Windows Registry Explorer

CompTIA A+ Core 2 - Interactive Registry Training Tool

Windows Registry Structure

The Windows Registry is a hierarchical database that stores low-level settings for the operating system and applications. Understanding its structure is essential for A+ certification and real-world troubleshooting.

The Five Root Keys (Hives)

HKEY_LOCAL_MACHINE (HKLM)

Purpose: System-wide hardware and software settings

Scope: Affects all users

Common Uses: Hardware configuration, installed software, services, drivers

HKEY_CURRENT_USER (HKCU)

Purpose: Settings for the currently logged-in user

Scope: Current user only

Common Uses: User preferences, desktop settings, application configurations

HKEY_CLASSES_ROOT (HKCR)

Purpose: File associations and COM object registrations

Scope: All users

Common Uses: File extensions, default programs, OLE information

HKEY_USERS (HKU)

Purpose: Settings for all user profiles

Scope: All users (including default)

Common Uses: User-specific settings, SIDs, default user profile

HKEY_CURRENT_CONFIG (HKCC)

Purpose: Hardware profile information

Scope: Current hardware configuration

Common Uses: Display settings, printer configuration

Registry Value Types

REG_SZ (String Value)

Fixed-length text string. Most common type for simple text data.

Example: "C:\Program Files\Application"

REG_DWORD (32-bit Number)

32-bit number (0 to 4,294,967,295). Often used for boolean values (0 or 1) and counters.

Example: 0x00000001 (hexadecimal) or 1 (decimal)

REG_BINARY (Binary Data)

Raw binary data. Used for complex data structures.

Example: FF 2E 00 A1 C4 89

REG_MULTI_SZ (Multi-String)

Multiple text strings separated by null characters.

Example: "String1\0String2\0String3\0"

REG_EXPAND_SZ (Expandable String)

String that contains environment variable references.

Example: "%SystemRoot%\system32"

REG_QWORD (64-bit Number)

64-bit number for large values.

Example: 0x00000000FFFFFFFF
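To make the value types above concrete, here is an added example (not part of the training tool) that parses a constructed .reg export, the text format regedit's File > Export produces, and decodes each value according to its type: quoted text for REG_SZ, dword: for REG_DWORD, and hex, hex(2), hex(7) and hex(b) blobs for REG_BINARY, REG_EXPAND_SZ, REG_MULTI_SZ and REG_QWORD. The key path and values are made up for the sample.

```python
import re

# Constructed .reg export (not from a real system). regedit writes these files as UTF-16LE
# text with a BOM and wraps long hex lines with a trailing backslash; both are handled below.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\MyApp]
"InstallDir"="C:\\Program Files\\Application"
"Enabled"=dword:00000001
"Blob"=hex:ff,2e,00,a1,c4,89
"Paths"=hex(7):53,00,74,00,72,00,31,00,00,00,53,00,74,00,72,00,32,00,\
  00,00,00,00
"Root"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,00,00
"Big"=hex(b):ff,ff,ff,ff,00,00,00,00
'''
HEX_TYPES = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ", "b": "REG_QWORD"}
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def decode_value(data):
    """Return (registry type, Python value) for the right-hand side of a value line."""
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \\ and \" escaping
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)                  # written as 8 hex digits
    m = re.match(r"hex(?:\((?P<t>[0-9a-f]+)\))?:(?P<bytes>.*)$", data)
    if not m:
        raise ValueError(f"unsupported .reg data: {data}")
    raw = bytes.fromhex(m.group("bytes").replace(",", ""))
    kind = HEX_TYPES.get(m.group("t"), f"hex({m.group('t')})")
    if kind == "REG_EXPAND_SZ":                                # UTF-16LE, NUL-terminated
        return kind, raw.decode("utf-16-le").rstrip("\0")
    if kind == "REG_MULTI_SZ":                                 # NUL-separated, extra NUL ends the list
        return kind, [s for s in raw.decode("utf-16-le").split("\0") if s]
    if kind == "REG_QWORD":                                    # little-endian 8-byte integer
        return kind, int.from_bytes(raw, "little")
    return kind, raw

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type, value)}}; '@' default values are skipped."""
    text = re.sub(r"\\\r?\n\s*", "", text.lstrip("\ufeff"))   # join wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][re.sub(r"\\(.)", r"\1", m.group("name"))] = decode_value(m.group("data"))
    return keys
```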

Critical Registry Locations

Common Registry Paths (A+ Exam Focus)

  • Startup Programs: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • User Startup: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Installed Software: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • System Services: HKLM\SYSTEM\CurrentControlSet\Services
  • User Environment: HKCU\Environment
  • File Associations: HKCR\.<extension> (e.g. HKCR\.txt)

Registry Safety Rules

  • ALWAYS back up before editing - use File > Export in regedit
  • Incorrect changes can prevent Windows from booting
  • Only modify keys you fully understand
  • Double-check paths and values before saving
  • Test changes in a virtual machine when possible
  • Know how to access Safe Mode and System Restore

Virtual Registry Browser

Explore a simulated Windows Registry environment. Click on keys to learn their purpose and view typical values.

Startup Program Audit

Analyze startup entries from common registry locations. In real troubleshooting, malware often hides in startup keys.

Startup Registry Locations

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - All users, every boot
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce - All users, one time only
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Current user, every boot
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce - Current user, one time only

Simulated Startup Entries

Value Name | Location | Command/Path | Status
SecurityHealth | HKLM\...\Run | %windir%\system32\SecurityHealthSystray.exe | SAFE - Windows Defender
OneDriveSetup | HKCU\...\Run | C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup | SAFE - Microsoft OneDrive
AdobeAAMUpdater | HKLM\...\Run | "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" | SAFE - Adobe Updater
SystemCheck | HKCU\...\Run | C:\Users\Public\syscheck.exe | SUSPICIOUS - Unusual location
Windows_Update | HKLM\...\Run | %temp%\winupd.exe -silent | MALWARE - Windows Update doesn't run from Temp
Realtek HD Audio | HKLM\...\Run | "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s | SAFE - Audio driver
Discord | HKCU\...\Run | C:\Users\User\AppData\Local\Discord\Update.exe --processStart Discord.exe | CHECK - Verify if user installed
ChromeUpdate | HKLM\...\RunOnce | C:\Program Files\Google\Chrome\Application\chrome.exe --update | REVIEW - Chrome updates via services, not RunOnce

Red Flags to Watch For

  • Random characters: Values like "a8dj2k9d" or similar gibberish names
  • Temp folder execution: Programs running from %TEMP%, AppData\Temp, or C:\Temp
  • Misspelled system names: "svchost.exe" vs "scvhost.exe"
  • Hidden file extensions: "document.pdf.exe" masquerading as PDF
  • User profile public folders: C:\Users\Public is often used by malware
  • Multiple parameters with encoded data: Long base64 strings or obfuscation
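The red-flag checklist above as a small triage script, added here as an example and not part of the training tool. The Run-key entries, the environment-variable values and the list of system binary names are constructed or assumed, and the heuristics are starting points for a human review of each entry, not verdicts.

```python
import re
import shlex
from difflib import SequenceMatcher

# Constructed sample of Run-key values (name, location, command); not taken from a live system.
ENTRIES = [
    ("SecurityHealth", r"HKLM\...\Run", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("SystemCheck", r"HKCU\...\Run", r"C:\Users\Public\syscheck.exe"),
    ("Windows_Update", r"HKLM\...\Run", r"%temp%\winupd.exe -silent"),
    ("a8dj2k9d", r"HKCU\...\Run", r"C:\Users\User\AppData\Local\report.pdf.exe"),
    ("scvhost", r"HKCU\...\Run", r"C:\Users\User\AppData\Roaming\scvhost.exe"),
    ("Realtek HD Audio", r"HKLM\...\Run", r'"C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s'),
]
# Assumed environment-variable values so %var% expansion works offline.
ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows", "temp": r"C:\Users\User\AppData\Local\Temp"}
SYSTEM_EXES = ["svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"]

def expand(path):
    """Expand %VAR% references using the ENV table (unknown variables are left as-is)."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)

def red_flags(name, command):
    """Apply the red-flag checklist to one startup entry; returns the list of hits."""
    parts = shlex.split(command, posix=False)          # posix=False keeps backslashes intact
    exe = expand(parts[0].strip('"')).lower()
    base = exe.rsplit("\\", 1)[-1]
    flags = []
    if (re.fullmatch(r"[a-z0-9]{6,}", name.lower()) and sum(c.isdigit() for c in name) >= 2
            and sum(c in "aeiou" for c in name.lower()) / len(name) < 0.3):
        flags.append("random name")
    if "\\temp\\" in exe:
        flags.append("runs from Temp")
    if exe.startswith(r"c:\users\public"):
        flags.append("runs from C:\\Users\\Public")
    if re.search(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com|bat)$", base):
        flags.append("double extension")
    if base not in SYSTEM_EXES and any(SequenceMatcher(None, base, s).ratio() >= 0.85 for s in SYSTEM_EXES):
        flags.append("looks like a misspelled system binary")
    if any(len(a) >= 40 and re.fullmatch(r"[A-Za-z0-9+/=]+", a) for a in parts[1:]):
        flags.append("long encoded argument")
    return flags

def audit(entries):
    """Return {value_name: flags} for every entry that hit at least one red flag."""
    return {n: f for n, _location, c in entries if (f := red_flags(n, c))}

if __name__ == "__main__":
    for name, flags in audit(ENTRIES).items():
        print(f"{name}: {', '.join(flags)}")
```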

Registry Edit Simulator

Practice creating and modifying registry values in a safe, simulated environment. This helps prepare you for real-world registry editing without the risk.

Important: This is a simulation!

No actual registry changes are made. This is for learning purposes only. In production environments, always backup before making changes.

Common Registry Tasks

Registry Backup Best Practices

  • Before editing: File > Export in regedit, save entire branch
  • Naming convention: Use descriptive names with dates (e.g., "HKLM_Software_Backup_2024-01-15.reg")
  • System Restore Point: Create before major changes
  • Test in VM: When possible, test changes in a virtual machine first
  • Document changes: Keep notes on what you changed and why

Registry Tools & Commands

Regedit - Registry Editor GUI

regedit - Launch Registry Editor
  • Search: Edit > Find (Ctrl+F) - Search keys, values, and data
  • Export: File > Export - Backup registry branches
  • Import: File > Import - Restore from .reg files
  • Permissions: Right-click key > Permissions - Manage access control
  • New Value: Edit > New - Create string, DWORD, binary, etc.
  • Favorites: Add frequently accessed keys for quick access

REG Command - Command Line Registry Tool

REG QUERY "HKLM\Software\Microsoft\Windows\CurrentVersion" /s
Query and display registry values (recursive with /s)
REG ADD "HKCU\Software\MyApp" /v SettingName /t REG_SZ /d "Value" /f
Add or modify a registry value (/f = force overwrite)
REG DELETE "HKCU\Software\MyApp" /v SettingName /f
Delete a specific registry value
REG EXPORT "HKLM\Software\MyApp" C:\backup.reg
Export registry key to file
REG IMPORT C:\backup.reg
Import registry values from file
REG COMPARE "HKLM\Software\MyApp" "HKCU\Software\MyApp"
Compare two registry keys

REG Command Parameters

/v ValueName

Specifies the value name to operate on

/t DataType

REG_SZ, REG_DWORD, REG_BINARY, etc.

/d Data

The data to assign to the registry value

/f

Force overwrite without prompting

/s

Query all subkeys and values recursively

/e

Export only specified keys (not the entire hive)

PowerShell Registry Commands

Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion"
Read registry values using PowerShell
Set-ItemProperty -Path "HKCU:\Software\MyApp" -Name "Setting" -Value "Data"
Modify registry value with PowerShell
New-Item -Path "HKCU:\Software\MyNewKey"
Create new registry key
Remove-ItemProperty -Path "HKCU:\Software\MyApp" -Name "Setting"
Delete registry value

Remote Registry Access

For troubleshooting remote computers:

  • Enable Remote Registry service: services.msc > Remote Registry > Start
  • Connect in regedit: File > Connect Network Registry
  • Requirements: Admin credentials, network connectivity, firewall rules
  • PowerShell: Use -ComputerName parameter with Invoke-Command

A+ Exam Tips - Registry Commands

  • Know the difference between REG ADD /f (force) and prompting behavior
  • Understand /s flag for recursive queries
  • Export before import/delete operations
  • Registry paths in CMD use backslashes, PowerShell uses colon notation (HKLM:\)
  • .REG files are text-based and can be edited in Notepad
  • Regedit requires admin rights for HKLM changes

Registry Knowledge Quiz

Test your understanding of Windows Registry concepts for the CompTIA A+ Core 2 exam.