| Registry Tip #64: Files used to construct the registry |
Hits: Failed to execute CGI : Win32 Error Code = 3
|
| SubTree (RAM construct) | Hive (File) |
| HKEY_Local_Machine\SYSTEM | %systemroot%\system32\config\SYSTEM |
| HKEY_Local_Machine\SAM | %systemroot%\system32\config\SAM |
| HKEY_Local_Machine\SECURITY | %systemroot%\system32\config\SECURITY |
| HKEY_Local_Machine\SOFTWARE | %systemroot%\system32\config\SOFTWARE |
| HKEY_Local_Machine\HARDWARE | dynamically constructed at boot by NTDETECT |
| HKEY_USERS\.DEFAULT | %systemroot%\profiles\DefaultUser\ntuser.dat |
| HKEY_USERS\administratorsSID | %systemroot%\profiles\Administrator\ntuser.dat |
| HKEY_USERS\FirstUsersSID | %systemroot%\profiles\FirstUsersLogonID\ntuser.dat |
The files on the disk are called the HIVES. The corresponding registry memory constructs are also often called hives but are best referred to as subtrees. The trees are HKEY_LOCAL_MACHINE and HKEY_USERS. The subtrees are constructed from the hive files (except for the HARDWARE subtree which is generated by ntdetect.com during boot). After boot the hive files and matching subtrees are only logically insynch. When the SECURITY subtree was constructed by reading the SECURITY hive file, they were identical. Any change to a subtree is recorded in the subtree.log file. At any point the correct registry subtree can be constructed by reading the hive file and then applying the changes in the corresponding hive log file, for example, SECURITY and SECURITY.LOG files. The .ALT files are an additional copy of the .LOG file and is used to construct the subtree if the .LOG file is corrupt. The registry maintains a current mapping of which hive files were used to generate the subtree. This registry value is the definitive hive list. Its found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist.
For a detail description of the Registry Construction Steps