Windows Registry Files and Where to Find Them


Post by Tony » Mon Oct 05, 2009 3:46 am

To locate your Windows Registry files you will need to know which Windows platform you have. There are currently only two Windows platforms that all versions of Windows are built on. They are both named after the earliest version of each platform.

Windows XP, 2000, 2003 and Vista are all newer versions of the Windows NT platform. They all use the NT Kernel32.dll, although the Kernel32.dll has been updated / modified for each Windows operating system.

Windows 95, 98, 98 SE, and ME use the Windows 95 Kernel32.dll and are all part of the Windows 95 platform. Here again, the Kernel32.dll has been updated / modified for each new operating system.

The Registry files cannot be read from a DOS prompt, or the Recovery Console, or even a text editor in Windows. These files are databases, and only RegEdit, Regedit32 and the Kernel32 can read them. To read them in Windows enter RegEdit in the Run window at the Start button.

Windows 95 platform
In Windows 95, 98, and 98 SE there are only two Registry files, System.dat and User.dat. In Windows ME there are three Registry files, Classes.dat, System.dat and User.dat. The Registry files are located in your Windows folder (C:\Windows). The User.dat files for users not currently logged on are in the Windows\Profile\<username> folder. They all have Hidden, System, and Read Only attributes. In order to see them you will need to enable the Windows Explorer to view the hidden files.

Microsoft learned that if the Registry files get too large, Windows could not load them. So for Windows ME Microsoft cut System.dat into two files: Classes.dat and System.dat. This new file was added in order to allow the Registry to be greater than 11 megs. In Windows 98, Windows would report the inability to load a Registry file that is greater than 11 megs; in Windows 95 the limit is 8 megs.

The function of each file is different. System.dat stores all the information about software, hardware, security, default Windows settings, and how Windows will perform. User.dat stores all settings that each user selects; these settings will override settings stored in the System.dat file.

Classes.dat, used only on Windows ME, is the Registry Key HKEY_LOCAL_MACHINE\Software\Classes, which is the same Key previously stored on the earlier versions of Windows in the System.dat file.

Each file has a backup made by Windows. Windows 95 creates a backup, System.da0 (da zero) and User.da0, located in the Windows folder on each reboot that is not in Safe Mode. Windows 98, 98 SE, and ME create a backup of the Registry files once a day, using ScanregW.exe, if you reboot every day. Scanregw only backs up on a reboot, unless you manually start Scanregw and tell it to back up.

Scanregw backs up the Registry files to a cabinet file and stores them in the Windows\Sysbckup folder. It will store up to 5 different copies, RB000.cab to RB005.cab. And a corrupt Registry can go undetected for 5 days easily. This is why a good Registry backup tool is so important.

Windows also makes one backup copy of the Registry upon the installation of Windows and stores it in the root (C:\). It does not make a copy of the User.dat file. This copy of the Registry is named System.1st and if you have Windows ME you will also find Classes.1st there.

Windows NT platform
In Windows XP, 2000, and 2003 there are several Registry files. These files are named without a file extension and are stored in the Windows\System32\Config folder. These files are named Software, System, SAM, Security, Default, and UserDiff. There is one more Registry file and it does have a file extension, NTuser.dat. In Windows XP, 2000 and 2003, NTuser.dat is stored in the user's folder under the Documents and Settings folder. Each user has their own NTuser.dat file. The NTuser.dat file stores all settings that each user selects; these settings will override settings stored in the System file.

The function of each file is different. Security stores information about security. The SAM file stores information about the Security Accounts Manager service. Neither of these two files, Security and SAM, is viewable in RegEdit, unless you reset the permissions. System stores all the information about hardware. Software stores information about your software and how Windows will perform and the default Windows settings. The Default file stores all the default user settings; the NTuser.dat file overrides the default user settings. The UserDiff file stores information about the corresponding SubKeys in the HKEY_USERS Hive for each registered user.

Each of these Registry files has its own backup which is made during the Windows installation. They are never updated. They are located in the Windows\System32\Config folder, and have a file extension of sav. These files are created at the end of the text-based part of the Windows installation, before the graphic part begins. Installing these sav Registry files will reset Windows to the point of finishing the Windows installation. These files will only be updated if you perform a Windows repair by using the R option during a Windows reinstall.

There is also another set of Registry files saved to Windows\Repair. These are the same as the sav files, except they will never be updated. If you use these files you will reboot back into Windows to the point, "Windows is Now Setting Up" during a Windows installation. Your software settings and user settings are all gone. There are no users yet in these files.

On Windows XP, Windows also creates a current backup of the Registry each time System Restore creates a restore point. These Registry files are located in the System Restore Information folder on the same drive as Windows is installed. However, the System Restore only seems to work if the Registry is not damaged or corrupted. It just seems like it never works when you really need it.

For security reasons, the Kernel32.dll protects these files from being copied or altered without the use of the Kernel32.dll. You cannot manually make backups, and you cannot change some of the Keys' information.

To make a backup of the Registry you will need to use either a third party backup tool or Windows Backup. If you use the Windows Backup tool you need to make a System State backup to back up the Registry.
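
Added example, not part of the original post: a Python sketch that walks a Windows volume mounted offline (for example a disk image during incident response) and reports which of the Registry files named above are present and whether each starts with the expected file signature. The function names, the sample tree and the `alice` profile are constructed for illustration, and the signature values (`regf` for NT hives, `CREG` for Windows 95/98/ME files) are not taken from the post; per-user Windows 95 profile copies and the Windows\Repair set are not covered.

```python
import os
import tempfile

NT_CONFIG = ("Windows", "System32", "Config")  # paths as given in the post
NT_HIVES = ("Software", "System", "SAM", "Security", "Default", "UserDiff")
W9X_HIVES = ("System.dat", "User.dat", "Classes.dat")  # Classes.dat: ME only
# Signatures are an addition, not from the post: NT "regf", 9x/ME "CREG".
MAGIC = {"nt": b"regf", "9x": b"CREG"}

def resolve(root, *parts):
    """Case-insensitive lookup; a mounted image may not preserve name case."""
    path = root
    for part in parts:
        names = {n.lower(): n for n in os.listdir(path)} if os.path.isdir(path) else {}
        if part.lower() not in names:
            return None
        path = os.path.join(path, names[part.lower()])
    return path

def find_hives(root):
    """Return {path as named in the post: signature_ok} for each file found."""
    wanted = [("nt", NT_CONFIG + (h + s,)) for h in NT_HIVES for s in ("", ".sav")]
    wanted += [("9x", ("Windows", h)) for h in W9X_HIVES]
    users = resolve(root, "Documents and Settings")
    for user in sorted(os.listdir(users)) if users else []:
        wanted.append(("nt", ("Documents and Settings", user, "NTuser.dat")))
    found = {}
    for platform, parts in wanted:
        path = resolve(root, *parts)
        if path and os.path.isfile(path):
            with open(path, "rb") as fh:
                found["/".join(parts)] = fh.read(4) == MAGIC[platform]
    return found

def build_sample(root):
    """Constructed sample tree: odd-case names and one bad signature (SAM)."""
    good, bad = b"regf" + bytes(28), bytes(32)
    for rel, data in (("WINDOWS/system32/config/SOFTWARE", good),
                      ("WINDOWS/system32/config/SAM", bad),
                      ("WINDOWS/system32/config/system.sav", good),
                      ("Documents and Settings/alice/NTUSER.DAT", good)):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as image_root:
        build_sample(image_root)
        print(find_hives(image_root))
```

A `False` value marks a file that exists at the expected location but does not begin with the expected signature, which is worth checking before trusting that hive or restoring from it.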