Hives and Files

The Registry is divided into parts called hives, named by a Windows NT developer as an analogy for the cellular structure of a beehive. A hive is a discrete body of keys, subkeys, and values that is rooted at the top of the Registry hierarchy. A hive is backed by a single file and a .LOG file. These files are in the %SystemRoot%\system32\config directory.

The following table shows the standard hives for a computer running Windows NT.

Table 10.3 Standard Hive Files

Registry hive                   Filenames
HKEY_LOCAL_MACHINE\SAM          SAM and SAM.LOG
HKEY_LOCAL_MACHINE\SECURITY     SECURITY and SECURITY.LOG
HKEY_LOCAL_MACHINE\SOFTWARE     SOFTWARE and SOFTWARE.LOG
HKEY_LOCAL_MACHINE\SYSTEM       SYSTEM and SYSTEM.ALT
HKEY_CURRENT_USER               USER### and USER###.LOG or ADMIN### and ADMIN###.LOG
HKEY_USERS\.DEFAULT             DEFAULT and DEFAULT.LOG


By default, all hives are stored in the %SystemRoot%\SYSTEM32\CONFIG subdirectory, which also includes SYSTEM.ALT and the .LOG files that are backup hive files. The hive files for user profiles can be stored in other locations.

Atomicity and Hive Recovery in the Registry

The Registry ensures atomicity of individual actions. This means that any single action that sets, deletes, or saves a value either works or does not work, even if the system goes down because of power failure, hardware failure, or software problems. For example, if an application sets values for two entries (A and B), and the system crashes while this change is being made, one of the following situations results:

Because of the atomicity of individual actions, you avoid the situation of getting a corrupted mix of old and new values for an entry. For example, you won't get a corrupted mix of old A and new A. In addition, the key containing entry A and entry B will have a size, time stamp, and other data that are consistent with what is actually there.

Flushing Data

In this version of Windows NT, data is only written to the Registry when a flush occurs, which happens after changed data ages past a few seconds, or when an application intentionally flushes the data to the hard disk.

The system performs the following flush process for all hives (except for the System hive):

  1. All changed data is written to the hive's .LOG file along with a map of where it is in the hive, and then a flush is performed on the .LOG file. It is now certain that all changed data is written in the .LOG file.
  2. The first sector of the hive file is marked to indicate that the file is in transition.
  3. The changed data is written to the hive file.
  4. The hive file is marked as completed.

Note: If a system crash occurs between steps 2 and 4, when the hive is next loaded at startup (unless it's a Profile hive that is loaded at logon), the system sees the mark left in step 2 and proceeds to recover the hive using the changes contained in the .LOG file. So, the .LOG files are not used if the hive is not in transition. If the hive is in transition, it cannot be loaded without the .LOG file.
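The four-step flush and the recovery rule in the note can be exercised with a small simulation. This is an added example, not code from Windows NT or from the original text; the Hive class, the function names and the sample values are hypothetical, and the hive, its .LOG file and the first-sector mark are modeled as plain Python objects.

```python
class Crash(Exception): pass    # constructed stand-in for a power failure

class Hive:
    """Toy model: the hive file, its .LOG file, and the first-sector mark."""
    def __init__(self, data):
        self.file = dict(data)      # contents of the hive file
        self.log = None             # contents of the .LOG file (None = no usable log)
        self.in_transition = False  # mark set in step 2, cleared in step 4

def flush(hive, changes, crash_at=None):
    """Four-step flush. crash_at=N dies just before step N; 3.5 dies mid-step 3."""
    def maybe_crash(point):
        if crash_at == point:
            raise Crash(point)
    maybe_crash(1)
    hive.log = dict(changes)        # 1: changed data and its location go to .LOG
    maybe_crash(2)
    hive.in_transition = True       # 2: first sector marked as in transition
    maybe_crash(3)
    for i, (name, value) in enumerate(changes.items()):
        if i == 1:
            maybe_crash(3.5)        # torn write: only part of the data is on disk
        hive.file[name] = value     # 3: changed data written to the hive file
    maybe_crash(4)
    hive.in_transition = False      # 4: hive marked as completed

def load(hive):
    """Load at startup: the .LOG is replayed only if the transition mark is set."""
    if hive.in_transition:
        if hive.log is None:
            raise RuntimeError("hive in transition cannot be loaded without its .LOG")
        hive.file.update(hive.log)
        hive.in_transition = False
    return dict(hive.file)

OLD = {"ValueX": "old X", "ValueY": "old Y"}    # constructed sample data
NEW = {"ValueX": "new X", "ValueY": "new Y"}

def crash_matrix():
    """State seen after restart for a crash at each point of the flush."""
    seen = {}
    for point in (1, 2, 3, 3.5, 4, None):
        hive = Hive(OLD)
        try:
            flush(hive, NEW, crash_at=point)
        except Crash:
            pass
        seen[point] = load(hive)
    return seen
```

A crash before step 2 leaves the old data in place because the .LOG is never consulted; a crash at any later point, including a torn write in step 3, is repaired from the .LOG, so the loaded hive is never a mix of old and new data.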

A different flush process is used for the System hive because it is an important element during system startup and is used too early during startup to be recovered as described in the previous flush process.

The SYSTEM.ALT file contains a copy of the data contained in the SYSTEM file. During the flush process, changes are marked, written, and then marked as done, and then the same flush process is followed for the SYSTEM.ALT file. If there is a power failure, hardware failure, or software problem at any point in the process, either the SYSTEM or the SYSTEM.ALT file will contain the correct information.

The SYSTEM.ALT file isn't that different from a .LOG file, except that at load time, rather than having to reapply the logged changes, the system just switches to SYSTEM.ALT. You don't need the SYSTEM.ALT file unless the System hive is in transition.

User Profile Hives

Each time a new user logs onto a computer, a new hive is created for that user. Because each user profile is a separate hive, each profile is also a separate file. Profile hives can be stored in other directories. The system administrator can copy a user profile as a file and view, repair, or copy entries using Registry Editor on another computer. For specific information about how to take advantage of this feature, see "Managing User Profiles Through the Registry" in Chapter 13, "Configuration Management and the Registry." For information about the hive for the default profile, see "HKEY_USERS" later in this chapter.

Registry Size Limits

The total amount of space that can be consumed by Registry data (the hives) is restricted by the Registry size limit, which is a kind of "global quota" for Registry space that prevents an application from filling the paged pool with Registry data. Registry size limits affect both the amount of paged pool the Registry can use and the amount of disk space.

You can view or set the value for RegistrySizeLimit under the following subkey:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

RegistrySizeLimit must have a type of REG_DWORD and a data length of 4 bytes, or it will be ignored. By default, the Registry size limit is 25 percent of the size of the paged pool, which is 32 MB; so the default RegistrySizeLimit is 8 MB (which is enough to support about 5000 user accounts). Setting the PagedPoolSize value under the CurrentControlSet\Control\Session Manager\Memory Management subkey also affects the Registry size limit. The system ensures that the value for RegistrySizeLimit will be at least 4 MB and no greater than about 80 percent of the size of PagedPoolSize.

The RegistrySizeLimit limitations are approximate. The PagedPoolSize can be set to a maximum of 128 MB, so RegistrySizeLimit can be no larger than about 102 MB, supporting about 80,000 users (although other limits prevent a Registry this large from being very useful). Also, RegistrySizeLimit sets a maximum, not an allocation (unlike some similar limits in the system). Setting a large value for RegistrySizeLimit will not cause the system to use that much space unless it is actually needed by the Registry. A large value also does not guarantee that the maximum space will actually be available for use by the Registry.
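The rules above (type and length check, 25 percent default, 4 MB floor, roughly 80 percent ceiling) can be combined into one check for auditing a configured value. This is an added example, not code from the original text or from Windows; the function name is hypothetical, the value is assumed to be a little-endian byte count, and the result is approximate, as the text notes.

```python
REG_SZ, REG_DWORD = 1, 4    # Windows registry value type codes
MB = 1024 * 1024

def effective_registry_size_limit(value_type, data, paged_pool_bytes=32 * MB):
    """Return (limit_in_bytes, note) following the rules stated in the text.

    value_type and data describe the RegistrySizeLimit entry as stored
    (data is the raw bytes, or None if the entry does not exist).
    """
    floor = 4 * MB                          # never less than 4 MB
    ceiling = int(paged_pool_bytes * 0.80)  # about 80 percent of PagedPoolSize
    if data is None:
        requested, note = paged_pool_bytes // 4, "not set: default of 25% of paged pool"
    elif value_type != REG_DWORD or len(data) != 4:
        requested, note = paged_pool_bytes // 4, "ignored: not a 4-byte REG_DWORD"
    else:
        requested, note = int.from_bytes(data, "little"), "configured value used"
    limit = max(floor, min(requested, ceiling))
    if limit != requested:
        note += ", adjusted to the allowed range"
    return limit, note
```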

The space controlled by RegistrySizeLimit includes the hive space, as well as some of the Registry's run-time structures. Other Registry run-time structures are protected by their own size limits or other means.

To ensure that a user can always at least start the system and edit the Registry if the RegistrySizeLimit is set wrong, quota checking is not turned on until after the first successful loading of a hive (that is, the loading of a user profile). For more details about RegistrySizeLimit, see its entry in Chapter 14, "Registry Value Entries."