Files used to construct the registry

The registry is a memory construct. The files used to create that construct are:

SubTree (RAM construct)            Hive (file)
HKEY_LOCAL_MACHINE\SYSTEM          %systemroot%\system32\config\SYSTEM
HKEY_LOCAL_MACHINE\SAM             %systemroot%\system32\config\SAM
HKEY_LOCAL_MACHINE\SECURITY        %systemroot%\system32\config\SECURITY
HKEY_LOCAL_MACHINE\SOFTWARE        %systemroot%\system32\config\SOFTWARE
HKEY_LOCAL_MACHINE\HARDWARE        (no file; dynamically constructed at boot by NTDETECT)
HKEY_USERS\.DEFAULT                %systemroot%\profiles\DefaultUser\ntuser.dat
HKEY_USERS\<administrator's SID>   %systemroot%\profiles\Administrator\ntuser.dat
HKEY_USERS\<first user's SID>      %systemroot%\profiles\FirstUsersLogonID\ntuser.dat

The files on disk are called hives. The corresponding in-memory registry structures are also often called hives, but are better referred to as subtrees. The trees are HKEY_LOCAL_MACHINE and HKEY_USERS. The subtrees are constructed from the hive files, except for the HARDWARE subtree, which is generated by NTDETECT during boot and has no backing file.

After boot, a hive file and its matching subtree are only logically in sync. When the SECURITY subtree was constructed by reading the SECURITY hive file, the two were identical; from then on, every change to the subtree is recorded in the hive's .LOG file (SECURITY.LOG for the SECURITY hive) before it is written back to the hive file. At any point the correct subtree can therefore be reconstructed by reading the hive file and then applying the changes recorded in the corresponding .LOG file, for example SECURITY plus SECURITY.LOG. The .ALT file is not a copy of the log: it is a complete second copy of the hive itself, used in place of the primary file if that file is corrupt. Under NT 4 only the SYSTEM hive has one (SYSTEM.ALT), because the SYSTEM hive must be readable at boot before any log could be replayed.

The registry maintains a current mapping of which hive file backs which subtree. This value is the definitive hive list. It is found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist.
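As an added example (not code from the original page), the following PowerShell reads the hivelist value described above and reports, for every loaded subtree, which file backs it and whether the companion .LOG and .ALT files are present on disk. It assumes an elevated PowerShell session on a booted Windows system; the helper that turns a native \Device\HarddiskVolumeN path into a drive-letter path assumes that volume is the system drive, which is an approximation. The .LOG1/.LOG2 names are checked as well because later Windows versions use two log files where NT 4 used one .LOG.

```powershell
# Added example, not from the original page. Enumerates the registry's own
# hive list and reports the backing file and companion log/alt files.
# Assumption: run elevated; \Device\HarddiskVolumeN is taken to be the system drive.

function ConvertTo-Win32Path {
    param([string]$NativePath)
    # The HARDWARE subtree has an empty value: it is built at boot and has no file.
    if ([string]::IsNullOrEmpty($NativePath)) { return $null }
    # User hives are listed as \??\C:\...\ntuser.dat; drop the \??\ prefix.
    if ($NativePath.StartsWith('\??\')) { return $NativePath.Substring(4) }
    # Boot-time hives are listed as \Device\HarddiskVolumeN\...; assume the system volume.
    if ($NativePath -match '^\\Device\\HarddiskVolume\d+(\\.*)$') {
        return "$env:SystemDrive$($Matches[1])"
    }
    return $NativePath
}

function Get-HiveBacking {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object.
        if ($p.Name -like 'PS*') { continue }
        $file   = ConvertTo-Win32Path $p.Value
        $exists = $false
        $logs   = @()
        $alt    = $false
        if ($file) {
            $exists = Test-Path -LiteralPath $file
            # NT 4 writes <hive>.LOG; later versions write <hive>.LOG1 and .LOG2.
            $logs = @('.LOG', '.LOG1', '.LOG2') | Where-Object { Test-Path -LiteralPath ($file + $_) }
            # Only the SYSTEM hive is expected to have an .ALT (full second copy) under NT 4.
            $alt  = Test-Path -LiteralPath ($file + '.ALT')
        }
        [pscustomobject]@{
            Subtree  = $p.Name      # e.g. \REGISTRY\MACHINE\SECURITY
            HiveFile = $file        # $null for the in-memory HARDWARE subtree
            Exists   = $exists
            LogFiles = ($logs -join ',')
            HasAlt   = $alt
        }
    }
}

Get-HiveBacking | Format-Table -AutoSize
```

The hive files themselves are held open by the kernel while their subtrees are loaded, so a plain file copy of SAM or SECURITY fails even when elevated; an offline copy for analysis is taken with `reg.exe save` or from a volume shadow copy, and that copy reflects the hive file only, not changes that still sit in the .LOG.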

For a detailed description of the Registry Construction Steps
