HKEY_LOCAL_MACHINE

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Stores all computer specific configuration data. This subtree has five subkeys:
  • HARDWARE : ntdetect.com writes the subtree during the boot process. The hardware detected is divided into the following keys:
    • DESCRIPTION : system hardware database generated during boot.
    • DEVICEMAP : has subkeys enumerating all device drivers loaded.
    • RESOURCEMAP: tracks IRQ, DMA and other resource allocations for each driver.
  • SAM : Security Accounts Manager contains the user and group account database for a workstation, stand-alone server, member server or domain. It is often noted that this subtree can not be directly edited. It can be but one would be foolish using anything other than indirect editing tools such as User Manager or Resource Toolkit utilities. This subkey is actually a db view of the HKEY_LOCAL_MACHINE\SECURITY\SAM key. The max size is limited by the maximum size of the Registry. The Registry can not exceed 80% of the PagedPoolSize. If PagedPoolSize=128MB, max registry size is 128MB * .80 = 102MB. See Current Registry Size for tip on how to determine current registry size and maximum registry setting. See Q143475 on how to use strong encryption to the SAM.
  • SECURITY : contains policy information. It should not be directly edited. Use an indirect registry editor like the policy editor.
  • SOFTWARE : defines and maintains configuration data for all Win32 software installed on the PC including NT itself. There should be a subkey for each software vendor with a subkey for each installed title published by that vendor.
    • Classes Contains the information necessary to launch applications when opened from File Manager (file associations) or Explorer and for OLE COM. HKEY_CLASSES_ROOT is a db view of the Classes subtree.
      • Holds information about the ActiveX controls installed. When an ActiveX control installs itself, it creates entries so that ActiveX container applications can find and use the control. These controls register themselves by name and they also have a unique numer called a class ID (CLSID).
      • All the extensions and associations between applications and documents
      • Names of all the drivers
      • Strings used as pointers to the actual text they represent (for example, aufile actually represents AU Format Sound)
      • Class ID numbers (numbers used intead of names for accessing items)
      • DDE and OLE information
      • Icons used for applications and documents
      It controls all the data files. This key is maintained and manipulated the same way under NT and Win9x. Every file type is assigned a CLSID number. For example, the CLSID key for a .BMP extension lists the file type, the default app used for editing, running or printing the document, the default icons, and other info required to use the .BMP file type. Associations define what program runs when you double-click on a file name, what Context menu items appear when you right-click on the file. To change a file association, use the Explorer's Folder Options dialog or in NT, use the ASSOC cmd.
    • Microsoft : contains subkeys for all Microsoft software installed on NT-based computer including NT itself, Browser, Clipbook Server, Mail, Microsoft Office, ...
    • Secure : not used by NT OS. Used by applications such as Exchange Server to maintain configuration data restricted to administrator level.
    • Windows 3.1 Migration Status : the presense of this key indicates that the migration was complete (ie when NT Workstation installed in same directory as Win 3.x or WfWg 3.x).
  • SYSTEM : review the kernel section of Registry Construction Steps for a good overview of this subtree.

See Also

Featured Links