Hives and Files

The Registry is divided into parts called hives. A hive is a discrete body of keys, subkeys, and values rooted at the top of the Registry hierarchy. Hives are distinguished from other groups of keys in that they are permanent components of the Registry; they are not created dynamically when the system starts and deleted when it stops. Thus, HKEY_LOCAL_MACHINE\Hardware, which is built dynamically by the Hardware Recognizer when Windows NT starts, is not a hive.

Data in the hives is supported by files in the Systemroot\System32\Config and Systemroot\Profiles\Username subdirectories. Figure 23.7 shows the relationship between the hives and their supporting files.

Figure 23.7 Hives and files in the Windows NT Registry

Each hive in the Windows NT Registry is associated with a set of standard files. Table 23.3 lists the standard hives for a computer running Windows NT.

Table 23.3 Standard Hive Files

| Registry hive | Filenames |
|---|---|
| HKEY_LOCAL_MACHINE\SAM | Sam, Sam.log, Sam.sav |
| HKEY_LOCAL_MACHINE\Security | Security, Security.log, Security.sav |
| HKEY_LOCAL_MACHINE\Software | Software, Software.log, Software.sav |
| HKEY_LOCAL_MACHINE\System | System, System.alt, System.log, System.sav |
| HKEY_CURRENT_CONFIG | System, System.alt, System.log, System.sav |
| HKEY_USERS\.DEFAULT | Default, Default.log, Default.sav |
| (Not associated with a hive) | Userdiff, Userdiff.log |
| HKEY_CURRENT_USER | Ntuser.dat, Ntuser.dat.log |


By default, the supporting files for all hives except HKEY_CURRENT_USER are in Systemroot\System32\Config.

The HKEY_CURRENT_USER support files are stored in all subdirectories of Systemroot\Profiles, except for the All Users subdirectory. The Ntuser.dat files store user profiles; the Ntuser.dat.log files track changes to Ntuser.dat.

The Ntuser and Userdiff files are new to Windows NT 4.0:

Four types of files are associated with hives. Table 23.4 describes each file type by its filename extension.

Table 23.4 File Types and Filename Extensions

| File type | Description |
|---|---|
| No filename extension | Contains a copy of the hive. |
| .alt | Contains a backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file. |
| .log | Contains a transaction log of changes to the keys and value entries in the hive. |
| .sav | Contains copies of the hive files as they looked at the end of the text mode stage in Setup. There are .sav files for Software, SAM, Security, System, and .Default. |

A new feature of Windows NT 4.0 backs up the contents of the hives during setup. Setup has two stages: text mode and graphics mode. The hive is copied to a .sav file after the text-mode stage of setup to protect it from errors that might occur if the graphics-mode stage of setup fails. If setup fails during the graphics-mode stage, only the graphics-mode stage is repeated when the computer is restarted; the .sav file is used to rebuild the hives.


The next section discusses features that, along with the supporting files, help to preserve the integrity of the Windows NT Registry.

Atomicity and Hive Recovery in the Registry

The Registry ensures atomicity of individual actions. This means that any change made to a value (to set, delete, or save) either works or does not work: The result will not be a corrupted combination of the old and new configuration even if the system stops unexpectedly because of power failure, hardware failure, or software problems. For example, if an application sets a value for an entry and the system shuts down while this change is being made, when the system restarts, the entry will have either the old value or the new value, but not a meaningless combination of both values. In addition, the size and time data for the key containing the affected entry will be accurate whether the value was changed or not changed.

Flushing Data

In Windows NT, data is written to the Registry only when a flush occurs, which happens after changed data ages past a few seconds, or when an application intentionally flushes the data to the hard disk.

The system performs the following flush process for all hives (except for the System hive):

1. All changed data is written to the hive's .log file along with a map of where it is in the hive, and then a flush is performed on the .log file. All changed data has now been written in the .log file.

2. The first sector of the hive file is marked to indicate that the file is in transition.

3. The changed data is written to the hive file.

4. The hive file is marked as completed.

Note

If the system shuts down between steps 2 and 4, when the hive is next loaded at startup (unless it's a profile hive that is loaded at logon), the system sees the mark left in step 2, and proceeds to recover the hive using the changes contained in the .log file. That is, the .log files are not used if the hive is not in transition. If the hive is in transition, it cannot be loaded without the .log file.
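
The four steps and the recovery rule in the note can be followed in a small simulation. This is an added example, not Windows NT code: the class and function names are hypothetical, and using byte 0 of the hive as the transition mark is an assumption that stands in for the real hive and .log formats.

```python
# Toy model of the four-step flush (added example, not Windows NT code).
# Assumption: byte 0 of the hive is the "in transition" mark.
IN_TRANSITION, COMPLETE = 1, 0

class Crash(Exception):
    """Simulated power loss."""

class Hive:
    def __init__(self, data):
        self.hive = bytearray([COMPLETE]) + bytearray(data)  # e.g. Software
        self.log = []                    # e.g. Software.log: (offset, data)

    def _write(self, off, data):
        self.hive[off:off + len(data)] = data

    def flush(self, changes, crash_at=None):
        """changes maps hive offset -> new bytes; crash_at simulates a failure."""
        self.log = sorted(changes.items())   # step 1: data + map to the .log
        if crash_at == "after step 1":
            raise Crash(crash_at)
        self.hive[0] = IN_TRANSITION         # step 2: mark hive in transition
        for n, (off, data) in enumerate(self.log):
            if crash_at == "during step 3" and n == 1:
                raise Crash(crash_at)        # only the first range was written
            self._write(off, data)           # step 3: write changed data
        self.hive[0] = COMPLETE              # step 4: mark hive completed

    def load(self, log_available=True):
        """Startup load: the .log is replayed only if the mark is set."""
        if self.hive[0] == IN_TRANSITION:
            if not log_available:
                raise OSError("hive in transition and .log missing")
            for off, data in self.log:
                self._write(off, data)
            self.hive[0] = COMPLETE
        return bytes(self.hive[1:])

def recover_after(crash_at, log_available=True):
    """Flush two changes into b'AAAABBBB', crash, then reload the hive."""
    h = Hive(b"AAAABBBB")
    try:
        h.flush({1: b"aaaa", 5: b"bbbb"}, crash_at)
    except Crash:
        pass
    return h.load(log_available)

if __name__ == "__main__":
    for point in (None, "after step 1", "during step 3"):
        print(point, recover_after(point))
```

A crash after step 1 leaves the old data in place because the hive was never marked, while a crash during step 3 leaves a half-written hive that only the .log can complete. When a hive file is copied from a system that stopped unexpectedly, its .log file therefore has to be copied with it.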

A different flush process is used for the System hive because it is an important element during system startup and is used too early during startup to be recovered as described in the previous flush process.

The System.alt file contains a copy of the data contained in the System file. During the flush process, changes are marked, written, and then marked as done. Then the same flush process is followed for the System.alt file. If there is a power failure, hardware failure, or software problems at any point during the process, either the System or System.alt file contains the correct information.

The System.alt file is similar to a .log file except that at load time, rather than having to reapply the logged changes, the system just switches to System.alt. The System.alt file is not needed unless the System hive is in transition.

User Profile Hives

Each time a new user logs on to a computer, a new hive is created for that user with a separate file for the user profile. The system administrator can copy a user profile file to a different directory and view, repair, or copy entries to another computer by using Registry Editor. For specific information on this feature, see "Managing User Profiles Through the Registry" in Chapter 25, "Configuration Management and the Registry." For information about the hive for the default profile, see "HKEY_USERS" later in this chapter.

Registry Size Limit

Registry data is stored in the paged pool, an area of physical memory used for system data that can be written to disk when not in use. The RegistrySizeLimit value establishes the maximum amount of paged pool space (and disk paging file space) that can be consumed by Registry data from all applications. It is designed to prevent the Registry from consuming space needed by processes.

The RegistrySizeLimit value establishes a maximum size for the Registry. It does not allocate space in the paged pool, nor does it assure that the space will be available if needed.

By default, RegistrySizeLimit is set to 25 percent of the size of the paged pool. When the paged pool size changes, either because it is adjusted by Windows NT or because an administrator changes it, the value of RegistrySizeLimit changes, too. (Typically, the paged pool is set at 32 MB, so the RegistrySizeLimit value is 8 MB.)

The system ensures that the minimum value for RegistrySizeLimit is 4 MB, and the maximum is approximately 80 percent of the PagedPoolSize value. Because the paged pool is limited to a maximum size of 128 MB, the RegistrySizeLimit value cannot exceed 102 MB (80 percent of 128 MB).

To view or change the value of RegistrySizeLimit, edit the entry under the following subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control

RegistrySizeLimit must have a type of REG_DWORD and a data length of 4 bytes, or it will be ignored. The RegistrySizeLimit value is approximate.

To view or change the size of the paged pool, use the PagedPoolSize value entry under the following subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management

The space controlled by RegistrySizeLimit includes the hive space, as well as some of the Registry's run-time structures. Other Registry run-time structures are protected by their own size limits or by other means.

To ensure that a user can always start the system and edit the Registry, the Registry is not subject to the value set in RegistrySizeLimit until after the first successful loading of a hive (that is, the loading of a user profile). For more details about RegistrySizeLimit, see Regentry.hlp, the Registry Help file on the Windows NT Workstation Resource Kit CD.