book

Managing The Windows 2000 Registry

Name: Managing The Windows 2000 Registry
Author: Paul Robichaux
ISBN: 9781565929432

by Paul Robichaux

August 2000

Intermediate to advanced

558 pages

16h 53m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Managing the Windows 2000 Registry
Preface
Keys and Values and Classes, Oh My!
Who’s This Book For?
How This Book Is Organized
Conventions Used in This Book
Comments and Questions
Acknowledgments
1. A Gentle Introduction to the Registry
A Brief History of the RegistryWindows 3.0The First Registry: Windows 3.1Windows NT 3.1, 3.5, and 3.51Windows 95 and 98Windows NT 4.0Windows 2000
What Does the Registry Do?
It Holds Lots of Important StuffHardware configuration dataDriver parameters and settingsDynamic dataUser profiles and user-specific settingsSystem and group policiesOLE, ActiveX, and COMApplication settings
Advantages Offered by the Registry
It Keeps Everything TidyIt Provides SecurityIt Allows Remote Management

Registry Zen
2. Registry Nuts and Bolts
How the Registry Is StructuredThe BasicsRoot keysSubkeysValuesHivesLinksRegistry road mapThe Big SixHKEY_LOCAL_MACHINEHKEY_USERSHKEY_CURRENT_USERHKEY_CLASSES_ROOTHKEY_PERFORMANCE_DATAHKEY_CURRENT_CONFIGHives and FilesAccess Controls and SecurityControl via Registry APIsRemote-access controlOS-level security controlsSystem Key Security (SYSKEY)Major DatatypesREG_DWORDREG_SZREG_MULTI_SZREG_EXPAND_SZREG_BINARYREG_LINKREG_QWORDMinor DatatypesREG_NONEREG_DWORD_BIG_ENDIANREG_FULL_RESOURCE_DESCRIPTORREG_RESOURCE_LIST
What Goes in the Registry
Major Subkeys of HKLMHARDWARESECURITYSOFTWARESOFTWARE\PoliciesSYSTEMSYSTEM\CurrentControlSetMajor Subkeys of HKCUAppEventsConsoleControl PanelEnvironmentIdentitiesKeyboard LayoutPrintersRemote AccessSoftwareSYSTEMOtherMajor Subkeys of HKCCWhat About the Other Root Keys?
Getting Data In and Out
3. In Case of Emergency
Don’t Panic!
Safety Strategies
Make BackupsBe Prudent
All About Emergency Repair Disks
What Is an ERD?What ERDs Can and Can’t DoHow to Make an ERDUsing Windows 2000 BackupUsing NT’s RDISK utilityHow to Repair Your Registry with an ERDUsing the Windows 2000 setup utilityUsing the Windows 2000 recovery consoleUsing RegEdt32Using NT ’s setup application
Backing Up the Registry
But What Needs Backing Up?The Old-Fashioned WayUsing Windows 2000 BackupUsing Windows NT BackupUsing REGBACKUsing RegEdt32Using Text FilesUsing RegEdt32Using REGDUMPUsing RegEdit
Restoring a Backed-up Registry
The Old-Fashioned WayUsing Windows 2000 BackupUsing REGRESTUsing RegEdt32 and RegEditLoading hivesReloading saved keysUsing RegEdit files
4. Using RegEdit
Know Your Limitations
Learning the RegEdit Interface
Don’t I Know You from Somewhere?Interface Trivia
“Just Browsing, Thanks”
Navigating with the KeyboardUsing the Context Menu
Connecting to Other Machines’ Registries
Searching for Keys and Values
Printing Registry Contents
Working with Keys and Values
A Word About the ClipboardModifying ValuesModifying a string valueModifying a DWORD valueModifying a binary valueAdding New Keys or ValuesDeleting Keys or ValuesRenaming Keys or ValuesWhat Were They Thinking, or, the Favorites Menu
Exporting and Importing Data
What’s in a .REG File?Exporting Registry DataImporting Registry DataCreating Your Own .REG FilesA concrete exampleSafely experimenting with .REG files
RegEdit Command-Line Options
Exporting DataImporting Data
5. Using RegEdt32
How RegEdt32 and RegEdit Differ
Learning the RegEdt32 Interface
Manipulating WindowsControlling What You SeeSetting Session Options
Browsing with RegEdt32
Navigating with the Keyboard
Remote Registry Editing
Connecting to Remote Computers
Searching for Keys
Saving and Loading Registry Keys
Saving KeysRestoring KeysLoading Saved Keys as HivesSaving as TextProviding an Improvised ClipboardA True Story
Printing Registry Contents
Editing Keys and Values
Viewing Values as Binary DataModifying ValuesModifying a string valueModifying a DWORD valueModifying a multiple-string valueModifying a binary valueModifying a value of a different typeAdding New Keys or ValuesAdding new keysAdding new valuesDeleting Keys and Values
Registry Security Fundamentals
Basic Registry PermissionsApplying ACLs
Securing Registry Keys in Windows 2000
Setting PermissionsAdding, removing, and changing ACE entriesSeeing and controlling permission inheritanceAuditing Registry ActivityAdding, removing, and changing auditing entriesSeeing and controlling audit control inheritanceChanging Key Ownership
Securing Registry Keys in Windows NT
Setting PermissionsAuditing Registry Key ActivityEnabling auditing on an NT machineTelling RegEdt32 what to auditReviewing the audit recordsChanging Key Ownership
6. Using the System Policy Editor
All About System PoliciesWhy Is This in a Windows 2000 Book?What’s a Policy?Categories contain one or more policiesPolicies are made of partsHow are policies defined?User versus machine policiesHow Are Policies Stored?How Are Policies Applied?The default policyApplying computer and user policiesApplying group policies
Introducing the System Policy Editor
Learning the System Policy Editor InterfaceControlling what you seeNavigating in the policy window
Managing Policies with POLEDIT
Attaching Policy TemplatesCreating PoliciesCreating a new policy fileCreating a new user policyCreating a new computer policyCreating a new group policyEditing PoliciesSetting user, group, and computer policy optionsRemoving user policiesPolicies and the clipboardSetting group policy prioritiesSaving and Loading PoliciesCreating Your Own Policy Templates
Distributing Policies
Applying Policies to One Machine at a TimeSetting policies on the local machineSetting policies on other computersApplying Policies to Many MachinesEnabling automatic policy updatesWindows NT policiesWindows 95/98 policiesWindows 2000 policiesSupporting multiple domain controllersPreventing Policy ProblemsMake sure the files are in the right placeIs automatic updating on?Implement policies in all domains or noneCheck group membership and namesVerify which policies are in effect
What’s in the Standard Policy Templates
WINNT.ADMCOMMON.ADMWINDOWS.ADM
Picking the Right Policies
Policies for AnybodyPolicies for a Lab NetworkPolicies for an “Ordinary” Office
7. Using Group Policies
What Are Group Policies?Elements of a Group PolicyUser Versus Machine PoliciesDefining Group Policy ObjectsThe local GPOPolicies and the Active DirectoryHow Are Policies Stored?The structure of the Group Policy TemplateHow Are Policies Applied?Applying computer and user policiesOrder of policy file application
Introducing the Group Policy Snap-in
Adding the Group Policy Snap-inLearning the Group Policy Snap-in InterfaceControlling what you seeNavigating the console treeViewing policy properties
Managing Policies
What Is an Administrative Template?Adding Administrative TemplatesEditing PoliciesCreating Your Own Administrative Templates
Distributing Policies
Understanding How Effective Policies Are CalculatedPolicy InheritanceManaging Dispersal Through Group Policy PoliciesSetting Single Computer Group PoliciesSetting Nonlocal Group Policies
What’s in the Standard Policy Templates?
8. Programming with the Registry
The Registry APIAPI Concepts and ConventionsInput and output parametersRegistry error codesWhy some calls have names ending in “Ex”“Happy families are all alike”New and exciting datatypesNew routines = new datatypesUser-specific keysAn extremely brief exampleOpening and Closing KeysOpening keysOpening a key while impersonating another userOpening the user’s class dataClosing keysCreating KeysGetting Information About KeysEnumerating Keys and ValuesEnumeration strategiesEnumerating keysEnumerating valuesGetting Registry DataGetting a single valueGetting multiple valuesAdding and Modifying ValuesDeleting Keys and ValuesDeleting a keyDeleting a valueUsing Registry Security InformationSetting an item’s security informationConnecting to Remote ComputersMoving Keys to and from HivesSaving keysLoading keysReplacing a loaded keyUnloading a keyGetting Notification When Something ChangesFlushing Registry Changes
The Shell Utility API Routines
Working with File AssociationsGetting a file association key from the RegistryGetting a pointer to the IQueryAssociations interfaceCopying and Deleting Keys and ValuesGetting Key and Value InformationQuerying keys and valuesGetting and setting valuesEnumerating Keys and ValuesWorking with User-Specific KeysCreating and removing keysOpening and closing keysGetting key and value informationReading valuesWriting and deleting valuesLeftovers
Programming with C/C++
Example: Watching a Key for ChangesHow the code worksPossible enhancementsExample: A Stack-Based Wrapper ClassHow the code worksPossible enhancementsExample: Loading a Control with a Set of Values
Programming with Perl
The Win32API::RegXXX FunctionsWhen to use themThe Win32::TieRegistry ModuleA few Perl-ismsThe code in detailOpening and closing keys and retrieving valuesCreating, adding, and modifying keys and valuesEnumerating keys and valuesDeleting keys and valuesSaving and loading keysMixing Win32API::Registry and Win32::TieRegistryExample: Walking the Registry
Programming with Visual Basic
Talking with the Outside World in VBDLL interfacesA few more subtletiesUsing the Registry with VBThe VBA functionsUsing WINREG.BASExample: A RegEdit CloneCreating the initial treeExpanding the treeDisplaying values
9. Administering the Registry
Setting Defaults for New User AccountsUnder Windows 2000Under Windows NT
Using Initialization File Mapping
How Does Mapping Work?Setting Up Your Own MappingsAdding the mapping keyMapping key tricksA mapping sample
Limiting Remote Registry Access
Turning Off Remote Access EntirelyLimiting Access to Authorized UsersCreating the restriction keySetting permissions on the restriction keyAllowing exceptions
Fixing Registry Security ACLs in Windows NT
Adding Registry ACLs to Group Policy Objects
Encrypting HKLM\SAM with SYSKEY
What SYSKEY DoesBefore You Enable SYSKEY on Windows NT“What I tell you three times is true”Upgrading domain controllersTurning On SYSKEY ProtectionChanging the Key Storage MethodRestoring a SYSKEY-Protected NT RegistryRestore SYSTEM and SAM hivesGet the right system componentsWhich ERD should I use?
Miscellaneous Good Stuff
Changing the Registry SizeAuditing Registry AccessMaking sense of the audit logTracking software installations or reinstallationsGuarding against Trojan horses
Using the Resource Kit Registry Utilities
The Windows 2000 Resource KitThe Windows NT Resource Kit
reg: The One-Size-Fits-All Registry Tool
Using the Windows 2000 Version of regQuerying keysAdding keys and valuesDeleting keys and valuesCopying keys and valuesSaving and restoring keysLoading and unloading hivesComparing keys and valuesExporting and importing Registry dataUsing the Windows NT Version of regQuerying keysAdding new keysUpdating existing keysRemoving a keyCopying keys and valuesSaving and restoring keysLoading and unloading hivesComparing Keys and Values with COMPREGSearching for Keys with regfind
Spying on the Registry with RegMon
Learning the RegMon InterfaceControlling what you seeSome other useful Edit menu commandsCapturing and FilteringTurning capture on and offUsing capture filtersSaving your captured dataLogging boot-to-boot activity
10. Registry Tweaks
User Interface TweaksAdd Your Own “Tip of the Day”Disable Window AnimationsSpeed Up the TaskbarEnable Tab for Filename CompletionRun a Different Screen Saver While Waiting for a LogonEnable X Window-Style “Auto Raise”Enable “Snap to Default Button”Suppress Error Messages During Boot and LogonSet NUMLOCK Key During StartupDisplay Version Number
Filesystem Tweaks
Change Low Disk Space Warning ThresholdUse Longer File ExtensionsTurn Off CD-ROM AutoRunSuppress “Last Access” Timestamp on NTFS Volumes
Security Tweaks
Clear the System Pagefile at ShutdownPrevent Caching of Logon CredentialsTurn Off “Save Password” Option in Dial-Up NetworkingPrevent Users from Changing Network Drive MappingsControl Who Can See Performance Monitor DataControl Which Drives Are Visible Throughout the SystemChange When the Password Expiration Warning AppearsAllow Members of the Printer Operators Group to Add PrintersSet the Number of Authentication Retries for Dial-Up ConnectionsKeep Users from Changing Video ResolutionsSet the Authentication Timeout for Dial-Up ConnectionsKeep Remote Users from Sharing a Mounted CD-ROM or FloppyKeep Users from Customizing “My Computer”
Performance Tweaks
Automatically Delete Cached User ProfilesEnable Automatic Reboot After a CrashRecord Evidence of a CrashEnabling Automatic Logon After BootPower Off at ShutdownForce Hung Tasks to End When Logging OffSet a Time Limit for Shutting Down TasksSpeed Up System ShutdownsAutomatically Try to Detect Slow Network ConnectionsDon’t Automatically Create 8.3 Names on NTFS VolumesDisable the Printer Browse ThreadForcibly Recover a Crashed PDCHiding Servers from Network Computers
Network Tweaks
Create a Shared Favorites Folder for All Network UsersAutomatically Use Dial-Up Networking to Log OnEnable the WINS Proxy AgentSet the Number of Rings for Answering Incoming Dial-Up Networking CallsTurn On Logging for Dial-Up NetworkingKeep a Dial-Up Networking Connection up After You Log OutSet the Dial-Up Networking Automatic Disconnect Timer
Printing Tweaks
Keep the Print Spool Service from Popping Up DialogsChange the Print Spool DirectoryStop Print Job Logging in Event Log
11. The Registry Documented
What’s Here and What’s Not
HKLM\HARDWARE
HARDWARE\DESCRIPTIONHARDWARE\DEVICEMAPHARDWARE\RESOURCEMAP
HKLM\SOFTWARE
SOFTWARE\Classes\CLSIDSOFTWARE\MicrosoftMicrosoft\ActiveSetupMicrosoft\CryptographyMicrosoft\ NtBackupMicrosoft\RASSOFTWARE\Microsoft\Windows NTCurrentVersion\ AeDebugMultimedia driver stuffCurrentVersion\Network CardsCurrentVersion\ ProfileListCurrentVersion\ ShutdownCurrentVersion\Winlogon
HKLM\SYSTEM
SYSTEM\CurrentControlSet\Hardware ProfilesSYSTEM\CurrentControlSet\ControlControl\BackupRestoreControl\BootVerificationProgramControl\ClassControl\CrashControlControl\EnumControl\FileSystemControl\HivelistControl\LSAControl\PrintControl\SecurePipeServersControl\Session ManagerControl\Session Manager\ Memory ManagementSYSTEM\CurrentControlSet\ServicesServices\BrowserServices\DHCPServerServices\EventLogServices\LanmanServerServices\NetBtServices\NetlogonServices\RasManServices\ReplicatorServices\Tcpip
HKU
HKU\.DEFAULTHKU\sid
HKCR
HKCR\extHKCR\ fileTypeHKCR\CLSID
HKCU
HKCU\ AppEventsHKCU\ConsoleHKCU\Control Panel ItemsHKCU\EnvironmentHKCU\PrintersHKCU\Software\MicrosoftMicrosoft\ NtBackupMicrosoft\ RAS AutodialMicrosoft\RAS MonitorMicrosoft\RAS PhonebookMicrosoft\Windows\CurrentVersionMicrosoft\Windows NT\CurrentVersionHKCU\Microsoft\Windows NT\CurrentVersion
HKCC
HKDD
A. User Configuration Group Policy Objects
Administrative TemplatesWindows ComponentsNetMeetingInternet ExplorerInternet Control PanelOffline PagesBrowser MenusToolbarsPersistance BehaviorAdministrator Approved ControlsWindows ExplorerCommon Open File DialogMicrosoft Management ConsoleRestricted/Permitted snap-insTask SchedulerWindows InstallerStart Menu & TaskbarDesktopActive DirectoryActive DesktopControl PanelAdd/Remove ProgramsDisplayPrintersRegional OptionsNetworkOffline FilesNetwork and Dial-up ConnectionsSystemLogon/LogoffGroup Policy
B. Computer Configuration Group Policy Objects
Windows SettingsSecurity SettingsRestricted GroupsSystem ServicesRegistryFile SystemAccount PoliciesPassword PoliciesAccount Lockout PolicyKerberos PolicyLocal PoliciesAudit PolicyUser Rights AssignmentSecurity OptionsEvent LogSettings for Event Logs
Administrative Templates
Windows ComponentsNetMeetingInternet ExplorerTask SchedulerWindows InstallerSystemLogonDisk QuotasDNS ClientGroup PolicyWindows File ProtectionNetworkOffline FilesNetwork & Dial-Up ConnectionsPrinters
Index
Colophon

Content preview from Managing The Windows 2000 Registry

Encrypting HKLM\SAM with SYSKEY

Like Unix, Windows 2000 and NT don’t directly store user or machine passwords. Instead, they take the passwords and passes them through a scheme called a one-way function , or OWF. The OWF takes a password in and generates a new block of data that is related to, but doesn’t contain, the password. The “OW” in OWF comes from the fact that it’s not feasible to take the output of the OWF and “go backwards” to derive the original password. The output of the OWF is called a password hash. NT stores the password hashes instead of the password, so you can’t steal the hash and use it directly in place of a password. Windows 2000 also stores hashed passwords for local user and computer accounts, as well as for backward compatibility with older Win9x and NT clients.

In the spring of 1997, an enterprising group of hackers from L0pht Heavy Industries (http://www.l0pht.com) publicized the fact that it was possible to get the password hashes from a SAM database (or by sniffing them over the network) and feed them to a password-cracking tool. These types of attacks have been known for many years in the Unix community, but their appearance in the Windows NT world generated a lot of headlines. In practical terms, the actual risk was significant. Even though only administrators have access to the SAM to get the OWF’ed passwords in the first place, the hashes could be recovered from backup tapes or ERDs, and they could be sniffed off the network.

Accordingly, Microsoft ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Microsoft® Windows® 2000 Security Handbook

Publisher Resources

ISBN: 1565929438Catalog Page Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Managing The Windows 2000 Registry

by Paul Robichaux

Encrypting HKLM\SAM with SYSKEY

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.