exe has a complete search capability (the
new one, regedt32.exe, only searches keys, not values) but regedit cannot
be used to edit the new EXPAND_SZ or MULTI_SZ value types or to implement
registry auditing. So, you have to use regedit to find values in the Registry,
then switch to regedt32 to make these changes. Regedt32 also has a read-only
switch (Menu, Options) which is a good safety feature to prevent changes
from being made until you are ready for it - regedit doesn't. Hopefully,
in NT5 the two teams will get their act together.
Each major set of keys is called a hive. Within each hive there are keys,
which may have sub-keys, and sub-sub-keys, and so on. At the lowest level
there is a value entry comprised of a name, a data type, and a value. Data
types are BINARY (16 bits!), DWORD (4 bytes, displayed in binary, hexadecimal
or decimal), SZ (text string), EXPAND_SZ (expandable text string that contains
a variable such as %systemroot%), and MULTI_SZ (multiple line string; each
"line" is separated by a null). Each hive is rooted at the top of the Registry
hierarchy, and most are backed by a main file, a save file and a log file
in the folder %systemroot%\system32\config. The main file has no extension,
the others have the extensions .sav and .log. Exceptions are
LOCAL_MACHINE\HARDWARE, which has no files, and CURRENT_USER, which stores
its files in %systemroot%\Profiles\%username%.
The following facts concerning the registry are in the same format as you
see them in the registry editors. Set up your browser on one side of the screen,
and a registry editor on the other, to keep track of things. Q numbers refer
to Microsoft Knowledge Base Articles available at
http://support.microsoft.com/support/. Much of the information is also available
in descriptive format in the NT Focus eletters at
http://www.execsoft.com/eletters/.
This information is as accurate as the authors can make it. If, despite our
care, you find an error in this document, please email bf250@freenet.carleton.ca
immediately.
LOCAL_MACHINE holds information about the local machine, hardware and installed
software. It contains five hives:
-
HARDWARE contains information about your hardware, including cards in expansion
slots, connections through ports, and the related interrupts. Most of this
data is determined and stored on boot-up, so it is not saved in any files.
You almost never need to edit any data here, but it's a useful source of
troubleshooting information.
-
DESCRIPTION System devices are listed in the Registry by names or codes.
This is where those names and codes are defined. The source of this data
depends on your computer. On an Alpha system, the data is copied from the
ARC configuration database in the firmware. On an x86 system, the Hardware
Recognizer NTDETECT.COM gathers the data during startup. On a non-x86 system
the data is gathered by a version of NTDETECT.COM provided by the OEM.
-
System contains value entries defining the System and Video BIOS and the
motherboard itself. It's a convenient place to check your BIOS version and
revision date.
-
CentralProcessor lists the CPUs, each under its own number sub-key 0, 1,
etc. Each sub-key has five value entries describing the CPU, including the
vendor and clock speed. The first three value entries are also found under
each of the number keys (0, 1, etc.) under System.
-
Component Information, BINARY. Contains version information.
-
Configuration Data, REG_FULL_RESOURCE_DESCRIPTOR. Contains data such as the
I/O port addresses and the IRQ number. (If this data is not available, this
value entry will not appear.)
-
Identifier, SZ. Contains the name of the device.
-
VendorIdentifier, SZ. Identifies the CPU manufacturer.
-
~MHz: the approximate rated speed of the CPU.
-
FloatingPointProcessor lists the math co-processors in sub-keys, which have
the same value entries as CentralProcessor, describing the co-processor.
-
MultifunctionAdapter has three sub-keys which hold the data about the adapters
in your system that are BIOS-controlled.
-
0 holds the configuration data for the PCI bus, with subkeys for any
BIOS-supported devices that are plugged into it.
-
1 will hold the configuration data for the Plug and Play BIOS, but, since
Plug and Play is not fully implemented in Windows NT 4.0, there are no sub-keys.
-
2 holds the configuration data for the ISA bus, with subkeys for any
BIOS-supported devices that are plugged into this bus.
Under these number keys there are several more sub-keys for controllers.
Which key you will find them under depends on which bus they are connected
to. Each sub-key will have one or more sub-keys, depending on how many
controllers you have. For example, you probably only have one keyboard
controller, and thus only the 0 subkey under KeyboardController, but if you
have two disk controllers, you will have 0 and 1 under DiskController. (Note:
The numbers here do not refer to the type of bus.)
-
DiskController contains the data for your hard-disk and floppy-disk controllers.
Under each number key it will have the sub-keys DiskPeripheral and/or
FloppyDiskPeripheral, which will have number keys for each attached disk
drive.
-
KeyboardController contains the data for your keyboard controller. Under
the number key will be a sub-key KeyboardPeripheral, which contains a number
key describing the keyboard itself.
-
ParallelController contains the data for your parallel port controller. It
has a number key for each installed parallel port.
-
PointerController contains the data for your mouse port controller. It has
a number key for each installed mouse port.
-
SerialController contains the data for your serial port controller. It has
a number key for each installed serial port. Under each of these last three
keys, if there is a device plugged in to a port, there will be an xxxPeripheral
subkey, such as PointerPeripheral for a mouse or touchpad, which contains
a number key describing the device.
-
DEVICEMAP Here we find several subkeys, each containing at least one value
entry. The value entries contain either a string defining where in the Registry
the driver data is stored, or a string containing a port name. The Registry
location is LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services; usually the
ControlSetnnn is the same control set that is mirrored in CurrentControlSet.
The sub-keys under Services contain data on the drivers and on their associated
hardware. You maintain this data from Control Panel, using the Devices, Network,
Services and UPS icons.
-
One sub-key, Scsi, deserves more explanation. Here you will find a sub-key
for each SCSI host device, in the order that the system discovers them. Under
each SCSI host device will be a sub-key for each bus on that device. Under
each bus will be subkeys for each SCSI device attached. If you are
trouble-shooting an unfamiliar system, this can be useful in locating all
SCSI devices on the system and exactly where they are.
-
OWNERMAP: If any devices are owned (controlled by another device), the device
and its owner are recorded in value entries here.
-
RESOURCEMAP: Here you will find the connection settings and addresses for
your system devices.
-
Hardware Abstraction Layer names in its sub-key the type of HAL in use on
your system. There are many possible HALs, such as Compaq and PowerPC. On
my system, this subkey is UP MPS 1.4-APIC platform.
-
KeyboardPort\PointerPort has a sub-key defining the keyboard controller
chip. If you use a standard keyboard, the sub-key will be i8042prt.
-
LOADED PARALLEL DRIVER RESOURCES and
-
LOADED SERIAL DRIVER RESOURCES: contain data on the parallel and serial port
drivers, in value entries within the subkeys Parport and Serial.
-
OtherDrivers holds the data on drivers that are not standard system operations
drivers. For example, I have a subkey sndblst for my audio card.
-
PointerPort holds sub-keys containing data for pointers such as a mouse or
touchpad.
-
ScsiAdapter holds sub-keys for any SCSI adapters installed, with their settings.
-
System Resources contains memory settings, including Virtual and Reserved
memory, in its subkeys PhysicalMemory and Reserved.
-
VIDEO contains your video driver information. The subkey depends on your
video driver. For example, my system has stlth3d. But there are two other
sub-keys. VgaSave describes the VGA driver which is used when the installed
video card fails, or when you boot to VGA mode. VgaStart notes which of the
video drivers is currently in use.
-
SAM is the Security Accounts Manager, containing user account names and passwords
and security settings. As in SECURITY, most of the information is encrypted
and stored in binary format. You should never need to change anything here,
as it is maintained on Workstations via User Manager, or on Servers by User
Manager For Domains. Files: Sam, Sam.sav and Sam.log. It contains only one
sub-key, SAM, which is mapped to the sub-key SAM under SECURITY. Thus any
change made to one sub-key also changes the other.
-
Domains. It has two sub-keys, Account and Builtin, and they each have three
sub-keys, Aliases, Groups and Users. Each of these has a code-number sub-key
for each member (if any), plus Names, which contains as sub-keys the actual
names of the members (such as Administrators or Users). Account\Users\Names
will contain the names of user accounts, as maintained in the User Manager
program. Builtin\Aliases\Names will contain the built-in groups Administrators,
Backup Operators, Guests, Power Users, Replicator and Users.
-
RXACT, which stands for Registry Transaction. It's usually empty.
-
SECURITY This contains the security information for the local machine, including
all group names, all user names and passwords, what rights each user has
and what groups each user belongs to. It is maintained via User Manager.
The information is encrypted and is stored in binary format, so you can't
edit it with REGEDT32 or REGEDIT. About the only thing you can do is view
the user and group names. Files: Security, Security.sav and Security.log.
-
SOFTWARE contains data for all of the 32-bit software installed on your system.
Each software package may appear as a sub-key of SOFTWARE, but there will
also be sub-keys which are manufacturers (such as Microsoft or Executive
Software) with software packages listed as sub-keys below the company sub-key.
The data under the software sub-keys includes configuration settings, file
associations and OLE information. This data can include build number,
registration information, paths to executable and data files, and anything
else the manufacturer wants. If permission for Everyone on this key, and
on the subkey for each manufacturer, is restricted to QueryValue, Enumerate
Subkeys, Notify and Read Control, only administrators will be able to install
software with InstallShield. The entire subtree must not be locked using
this setting because that will prevent applications from running that use
the registry to store state information.
-
Classes In this sub-key, OLE (Object Linking and Embedding) and DDE (Dynamic
Data Exchange) classes are defined. It contains a sub-key for each class,
such as .exe (executable) and .gif (graphic image). Each sub-key has a value
entry whose value is the program used to open this type of file; this program
is what you are asked to specify when you see the Open With dialogue box.
-
[ext]_auto_file: each extension in the "open with" dialog has an entry here
-
[filetype]\EditFlags: set to 00000000 to save, otherwise filetype is
played/displayed directly. Setting this to 0 is how you reverse clearing
the "prompt for this type of file" box.
-
[type]\Shell\edit\Default: the executable used to edit the file type. These
are all most easily set from within NT Explorer.
-
Clients: This section defines clients such as your internet e-mail package,
and other applications such as Microsoft Outlook. Sub-keys and data vary
greatly depending on the application.
-
CLSID: a list of all program identity numbers
-
DefaultIcon: {path}.ico,0 is the desktop icon used for each program. Any
desired icon can be set here for any program, in particular of My Computer
(CLSID {20D04FE0-3AEA-1069-A2D8-08002B30309D}), Network Neighbourhood
{208D2C60-3AEA-1069-A2D7-08002B30309D} and the Recycle bin
{645FF040-5081-101B-9F08-00AA002F954E}.
-
Description: where Windows NT stores the names and versions of your software.
It is useful for information, but should never be changed manually.
-
Http\Shell\Open\Command\Default: the command to start the default Internet
Browser
-
Lnkfile\IsShortcut: Delete this value to remove the arrows marking shortcuts
if you don't like them. (A right-click will still tell you which is which.)
-
Paint.Picture\DefaultIcon: By default this is the name of a bitmap viewer.
Replace it with %1 and a thumbnail of each graphic file will appear as its
icon in NT Explorer. Handy if you have a lot of bitmaps, and set View in
Explorer to large icons.
-
Unknown\Shell: one entry for each item in the right-click menu
-
Program Groups Descriptions of any program groups, as maintained with Program
Manager, are stored here.
-
Secure: apparently a storage location for keys that require more than the
usual amount of security.
-
Microsoft
-
Internet Explorer\Main
-
URLTemplates: when you type in a URL, this is where IE gets the suggestions
it puts in that blue type-ahead. Add your own specials as desired, in the
order desired (match the syntax and type of those already there).
-
Multimedia: Control Panel settings
-
Ntbackup
-
BackupEngine\Backupfilesinuse: set to 0 to prevent open files from being
backed up, which can produce errors with update-in-place apps. (Q159218)
-
UserInterface\Skipopenfiles: used if Backupfilesinuse is 1. Set to 0 to wait
until the open file can be backed up, 1 to skip files that are open/unreadable,
or 2 to wait for open files to close for Waittime seconds.
-
Waittime: the time used by Skipopenfiles=2
-
RAS Autodial
-
Addresses: network address for which RAS is to autodial
-
Control\DisabledAddresses: network addresses for which autodial is not desired
-
Windows\CurrentVersion
-
Explorer\Tips
-
Next: the message number to be shown at the next Explorer start
-
Show: 01000000 to display a different message each time Explorer is opened,
0 otherwise
-
[n]: text of each message
-
Policies\System
-
DisableRegistryTools: 1 if the user is not permitted to use the registry
editors
-
Explorer\LinkResolveIgnoreLinkInfo: set to 1 to disable link tracking of
shortcuts
-
Run: each program listed here will be run each time any user logs on. Since
such programs run at System privilege, Everyone permission on this key and
the three following should be restricted to Read to prevent unauthorized
additions (Q126713). If everyone has problems with NT Explorer start-up errors,
check for a null ("") program entry here or in Windows NT\Current Version
(regedt32 required - regedit can't see this kind of entry).
-
RunOnce: each program listed here will be run at the next logon, then removed
from the list.
-
RunServices: a way of starting a service (TSR in DOS language).
-
RunServicesOnce: a way of running a service once.
-
SharedDlls: has a value under the name of each DLL in the system that is
used by more than one program. Entering the name of a non-NT DLL here with
value 1 will stop NT uninstall from offering to delete it.
-
Telephony: Control Panel entries
-
Uninstall: contains a key for each program that can be uninstalled by NT.
In any secure installation, Everyone access to this key should be removed
(NOT set to NoAccess! - Everyone includes Administrators). If a botched install
leaves an inoperative entry in the uninstall list, delete it here.
-
Windows NT\CurrentVersion
-
AeDebug: delete this to stop Dr.Watson from generating its huge dump files
-
Fonts: installed fonts (Control Panel)
-
Hotfix: records which hotfixes have been applied
-
InternetSettings: Control Panel settings
-
Perflib: the permissions on this key determine who can see data such as the
list of running processes.
-
ProductId: 50036-xxx-yyyyyyy-71345 where xxx-yyyyyyy is the CD-ROM key
-
ProfileList: lists each valid SID on the local machine and matching profile
locations. By default when a user logs on for the first time at a machine
a directory %systemroot%\profiles\%username% is created. If the directory
already exists, an alternate directory <username>.nnn will be created,
starting with 000. This mapping is stored here.
-
RegisteredOrganization: your company name
-
Run, Run Once: some installs put programs here (they should be put under
Windows\Current Version)
-
Unimodem: modem data (Control Panel)
-
Windows
-
ErrorMode: 1 to display only application errors, 2 to suppress all error
dialogs (no one but developers should use this or NoPopUpsOnBoot)
-
NoPopUpsOnBoot: 1 to suppress boot error popups
-
Winlogon
-
AllocateCDRoms: if 1, the drive will be secured for a user (C2 security),
if 0 default administrative sharing is allowed
-
AllocateFloppies: does the same for floppy drives
-
AutoAdminLogon: 1 to force automatic logon using the username and password
set below. Users must be restricted to read-only access to the Winlogon key
to enforce this.
-
AutoRestartShell: should be 1 so if your shell (default Explorer) crashes
it will automatically restart.
-
CachedLogonsCount: this basically enables roaming profiles; set to 0 to disable
them (Q172931)
-
DefaultDomainName, DefaultPassword, DefaultUserName: for autologon
-
DeleteRoamingCache: by default, profiles are cached locally to machines,
however this can be disabled by setting this to 1
-
DontDisplayLastUserName: to prevent display of a user name in the Logon
dialog box, give this the value 1 (C2 security)
-
IgnoreShiftOverride: by default any user can prevent programs in start folders
from running by holding down the Shift key during logon. Set this to 1 to
prevent this.
-
KeepRasConnections: keep RAS connections open when the user logs off
-
LegalNoticeCaption, LegalNoticeText: if present, these require each user to
'accept' (click OK) the text
-
LogonPrompt: the place for custom logon instructions
-
PasswordExpiryWarning: the number of days prior to password expiring that
a warning message is displayed
-
PowerdownAfterShutdown: if you have an ATX power supply, setting this to
1 will power down the computer on shutdown. (Without an ATX, it makes it
always reboot.)
-
Shell: explorer.exe by default, can be changed to progman.exe for nostalgia
-
Show: the timeout for options displayed at logon e.g. profile choice
-
ShutdownWithoutLogon: set to 0 to remove the shutdown button from the logon
screen
-
TaskMan: set to TaskMan.exe to enable the old Ctrl-Esc activation of Task
Manager
-
Welcome: the place for a custom welcome message
-
Policies\Ratings\Key: password for the IE content advisor (encrypted). If you
forget it, delete the value, then set a new password with Internet Options -
Content.
-
[Software Packages name]: The data stored for each software package varies
widely. For example, Executive Software's entry can tell you that Diskeeper
is installed at D:\ExecSoft\Diskeeper (from Diskeeper), that it is version
3.0 build 172 (from CurrentVersion), that it was upgraded from version 2.0 (from
2.0), and that it is set to run at the lowest priority (from UserSettings).
Much of the data may not be understandable, but at the minimum you can find
where the files are. When an Uninstall fails, this is where you find the
information to manually uninstall a package.
-
SYSTEM This is the most useful as well as the most dangerous hive, because
it contains the startup data that cannot be calculated during startup. This
data is stored in ControlSet sub-trees. One of these, CurrentControlSet,
is actually a link to one of the others (ControlSet001, ControlSet002, etc.)
which contains the data set currently in use. This data is normally modified
via utilities in Control Panel. Files: system, system.sav and system.log.
There is also system.alt, which is a backup of the system hive, and makes
it possible to undo changes that had unexpected side-effects.
-
CurrentControlSet contains the parameters for the system's services and devices
currently in use. When the system starts, the numbered set used (usually
ControlSet001) is copied into Clone, and CurrentControlSet is linked to that
numbered set. The copy in Clone also replaces the LastKnownGood configuration,
once the startup is declared good (generally meaning there were no Severe
or Critical errors, and a successful logon was done). This lets you revert
your Registry to the way it was prior to the changes by invoking the Last
Known Good menu on reboot if you accidentally botch registry changes. Note
that this will only work if you have not fully rebooted since the changes.
If you have, then your changes to the Registry will have already been saved.
A way to be sure every time is to back up your Registry prior to making any
changes, so that you always have a good copy of the Registry to fall back
on.
-
Control contains parameters necessary for the system to start. There are
several sections here that you should leave alone, as changes can prevent
the system from starting or running or can make it impossible for anyone
to log in. Let Control Panel and the system maintain these whenever possible.
-
CurrentUser, SZ. This is for holding the username of you, the user who is
currently logged on.
-
RegistrySizeLimit: The default is 25% of the paged pool (see PagedPoolQuota),
minimum 4MB, maximum 80% of the paged pool (which has a maximum size of 128MB).
The RegistrySizeLimit is a maximum, not an allocation, so setting a high
value will not reserve the space nor does it guarantee the space will be
available. This is best configured using the System Control Panel applet
Performance tab (Q124594).
-
ServiceGroupOrder: determines the order in which services are started at
startup (Q102987)
-
SystemStartOptions: If the firmware passes system arguments to the system,
they are listed here. You will not need to change anything here.
-
Update\UpdateMode: set to 0 to make NT Explorer refresh the screen automatically
after each change
-
WaitToKillServiceTimeout: default 20,000 ms. Sets how long the service control
manager will wait for each service to complete the shut-down request. If
you have a long wait to complete shutdown, this is usually the reason; it
can be reduced significantly on non-networked systems.
-
BootVerificationProgram: ImagePath, defaults to blank. This value entry contains
the path and filename of the program which the service controller uses to
verify the Last Known Good configuration. If you change this from the default,
you must also go to LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\WinLogon and set the value entry ReportBootOK (SZ) to 0.
These sub-keys should be left at the default unless you are certain you know
what you are doing. For one thing, you'll probably have to write the program
it calls.
-
Class: You'll find a dozen or more sub-keys under Class, each with a cryptic
name. Don't worry about them, because you should not modify them. These sub-keys
define devices such as keyboard, mouse, modem, etc., and are modified from
Control Panel.
-
ComputerName: This has two sub-keys, ActiveComputerName and ComputerName
(yes, the name is identical). The value entry ComputerName, SZ, will be in
the first sub-key, and may be in the second. This is the network name of
the computer. You can change it in Network\Identification in Control Panel.
-
CrashControl: Workstation default=0, Server default=1 for most
-
AutoReboot: if 1 the system will automatically reboot when it crashes.
-
CrashDumpEnabled: if 1 a dump file will be written when the system crashes
if you have a pagefile on your system partition which is larger than your
total RAM.
-
DumpFile: default %SystemRoot%\Memory.log. This is the path and file name
of the crash dump file.
-
LogEvent: if 1 an entry will be written to the System log when the system
crashes.
-
Overwrite: if 1 the dump file will be overwritten when the system crashes;
a value of 0 means the crash dump data will be added to the existing dump
file.
-
SendAlert: if 1 and LogEvent is 1 and Overwrite is 0, then when the dump
file is full, the logged-on user will receive an administrative alert. An
acknowledgement must be received from the user before the system will proceed.
-
FileSystem
-
NtfsDisable8dot3NameCreation: default 0. If set to 1, long file names can
not be used on your NTFS partitions. If Windows NT is taking a long time
to process directories, it may be due to having a large number of long file
names. If so, setting this value to 1 may speed up the directory processing.
On the other hand, you will not be able to use long file names, and you will
not be able to use MS-DOS shortcuts that have long file names.
-
NtfsDisableLastAccessUpdate: default 0. Whenever Windows NT accesses a file
or folder, even if it's just to display the name in a list of folder contents,
the Last Accessed Date is updated. If you normally deal with large numbers
of files and folders, this could slow you down. To disable this feature,
set this value to 1.
-
Win31FileSystem: default 0. Controls whether the FAT will allow creation,
enumeration, opening, or querying of long file names, and whether extended
time stamp information (CreationTime and LastAccessTime) is stored and reported.
Set it to 1 to revert to basic Win3x (and Windows NT 3.5) semantics. Changing
this value does not change any disk structures, it simply changes how the
system behaves.
-
Win95TruncatedExtensions: when set to 0, this makes all file extensions look
like 3-character extensions. NT will then consider .LIS, .LIST, .LISTS, .LISTED,
.LISTING, and so on to be identical, and any action done on *.LIS will be
performed on all of these files. To disable this feature, set this value
to 1.
-
GraphicsDrivers contains sub-keys for any graphics drivers installed on the
system. Within these sub-keys you may find value entries for controlling
the drivers.
-
GroupOrderList: This contains a series of value entries which, along with
the Tag value under the specific Services subkeys lay out the order in which
services within a group will be loaded on startup. See ServiceGroupOrder
above. They should be maintained only by the system.
-
IDConfigDB identifies the current system configuration. It has one sub-key
Hardware, which has sub-keys 0001, 0002, etc. These are entries in your Last
Known Good menu. Each has several value entries, including FriendlyName,
SZ, (the name as it appears in the configuration menu) and PreferenceOrder,
which is the sequence these appear in the menu.
-
Keyboard Layout: KeyboardLayout, SZ. This key contains the name of the .DLL
file which the system loads to map your keyboard. You will probably never
need to change this. It contains two sub-keys.
-
DosKeybCodes: This contains a set of value entries, each of which is an MS-DOS
style layout name. The system uses it to convert Windows NT layout names.
Each value entry is the code. For example, US is 00000409. Note that these
are text strings, so the value type is SZ.
-
Substitutes: If a particular user prefers a keyboard layout which is different
from the default, the code for the layout is recorded here. When that user
logs in, the system loads the corresponding .DLL file. As under DosKeybCodes,
each value entry is the code. The type is SZ, Default is blank.
-
Keyboard Layouts: Under this key we have a sub-key for each layout name,
(as listed in Keyboard Layout\DosKeybCodes). Each sub-key contains the name
of the .DLL file, an ID number and descriptive text.
-
Lsa: (Local Security Authority)
-
CrashOnAuditFail: If this exists, it is set to 2 by the operating system
just before the system crashes due to a full audit log, so that only the
administrator can logon - this allows saving of the logs. If set to 1, the
system stops immediately on audit full.
-
Notification Packages: if this contains PASSFILT, users may enter only strong
passwords. (User Manager is not restricted by this value.)
-
RestrictAnonymous: 1 to block null session attacks
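
The Run, Winlogon and Lsa entries described above can be reviewed offline from a regedit export. The following is an added example, not part of the original document: it parses a constructed REGEDIT4 export, decodes the SZ, DWORD, EXPAND_SZ and MULTI_SZ value types, reports the logon settings this page describes, and lists every autostart value for review. The export syntax, the function names, and the assumption that Winlogon flags are stored as SZ strings while RestrictAnonymous is a DWORD are not taken from the page.

```python
import re

# Constructed REGEDIT4 export (sample data, not taken from a real system).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="kiosk"
"DefaultPassword"="example-only"
"DontDisplayLastUserName"="0"
"ShutdownWithoutLogon"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):46,50,4e,57,43,4c,4e,54,00,00
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Updater"="C:\\TEMP\\upd.exe /quiet"
'''

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
AUTOSTART = tuple("\\currentversion\\" + k
                  for k in ("run", "runonce", "runservices", "runservicesonce"))
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def decode_value(raw):
    """Turn the right-hand side of a REGEDIT4 value line into a Python value."""
    if raw.startswith('"'):                          # SZ: quoted, \\ and \" escaped
        return re.sub(r"\\(.)", r"\1", raw[1:raw.rindex('"')])
    if raw.lower().startswith("dword:"):             # DWORD: hexadecimal digits
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", raw, re.I)
    if not m:
        raise ValueError("unrecognised value syntax: %r" % raw)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    kind = int(m.group(1), 16) if m.group(1) else 3  # bare "hex:" means BINARY
    if kind == 2:                                    # EXPAND_SZ, e.g. %systemroot%\...
        return data.split(b"\0")[0].decode("cp1252")
    if kind == 7:                                    # MULTI_SZ: null-separated strings
        return [s.decode("cp1252") for s in data.split(b"\0") if s]
    return data

def parse_reg(text):
    """Parse a REGEDIT4 export into {lower-cased key path: {value name: value}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)        # join hex continuation lines
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = reg.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            name = re.sub(r"\\(.)", r"\1", m.group(1) or "")  # "" is the default value
            current[name] = decode_value(m.group(2))
    return reg

def get(values, name):
    """Case-insensitive value lookup, since registry names ignore case."""
    return next((v for n, v in values.items() if n.lower() == name.lower()), None)

def is_one(value):
    """Accept both the SZ form ("1") and the DWORD form (1) of a flag."""
    return value is not None and str(value).strip() == "1"

def audit(reg):
    """Return (setting, finding) pairs for the logon settings the page describes."""
    wl, lsa = reg.get(WINLOGON, {}), reg.get(LSA, {})
    findings = []
    if is_one(get(wl, "AutoAdminLogon")):
        stored = " and DefaultPassword is stored in the key" if get(wl, "DefaultPassword") else ""
        findings.append(("AutoAdminLogon", "automatic logon is enabled" + stored))
    if not is_one(get(wl, "DontDisplayLastUserName")):
        findings.append(("DontDisplayLastUserName", "last user name is shown at logon"))
    if is_one(get(wl, "ShutdownWithoutLogon")):
        findings.append(("ShutdownWithoutLogon", "shutdown button is on the logon screen"))
    if not is_one(get(lsa, "RestrictAnonymous")):
        findings.append(("RestrictAnonymous", "null sessions are not restricted"))
    packages = get(lsa, "Notification Packages") or []
    if "PASSFILT" not in (p.upper() for p in packages):
        findings.append(("Notification Packages", "PASSFILT password filter not listed"))
    return findings

def autostart_entries(reg):
    """List every value under Run, RunOnce, RunServices and RunServicesOnce for review."""
    return sorted((key, name, cmd) for key, values in reg.items()
                  if key.endswith(AUTOSTART) for name, cmd in values.items())

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    for setting, finding in audit(parsed):
        print("%-24s %s" % (setting, finding))
    for key, name, cmd in autostart_entries(parsed):
        print("autostart  %s\\%s = %s" % (key, name, cmd))
```

An export does not carry key permissions, so the Everyone access recommended for the Run keys still has to be checked in regedt32.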
-
MediaProperties: the properties of your system's multimedia devices.
-
MediaResources: descriptions of your multimedia devices and their drivers.
-
NetworkProvider contains one subkey, Order, which contains one value entry,
ProviderOrder, SZ. The default, when only a single network is installed on
the system, is LanmanWorkstation. If there are other network providers available,
they will be listed, separated by commas. The order in which they are listed
is the order in which they will be accessed. Each entry also appears as a
sub-key under LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. This list
is maintained from Control Panel\Network.
-
Nls (National Language Support). This key contains subkeys that define
information for languages and code pages. It has two subkeys: Code Page contains
value entries for all code pages that Windows NT supports; Language contains
value entries for all languages that Windows NT supports. When an application
runs, it looks in these value entries to find the file name of the code page
or language it needs. If the code page or language is not installed on the
system, there will be no file name in the value entry.
-
Print: data pertinent to your printers. There will be sub-keys for DLLs and
drivers that are necessary for the printers and print spoolers, and possibly
sub-keys installed by OEMs.
-
Environments: hardware system descriptions for Windows 4.0, Alpha_AXP, PowerPC,
R4000, x86, each of which contains
-
Directory value is the driver directory. In Windows NT X86 this value is
W32X86
-
Drivers: For each printer that you have configured on this system, there
will be one or more sub-keys. They will contain value entries for data that
applies to the printer, such as the names of the configuration files and
driver DLLs. The files will reside under the driver directory.
-
Print Processors: value Driver, the name of the print DLL.
-
Monitors
-
Local Port: Driver, SZ. Contains the name of the local monitor DLL.
-
Permissions: the permissions on this determine who can add printers
-
PJL Language Monitor: PJL stands for Printer Job Language. This sub-key contains
the value entries Driver, whose value is the PJL DLL file name, and EOJTimeout,
whose value is the number of milliseconds to End-of-Job timeout.
-
Provider Network Port contains the value entry Driver, whose value is the
name of the DLL for the print monitor. It also has a sub-key Options which
contains several value entries defining connection, buffers, timers, etc.
-
Printers: several useful value entries, most only used by servers
-
DefaultSpoolDirectory, SZ. This is the path to the default print spooler
directory, used by all of the printers.
-
SpoolDirectory, SZ. If you want a particular printer to use a different spooler
directory, add this with value the path to your alternate print spooler
directory. Note that if you misspell the path, or the directory does not
exist, the default print spooler will still be used.
-
JobPrintsWhilstSpooling, 0=disabled, 1=enabled. See below
-
FastPrintWaitTimeout, Default 24,000ms. This is the time the port thread
will wait for data. If it times out, then the print job will be paused, and
the next print job will start. NOTE: If JobPrintsWhilstSpooling is enabled,
the port thread must synchronize with the spooling application.
-
FastPrintSlowDownThreshold: Default FastPrintWaitTimeout divided by
FastPrintThrottleTimeout. If JobPrintsWhilstSpooling is enabled, your printer
may pause if no data is received for a specified period.
FastPrintSlowDownThreshold is used to prevent this pause.
-
FastPrintThrottleTimeout, Default: 2,000ms. When the FastPrintSlowDownThreshold
is reached, the print spooler cuts the speed at which it sends data, so that
there will not be a long enough period between data packets to allow the
printer to pause.
-
NetPrinterDecayPeriod, Default: 3,600,000ms (1 hour). There is a list of
printers available to the browser. This value specifies how long a network
printer will be kept on that list.
-
PortThreadPriority: Sets the priority of the threads that carry data to the
printer, default 0 (Normal), but can be set to 1 (High) or 0xFFFFFFFF (Low).
-
SchedulerThreadPriority: Sets the order that threads get access to the printer
(High threads go first, then Normal, then Low).
-
SpoolerPriority: Sets the priority of the spooler as an application.
-
A subkey for each installed printer on the local machine. Their values are
all set through Control Panel Printers.
-
Providers
-
EventLog, default 1. When a print job completes, an entry is made in the
event log. Set this to 0 to disable the logging, then go into Control
Panel\Services and stop and start the spooler.
-
NetPopup, default 1. When a print job completes a notification pops up. Set
this to 0 to disable the notification.
-
LanMan Print Services
-
Name, SZ, whose value is the name of the DLL file for the service.
-
DisplayName, SZ, whose value is the name which is displayed to identify the
service.
-
Monitors
-
LanMan Print Services Port has a value entry Driver, SZ, whose value is the
name of the printer driver DLL.
-
LanmanServer\Shares: contains all the file sharing information: If you wish
to copy shared files to another host, this information has to be copied to
the new host machine's registry.
-
Servers, has one sub-key for each server in the network; the sub-key name
is the server name.
-
Forms: which has a BINARY value entry for each defined print form.
-
Printers: a sub-key for each installed network printer
-
PrinterDriverData: value entries defining the printer and its driver. They
are all set through Control Panel Printers.
-
PriorityControl has one value entry, Win32PrioritySeparation, default 2,
which controls the relative priority between foreground and background
applications. This should be controlled through Control Panel\System\Performance.
On Windows NT Workstation, a value of 0 means foreground and background threads
get the same amount of processor time; 1 and 2 give more time to foreground
threads. On a Windows NT Server, the processor time that threads get is fixed.
The Win32PrioritySeparation value instead determines the priority boost given
to foreground processes, with 2 being the highest boost.
-
SecurePipeServers has one sub-key, winreg. It is used primarily to define
who may have access to the Registry itself. In Windows NT 4.0, by default,
only members of the Administrators group can access the Registry. You can
alter the default in several ways: 1) To change the default, go to winreg
and add the value entry Description (SZ) and set the value to Registry Server.
Highlight winreg, then select Security on the menu bar, then Permissions.
Enter the users and groups you want to add, with the type of access you want
them to have. 2) To allow access to certain Users or Groups, add a sub-key
AllowedPaths under winreg, leaving Class blank. Then add the value Machine,
MULTI_SZ. Enter the following string values:
-
System\CurrentControlSet\Control\ProductOptions
-
System\CurrentControlSet\Control\Print\Printers
-
System\CurrentControlSet\Services\Eventlog
-
Software\Microsoft\Windows NT\CurrentVersion
-
System\CurrentControlSet\Services\Replicator
If you want to allow access only to certain parts of the Registry, add the
value name Users, MULTI_SZ, and enter the locations. You also use this key
for allowing users to monitor server performance. First, in USERS, select
the SID of the local server user. Then select Control Panel\International\Locale
and note the basic language ID (the value for English is 409). Subtract 400
to get the number to use below. If your system partition is NTFS format,
make sure you have read access to these server files:
%windir%\system32\PERFCnnn.DAT, %windir%\system32\PERFHnnn.DAT. Now highlight
winreg and select Security on the menu bar, then Permissions. Enter the user
ID and set type of access to READ (or a higher permission). Then do the same
for LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib, but
this time check the "Replace permissions on all sub-keys" box.
-
SecurityProviders contains data regarding system security. It has one sub-key
SCHANNEL, which includes the sub-keys CertificationAuthorities, Ciphers,
Hashes, KeyExchangeAlgorithms and Protocols. Any of these that are in use
on your system will contain further sub-keys. For example, under
CertificationAuthorities you will find a sub-key for each authority you use,
such as AT&T Certificate Services. Each of these sub-keys will have three
value entries:
-
CACert, BINARY, containing a certification code.
-
Enabled, value 0x1 if the authority is enabled.
-
Type, (I have never found a definition for this value entry).
-
ServiceGroupOrder contains sub-keys which each have three value entries which
define the order in which groups of services are loaded on startup. See
GroupOrderList above. If Start is 0, the system will load the driver, but
not initialize it till the kernel has started. If Type is 0x1, the driver
will be started as part of loading the kernel. The List, MULTI_SZ, value
indicates the sequence to load the drivers. The default order is: SCSI miniport,
port, Primary disk, SCSI class, SCSI CDROM, class filter, boot file system,
Base, Keyboard Port, Pointer Port, Keyboard Class, Pointer Class, Video,
file system, Event log, Streams Drivers, NDIS, TDI, NetBIOSGroup, NetDDEGroup,
extended base, network.
-
ServiceProvider: contains two sub-keys. Order defines the sequence in which
existing providers will be used, and lists any providers to be excluded.
ServiceTypes contains sub-keys defining the types of service providers available,
such as Microsoft Internet Information Server. Value entries under these
last sub-keys contain data defining the provider, such as the TCP port.
-
Services: each service contains:
-
ErrorControl: if the driver can't be loaded or started, 0x00 to ignore the
problem and display no error, 0x01 to produce a warning but let bootup continue,
0x02 to switch to last known good config and continue with it, 0x03 to record
the current startup as a failure and run diagnostic if it is the last known
good config.
-
Start: 0x00 to kernel load this driver as it is needed to use the boot volume
device, 0x01 to load by the I/O subsystem, 0x02 to Autoload (always load and
run), 0x03 if the service must be manually started by the user, 0x04 if the
service is disabled and should not be started
-
Type: 0x01 kernel-mode device driver, 0x02 kernel-mode device driver that
implements the file system, 0x04 information used by the Network Adapter,
0x10 a Win32 service that should be run as a stand-alone process, 0x20 a
Win32 service that can share address space with other services of the same
type
-
Browser\Parameters
-
IsDomainMaster: sets the machine to be the preferred master browser on a
network
-
MaintainServerList: No for the computer to be a non-browser, Yes for the
computer to be a master or backup browser, Auto to be a master, backup or
potential depending on the number of browsers currently in action
-
Cdrom
-
Autorun: 0x1 to enable, 0x0 to disable autorun of CD's for all users
-
EventLog: contains a subkey for each system log with value File set to the
log location. RestrictGuestAccess under each can be set to 1 to prevent Guest
and Anonymous users from accessing log files. (Restrict access to the EventLog
key itself; otherwise anyone can delete this restriction.)
-
ftpsvc\Parameters
-
MsdosDirOutput: 0 to force FTP service to use Unix (Netscape) naming rather
than NT (IE) naming
-
Hidden: if 1 hides the machine from network browsers (you can still connect
to it)
-
LanmanServer\Parameters
-
AutoShareWks: if present with a value of zero, disables the creation of the
default administrative shares
-
OptionalNames: alternative (extra) NetBIOS names for the machines (useful
for migration)
-
Users: the maximum number of users that can be logged in at one time (max
10 for Workstation)
-
Value: the description of the machine that is displayed in Network Neighborhood
-
NdisWanx\Parameters\Tcpip (where x is the profile number)
-
MTU: By default, NT uses a Maximum Transmission Unit (packet size) over the
path to a remote host of 576. Throughput will be reduced if the data is sent
over routes that cannot handle data of this size and the packets get fragmented.
It will also be reduced if the MTU is smaller than the route can handle.
If your Internet throughput is substantially lower than it should be (based
on your modem speed), try setting this parameter.
-
Netlogon\Parameters: PDC/BDC Synchronization
-
ChangeLogSize: Default size for the Change Log. By default 64KB with a maximum
of 4MB
-
Pulse: the gap in seconds between replication from the PDC to the BDC's.
The lowest value is 60, and the max is 3600 (1 hour). The default is 300
(5 minutes). You may want to increase this time if the BDC's are over a slow
WAN link.
-
PulseConcurrency: The number of BDC's that the PDC sends pulses to concurrently.
By default this is 10.
-
PulseMaximum: The PDC performs a check that the BDC's are still there every
so often. This is in seconds, minimum 60, maximum 86,400.
-
Randomize: The number of seconds a BDC waits after an announcement before
answering. 1 by default.
-
ReplicationGovernor: This is a percentage of the 128K blocks that are sent.
If you had a slow link you may not want the PDC sending 128K blocks so you
could change this to 25, meaning only 32K would be sent at a time so they
are sent more frequently
-
Update: Setting this to Yes will cause everything to be replicated even if
there is no change. This needs to be set on the import server.
-
Parallel\Start: this should be 2 for most systems; if it is 0 you may get
"System could not find the file" when trying to use a parallel port
-
Parport and ParVdm: services needed for parallel printing
-
Pnpisa: if you use the (unsupported) PlugandPlay driver (pnpisa.inf on your
NT CD), it will put a lot of entries here. If you replace a non-pnp card
by a pnp one, delete the subkey for the card here so NT will ask you next
boot about installing it.
-
RasMan
-
Parameters
-
DisableSavePassword: prevents users from saving account passwords
-
Logging: if 1, each dial-up session will be appended to the file
%systemroot%/system32/RAS/device.log (useful for debugging scripts)
-
NumberOfRings: the number of rings the RAS Server waits before answering
the phone (1-20).
-
PPP\COMPCP
-
ForceStrongEncryption: 1 to force 128-bit encryption (NT 4.0 SP3 or later),
0 to use 40-bit
-
RemoteAccess\Parameters
-
AuthenticateRetries: 0-10 default 2
-
AuthenticateTime: after this time has elapsed it will count as a logon failure.
20 to 600 seconds
-
Replicator\Parameters
-
GuardTime: Sets the amount of time the export folder must have had no changes
before files are replicated, default 5 minutes.
-
Interval: How often an export server looks for changes in the replicator
folders, default 2 minutes
-
Pulse: Number of times the import computer repeats the change notice after
the initial announcement, default twice.
-
Schedule\UseOldParsing: 1 to use NT 3.x AT parsing
-
Tcpip\Parameters: The auto-tuning of NT results in close to optimum throughput
under most conditions, so these should not appear unless there is an unusual
TCP/IP route in your vicinity. Many others used by servers and routers are
described in Q120642
-
DefaultTTL: the number of seconds+hops allowed to reach another system on
the network. NT 4 defaults to 128, which is usually adequate - increase it
if known-good remote sites frequently cannot be reached.
-
EnablePMTUBHDetect: Some routers do not return ICMP Destination Unreachable
messages when they fragment an IP datagram with the Don't Fragment bit set.
TCP depends on these messages to perform Path MTU Discovery. With this option
set to 1, TCP will try sending segments without the Don't Fragment bit set
if several transmissions of a segment go unacknowledged. Setting this option
increases the maximum number of retransmissions performed for a given segment,
and therefore may decrease overall throughput.
-
EnablePMTUDiscovery: if 1 tells NT to determine and use the maximum MTU of
all connections that are not on the local subnet to minimize fragmentation
slowdown.
-
NameServer: entries for all DNS servers
-
TcpRecvSegmentSize: the largest segment of TCP data that the Winsock is prepared
to receive on a particular connection. If this is too low, it will increase
segment overhead, too high will lead to large packets that will tend to fragment
in transit where other networks may have small MTU's.
-
TcpWindowSize: determines how much data the receiving computer is prepared
to receive. A high value will result in greater data loss if the packet is
lost or damaged in transit, a low value will increase packet overhead.
-
Sermouse\Parameters\OverrideHardwareBitstring: set to 1 to force NT to use
COM1 for your mouse, 2 for COM2 (Q102990)
-
Session Manager: contains global variables. Note that you may have another
sub-key called SessionManager (no space between the words). Leave this one
alone and just work in the one with the space.
-
ProtectionMode: A value of 1 here sets security on base system objects
to C2 level. (Appendix D of the Windows NT Resource Kit Version 4.0 Update
Guide details the impact of this setting.)
-
AppPatches: This contains sub-keys containing value entries which document
patches that have been applied to various applications.
-
DOS Devices: These are links that Windows NT creates at startup. You shouldn't
change these.
-
Environment: Paths to various subsystems such as OS2. The value entry Path
refers to Windows NT logon, and Windir points to the Windows NT folder. If
you get either of these wrong, you may have to re-install Windows NT. However,
if the type of Path is not EXPAND_SZ, %SystemRoot% will not be expanded when
you use it in a command - deletion and recreation of this value with expand
type seems to be the only way to fix this problem.
-
Executive: These value entries are for advanced system tuning such as creating
additional process threads. (A thread is an agent of a process, which runs
program code. A process can have several threads, so several sections of
program code can be executing concurrently.) Unless you have a thorough
understanding of Windows NT, leave these alone.
-
FileRenameOperations: System files that are locked cannot be changed while
Windows NT is running. However, there are ways to copy, move or rename them.
When this is done, the change is not completed till the system is rebooted.
The value entries at this location are used to complete the change when you
reboot. There is nothing here that you will ever need to change manually.
-
GlobalFlag. If you have applications that can run under both OS2 and MS-DOS,
they will run under OS2 if GlobalFlag is set to the default 0x21100000 or
under MS-DOS if you change the value to 0x20100000. Many applications written
for OS/2 run faster under a Virtual DOS Machine (VDM) because NT allocates
more resources to a VDM than to the OS/2 subsystem.
-
KnownDLLs: Dynamic Link Libraries (DLLs) are essentially subroutines that
applications use during execution. The DLLs listed here are loaded into memory
during startup, and stay there. It's not worth the danger of removing any
of them.
-
MemoryManagement: This is the most likely area to need tuning. Most of the
value entries are maintained from Control Panel System Virtual Memory, but
there are a couple you may tweak manually.
-
ClearPageFileAtShutdown: When this is set to a Value Type of and a value
of 1, all data in the paging file will be cleared upon system shutdown (C2
security).
-
DisablePagingExecutive: When set to zero (default), this allows Windows NT
to page the kernel pools to the paging file; set it to one, and the kernel
pool will stay in memory. If you have a huge amount of unused memory, or
if your paging disk is unusually slow, this might be of value. It also may
slow your system to a crawl, so if you are going to try changing this, pick
a time when your system can be out of production for a while.
-
IoPageLockLimit: This value is the maximum bytes of memory that can be locked
for I/O operations. A value of 0 defaults to 512KB. If your system is fairly
I/O intensive, you may benefit from raising this value which can increase
the effective rate at which data is read from or written to the hard disks.
I recommend you do not set this value beyond the number of MB of RAM times
128. That is, if you have 16 MB RAM, do not set IoPageLockLimit over 2048;
for 32 MB RAM, do not exceed 4096, and so on. First, benchmark your common
tasks. See how long it takes to load and save large files, how long it takes
to search a database or run a common program; just do your normal tasks,
timing them to record how fast they are. Then run the same benchmark after
any change to ensure you pick the best value for your system.
-
LargeSystemCache: 0 tells the system to favor the processes' working set,
non-zero means to favor the system-cache working set. For most systems, your
applications will run faster if this value is set to zero; if it is non-zero,
your paging file may be over-active. (If you have a noisy hard drive, check
to see if LargeSystemCache is non-zero). Servers may benefit from setting
it to one.
-
PagedPoolQuota, PagedPoolSize: Also Min, Max, and others, and all of these
for NonPagedPool. Pool is all of the system memory, Paged means it can be
paged, or written, to the disk, NonPaged means it can't be written to the
disk. The values in the Registry are normally zero, which tells Windows NT
to calculate default values based on the amount of RAM on your computer.
You should leave these alone because changing these values can cause Windows
NT to miscalculate other resource allocations, and incorrect values can cause
Windows NT to malfunction and possibly even cause file system corruption.
A professional who knows what side-effects will occur may benefit from reducing
the pool allocations (setting values larger than the defaults will have no
effect), but I'm sure that very few people outside Microsoft know enough
to safely tinker with this (Q126402). The error "Not enough server storage
is available to process this command" usually results from adding a system
component and not re-applying the current service pack after, but setting
PagedPoolSize to non-zero can also do it.
-
PagingFiles: Data about existing paging files (location and sizes) is stored
here. You should use Control Panel\System\Performance to adjust your paging
files, but this value can be handy if you get in trouble. For example, if
your paging file is smaller than your physical memory or your system partition
does not have enough free space to record a crash dump file, then if you
get a bug check (the blue screen crash), your system may go into a continuous
series of reboots (Q174630).
-
SecondLevelDataCache: This is the amount of L2 cache Windows NT will use.
It defaults to 0, which is the correct value for 256KB of L2 cache. If it
is set to 0, but you have more than 256KB cache, you should change it e.g.
to 512 for 512KB of cache. This will give you a significant performance increase
if you have more than 32 MB RAM.
-
SystemPages: Here you specify the number of page table entries available.
The default is almost always sufficient, but if you install a PCI card with
a very large amount of on-board memory (like a very sophisticated video card),
and you cannot access all of the card's memory, this is probably where the
solution will be. Contact the card's manufacturer for the correct value to
enter.
-
RegistrySizeLimit: default 8MB, 25% of PagedPoolSize (PagedPoolSize is located
at CurrentControlSet\Control\SessionManager\MemoryManagement). This is the
amount of memory that can be used for Registry data. It can range from 4
MB up to 80 percent of PagedPoolSize. The value is entered as the number
of bytes, not the number of MB. If you increase PagedPoolSize, this value
will also increase. A value of 0xFFFFFFFF sets RegistrySizeLimit to 80% of
PagedPoolSize.
-
SubSystems: These are paths for starting various subsystems. Delete the OS2
entry (files OS2SS.EXE, OS2DLL.DLL, OS2.EXE, OS2SRV.EXE) and Posix (Unix)
entry (files PSXSS.EXE, PSXDLL.DLL, POSIX.EXE) from Optional if you know
that you will never run OS2 or Unix-type apps, to reduce overhead a bit.
-
Setup contains information used by Windows NT Setup. It has three value entries
whose x86-based computer defaults are
-
keyboard, SZ, default STANDARD
-
pointer, SZ, default msser
-
video, SZ, default VGA
-
TimeZoneInformation has eight value entries, maintained through Control Panel
Date and Time.
-
Update
-
UpdateMode: if your Windows NT system was installed over an earlier version
of Windows, this will have a value 0x1
-
UpdateMode: By default, when you add a new folder in Explorer, you have to
refresh Explorer either by restarting it or pressing F5 in order for the
new folder to show up in all the places it's supposed to. If this value is
0, Explorer will automatically update immediately on creation of a new folder.
(This will slow down operations on large directories.)
-
WebPost, through its sub-key Providers, lists codes for available Internet
Service Providers (ISPs).
-
WOW: Windows On Windows, the 16-bit Windows subsystem
-
DefaultSeparateVDM: (Virtual Dos Machine) default no, set to yes to make
all 16bit apps start in a separate memory space. This prevents one 16bit
application from compromising the whole 16bit subsystem.
-
Enum: Apparently just a Windows 95 leftover. If you load a Windows 95
application, it may create this key, even though Windows NT does not use
it.
-
Hardware Profiles contains five entries, 001 through 004 and Current, which
correspond to ControlSets. These contain data defining hardware that is run
by drivers listed in Services. These are also maintained entirely from Control
Panel.
-
Services contains data on drivers and on their associated hardware, maintained
from Control Panel, using the Devices, Network, Services and UPS icons. I
have never come across a need to make changes manually, except deleting keys
while manually uninstalling an application when Add/Remove Programs fails.
Each Services subkey is the actual name of a service, which is defined under
LOCAL_MACHINE\SOFTWARE. Each Services sub-key can have any or all of these
values and sub-keys:
-
Group, default: null. The name of the group this service belongs to, if any.
-
DependOnGroup, default: null. If any group is listed, then at least one service
from each listed group must be loaded before this service may be loaded.
-
DependOnService, default: null. If any service is listed, then that service
must be loaded before this service may be loaded.
-
Tag: This is used to determine the order in its group in which this service
will be loaded, but it's not the sequence (1 does not mean it's the first
to load). A value entry in CurrentControlSet\Control\GroupOrderList, whose
value name is the name of the group, will list the tags. The sequence in
which the tags are listed is the sequence in which the services will be loaded.
-
ImagePath: This is the path and filename for this driver or service (if this
is an adapter, ImagePath is ignored). If this is a driver, the default is
%systemroot%\system32\drivers\(key).SYS; if this is a service, the default
is %systemroot%\system32\(key).EXE. In these examples, (key) is the name of
this sub-key.
-
ObjectName: If the value entry Type (listed below) is 0x1 or 0x2, this is
the Windows NT driver object name which I/O Manager will use to load the
device driver. If Type is 0x20, this is the name of the account this service
will log on to when it runs.
-
Start, default 0x0. This is the starting value for this service, that is,
when the service is to be loaded on startup. There are five possible values:
0x0 (Boot) = loaded by the Kernel loader at boot. 0x1 (System) = loaded by
the I/O subsystem at Kernel initialization. 0x2 (Auto load) = loaded by the
Service Control Manager automatically for all startups. 0x3 (Load on demand)
= loaded by the Service Control Manager, but not started till the user starts
it. 0x4 (Disabled) = loaded by the Service Control Manager, but never started.
If the value of Type (below) is 0x20, then Start must be 0x2, 0x3 or 0x4.
If this is an adapter, Start is ignored.
-
Type, default 0x0. This is the type of service. Among the possible values,
Microsoft lists: 0x1 - a Kernel device driver, 0x2 - a file system driver,
which is also a Kernel device driver, 0x4 - a set of arguments for an adapter,
0x10 - a Win32 program that can be started by the Service Controller and that
obeys the service control protocol (this type of Win32 service runs in a
process by itself), 0x20 - a Win32 service that can share a process with
other Win32 services. Other values are possible. They are all used in determining
the sequence in which drivers are loaded. When you boot up, the Boot Loader
locates drivers with Start=0x0 and Type=0x1, then loads these drivers using
the CurrentControlSet\Control\GroupOrderList value.
-
Linkage: Contains value entries whose data is used for binding network
components. There may be a sub-key Disabled; if the binding is disabled,
the value entries will appear here. There are three value entries, which
are multi-string values, each with the same number of components. The first
components in each value form a set, the second components form a second
set, and so on.
-
Bind: the names of Windows NT objects which the service creates.
-
Export: the names that are used to access the objects.
-
Route: the binding protocol paths which the binding represents.
-
Parameters: contains value entries for configuring the service.
-
Security: security information relating to the service. It is in binary format,
and must not be changed, or the service may become unusable. Each Services
sub-key whose name is the name of a service will have the value:
-
ErrorControl, default 0x0. This defines what the system is to do if the driver
for this service fails to load or initialize on startup. There are four possible
values: 0x0 (Ignore) - Proceed with the startup without displaying any warning;
0x1 (Normal) - Proceed with the startup, but display a warning; 0x2 (Severe)
-- Switch to the LastKnownGood control set and proceed with the startup;
0x3 (Critical) -- If the LastKnownGood control set is not being used, switch
to LastKnownGood and fail. If the LastKnownGood control set is being used,
run a bug-check routine and fail.
-
Disk: If the Windows NT Disk Administrator program has not been run, then
you won't find this key. Information generated by Disk Administrator is stored
here. Don't change anything; Disk Administrator will just overwrite it anyway.
-
Setup: This key lists the system partition, the setup status, and other
information about the setup process for the system. Again, it's not something
you should modify.
-
Select contains the value entries Current, Default, Failed and LastKnownGood.
Their values are the corresponding numbered sets. For example, you will probably
see Current and Default as 0x1. This means ControlSet001 is the default set
and is the set currently in use. 0x2 refers to ControlSet002, and so on.
If you have never had a failed boot, Failed will be 0. While you can manually
set LastKnownGood to any existing Control Set, this is not recommended because
if you make a mistake in this setting, you won't be able to select an alternate
boot. If your default boot then fails, you'll have to do an emergency repair
and may have to re-install Windows NT. It's best to let Windows NT handle
this default.
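The Start, Type, ErrorControl and ImagePath rules given above for each Services sub-key can be checked against a text export of the Services tree. The following Python code is an added example, not part of the original article: it assumes the REGEDIT4 text format written by regedit.exe with ANSI (cp1252) string data, and the function names and the sample service names and values are constructed for illustration.

```python
import re

# Value tables transcribed from the Services section of this page.
START = {0: "Boot", 1: "System", 2: "Auto load", 3: "Load on demand", 4: "Disabled"}
ERROR_CONTROL = {0: "Ignore", 1: "Normal", 2: "Severe", 3: "Critical"}
TYPE_BITS = {0x1: "kernel device driver", 0x2: "file system driver", 0x4: "adapter arguments",
             0x10: "Win32 service, own process", 0x20: "Win32 service, shared process"}

# Constructed sample export; the service names and values are made up.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDisk]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,\
  78,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadSvc]
"Type"=dword:00000020
"Start"=dword:00000001
"ErrorControl"=dword:00000000
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')
SERVICE_KEY_RE = re.compile(
    r'^HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\([^\\]+)$', re.IGNORECASE)

def decode_value(raw):
    """Decode the right-hand side of one REGEDIT4 value line."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])        # undo \\ and \" escapes
    m = HEX_RE.match(raw)
    if not m:
        return raw
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    kind = int(m.group(1), 16) if m.group(1) else 3      # bare "hex:" is BINARY
    if kind not in (2, 7):                               # 2 EXPAND_SZ, 7 MULTI_SZ
        return data
    text = data.decode("cp1252", errors="replace")       # assumption: ANSI is cp1252
    return [p for p in text.split("\0") if p] if kind == 7 else text.rstrip("\0")

def parse_regedit4(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        while line.endswith("\\"):                       # hex data continues on next line
            line = line[:-1] + next(lines, "").strip()
        match = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif match and current is not None:
            name = re.sub(r"\\(.)", r"\1", match.group(1))
            current[name] = decode_value(match.group(2))
    return keys

def describe_service(name, values):
    """Decode one Services sub-key and apply the rules stated on this page."""
    typ, start, err = (values.get(k, 0) for k in ("Type", "Start", "ErrorControl"))
    problems = []
    if start not in START:
        problems.append("Start 0x%x is not one of the five defined values" % start)
    if err not in ERROR_CONTROL:
        problems.append("ErrorControl 0x%x is not one of the four defined values" % err)
    if typ & 0x20 and start in (0, 1):                   # page: 0x20 needs 0x2, 0x3 or 0x4
        problems.append("Type 0x20 with %s start is not allowed" % START[start])
    # Default ImagePath: drivers\(key).SYS for drivers, (key).EXE for services.
    base = "%systemroot%\\system32\\"
    default = base + (name + ".EXE" if typ & 0x30 else "drivers\\" + name + ".SYS")
    return {
        "type": [label for bit, label in TYPE_BITS.items() if typ & bit],
        "start": START.get(start, "0x%x" % start),
        "error_control": ERROR_CONTROL.get(err, "0x%x" % err),
        # ImagePath is ignored for adapters (Type 0x4).
        "image": None if typ & 0x4 else values.get("ImagePath", default),
        "problems": problems,
    }

def audit_services(export_text):
    """Describe each key directly under Services; deeper sub-keys are skipped."""
    report = {}
    for key, values in parse_regedit4(export_text).items():
        m = SERVICE_KEY_RE.match(key)
        if m:
            report[m.group(1)] = describe_service(m.group(1), values)
    return report
```

Calling audit_services(SAMPLE_EXPORT) returns one entry per service; only BadSvc carries a problem, because its Type of 0x20 is paired with a System start.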
CURRENT_CONFIG points to LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware
Profiles\Current.
CLASSES_ROOT points to LOCAL_MACHINE\SOFTWARE\Classes.
USERS contains the user profiles of all users currently loaded on the system,
and of the default user. File names: default, default.sav and default.log
This is almost entirely Control Panel data. Basically, these define how Windows
NT looks and runs when you are logged in. Each user has a separate tree of
entries, so each of the following has to be set for each existing user. Each
new user will pick up the default entry to start with.
-
AppEvents: actions to result from application program events e.g. sounds
(Control Panel)
-
EventLabels: subkeys which are Windows events such as minimizing or maximizing
windows. These are the events which you can assign commands to in the Control
Panel Sounds window. Each sub-key has a REG_SZ value entry whose value is
the label of that event. For example, the sub-key MailBeep has the label
"New Mail Notification".
-
Schemes: contains two sub-keys, Apps and Names. Under Apps will be the sub-key
.Default, plus sub-keys for specific applications such as Explorer and Office97.
Under .Default will be a series of sub-keys corresponding to those under
EventLabels. These sub-keys do not have value entries; instead, they have
further sub-keys for each sound scheme that has been defined in Control Panel
Sounds, plus .current. It is under these sub-keys that you find a REG_SZ
value entry whose value is the name of the sound file associated with the
event. The other Apps sub-keys for specific applications hold sub-keys for
application-specific events, and have the same structure as the sub-keys
under Apps\.Default. Schemes\Names has the same sub-keys as you find under
any Schemes\Apps\.Default sub-key. They contain the actual names of the various
Sounds schemes.
-
Console: an emulation of MS-DOS functionality, allowing you to run MS-DOS
programs and issue DOS level commands. It can be quite useful in troubleshooting
a system. The sub-keys of Console define the console screen, font, layout,
colors, etc. The values are controlled through Control Panel Console.
Instructions on what you can change and how to do it can be found in Help
by clicking the Index tab and typing "command prompt windows". Then click
Display and select the subject you want.
-
Control Panel: mostly best set from Control Panel
-
Desktop
-
Coolswitch: 1 to enable Alt-Tab, 0 to disable
-
CoolSwitchColumns, CoolSwitchRows: format the Alt-Tab display
-
NoStartBanner: 01 00 00 00 to omit the animated "Click here to begin" on
the taskbar
-
ScreenSaveTimeOut: the time until SCRNSAVE.EXE starts, default 900 seconds
(15 minutes).
-
SCRNSAVE.EXE: When you start Windows NT, a Begin Logon dialog box is displayed
prompting you to press CTRL+ALT+DEL to log on. If you do not press a key
for ScreenSaveTimeOut seconds, this screensaver starts. default Logon.scr
-
AutoEndTasks: default 0. If you have apps that have to be manually shut down
on logoff, set this to 1 to do it automatically.
-
WaitToKillAppTimeout: default 20,000 milliseconds. If you log on and off
frequently, reduce this. The minimum safe value will depend on your system
speed and how many tasks are spawned by your most prolific app, so do it
step by step and watch for app problems on relogin.
-
Wallpaper: The Default User value is the bitmap displayed by the Winlogon
program before login. (Default) gives you %systemroot%\winnt256.bmp; deleting
the key gives a plain deep blue screen. The value can be set to the path
and filename of a personal bitmap file which, presumably, you will design
to fit around the BeginLogon and LogonInformation windows that Winlogon insists
on putting on top of it, or move off center using the next two values.
-
WallpaperOriginX, WallpaperOriginY: the origin of the top left corner of
Wallpaper on the screen.
-
WindowMetrics
-
Shell Icon Size: the size of large icons on the desktop (default 16)
-
Shell Icon BPP: bits/pixel of icons, 4 for 16 colours, 8 for 256, 16 for
65536, 24 for 16 million and 32 for true colour. If your icons redraw
frequently, it will happen less with a lower IconBPP.
-
Shell Small Icon Size: the size of small icons on the desktop (default 16)
-
Environment: the equivalents to the DOS Set commands (Control Panel Environment).
You should have at least the definitions for Temp and Tmp, associating them
with the Temp folder.
-
International: contains individual settings for things like time format that
are normally selected en bloc by Control Panel Country
-
iTime: 0 for 12-hour time, 1 for 24-hour
-
TimeFormat: default HH:mm, can be changed to HHmm.
-
Keyboard\InitialKeyboardIndicators: 2 to enable NumLock on Logon, 0 to have
it off
-
Keyboard Layout: There are two subkeys here, Preload and Substitutes, whose
value entries contain codes for the keyboard layouts defined for the current
user. The keyboard codes are defined in subkeys under
LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts. This is
maintained through Control Panel Keyboard.
-
Network: If you are connected to a network, you will have this sub-key. The
sub-keys of Network specify the shared directories and devices to which File
Manager will connect your system when you log on. Each key will have some
or all of the value entries ConnectionType, ProviderName, ProviderType,
RemotePath and UserName.
-
Printers: sub-keys Connections, DevModes2 and Settings store the data you
enter in Control Panel Printers.
-
Software\Microsoft
-
Command Processor
-
CompletionChar: set to the value (e.g. 9 for Tab) of a character to automatically
complete file names on the command line
-
Notepad: set fWrap to 1 to default Notepad to wrap text
-
Windows\CurrentVersion
-
Policies\Explorer
-
AltColor: the colour used to display compressed directories/files. The colour
value is in hex, the 2nd 2-digit number is for Red, the 3rd for Green, the
4th for blue.
-
NoCommonGroups: if 0 prevents common groups from being displayed on the Start
Menu
-
NoDrives: The lower 26 bits of the 32-bit word correspond to drive letters
A through Z, with A in the lowest bit. A drive is visible when its bit is 0
and hidden when its bit is 1, e.g. a bitmask of 00000000000000000000000100
hides drive C: in Windows Explorer, under the My Computer icon, and in the
File Open\Save dialog boxes of 32-bit Windows applications. File Manager and
the Windows NT command prompt are not affected by this setting.
-
NoNetHood: 1 to hide the Network Neighbourhood icon
-
NoTrayContextMenu: 1 to disable the display of the context menu (right-click
Start)
-
NoViewContextMenu: disable the right mouse button menu
-
RunMRU: contains the Run history of the user
-
Run: The place to start programs at each logon of an individual user
(cf. Q170086). If a single user has problems with NT Explorer start-up errors,
check for a null program entry here or in the matching area in
Windows NT\CurrentVersion.
-
Protected Storage System Provider\<SID>: the permission on this key
determines who can access the user's profile
-
Windows NT\CurrentVersion\Windows\Device: the default printer for the user
-
System: these are normally set with the Policy Editor on servers, but Workstation
doesn't have one. By default any user can change these keys back to what
they want, so access to the key has to be limited if they are used.
-
DisableTaskManager: 1 to prevent this user from accessing Task Manager. (To
stop all users, change the permission on taskmgr.exe)
-
MinAnimate: 1 for default window expansion animation, 0 to stop it
-
NoDispAppearancePage: 1 prevents users from changing their colours or colour
scheme
-
NoDispBackgroundPage: 1 prevents users from changing their desktop background
-
NoDispCPL: 1 disables display of the Control Panel applet
-
NoDispScrSavPage: 1 prevents users from changing the screen saver
-
NoDispSettingsPage: 1 prevents users from changing Plus settings
-
Winlogon\RunLogonScriptSync: 0 allows the shell to start before the logon
script finishes, 1 makes it wait until the logon script completes
-
UNICODE Program Groups: The sub-keys here contain data regarding program
groups such as you see on clicking the Start button. The data is all in binary
format, so there is nothing worth viewing.
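The NoDrives bitmask described above, worked in both directions. This is an added example, not part of the original page; the function names are hypothetical, and the only layout assumed is the one the text gives (bit 0 is A:, bit 25 is Z:).

```python
import string

LETTERS = string.ascii_uppercase      # bit 0 = A: ... bit 25 = Z:
LOW_26 = (1 << 26) - 1                # only these bits map to drive letters

def nodrives_mask(hidden):
    """Build the NoDrives value that hides the given drive letters."""
    mask = 0
    for item in hidden:
        letter = item.rstrip(":").upper()
        if len(letter) != 1 or letter not in LETTERS:
            raise ValueError(f"not a drive letter: {item!r}")
        mask |= 1 << LETTERS.index(letter)
    return mask

def hidden_drives(mask):
    """Decode a NoDrives value into the drive letters Explorer hides."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("NoDrives is a 32-bit word")
    # Bits 26-31 have no drive letter and are ignored here.
    return [letter for i, letter in enumerate(LETTERS) if (mask >> i) & 1]

def as_bitstring(mask):
    """26 binary digits, Z: leftmost and A: rightmost, as the text writes it."""
    return format(mask & LOW_26, "026b")

def as_le_bytes(mask):
    """Four bytes, least significant first (the '01 00 00 00' style)."""
    return " ".join(f"{b:02X}" for b in mask.to_bytes(4, "little"))

if __name__ == "__main__":
    for drives in (["C"], ["A:", "b"], ["D", "E", "Z"]):
        m = nodrives_mask(drives)
        print(drives, m, as_bitstring(m), as_le_bytes(m), hidden_drives(m))
```

Because File Manager and the command prompt ignore this value, a decoded mask tells you what Explorer hides from the user, not what the user is prevented from reaching.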
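The check for a null program entry under Run, described above, done offline against a text export from regedit.exe rather than the live registry. This is an added example, not part of the original page; it assumes the export is in regedit's REGEDIT4 text format, the sample export is constructed, and the function names are hypothetical.

```python
import re

RUN_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a regedit.exe text export (REGEDIT4 format).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BackupAgent"="C:\\Tools\\agent.exe /quiet"
"Leftover"=""
"Spaces"="   "

[HKEY_CURRENT_USER\Software\Microsoft\Notepad]
"fWrap"=dword:00000001
'''

SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    # The export doubles backslashes and escapes quotes inside strings.
    return re.sub(r"\\(.)", r"\1", text)

def parse_strings(export):
    """Yield (key, name, data) for every string value in a REGEDIT4 export."""
    lines = export.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 export")
    key = None
    for line in lines[1:]:
        line = line.strip()
        if m := SECTION.match(line):
            key = m.group(1)
        elif key and (m := STRING_VALUE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def null_run_entries(export, suffix=RUN_SUFFIX):
    """Names of Run values whose program string is empty or only whitespace."""
    return [name for key, name, data in parse_strings(export)
            if key.lower().endswith(suffix.lower()) and not data.strip()]

if __name__ == "__main__":
    print(null_run_entries(SAMPLE_EXPORT))
```

Matching on the key's suffix lets the same check run on an export taken from under USERS as well as from CURRENT_USER.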
CURRENT_USER - Points to the USERS entry of the user who is currently active.
File names: ntuser.dat and ntuser.dat.log
Questions: