THE WINDOWS NT 4.0 REGISTRY

Lance Jensen
Executive Software Technical Support
and
John Sankey

The Registry is NT's management information system, a unified database containing information about hardware, installed software, and the settings for their use, set up in a tree hierarchy. It is normally maintained by programs such as Control Panel and program installs. However, viewing it can often help to trace a problem, and editing it directly can be very useful in special cases.

Warning: Neither of the authors (nor Microsoft for that matter) accepts any responsibility whatsoever for changes you make directly to a registry. You can easily make a mistake while using the registry editors, and they will not warn you if you do. Editing the registry can disrupt your system to the point where your only option is to re-install Windows NT. Even if you know exactly what you are doing and are completely certain what the results will be, you should always back up your registry before making any changes, using NTBackup or the Windows NT Resource Kit programs regback.exe and regrest.exe.

The old registry editor regedit.exe has a complete search capability (the new one, regedt32.exe, only searches keys, not values) but regedit cannot be used to edit the new EXPAND_SZ or MULTI_SZ value types or to implement registry auditing. So, you have to use regedit to find values in the Registry, then switch to regedt32 to make these changes. Regedt32 also has a read-only switch (Menu, Options) which is a good safety feature to prevent changes from being made until you are ready for it - regedit doesn't. Hopefully, in NT5 the two teams will get their act together.

Each major set of keys is called a hive. Within each hive there are keys, which may have sub-keys, and sub-sub-keys, and so on. At the lowest level there is a value entry comprised of a name, a data type, and a value. Data types are BINARY (16 bits!), DWORD (4 bytes, displayed in binary, hexadecimal or decimal), SZ (text string), EXPAND_SZ (expandable text string that contains a variable such as %systemroot%), and MULTI_SZ (multiple line string; each "line" is separated by a null). Each hive is rooted at the top of the Registry hierarchy, and most are backed by a main file, a save file and a log file in the folder %systemroot%\system32\config. The main file has no extension, the others have the extensions .sav and .log. Exceptions are LOCAL_MACHINE\HARDWARE, which has no files, and CURRENT_USER, which stores its files in %systemroot%\Profiles\%username%.

The following facts concerning the registry are in the same format as you see them in the registry editors. Setup your browser on one side of the screen, and a registry editor the other, to keep track of things. Q numbers refer to Microsoft Knowledge Base Articles available at http://support.microsoft.com/support/. Much of the information is also available in descriptive format in the NT Focus eletters at http://www.execsoft.com/eletters/.

This information is as accurate as the authors can make it. If, despite our care, you find an error in this document, please email bf250@freenet.carleton.ca immediately.

LOCAL_MACHINE holds information about the local machine, hardware and installed software. It contains five hives:

• HARDWARE contains information about your hardware, including cards in expansion slots, connections through ports, and the related interrupts. Most of this data is determined and stored on boot-up, so it is not saved in any files. You almost never need to edit any data here, but it's a useful source of troubleshooting information.
  • DESCRIPTION System devices are listed in the Registry by names or codes. This is where those names and codes are defined. The source of this data depends on your computer. On an Alpha system, the data is copied from the ARC configuration database in the firmware. On an x86 system, the Hardware Recognizer NTDETECT.COM gathers the data during startup. On a non-x86 system the data is gathered by a version of NTDETECT.COM provided by the OEM.
    • System contains value entries defining the System and Video BIOS and the motherboard itself. It's a convenient place to check your BIOS version and revision date.
      • CentralProcessor lists the CPUs, each under its own number sub-key 0, 1, etc. Each sub-key has five value entries describing the CPU, including the vendor and clock speed. The first three value entries are also found under each of the number keys (0, 1, etc.) under System.
        • Component Information, BINARY. Contains version information.
        • Configuration Data, REG_FULL_RESOURCE_DESCRIPTOR. Contains data such as the I/O port addresses and the IRQ number. (If this data is not available, this value entry will not appear.)
        • Identifier, SZ. Contains the name of the device.
        • VendorIdentifier, SZ. Identifies the CPU manufacturer.
        • ~MHz: the approximate rated speed of the CPU.
        • FloatingPointProcessor lists the math co-processors in sub-keys, which have the same value entries as CentralProcessor, describing the co-processor.
    • MultifunctionAdapter, has three sub-keys which hold the data about the adapters in your system that are BIOS-controlled.
      • 0 holds the configuration data for the PCI bus, with subkeys for any BIOS-supported devices that are plugged into it.
      • 1 will hold the configuration data for the Plug and Play BIOS, but, since Plug and Play is not fully implemented in Windows NT 4.0, there are no sub-keys.
      • 2 holds the configuration data for the ISA bus, with subkeys for any BIOS-supported devices that are plugged into this bus.
        Under these number keys there are several more sub-keys for controllers. Which key you will find them under depends on which bus they are connected to. Each sub-key will have one or more sub-keys, depending on how many controllers you have. For example, you probably only have one keyboard controller, and thus only the 0 subkey under KeyboardController, but if you have two disk controllers, you will have 0 and 1 under DiskController. (Note: The numbers here do not refer to the type of bus.)
        • DiskController contains the data for your hard-disk and floppy-disk controllers. Under each number key it will have the sub-keys DiskPeripheral and/or FloppyDiskPeripheral, which will have number keys for each attached disk drive.
        • KeyboardController contains the data for your keyboard controller. Under the number key will be a sub-key KeyboardPeripheral, which contains a number key describing the keyboard itself.
        • ParallelController contains the data for your parallel port controller. It has a number key for each installed parallel port.
        • PointerController contains the data for your mouse port controller. It has a number key for each installed mouse port.
        • SerialController contains the data for your serial port controller. It has a number key for each installed serial port. Under each of these last three keys, if there is a device plugged in to a port, there will be a xxxPeripheral subkey, such as PointerPeripheral for a mouse or touchpad, which contains a number key describing the device.
  • DEVICEMAP Here we find several subkeys, each containing at least one value entry. The value entries contain either a string defining where in the Registry the driver data is stored, or a string containing a port name. The Registry location is LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services; usually the ControlSetnnn is the same control set that is mirrored in CurrentControlSet. The sub-keys under Services contain data on the drivers and on their associated hardware. You maintain this data from Control Panel, using the Devices, Network, Services and UPS icons.
    • One sub-key, Scsi, deserves more explanation. Here you will find a sub-key for each SCSI host device, in the order that the system discovers them. Under each SCSI host device will be a sub-key for each bus on that device. Under each bus will be subkeys for each SCSI device attached. If you are trouble-shooting an unfamiliar system, this can be useful in locating all SCSI devices on the system and exactly where they are.
  • OWNERMAP: If any devices are owned (controlled by another device), the device and its owner are recorded in value entries here.
  • RESOURCEMAP: Here you will find the connection settings and addresses for your system devices.
    • Hardware Abstraction Layer names in its sub-key the type of HAL in use on your system. There are many possible HALs, such as Compaq and PowerPC. On my system, this subkey is UP MPS 1.4-APIC platform
    • KeyboardPort\PointerPort, has a sub-key defining the keyboard controller chip. If you use a standard keyboard, the sub-key will be i8042prt.
    • LOADED PARALLEL DRIVER RESOURCES and
    • LOADED SERIAL DRIVER RESOURCES: contain data on the parallel and serial port drivers, in value entries within the subkeys Parport and Serial.
    • OtherDrivers holds the data on drivers that are not standard system operations drivers. For example, I have a subkey sndblst for my audio card.
    • PointerPort hold sub-keys containing data for pointers such as a mouse or touchpad.
    • ScsiAdapter holds sub-keys for any SCSI adapters installed, with their settings.
    • System Resources contains memory settings, including Virtual and Reserved memory, in its subkeys PhysicalMemory and Reserved.
    • VIDEO contains your video driver information. The subkey depends on your video driver. For example, my system has stlth3d. But there are two other sub-keys. VgaSave describes the VGA driver which is used when the installed video card fails, or when you boot to VGA mode. VgaStart notes which of the video drivers is currently in use.
• SAM is the Security Accounts Manager, containing user account names and passwords and security settings. As in SECURITY, most of the information is encrypted and stored in binary format. You should never need to change anything here, as it is maintained on Workstations via User Manager, or on Servers by User Manager For Domains. Files: Sam, Sam.sav and Sam.log. It contains only one sub-key, SAM, which is mapped to the sub-key SAM under SECURITY. Thus any change made to one sub-key also changes the other.
  • Domains. It has two sub-keys, Account and Builtin, and they each have three sub-keys, Aliases, Groups and Users. Each of these has a code-number sub-key for each member (if any), plus Names, which contains as sub-keys the actual names of the members (such as Administrators or Users). Account\Users\Names will contain the names of user accounts, as maintained in the User Manager program. Builtin\Aliases\Names will contain the built-in groups Administrators, Backup Operators, Guests, Power Users, Replicator and Users.
  • RXACT, which stands for Registry Transaction. It's usually empty.
• SECURITY This contains the security information for the local machine, including all group names, all user names and passwords, what rights each user has and what groups each user belongs to. It is maintained via User Manager. The information is encrypted and is stored in binary format, so you can't edit it with REGEDT32 or REGEDIT. About the only thing you can do is view the user and group names. Files: Security, Security.sav and Security.log
• SOFTWARE contains data for all of the 32-bit software installed on your system. Each software package may appear as a sub-key of SOFTWARE, but there will also be sub-keys which are manufacturers (such as Microsoft or Executive Software) with software packages listed as sub-keys below the company sub-key. The data under the software sub-keys includes configuration settings, file associations and OLE information. This data can include build number, registration information, paths to executable and data files, and anything else the manufacturer wants. If permission for Everyone on this key, and on the subkey for each manufacturer, is restricted to QueryValue, Enumerate Subkeys, Notify and Read Control, only administrators will be able to install software with InstallShield. The entire subtree must not be locked using this setting because that will prevent applications from running that use the registry to store state information.
  • Classes In this sub-key, OLE (Object Linking and Embedding) and DDE (Dynamic Data Exchange) classes are defined. It contains a sub-key for each class, such as .exe (executable) and .gif (graphic image). Each sub-key has a value entry whose value is the program used to open this type of file; this program is what you are asked to specify when you see the Open With dialogue box.
    • [ext]_auto_file: each extension in the "open with" dialog has an entry here
    • [filetype]\EditFlags: set to 00000000 to save, otherwise filetype is played/displayed directly. Setting this to 0 is how you reverse clearing the "prompt for this type of file" box.
    • [type]\Shell\edit\Default: the executable used to edit the file type. These are all most easily set from within NT Explorer.
    • Clients: This section defines clients such as your internet e-mail package, and other applications such as Microsoft Outlook. Sub-keys and data vary greatly depending on the application
    • CLSID: a list of all program identity numbers
      • DefaultIcon: {path}.ico,0 is the desktop icon used for each program. Any desired icon can be set here for any program, in particular of My Computer (CLSID {20D04FE0-3AEA-1069-A2D8-08002B30309D}), Network Neighbourhood {208D2C60-3AEA-1069-A2D7-08002B30309D} and the Recycle bin {645FF040-5081-101B-9F08-00AA002F954E}.
    • Description: where Windows NT stores the names and versions of your software. It is useful for information, but should never be changed manually.
    • Http\Shell\Open\Command\Default: the command to start the default Internet Browser
    • Lnkfile\IsShortcut: Delete this value to remove the arrows marking shortcuts if you don't like them. (A right-click will still tell you which is which.)
    • Paint.Picture\DefaultIcon: By default this is the name of a bitmap viewer. Replace it with %1 and a thumbnail of each graphic file will appear as its icon in NT Explorer. Handy if you have a lot of bitmaps, and set View in Explorer to large icons.
    • Unknown\Shell: one entry for each item in the right-click menu
  • Program Groups Descriptions of any program groups, as maintained with Program Manager, are stored here.
  • Secure: apparently a storage location for keys that require more than the usual amount of security.
  • Microsoft
    • Internet Explorer\Main
      • URLTemplates: when you type in a URL, this is where IE gets the suggestions it puts in that blue type-ahead. Add your own specials as desired, in the order desired (match the syntax and type of those already there).
    • Multimedia: Control Panel settings
    • Ntbackup
      • BackupEngine\Backupfilesinuse: set to 0 to prevent open files from being backed up, which can produce errors with update-in-place apps. (Q159218)
      • UserInterface\Skipopenfiles: used if Backupfilesinuse is 1. Set to 0 to wait until the open file can be backed up, 1 to skip files that are open/unreadable, 2 to wait for open files to close for Waittime seconds)
      • Waittime: the time used by Skipopenfiles=2
    • RAS Autodial
      • Addresses: network address for which RAS is to autodial
      • Control\DisabledAddresses: network addresses for which autodial is not desired
    • Windows\CurrentVersion
      • Explorer\Tips
        • Next: the message number to be shown next Explorer start
        • Show: 01000000 to display a different message each time Explorer is opened, 0 otherwise
        • [n]: text of each message
      • Policies\System
        • DisableRegistryTools: 1 if the user is not permitted to use the registry editors
        • Explorer\LinkResolveIgnoreLinkInfo: set to 1 to disable link tracking of shortcuts
      • Run: each program listed here will be run each time any user logs on. Since such programs run at System privilege, Everyone permission on this key and the three following should be restricted to Read to prevent unauthorized additions (Q126713). If everyone has problems with NT Explorer start-up errors, check for a null ("") program entry here or in Windows NT\Current Version (regedt32 required - regedit can't see this kind of entry).
      • RunOnce: each program listed here will be run the next logon then removed from the list.
      • RunServices: a way of starting a service (TSR in DOS language).
      • RunServicesOnce: a way of running a service once.
      • SharedDlls: has a value under the name of each DLL in the system that is used by more than one program. Entering the name of a non-NT DLL here with value 1 will stop NT uninstall from offering to delete it.
      • Telephony: Control Panel entries
      • Uninstall: contains a key for each program that can be uninstalled by NT. In any secure installation, Everyone access to this key should be removed (NOT set to NoAccess! - Everyone includes Administrators). If a botched install leaves an inoperative entry in the uninstall list, delete it here.
    • Windows NT\CurrentVersion
      • AeDebug: delete this to stop Dr.Watson from generating its huge dump files
      • Fonts: installed fonts (Control Panel)
      • Hotfix: records which hotfixes have been applied
      • InternetSettings: Control Panel settings
      • Perflib: the permissions on this key determine who can see data such as the list of running processes.
      • ProductId: 50036-xxx-yyyyyyy-71345 where xxx-yyyyyyy is the CD-ROM key
      • ProfileList: lists each valid SID on the local machine and matching profile locations. By default when a user logs on for the first time at a machine a directory %systemroot%\profiles\%username% is created. If the directory already exists, an alternate directory <username>.nnn will be created, starting with 000. This mapping is stored here.
      • RegisteredOrganization: your company name
      • Run, Run Once: some installs put programs here (they should be put under Windows\Current Version)
      • Unimodem: modem data (Control Panel)
      • Windows
        • ErrorMode: 1 to display only application errors, 2 to suppress all error dialogs (noone but developers should use this or NoPopUpsOnBoot)
        • NoPopUpsOnBoot: 1 to suppress boot error popups
      • Winlogon
        • AllocateCDRoms: if 1, the drive will be secured for a user (C2 security), if 0 default administrative sharing is allowed
        • AllocateFloppies: does the same for floppy drives
        • AutoAdminLogon: 1 to force automatic logon using the username and password set below. Users must be restricted to read-only access to the Winlogon key to enforce this.
        • AutoRestartShell: should be 1 so if your shell (default Explorer) crashes it will automatically restart.
        • CachedLogonsCount: this basically enables roaming profiles; set to 0 to disable them (Q172931)
        • DefaultDomainName, DefaultPassword, DefaultUserName: for autologon
        • DeleteRoamingCache: by default, profiles are cached locally to machines, however this can be disabled by setting this to 1
        • DontDisplayLastUserName Value: To prevent display of a user name in the Logon dialog box, give this the value 1 (C2 security)
        • IgnoreShiftOveride: by default any user can prevent programs in start folders from running by holding down the Shift key during logon. Set this to 1 to prevent this.
        • KeepRasConnections: keep RAS connections open when the user logs off
        • LegalNoticeCaption, LegalNoticeText: if present require each user to 'accept' (click OK) the text
        • LogonPrompt: the place for custom logon instructions
        • PasswordExpiryWarning: the number of days prior to password expiring that a warning message is displayed
        • PowerdownAfterShutdown: if you have an ATX power supply, setting this to 1 will power down the computer on shutdown. (Without an ATX, it makes it always reboot.)
        • Shell: explorer.exe by default, can be changed to progman.exe for nostalgia
        • Show: the timeout for options displayed at logon e.g. profile choice
        • ShutdownWithoutLogon: set to 0 to remove the shutdown button from the logon screen
        • TaskMan: set to TaskMan.exe to enable the old Ctrl-Esc activation of Task Manager
        • Welcome: the place for a custom welcome message
      • Policies\Ratings\Key: password for the IE content advisor (encrypted). Delete value then set a new password with Internet Options - Content if you forget it
  • [Software Packages name]: The data stored for each software package varies widely. For example, Executive Software's entry can tell you that Diskeeper is installed at D:\ExecSoft\Diskeeper (from Diskeeper), that it is version 3.0 build 172 (from CurrentVersion) , it was upgraded from version 2.0 (from 2.0) , and that it is set to run at the lowest priority (from UserSettings). Much of the data may not be understandable, but at the minimum you can find where the files are. When an Uninstall fails, this is where you find the information to manually uninstall a package.
• SYSTEM This is the most useful as well as the most dangerous hive, because it contains the startup data that cannot be calculated during startup. This data is stored in ControlSet sub-trees. One of these, CurrentControlSet, is actually a link to one of the others (ControlSet001, ControlSet002, etc.) which contains the data set currently in use. This data is normally modified via utilities in Control Panel. Files: system, system.sav and system.log. There is also system.alt, which is a backup of the system hive, and makes it possible to undo changes that had unexpected side-effects.
  • CurrentControlSet contains the parameters for the system's services and devices currently in use. When the system starts, the numbered set used (usually ControlSet001) is copied into Clone, and CurrentControlSet is linked to that numbered set. The copy in Clone also replaces the LastKnownGood configuration, once the startup is declared good (generally meaning there were no Severe or Critical errors, and a successful logon was done). This lets you revert your Registry to the way it was prior to the changes by invoking the Last Known Good menu on reboot if you accidentally botch registry changes. Note that this will only work of you have not fully rebooted since the changes. If you have, then your changes to the Registry will have already been saved. A way to be sure every time is to back up your Registry prior to making any changes, so that you always have a good copy of the Registry to fall back on.
    • Control contains parameters necessary for the system to start. There are several sections here that you should leave alone, as changes can prevent the system from starting or running or can make it impossible for anyone to log in. Let Control Panel and the system maintain these whenever possible.
      • CurrentUser, SZ. This is for holding the username of you, the user who is currently logged on.
      • RegistrySizeLimit: The default is 25% of the paged pool (see PagedPoolQuota), minimum 4MB, maximum 80% of the paged pool (which has a maximum size of 128MB). The RegistrySizeLimit is a maximum, not an allocation, so setting a high value will not reserve the space nor does it guarantee the space will be available. This is best configured using the System Control Panel applet Performance tab (Q124594).
      • ServiceGroupOrder: determines the order in which services are started at startup (Q102987)
      • SystemStartOptions: If the firmware passes system arguments to the system, they are listed here. You will not need to change anything here.
      • Update\UpdateMode: set to 0 to make NT Explorer refresh the screen automatically after each change
      • WaitToKillServiceTimeout: default 20,000 ms. Sets how long the service control manager will wait for each service to complete the shut-down request. If you have a long wait to complete shutdown, this is usually the reason; it can be reduced significantly on non-networked systems.
      • BootVerificationProgram: ImagePath, defaults to blank. This value entry contains the path and filename of the program which the service controller uses to verify the Last Known Good configuration. If you change this from the default, you must also go to LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon and set the value entry ReportBootOK (SZ) to 0. These sub-keys should be left at the default unless you are certain you know what you are doing. For one thing, you'll probably have to write the program it calls.
      • Class: You'll find a dozen or more sub-keys under Class, each with a cryptic name. Don't worry about them, because you should not modify them. These sub-keys define devices such as keyboard, mouse, modem, etc., and are modified from Control Panel.
      • ComputerName: This has two sub-keys, ActiveComputerName and ComputerName (yes, the name is identical). The value entry ComputerName, SZ, will be in the first sub-key, and may be in the second. This is the network name of the computer. You can change it in Network\Identification in Control Panel.
      • CrashControl: Workstation default=0, Server default=1 for most
        • AutoReboot: if 1 the system will automatically reboot when it crashes.
        • CrashDumpEnabled: if 1 a dump file will be written when when the system crashes if you have a pagefile on your system partition which is larger than your total RAM.
        • DumpFile: default %SystemRoot%\Memory.log. This is the path and file name of the crash dump file.
        • LogEvent: if 1 an entry will be written to the System log when the system crashes.
        • Overwrite: if 1 the dump file will be overwritten when the system crashes; a value of 0 means the crash dump data will be added to the existing dump file.
        • SendAlert: if 1 and LogEvent is 1 and Overwrite is 0, then when the dump file is full, the logged-on user will receive an administrative alert. An acknowledgement must be received from the user before the system will proceed.
      • FileSystem
        • NtfsDisable8dot3NameCreation: default 0. If set to 1, long file names can not be used on your NTFS partitions. If Windows NT is taking a long time to process directories, it may be due to having a large number of long file names. If so, setting this value to 1 may speed up the directory processing. On the other hand, you will not be able to use long file names, and you will not be able to use MS-DOS shortcuts that have long file names.
        • NtfsDisableLastAccessUpdate: default 0. Whenever Windows NT accesses a file or folder, even if it's just to display the name in a list of folder contents, the Last Accessed Date is updated. If you normally deal with large numbers of files and folders, this could slow you down. To disable this feature, set this value to 1.
        • Win31FileSystem: default 0. Controls whether the FAT will allow creation, enumeration, opening, or querying of long file names, and whether extended time stamp information (CreationTime and LastAccessTime) is stored and reported. Set it to 1 to revert to basic Win3x (and Windows NT 3.5) semantics. Changing this value does not change any disk structures, it simply changes how the system behaves.
        • Win95TruncatedExtensions: when set to 0, this makes all file extensions look like 3-character extensions. NT will then consider .LIS, .LIST, .LISTS, .LISTED, .LISTING, and so on to be identical, and any action done on *.LIS will be performed on all of these files. To disable this feature, set this value to 1.
      • GraphicsDrivers contains sub-keys for any graphics drivers installed on the system. Within these sub-keys you may find value entries for controlling the drivers.
      • GroupOrderList: This contains a series of value entries which, along with the Tag value under the specific Services subkeys lay out the order in which services within a group will be loaded on startup. See ServiceGroupOrder below. They should be maintained only by the system.
      • IDConfigDB identifies the current system configuration. It has one sub-key Hardware, which has sub-keys 0001, 0002, etc. These are entries in your Last Known Good menu. Each has several value entries, including FriendlyName, SZ, (the name as it appears in the configuration menu) and PreferenceOrder, which is the sequence these appear in the menu.
      • Keyboard Layout: KeyboardLayout, SZ. This key contains the name of the .DLL file which the system loads to map your keyboard. You will probably never need to change this. It contains two sub-keys.
        • DosKeybCodes: This contains a set of value entries, each of which is an MS-DOS style layout name. The system uses it to convert Windows NT layout names. Each value entry is the code. For example, US is 00000409. Note that these are text strings, so the value type is SZ.
        • Substitutes: If a particular user prefers a keyboard layout which is different from the default, the code for the layout is recorded here. When that user logs in, the system loads the corresponding .DLL file. As under DosKeybCodes, each value entry is the code. The type is SZ, Default is blank.
      • Keyboard Layouts: Under this key we have a sub-key for each layout name, (as listed in Keyboard Layout\DosKeybCodes). Each sub-key contains the name of the .DLL file, an ID number and descriptive text
      • Lsa: (Local Security Authority)
        • CrashOnAuditFail: If this exists, it is set to 2 by the operating system just before the system crashes due to a full audit log, so that only the administrator can logon - this allows saving of the logs. If set to 1, the system stops immediately on audit full.
        • Notification Packages: if this contains PASSFILT, users may enter only strong passwords. (User Manager is not restricted by this value.)
        • RestrictAnonymous: 1 to block null session attacks
      • MediaProperties: the properties of your system's multimedia devices.
      • MediaResources: descriptions of your multimedia devices and their drivers.
      • NetworkProvider contains one subkey, Order, which contains one value entry, ProviderOrder, SZ. The default, when only a single network is installed on the system, is LanmanWorkstation. If there are other network providers available, they will be listed, separated by commas. The order in which they are listed is the order in which they will be accessed. Each entry also appears as a sub-key under LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. This list is maintained from Control Panel\Network.
      • Nls (National Language Support). This key contains subkeys that define information for languages and code pages. It has two subkeys: Code Page contains value entries for all code pages that Windows NT supports; Language contains value entries for all languages that Windows NT supports. When an application runs, it looks in these value entries to find the file name of the code page or language it needs. If the code page or language is not installed on the system, there will be no file name in the value entry.
      • Print: data pertinent to your printers. There will be sub-keys for DLLs and drivers that are neccesary for the printers and print spoolers, and possibly sub-keys installed by OEMs.
        • Environments: hardware system descriptions for Windows 4.0, Alpha_AXP, PowerPC, R4000, x86, each of which contains
          • Directory value is the driver directory. In Windows NT X86 this value is W32X86
          • Drivers: For each printer that you have configured on this system, there will be one or more sub-keys. They will contain value entries for data that applies to the printer, such as the names of the configuration files and driver DLLs. The files will reside under the driver directory.
          • Print Processors: value Driver, the name of the print DLL.
        • Monitors
          • Local Port: Driver, SZ. Contains the name of the local monitor DLL.
          • Permissions: the permissions on this determine who can add printers
          • PJL Language Monitor: PJL stands for Printer Job Language. This sub-key contains the value entries Driver, whose value is the PJL DLL file name, and EOJTimeout, whose value is the number of milliseconds to End-of-Job timeout.
          • Provider Network Port contains the value entry Driver, whose value is the name of the DLL for the print monitor. It also has a sub-key Options which contains several value entries defining connection, buffers, timers, etc.
        • Printers: several useful value entries, most only used by servers
          • DefaultSpoolDirectory, SZ. This is the path to the default print spooler directory, used by all of the printers.
          • SpoolDirectory, SZ. If you want a particular printer to use a different spooler directory, add this with value the path to your alternate print spooler directory. Note that if you misspell the path, or the directory does not exist, the default print spooler will still be used.
          • JobPrintsWhilstSpooling, 0=disabled, 1=enabled. See below
          • FastPrintWaitTimeout, Default 24,000ms. This is the time the port thread will wait for data. If it times out, then the print job will be paused, and the next print job will start. NOTE: If JobPrintsWhilstSpooling is enabled, the port thread must synchronize with the spooling application.
          • FastPrintSlowDownThreshold: Default FastPrintWaitTimeout divided by FastPrintThrottleTimeout. If JobPrintsWhilstSpooling is enabled, your printer may pause if no data is received for a specified period. FastPrintSlowDownThreshold is used to prevent this pause.
          • FastPrintThrottleTimeout, Default: 2,000ms. When the FastPrintSlowDownThreshold is reached, the print spooler cuts the speed at which it sends data, so that there will not be a long enough period between data packets to allow the printer to pause.
          • NetPrinterDecayPeriod, Default: 3,600,000ms (1 hour). There is a list of printers available to the browser. This value specifies how long a network printer will be kept on that list.
          • PortThreadPriority: Sets the priority of the threads that carry data to the printer, , default 0 (Normal), but can be set to 1 (High) or 0xFFFFFFFF (Low).
          • SchedulerThreadPriority: Sets the order that threads get access to the printer (High threads go first, then Normal, then Low).
          • SpoolerPriority: Sets the priority of the spooler as an application.
          • A subkey for each installed printer on the local machine. Their values are all set through Control Panel Printers.
        • Providers
          • EventLog, , default 1. When a print job completes, an entry is made in the event log. Set this to 0 to disable the logging, then go into Control Panel\Services and stop and start the spooler.
          • NetPopup, default 1. When a print job completes a notification pops up. Set this to 0 to disable the notification.
          • LanMan Print Services
            • Name, SZ, whose value is the name of the DLL file for the service.
            • DisplayName, SZ, whose value is the name which is displayed to identify the service.
            • Monitors
              • LanMan Print Services Port has a value entry Driver, SZ, whose value is the name of the printer driver DLL.
            • LanmanServer\Shares: contains all the file sharing information: If you wish to copy shared files to another host, this information has to be copied to the new host machine's registry.
            • Servers, has one sub-key for each server in the network; the sub-key name is the server name.
            • Forms: which has a BINARY value entry for each defined print form.
            • Printers: a sub-key for each installed network printer
            • PrinterDriverData: value entries defining the printer and its driver. They are all set through Control Panel Printers.
      • PriorityControl has one value entry, Win32PrioritySeparation, default 2, which controls the relative priority between foreground and background applications. This should be controlled through Control Panel\System\Performance. On Windows NT Workstation, a value of 0 means foreground and background threads get the same amount of processor time; 1 and 2 give more time to foreground threads. On a Windows NT Server, the processor time that threads get is fixed. The Win32PrioritySeparation value instead determines the priority boost given to foreground processes, with 2 being the highest boost.
      • SecurePipeServers has one sub-key, winreg. It is used primarily to define who may have access to the Registry itself. In Windows NT 4.0, by default, only members of the Administrators group can access the Registry. You can alter the default in several ways: 1) To change the default, go to winreg and add the value entry Description (SZ) and set the value to Registry Server. Highlight winreg, then select Security on the menu bar, then Permissions. Enter the users and groups you want to add, with the type of access you want them to have. 2) To allow access to certain Users or Groups, add a sub-key AllowedPaths under winreg, leaving Class blank. Then add the value Machine, MULTI_SZ. Enter the following string values:
        • System\CurrentControlSet\Control\ProductOptions
        • System\CurrentControlSet\Control\Print\Printers
        • System\CurrentControlSet\Services\Eventlog
        • Software\Microsoft\Windows NT\CurrentVersion
        • System\CurrentControlSet\Services\Replicator

        If you want to allow access only to certain parts of the Registry, add the value name Users, MULTI_SZ, and enter the locations. You also use this key for allowing users to monitor server performance. First, in USERS, select the SID of the local server user. Then select Control Panel\International\Locale and note the basic language ID (the value for English is 409). Subtract 400 to get the number to use below. If your system partition is NTFS format, make sure you have read access to these server files: %windir%\system32\PERFCnnn.DAT, %windir%\system32\PERFHnnn.DAT. Now highlight winreg and select Security on the menu bar, then Permissions. Enter the user ID and set type of access to READ (or a higher permission). Then do the same for LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib, but this time check the "Replace permissions on all sub-keys" box.

      • SecurityProviders contains data regarding system security. It has one sub-key SCHANNEL, which includes the sub-keys CertificationAuthorities, Ciphers, Hashes, KeyExchangeAlgorithms and Protocols. Any of these that are in use on your system will contain further sub-keys. For example, under CertificationAuthorities you will find a sub-key for each authority you use, such as AT&T Certificate Services. Each of these sub-keys will have three value entries:
        • CACert, BINARY, containing a certification code.
        • Enabled, value 0x1 if the authority is enabled.
        • Type, (I have never found a definition for this value entry).
      • ServiceGroupOrder contains sub-keys which each have three value entries which define the order in which groups of services are loaded on startup. See GroupOrderList above. If Start is 0, the system will load the driver, but not initialize it till the kernel has started. If Type is 0x1, the driver will be started as part of loading the kernel. The List, MULTI_SZ, value indicates the sequence to load the drivers. The default order is: SCSI miniport, port, Primary disk, SCSI class, SCSI CDROM, class filter, boot file system, Base, Keyboard Port, Pointer Port, Keyboard Class, Pointer Class, Video, file system, Event log, Streams Drivers, NDIS, TDI, NetBIOSGroup, NetDDEGroup, extended base, network.
      • ServiceProvider: contains two sub-keys. Order defines the sequence in which existing providers will be used, and lists any providers to be excluded. ServiceTypes contains sub-keys defining the types of service providers available, such as Microsoft Internet Information Server. Value entries under these last sub-keys contain data defining the provider, such as the TCP port.
      • Services: each service contains:
        • ErrorControl: if the driver can't be loaded or started, 0x00 to ignore the problem and display no error, 0x01 to produce a warning but let bootup continue, 0x02 to switch to last known good config and continue with it, 0x03 to record the current startup as a failure and run diagnostic if it is the last known good config.
        • Start: 0x00 to kernel load this driver as it is needed to use the boot volume device, 0x01 to load by the I/O subsystem, 0x02 toAutoload (always load and run), 0x03 if the service must be manually started by the user, 0x04 if the service is disabled and should not be started
        • Type: 0x01 kernel-mode device driver, 0x02 kernel-mode device driver that implements the file system, 0x04 information used by the Network Adapter, 0x10 a Win32 service that should be run as a stand-alone process, 0x20 a Win32 service that can share address space with other services of the same type
        • Browser\Parameters
          • IsDomainMaster: sets the machine to be the preferred master browser on a network
          • MaintainServerList: No for the computer to be a non-browser, Yes for the computer to be a master or backup browser, Auto to be a master, backup or potential depending on the number of browser currently in action
        • Cdrom
          • Autorun: 0x1 to enable, 0x0 to disable autorun of CD's for all users
        • EventLog: contains a subkey for each system log with value File set to the log location. RestrictGuestAccess under each can be set to 1 to prevent Guest and Anonymous users from accessing log files. (Restrict access to the EventLog key itself otherwise anyone can delete this restriction.)
        • ftpsvc\Parameters
          • MsdosDirOutput: 0 to force FTP service to use Unix (Netscape) naming rather than NT (IE) naming
        • Hidden: if 1 hides the machine from network browsers (you can still connect to it)
        • LanmanServer\Parameters
          • AutoShareWks: if present with a value zero disables the creation of default administrators shares
          • OptionalNames: alternative (extra) NetBIOS names for the machines (useful for migration)
          • Users: the maximum number of users that can be logged in at one time (max 10 for Workstation)
          • Value: the description of the machine that is displayed in Network Neighborhood
        • NdisWanx\Parameters\Tcpip (where x is the profile number)
          • MTU: By default, NT uses a Maximum Transmission Unit (packet size) over the path to a remote host of 576. Throughput will be reduced if the data is sent over routes that cannot handle data of this size and the packets get fragmented. It will also be reduced if the MTU is smaller than the route can handle. If your Internet throughput is substantially lower than it should be (based on your modem speed), try setting this parameter.
        • Netlogon\Parameters: PDC/BDC Synchronization
          • ChangeLogSize: Default size for the Change Log. By default 64KB with a maximum of 4MB
          • Pulse: the gap in seconds between replication from the PDC to the BDC's. The lowest value is 60, and the max is 3600 (1 hour). The default is 300 (5 minutes). You may want to increase this time if the BDC's are over a slow WAN link.
          • PulseConcurrency: The number of BDC's that the PDC sends pulses to concurrently. By default this is 10.
          • PulseMaximum: The PDC performs a check that the BDC's are still there every so often. This is in seconds, minimum 60, maximum 86,400.
          • Randomize: The number of seconds a BDC waits after an announcement before answering. 1 by default.
          • ReplicationGovernor: This is a percentage of the 128K blocks that are sent. If you had a slow link you may not want the PDC sending 128K blocks so you could change this to 25, meaning only 32K would be sent at a time so they are sent more frequently
          • Update: Setting this to Yes will cause everything to be replicated even if there is no change. This needs to be set on the import server.
        • Parallel\Start: this should be 2 for most systems; if it is 0 you may get "System could not find the file" when trying to use a parallel port
        • Parport and ParVdm: services needed for parallel printing
        • Pnpisa: if you use the (unsupported) PlugandPlay driver (pnpisa.inf on your NT CD), it will put a lot of entries here. If you replace a non-pnp card by a pnp one, delete the subkey for the card here so NT will ask you next boot about installing it.
        • RasMan
          • Parameters
            • DisableSavePassword: prevents users from saving account passwords
            • Logging: if 1, each dial-up session will be appended to the file %systemroot%/system32/RAS/device.log (useful for debugging scripts)
            • NumberOfRings: the number of rings the RAS Server waits before answering the phone (1-20).
          • PPP\COMPCP
            • ForceStrongEncryption: 1 to force 128-bit encryption (NT 4.0 SP3 or later), 0 to use 40-bit
        • RemoteAccess\Parameters
          • AuthenticateRetries: 0-10 default 2
          • AuthenticateTime: after this time has elapsed it will count as a logon failure. 20 to 600 seconds
        • Replicator\Parameters
          • GuardTime: Sets the amount of time the export folder must have had no changes before files are replicated, default 5 minutes.
          • Interval: How often an export server looks for changes in the replicator folders, default 2 minutes
          • Pulse: Number of times the import computer repeats the change notice after the initial announcement, default twice.
        • Schedule\UseOldParsing: 1 to use NT 3.x AT parsing
        • Tcpip\Parameters: The auto-tuning of NT results in close to optimum throughput under most conditions, so these should not appear unless there is an unusual TCP/IP route in your vicinity. Many others used by servers and routers are described in Q120642
          • DefaultTTL: the number of seconds+hops allowed to reach another system on the network. NT 4 defaults to 128, which is usually adequate - increase it if known-good remote sites frequently cannot be reached.
          • EnablePMTUBHDetect:Some routers do not return ICMP Destination Unreachable messages when they fragment an IP datagram with the Don't Fragment bit set. TCP depends on these messages to perform Path MTU Discovery. With this option set to 1, TCP will try sending segments without the Don't Fragment bit set if several transmissions of a segment go unacknowledged. Setting this option increases the maximum number of retransmissions performed for a given segment, and therefore may decrease overall throughput.
          • EnablePMTUDiscovery: if 1 tells NT to determine and use the maximum MTU of all connections that are not on the local subnet to minimize fragmentation slowdown.
          • NameServer: entries for all DNS servers
          • TcpRecvSegmentSize: the largest segment of TCP data that the Winsock is prepared to receive on a particular connection. If this is too low, it will increase segment overhead, too high will lead to large packets that will tend to fragment in transit where other networks may have small MTU's.
          • TcpWindowSize: determines how much data the receiving computer is prepared to receive. A high value will result in greater data loss if the packet is lost or damaged in transit, a low value will increase packet overhead.
      • Sermouse\Parameters\OverrideHardwareBitstring: set to 1 to force NT to use COM1 for your mouse, 2 for COM2 (Q102990)
      • Session Manager: contains global variables. Note that you may have another sub-key called SessionManager (no space between the words). Leave this one alone and just work in the one with the space.
        • ProtectionMode Value A value of 1 here sets security on base system objects to C2 level. (Appendix D of the Windows NT Resource Kit Version 4.0 Update Guide details the impact of this setting.)
        • AppPatches: This contains sub-keys containing value entries which document patches that have been applied to various applications.
        • DOS Devices: These are links that Windows NT creates at startup. You shouldn't change these.
        • Environment: Paths to various subsystems such as OS2. The value entry Path refers to Windows NT logon, and Windir points to the Windows NT folder. If you get either of these wrong, you may have to re-install Windows NT. However, if the type of Path is not EXPAND_SZ, %SystemRoot% will not be expanded when you use it in a command - deletion and recreation of this value with expand type seems to be the only way to fix this problem.
        • Executive: These value entries are for advanced system tuning such as creating additional process threads. (A thread is an agent of a process, which runs program code. A process can have several threads, so several sections of program code can be executing concurrently.) Unless you have a thorough understanding of Windows NT, leave these alone.
        • FileRenameOperations: System files that are locked cannot be changed while Windows NT is running. However, there are ways to copy, move or rename them. When this is done, the change is not completed till the system is rebooted. The value entries at this location are used to complete the change when you reboot. There is nothing here that you will ever need to change manually.
        • GlobalFlag. If you have applications that can run under both OS2 and MS_DOS, they will run under OS2 if GlobalFlag is set to the default 0x21100000 or under MS-DOS if you change the value to 0x20100000. Many applications written for OS/2 run faster under a Virtual DOS Machine (VDM) because NT allocates more resources to a VDM than to the OS/2 subsystem.
        • KnownDLLs: Dynamic Link Libraries (DLLs) are essentially subroutines that applications use during execution. The DLLs listed here are loaded into memory during startup, and stay there. It's not worth the danger of removing any of them.
        • MemoryManagement: This is the most likely area to need tuning. Most of the value entries are maintained from Control Panel System Virtual Memory, but there are a couple you may tweak manually.
          • ClearPageFileAtShutdown: When this is set to a Value Type of and a value of 1, all data in the paging file will be cleared upon system shutdown (C2 security).
          • DisablePagingExecutive: When set to zero (default), this allows Windows NT to page the kernel pools to the paging file; set it to one, and the kernel pool will stay in memory. If you have a huge amount of unused memory, or if your paging disk is unusually slow, this might be of value. It also may slow your system to a crawl, so if you are going to try changing this, pick a time when your system can be out of production for a while.
          • IoPageLockLimit: This value is the maximum bytes of memory that can be locked for I/O operations. A value of 0 defaults to 512KB. If your system is fairly I/O intensive, you may benefit from raising this value which can increase the effective rate at which data is read from or written to the hard disks. I recommend you do not set this value beyond the number of MB of RAM times 128. That is, if you have 16 MB RAM, do not set IoPageLockLimit over 2048; for 32 MB RAM, do not exceed 4096, and so on. First, benchmark your common tasks. See how long it takes to load and save large files, how long it takes to search a database or run a common program; just do your normal tasks, timing them to record how fast they are. Then run the same benchmark after any change to ensure you pick the best value for your system.
          • LargeSystemCache: 0 tells the system to favor the processes working set, non-zero means to favor the system-cache working set. For most systems, your applications will run faster if this value is set to zero; if it is non-zero, your paging file may be over-active. (If you have a noisy hard drive, check to see if LargeSystemCache is non-zero). Servers may benefit from setting it to one.
          • PagedPoolQuota, PagedPoolSize: Also Min, Max, and others, and all of these for NonPagedPool. Pool is all of the system memory, Paged means it can be paged, or written, to the disk, NonPaged means it can't be written to the disk. The values in the Registry are normally zero, which tells Windows NT to calculate default values based on the amount of RAM on your computer. You should leave these alone because changing these values can cause Windows NT to miscalculate other resource allocations, and incorrect values can cause Windows NT to malfunction and possibly even cause file system corruption. A professional who knows what side-effects will occur may benefit from reducing the pool allocations (setting values larger than the defaults will have no effect), but I'm sure that very few people outside Microsoft know enough to safely tinker with this (Q126402). The error "Not enough server storage is available to process this command" usually results from adding a system component and not re-applying the current service pack after, but setting PagedPoolSize to non-zero can also do it.
          • PagingFiles: Data about existing paging files (location and sizes) is stored here. You should use Control Panel\System\Performance to adjust your paging files, but this value can be handy if you get in trouble. For example, if your paging file is smaller than your physical memory or your system partition does not have enough free space to record a crash dump file, then if you get a bug check (the blue screen crash), your system may go into a continuous series of reboots (Q174630).
          • SecondLevelDataCache: This is the amount of L2 cache Windows NT will use. It defaults to 0, which is the correct value for 256KB of L2 cache. If it is set to 0, but you have more than 256KB cache, you should change it e.g. to 512 for 512KB of cache. This will give you a significant performance increase if you have more than 32 MB RAM.
          • SystemPages: Here you specify the number of page table entries available. The default is almost always sufficient, but if you install a PCI card with a very large amount of on-board memory (like a very sophisticated video card), and you cannot access all of the card's memory, this is probably where the solution will be. Contact the card's manufacturer for the correct value to enter.
          • RegistrySizeLimit: default 8MB, 25% of PagedPoolSize (PagedPoolSize is located at CurrentControlSet\Control\SessionManager\MemoryManagement). This is the amount of memory that can be used for Registry data. It can range from 4 MB up to 80 percent of PagedPoolSize. The value is entered as the number of bytes, not the number of MB. If you increase PagedPoolSize, this value will also increase. A value of 0xFFFFFFFF sets RegistrySizeLimit to 80% of PagedPoolSize.
        • SubSystems: These are paths for starting various subsystems. Delete the OS2 entry (files OS2SS.EXE, OS2DLL.DLL, OS2.EXE, OS2SRV.EXE) and Posix (Unix) entry (files PSXSS.EXE, PSXDLL.DLL, POSIX.EXE) from Optional if you know that you will never run OS2 or Unix-type apps, to reduce overhead a bit.
      • Setup contains information used by Windows NT Setup. It has three value entries whose x86-based computer defaults are
        • keyboard, SZ, default STANDARD
        • pointer, SZ, default msser
        • video, SZ, default VGA
      • TimeZoneInformation has eight value entries, maintained through Control Panel Date and Time.
      • Update
        • UpdateMode: if your Windows NT system was installed over an earlier version of Windows, this will have a value 0x1
        • UpdateMode: By default, when you add a new folder in Explorer, you have to refresh Explorer either by restarting it or pressing F5 in order for the new folder to show up in all the places it's supposed to. If this value is 0, Explorer will automatically update immediately on creation of a new folder. (This will slow down operations on large directories.)
      • WebPost, through its sub-key Providers, lists codes for available Internet Service Providers (ISPs).
      • WOW: Window On Windows, the 16-bit Windows subsystem)
        • DefaultSeparateVDM: (Virtual Dos Machine) default no, set to yes to make all 16bit apps start in a separate memory space. This prevents one 16bit application from compromising the whole 16bit subsystem.
    • Enum: Apparently just a Windows 95 leftover. If you load a Windows 95 application, it may create this key, even though Windows NT does not use it.
    • Hardware Profiles contains five entries, 001 through 004 and Current, which correspond to ControlSets. These contain data defining hardware that is run by drivers listed in Services. These are also maintained entirely from Control Panel.
    • Services contains data on drivers and on their associated hardware, maintained from Control Panel, using the Devices, Network, Services and UPS icons. I have never come across a need to make changes manually, except deleting keys while manually uninstalling an application when Add/Remove Programs fails. Each Services subkey is the actual name of a service, which is defined under LOCAL_MACHINE\SOFTWARE. Each Services sub-key can have any or all of these values and sub-keys:
      • Group, default: null. The name of the group this service belongs to, if any.
      • DependOnGroup, default: null. If any group is listed, then at least one service from each listed group must be loaded before this service may be loaded.
      • DependOnService, default: null. If any service is listed, then that service must be loaded before this service may be loaded.
      • Tag: This is used to determine the order in its group in which this service will be loaded, but it's not the sequence (1 does not mean it's the first to load). A value entry in CurrentControlSet\Control\GroupOrderList, whose value name is the name of the group, will list the tags. The sequence in which the tags are listed is the sequence in which the services will be loaded.
      • ImagePath: This is the path and filename for this driver or service (if this is an adapter, ImagePath is ignored). If this is a driver, the default is %systemroot%\system32\drivers\(key).SYS; if this is a service, the default is %systemroot%\system32\(key).EXE. In these examples,(key) is the name of this sub-key.
      • ObjectName: If the value entry Type (listed below) is 0x1 or 0x2, this is the Windows NT driver object name which I/O Manager will use to load the device driver. If Type is 0x20, this is the name of the account this service will log on to when it runs.
      • Start, default 0x0. This is the starting value for this service, that is, when the service is to be loaded on startup. There are five possible values: 0x0 (Boot) = loaded by the Kernel loader at boot. 0x1 (System) = loaded by the I/O subsystem at Kernel initialization. 0x2 (Auto load) = loaded by the Service Control Manager automatically for all startups. 0x3 (Load on demand) = loaded by the Service Control Manager, but not started till the user starts it. 0x4 (Disabled) = loaded by the Service Control Manager, but never started. If the value of Type (below) is 0x20, then Start must be 0x2, 0x3 or 0x4. If this is an adapter, Start is ignored.
      • Type, default 0x0. This is the type of service. Among the possible values, Microsoft lists: 0x1 - a Kernel device driver, 0x2 - a file system driver, which is also a Kernel device driver, 0x4 - a set of arguments for an adapter, 0x10 - aWin32 program that can be started by the Service Controller and that obeys the service control protocol (this type of Win32 service runs in a process by itself), 0x20 - a Win32 service that can share a process with other Win32 services. Other values are possible. They are all used in determining the sequence in which drivers are loaded. When you boot up, the Boot Loader locates drivers with Start=0x0 and Type=0x1, then loads these drivers using the CurrentControlSet\Control\GroupOrderList value.
      • Linkage: Contains value entries whose data is used for binding network components. There may be a sub-key Disabled; if the binding is disabled, the value entries will appear here. There are three value entries, which are multi-string values, each with the same number of components. The first components in each value form a set, the second components form a second set, and so on.
        • Bind: the names of Windows NT objects which the service creates.
        • Export: the names that are used to access the objects.
        • Route: the binding protocol paths which the binding represents.
        • Parameters: contains value entries for configuring the service.
        • Security: security information relating to the service. It is in binary format, and must not be changed, or the service may become unusable. Each Services sub-key whose name is the names of a service will have the value:
          • ErrorControl, default 0x0. This defines what the system is to do if the driver for this service fails to load or initialize on startup. There are four possible values: 0x0 (Ignore) - Proceed with the startup without displaying any warning; 0x1 (Normal) - Proceed with the startup, but display a warning; 0x2 (Severe) -- Switch to the LastKnownGood control set and proceed with the startup; 0x3 (Critical) -- If the LastKnownGood control set is not being used, switch to LastKnownGood and fail. If the LastKnownGood control set is being used, run a bug-check routine and fail.
      • Disk: If the Windows NT Disk Administrator program has not been run, then you won't find this key. Information generated by Disk Administrator is stored here. Don't change anything; Disk Administrator will just overwrite it anyway.
    • Setup This key lists the system partition, the setup status, and other information about the setup process for the system. Again, it's not something you should modify.
    • Select contains the value entries Current, Default, Failed and LastKnownGood. Their values are the corresponding numbered sets. For example, you will probably see Current and Default as 0x1. This means ControlSet001 is the default set and is the set currently in use. 0x2 refers to ControlSet002, and so on. If you have never had a failed boot, Failed will be 0. While you can manually set LastKnownGood to any existing Control Set, this is not recommended because if you make a mistake in this setting, you won't be able to select an alternate boot. If your default boot then fails, you'll have to do an emergency repair and may have to re-install Windows NT. It's best to let Windows NT handle this default.

CURRENT_CONFIG points to LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

CLASSES_ROOT points to LOCAL_MACHINE\SOFTWARE\Classes.

USERS contains the user profiles of all users currently loaded on the system, and of the default user. File names: default, default.sav and default.log This is almost entirely Control Panel data. Basically, these define how Windows NT looks and runs when you are logged in. Each user has a separate tree of entries, so each of the following has to be set for each existing user. Each new user will pick up the default entry to start with.

• AppEvents: actions to result from application program events e.g. sounds (Control Panel)
  • EventLabels: subkeys which are Windows events such as minimizing or maximizing windows. These are the events which you can assign commands to in the Control Panel Sounds window. Each sub-key has a REG_SZ value entry whose value is the label of that event. For example, the sub-key MailBeep has the label "New Mail Notification".
  • Schemes: contains two sub-keys, Apps and Names. Under Apps will be the sub-key .Default, plus sub-keys for specific applications such as Explorer and Office97. Under .Default will be a series of sub-keys corresponding to those under EventLabels. These sub-keys do not have value entries; instead, they have further sub-keys for each sound scheme that has been defined in Control Panel Sounds, plus .current. It is under these sub-keys that you find a REG_SZ value entry whose value is the name of the sound file associated with the event. The other Apps sub-keys for specific applications hold sub-keys for application-specific events, and have the same structure as the sub-keys under Apps\.Default. Schemes\Names has the same sub-keys as you find under any Schemes\Apps.Default sub-key. They contain the actual names of the various Sounds schemes.
• Console: an emulation of MS-DOS functionality, allowing you to run MS-DOS programs and issue DOS level commands. It can be quite useful in troubleshooting a system. The sub-keys of Console define the console screen, font, layout, colors, etc. The values are controlled through Control Panel Console. Instructions on what you can change and how to do it can be found in Help by clicking the Index tab and typing "command prompt windows". Then click Display and select the subject you want.
• Control Panel: mostly best set from Control Panel
  • Desktop
    • Coolswitch: 1 to enable Alt-Tab, 0 to disable
    • CoolSwitchColumns, CoolSwitchRows: format the Alt-Tab display
    • NoStartBanner: 01 00 00 00 to omit the animated "Click here to begin" on the taskbar
    • ScreenSaveTimeOut: the time until SCRNSAVE.EXE starts, default 900 seconds (15 minutes).
    • SCRNSAVE.EXE: When you start Windows NT, a Begin Logon dialog box is displayed prompting you to press CTRL+ALT+DEL to log on. If you do not press a key for ScreenSaveTimeOut seconds, this screensaver starts. default Logon.scr
    • AutoEndTasks: default 0. If you have apps that have to be manually shut down on logoff, set this to 1 to do it automatically.
    • WaitToKillAppTimeout: default 20,000 milliseconds. If you log on and off frequently, reduce this. The minimum safe value will depend on your system speed and how many tasks are spawned by your most prolific app, so do it step by step and watch for app problems on relogin.
    • Wallpaper: The Default User value is the bitmap displayed by the Winlogon program before login. (Default) gives you %systemroot%winnt256.bmp; deleting the key gives a plain deep blue screen. The value can be set to the path and filename of a personal bitmap file which, presumably, you will design to fit around the BeginLogon and LogonInformation windows that Winlogon insists on putting on top of it, or move it off center using
    • WallpaperOriginX, WallpaperOriginY: the origin of the top left corner of Wallpaper on the screen.
    • WindowMetrics
      • Shell Icon Size: the size of large icons on the desktop (default 16)
      • Shell Icon BPP: bits/pixel of icons, 4 for 16 colours, 8 for 256, 16 for 65536, 24 for 16 miillion and 32 for true colour. If your icons redraw frequently, it will happen less with a lower IconBPP.
      • Shell Small Icon Size: the size of small icons on the desktop (default 16)
• Environment: the equivalents to the DOS Set commands (Control Panel Environment). You should have at least the definitions for Temp and Tmp, associating them with the Temp folder.
• International: contains individual settings for things like time format that are normally selected en bloc by ControlPanel Country
  • iTime: 0 for 12-hour time, 1 for 24-hour
  • TimeFormat: default HH:mm, can be changed to HHmm.
• Keyboard\InitialKeyboardIndicators: 2 to enable NumLock on Logon, 0 to have it off
• Keyboard Layout: There are two subkeys here, Preload and Substitutes, whose value entries contain codes for the keyboard layouts defined for the current user. The keyboard codes are defined in subkeys under LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts. This is maintained through Control Panel Keyboard.
• Network: If you are connected to a network, you will have this sub-key. The sub-keys of Network specify the shared directories and devices to which File Manager will connect your system when you log on. Each key will have some or all of the value entries ConnectionType, ProviderName, ProviderType, RemotePath and UserName.
• Printers: sub-keys Connections, DevModes2 and Settings store the data you enter in Control Panel Printers.
• Software\Microsoft
  • Command Processor
    • CompletionChar: set to the value (e.g. 9 for Tab) of a character to automatically complete file names on the command line
  • Notepad: set fWrap to 1 to default Notepad to wrap text
  • Windows\CurrentVersion
    • Policies\Explorer
      • AltColor: the colour used to display compressed directories/files. The colour value is in hex, the 2nd 2-digit number is for Red, the 3rd for Green, the 4th for blue.
      • NoCommonGroups: if 0 prevents common groups from being displayed on the Start Menu
      • NoDrives: The lower 26 bits of the 32-bit word correspond to drive letters A through Z. Drives are visible when set to 0 and hidden when set to 1 e.g. a bitmask of 00000000000000000000000100 hides drive C: in Windows Explorer, under the My Computer icon, and in the File Open\Save dialog boxes of 32bit Windows applications. File Manager and the Windows NT command prompt are not affected by this setting.
      • NoNetHood: 1 to hide the Network Neighbourhood icon
      • NoTrayContextMenu: 1 to disable the display of the context menu (right-click Start)
      • NoViewContextMenu: disable the right mouse button menu
      • RunMRU: contains the Run history of the user
    • Run: The place to start programs at each logon of an individual user (cf.Q170086). If a single user has problems with NT Explorer start-up errors, check for a null program entry here or the matching area in Windows NT\Current Version.
  • Protected Storage System Provider\<SID>: the permission on this key determines who can access the user's profile
  • Windows NT\CurrentVersion\Windows\Device: the default printer for the user
  • System: these are normally set with the Policy Editor on servers, but Workstation doesn't have one. By default any user can change these keys back to what they want, so access to the key has to be limited if they are used.
    • DisableTaskManager: 1 to prevent this user from accessing Task Manager. (To stop all users, change the permission on taskmgr.exe)
    • MinAnimate: 1 for default window expansion animation, 0 to stop it
    • NoDispAppearancePage: 1 prevents users from changing their colours or colour scheme
    • NoDispBackgroundPage: 1 prevents users from changing their desktop background
    • NoDispCPL: 1 disables display of the ControlPanel applet
    • NoDispScrSavPage: 1 prevents users from changing the screen saver
    • NoDispSettingsPage: 1 prevents users from changing Plus settings
  • Winlogon\RunLogonScriptSync: 0 allows the shell start before the logon script finishes, 1 to wait until logon script completion
• UNICODE Program Groups: The sub-keys here contain data regarding program groups such as you see on clicking the Start button. The data is all in binary format, so there is nothing worth viewing.

CURRENT_USER - Points to the USERS entry of the user who is currently active. File names: ntuser.dat and ntuser.dat.log

  .