The Windows registry is basically a hierarchical database which contains information pertaining to operating system and application settings. The database for example stores things as fundamental as the settings relating to the local users defined on a system such as username, password, and various options as well as settings pertaining to applications such as where Microsoft Word loads templates from.

The registry is broken up into a number of subtree’s such as HKEY_CURRENT_USER and HKEY_CLASSES_ROOT which are also sometimes referred to as hives. A hive however is the name given to the actual file stored on the system which contains the registry data which when loaded becomes part of the registry and the term hive is often misunderstood.

Navigating down a registry subtree, data is organized in various keys and values. Keys are like folders and can in turn contain sub keys of their own or values. Data is stored in values and the type of data stored is determined by the value type – for example a piece of text would typically be stored in a value with the type of REG_SZ whereas a number may be stored in a value with the type REG_DWORD.

One of the main and most important subtree’s on a Windows machine is HKEY_LOCAL_MACHINE. This subtree contains most of the configuration data pertaining to both the operating system and installed applications. Understanding HKEY_LOCAL_MACHINE however and where the various pieces of data is actually stored can be confusing.

HKEY_LOCAL_MACHINE actually doesn’t exist anywhere – it’s actually a placeholder (or starting point) for many of the various registry hives (remember they’re the files) to get loaded at. A similar example to this is like when you double-click My Computer – computer doesn’t actually exist – it’s just a starting point to access your hard drive and various other things.

When the system boots it creates the HKEY_LOCAL_MACHINE subtree and then begins to load the various registry hives below it –

%SYSTEMROOT% \ SYSTEM32 \ CONFIG \ SOFTWARE is loaded as HKEY_LOCAL_MACHINE \ Software

%SYSTEMROOT% \ SYSTEM32 \ CONFIG \ SYSTEM is loaded as HKEY_LOCAL_MACHINE \ System

%SYSTEMROOT% \ SYSTEM32 \ CONFIG \ SAM is loaded as HKEY_LOCAL_MACHINE \ SAM

%SYSTEMROOT% \ SYSTEM32 \ CONFIG \ SECURITY is loaded as HKEY_LOCAL_MACHINE \ SECURITY

These loaded files are what actually contain the registry data. There are a number of other registry hive files which are used such as the file which becomes HKEY_CURRENT_USER but that is irrelevant to understanding HKEY_LOCAL_MACHINE.

Once these hive files are loaded, there are additional subtree’s created which in turn link to locations within HKEY_LOCAL_MACHINE for example HKEY_CLASSES_ROOT is created as part of a link to HKEY_LOCAL_MACHINE \ Classes and HKEY_CURRENT_CONFIG is created as a link to HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet.

HKEY_LOCAL_MACHINE contains a lot of information and damage of corruption of this key can cause many problems. Editing the registry directly is unadvisable unless you understand exactly what you are doing and when doing so it is strongly recommended to backup the various registry hives beforehand. Many backup programs will backup these hive files as part of backing up what is known as ‘System State Data’.

Different users of a machine have different HKEY_CURRENT_USER subtree’s which are part of their profile however HKEY_LOCAL_MACHINE is a global or machine-wide subtree which is shared by all users who use the system. Because of this, applications generally should not store user specific data in this location and instead opt to use HKEY_CURRENT_USER where appropriate. Information an application should typically store in HKEY_LOCAL_MACHINE would be for example the license key or registration information whereas settings such as the toolbar layout should be stored per-user.

Additional Resources:

Windows 2000 Registry Reference

Windows 2003 Resource Kit Registry Reference

Inside The Registry by Mark Russinovich

Understanding The Windows 2003 Registry by Andrew Z. Tabona