Registry Fun (Working With Hive Files)

Sometimes it is necessary to export/import data from or into the registry for some sort of additional processing. To this end, often regedit is used to create .REG files, which store a human-readable text interpretation of the registry content. .REG files can be edited easily with any capable text editor (even Notepad), and thus are a common way of making a collection of settings available to others. By the way, importing a .REG file's data silently is done with the following command:

regedit /s "path to .reg file"

 Interestingly, the .REG format is an internal format of the registry editor Regedit.exe, only. There is no API for creating or manipulating .REG files. Since no API is available, programmatically working with .REG files is a tedious business. I wonder how many different parsers have been created by countless programmers over the years, reinventing the wheel time and again.

From Text to Binary

Sometimes text-based .REG files just will not do, for example when the permissions on the keys must not be lost. Internally, Windows does not use the .REG format, but stores registry data as binary hive files that can be memory-mapped without any further interpretation. One could say that the binary registry hive format is a dump of the corresponding areas of the system's memory. Loading hive files is very fast, since no parsing is involved. Typically, the extension .DAT is used for registry hive files.

How to Create .DAT files?

If you want to store existing registry content in .DAT format, you have several options. If you are a programmer, you can use the API functions RegSaveKey and RegSaveKeyEx. The latter allows to specify whether to compress the resulting file (which you should). GUI folks open regedit.exe, select the key in question, right-click on it and select "Export". Choose as type "Registry Hive Files (*.*)" and type in any file name. Command line addicts use reg.exe, a powerful but sometimes a little unwieldy registry manipulation tool:

reg save "reg path" "file path" /y [/c] Example: reg save HKLM\Software "C:\data\software.dat" /y [/c]

Please note that in order to get a compressed file, on Vista and Server 2008 the hotfix KB973817 must be installed and the additional switch /c be used. All operations that directly or indirectly call the RegSaveKex(Ex) API functions require the privilege SE_BACKUP_NAME.

What to do with .DAT files?

There is not much you can do with registry hive files except import them back into the registry. Though import is not the correct word - "mount" describes the process better. Hives can be mounted into the registry namespace just as file system volumes can be mounted to any empty directory. But the similarity ends here. Hives can only be mounted directly below the logical root hives HKEY_LOCAL_MACHINE (HKLM) or HKEY_USERS (HKU). The name of the key they are mounted to can be chosen freely. To better understand the concept, open Regedit.exe and navigate to HKEY_USERS. Directly below you will see several strangely named keys (whose names are security IDs, SIDs, of the user accounts they belong to) like the following:

.DEFAULT S-1-5-18 S-1-5-19 S-1-5-20 S-1-5-21-2025118679-1377921522-3515844152-1000 S-1-5-21-2025118679-1377921522-3515844152-1000_Classes

Each of these keys represents the root of a hive. If you want to know which hive file is mounted where in the registry namespace, check out the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist which contains a list of the mappings. The following is an example from my Windows 7 machine:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist] "\\REGISTRY\\MACHINE\\HARDWARE"="" "\\REGISTRY\\MACHINE\\SYSTEM"="\\Device\\HarddiskVolume3\\Windows\\System32\\config\\SYSTEM" "\\REGISTRY\\MACHINE\\SOFTWARE"="\\Device\\HarddiskVolume3\\Windows\\System32\\config\\SOFTWARE" "\\REGISTRY\\USER\\.DEFAULT"="\\Device\\HarddiskVolume3\\Windows\\System32\\config\\DEFAULT" "\\REGISTRY\\MACHINE\\SECURITY"="\\Device\\HarddiskVolume3\\Windows\\System32\\config\\SECURITY" "\\REGISTRY\\MACHINE\\SAM"="\\Device\\HarddiskVolume3\\Windows\\System32\\config\\SAM" "\\REGISTRY\\USER\\S-1-5-20"="\\Device\\HarddiskVolume3\\Windows\\ServiceProfiles\\NetworkService\\NTUSER.DAT" "\\REGISTRY\\USER\\S-1-5-19"="\\Device\\HarddiskVolume3\\Windows\\ServiceProfiles\\LocalService\\NTUSER.DAT" "\\Registry\\User\\S-1-5-21-2025118679-1377921522-3515844152-1000"="\\Device\\HarddiskVolume3\\Users\\hklein\\NTUSER.DAT" "\\Registry\\User\\S-1-5-21-2025118679-1377921522-3515844152-1000_Classes"="\\Device\\HarddiskVolume3\\Users\\hklein\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat" "\\REGISTRY\\MACHINE\\BCD00000000"="\\Device\\HarddiskVolume3\\Boot\\BCD"

You may have noticed that there is no entry for HKU\S-1-5-18. There is an interesting reason for that: although the local SYSTEM account does have a profile (located in %systemroot%\system32\config\systemprofile), its registry hive is not mounted. Instead, HKU\S-1-5-18 is a link to HKU\.Default, the hive storing settings of the logon desktop shown when logging on. So the hive HKU\.Default stores configuration information both for the SYSTEM profile and the logon desktop!

Mounting Hives

In the Windows registry terminology the mounting of hives is called "loading". The API function is named accordingly RegLoadKey. Similar to its complement used for unloading a loaded hive RegUnloadKey it requires special privileges, in this case both SE_RESTORE_NAME and SE_BACKUP_NAME. While RegLoadKey loads a hive file to a (non-existent) new key directly below HKLM or HKU, RegRestoreKey replaces the entire contents of an existing key with what is stored in the hive file. On the command line nearly all capabilities of the registry API are accessible through reg.exe.

Loading a hive to a new key:

reg load {HKLM|HKU}\Subkey "file path"


Unloading a hive (only then the hive file can be deleted):

reg unload {HKLM|HKU}\Subkey


Loading a hive to an existing key, overwriting its contents:

reg restore {HKLM|HKU}\Subkey "file path"


You might wonder about the difference between unloading and saving a hive. It is as follows: RegUnloadKey simply unmounts a mounted hive. RegSaveKey leaves the registry as it is, but stores the contents of a given key in a new hive file.