The Windows 9x Registry

Notes on the Windows 9x Registry

This page contains a few notes on the Windows Registry. For information concerning HKCR and Windows Explorer, see here.

Allowing Long Filenames

Long Filename support is controlled under

   Hkey_Local_Machine\System\CurrentControlSet\Control\FileSystem

Win31FileSystem = 0		Long filenames are enabled
Win31FileSystem = 1		Long filenames are disabled Also known as "the Windows 3.1 File System"

Reference: Windows 95 Annoyances - Windows 95 Keeps Deleting My Applications

Programs Run When Booting

When Windows 9x (2000, XP, NT4 ...) starts, it runs the programs identified in

   C:\CONFIG.SYS
   C:\AUTOEXEC.BAT
   c:\windows\system.ini
   c:\windows\win.ini
   HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

as well as those in the directories pointed to by

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
      Common Startup=C:\WINNT\Profiles\All Users\Start Menu\Programs\StartUp (NT)
      Common Startup=C:\WINNT\All Users\Start Menu\Programs\StartUp          (NT)
   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
      Startup=C:\WINDOWS\Start Menu\Programs\StartUp                (95)
      Startup=C:\WINNT\Profiles\userid\Start Menu\Programs\StartUp  (NT)

(If you rename HKLM\..\Common Startup, NT 4 just creates another one.)

Review C:\BOOTLOG.TXT to see those programs loaded via Config.sys and Autoexec.bat followed by the Windows operating system files. Those run via the registry entries and StartUp are not listed.

Not all of the registry keys will contain values. For instance, on one of my fairly plain systems, only HKLM/../Run includes any programs (4). The rest of the keys are either empty or missing. Some of the registry keys may not exist on your system. HKCU/../RunOnce, HKLM/../RunOnceEx, and HKLM/../RunServices are missing and the HKCU/../Run and HKLM/../RunServices key are empty. In general, the 4 RunOnce keys are empty since they are only used if it is necessary to re-boot the system when installing new software.

BTW, simply renaming the StartUp directory won't hide it from the Windows boot process. For more information, see here.

This Microsoft knowledge base article explains the purpose of each Run... key and indicates when it is executed. However, notice that RunOnceEx is not listed.

A list of the Programs (.exe) started during the boot process is available via Start / Programs / Accessories / System Tools / System Information / Software Environment / Startup Programs (assuming that your system has msinfo loaded).

msconfig

If you run msconfig.exe, then many programs are moved to other registry locations. This runs msconfig.exe.

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSConfig=C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto

These programs are controlled via msconfig.exe.

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig
    startupfolder
      This is a list of files in your Start\Programs\Startup directory
    startupreg
      key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Run msconfig.exe to disable these programs.

XP

I don't know why, but my Windows XP Pro system is missing the following keys

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

I suppose that a new method was introduced to run Services. Possibly, they are loaded via

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

The dll's located here are executed

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors

XP - Running a Virus in Windows Safe Mode

I recently had a parasite problem on my XP system where the parasite was still running when booting into Windows Safe mode!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  shell = Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  shell = Explorer.exe C:\WINDOWS\Any_Virus_You_Want.exe

What happens is that Explorer.exe is the program that displays the desktop (also known as the shell). Therefore, this key makes sense. However, Explorer can also take command line arguments (usually a directory path) that instruct the program to perform some action. In this case, the argument is a program and Explorer executes (runs/opens) it.

When Windows runs in Safe mode, the non-operating system drivers and programs specified in most other locations are not run. This hack gets around that problem and causes the virus to run.

Regedit Command Line Options

Most of the command line options are documented here (Win 3.1 /s /v), here (Dos Mode), and here on the Microsoft web site and in the Windows 95 Resource Kit (2.2M/2.9M). The basic syntax (from Windows 95 Registry/Registry Structure/Saving and Restoring the Registry) is

regedit [/L:system.dat] [/R:user.dat] file1.reg, file1a.reg...
regedit [/L:system.dat] [/R:user.dat] /e file3.reg [regkey]
regedit [/L:system.dat] [/R:user.dat] /c file2.reg

regedit /e c:\temp.txt "HKEY_CLASSES_ROOT\.txt": /e - Extract - Copy the indicated key, and all sub-keys, to the indicated text file. If the key is omitted, the entire registry is written. Ref
regedit c:\temp.txt: Import the registry info
regedit /c c:\temp.txt: This will create a new registry. The Ref say that this only works under a DOS boot.
Warning: Make appropriate backups (see below) before using.
regedit /r:c:\windows\user.dat /e c:\user.txt
regedit /l:c:\windows\system.dat /e c:\system.txt: This exports just user.dat or just system.dat Ref1, Ref2
regedit /r:c:\windows\user.dat /c c:\user.txt
regedit /l:c:\windows\system.dat /c c:\system.txt: This creates either a new user.dat or a new system.dat file and imports the indicated text file. Ref1, Ref2
regedit /?: When typed in MS DOS mode (i.e. Windows 95 is not running), this provides basic command line help.
regedit /v c:\temp.txt: Import the registry info and opens the GUI. Since /v seems to do nothing under Windows 95, it appears to be a Windows 3.1 option.
regedit /s c:\temp.txt: Silent mode - Import the registry info and don't show the dialog box that informs the user what has happened (requires 95 or NT). This is useful when executed from a bat file.

Backup the Registry

In order to make an exact backup of the registry,

Re-boot in MS DOS mode
Change to the windows directory where user.dat and system.dat exist

Backup the files with the following commands

      attrib -s -h -r *.dat
      copy user.dat user.sav
      copy system.dat system.sav
      attrib +s +h +r *.dat

In some cases, user.dat may be in another directory

Usually, I just make ASCII (text) backups by exporting the entire registry to a file. This can be done with either the GUI or from the command line.

Registry Scripts

Regini.exe (provided with the Windows NT Server Resource Kit) uses special script files to configure the registry. Ref

KiXtart 95, part of the Windows NT 4.0 Resource kit, allows you to use a Basic like language to read & modify the registry and to send key strokes to any open window. [1] [2] [3]

When importing .reg files, it is possible to delete keys. Simply edit the .reg file and place a minus sign in front of any key you want to delete. For instance

change  [HKEY_CLASSES_ROOT\jpegfile]
to     [-HKEY_CLASSES_ROOT\jpegfile]

Watch out - this could be very dangerous!

References

The Microsoft Windows 95 Resource Kit (2.2M to download / 2.9M uncompressed) contains a significant amount of information on the registry and on how to use regedit.
There are numerous technical articles at microsoft.com, including a description of each Run... key
The Windows Registry Guide contains lots of searchable information on the registry. However, be warned that there are at least 2 flashing advertisements per page and that most pages are too wide to view on a 640x480 monitor.
ZDNet provides RegEdit+ by Neil J. Rubenking. This utility is a RegEdit wrapper which keeps track of any changes you make, and provides a way to undo them. It also provides a Favorites list so that you can jump directly to a specific key. There is also an excellent write up explaining the various Delphi code techniques used to implement features.
Systems Internals provides Regmon v4.32 (a registry spy tool) that allows you to monitor what is happening.
The Windows 98 Registry - this web site does not provide a lot of information, but what is there is great, including links to utilities and a number of tips.
Serenity Macros provides numerous registry hacks and other information on customizing your system. Most of it is similar to what I provide on Windows Explorer. But some of it is new (to me anyway). For instance, to enable live scrolling in MS Word, create the following value

Author: Robert Clemenzi - clemenzi@cpcug.org