Misplaced Pages

#590409

57-574: The user passwords are stored in a hashed format in a registry hive either as an LM hash or as an NTLM hash . This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM and SYSTEM privileges are required to view it. In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the SYSKEY function in Windows NT 4.0. When SYSKEY

114-470: A System.alt hive because NTLDR on those versions of Windows can process the System.log file to bring up to date a System hive that has become inconsistent during a shutdown or crash. In addition, the %SystemRoot%\Repair folder contains a copy of the system's registry hives that were created after installation and the first successful startup of Windows. Each registry data file has an associated file with

171-545: A roaming profile , then this file will be copied to and from a server at logout and login respectively. A second user-specific registry file named UsrClass.dat contains COM registry entries and does not roam by default. Windows NT systems store the registry in a binary file format which can be exported, loaded and unloaded by the Registry Editor in these operating systems. The following system registry files are stored in %SystemRoot%\System32\config\ : The following file

228-541: A ".log" extension that acts as a transaction log that is used to ensure that any interrupted updates can be completed upon next startup. Internally, Registry files are split into 4  kB "bins" that contain collections of "cells". The registry files are stored in the %WINDIR% directory under the names USER.DAT and SYSTEM.DAT with the addition of CLASSES.DAT in Windows ME. Also, each user profile (if profiles are enabled) has its own USER.DAT file which

285-487: A "key". The terms are a holdout from the 16-bit registry in Windows 3, in which registry keys could not contain arbitrary name/data pairs, but rather contained only one unnamed value (which had to be a string). In this sense, the Windows 3 registry was like a single associative array, in which the keys (in the sense of both 'registry key' and 'associative array key') formed a hierarchy, and the registry values were all strings. When

342-407: A backup of the registry be performed before the change. When a program is removed from control panel, it may not be completely removed and, in case of errors or glitches caused by references to missing programs, the user might have to manually check inside directories such as program files. After this, the user might need to manually remove any reference to the uninstalled program in the registry. This

399-436: A hierarchical database system with multiple hierarchies over the same data. The hierarchical data model lost traction as Codd 's relational model became the de facto standard used by virtually all mainstream database management systems. A relational-database implementation of a hierarchical model was first discussed in published form in 1992 (see also nested set model ). Hierarchical data organization schemes resurfaced with

456-413: A hierarchical database, the whole tree needs to be traversed starting from the root node. This model is recognized as the first database model created by IBM in the 1960s. When the relational database model emerged, one criticism of hierarchical database models was their close dependence on application-specific implementation. This limitation, along with the relational model's ease of use, contributed to

513-413: A number of machines or individual users based on policies. When a policy first takes effect for a machine or for an individual user of a machine, the registry settings specified as part of the policy are applied to the machine or user settings. Windows will also look for updated policies and apply them periodically, typically every 90 minutes. Hierarchical database A hierarchical database model

570-486: A numeric constant) defining how to parse this data. The standard types are: The keys at the root level of the hierarchical database are generally named by their Windows API definitions, which all begin "HKEY". They are frequently abbreviated to a three- or four-letter short name starting with "HK" (e.g. HKCU and HKLM). Technically, they are predefined handles (with known constant values) to specific keys that are either maintained in memory, or stored in hive files stored in

627-421: A password clearing or account recovering utility for individuals who have lost or forgotten their Windows account passwords, as well as a possible use as a malicious software security bypassing utility. Essentially granting a user with enough ability, experience, and familiarity with both the cracking utility software and the security routines of the Windows NT kernel (as well as offline and immediate local access to

SECTION 10

#1732902446591

684-412: A syntax similar to Windows' path names, using backslashes to indicate levels of hierarchy. Keys must have a case insensitive name without backslashes. The hierarchy of registry keys can only be accessed from a known root key handle (which is anonymous but whose effective value is a constant numeric handle) that is mapped to the content of a registry key preloaded by the kernel from a stored "hive", or to

741-475: A user-specific path rather than from a read-only system location, the registry allows multiple users to share the same machine, and also allows programs to work for less privileged users. Backup and restoration is also simplified as the registry can be accessed over a network connection for remote management/support, including from scripts, using the standard set of APIs , as long as the Remote Registry service

798-535: A value (and its data), the values to be removed must have a minus sign ("-") after the equal sign ("="). For example, to remove only the "Value A" and "Value B" values (and their data) from the HKLM\SOFTWARE\Foobar key: To remove only the Default value of the key HKLM\SOFTWARE\Foobar (and its data): Lines beginning with a semicolon are considered comments: Windows group policies can change registry keys for

855-475: Is IMS. Another example of the use of hierarchical databases is Windows Registry in the Microsoft Windows operating systems. An organization could store employee information in a table that contains attributes/columns such as employee number, first name, last name, and department number. The organization provides each employee with computer hardware as needed, but computer equipment may only be used by

912-490: Is a data model in which the data are organized into a tree -like structure. The data are stored as records which are connected to one another through links . A record is a collection of fields, with each field containing only one value. The type of a record defines which fields the record contains. The hierarchical database model mandates that each child record has only one parent, whereas each parent record can have one or more child records. In order to retrieve data from

969-509: Is created each time the system boots and performs hardware detection. Individual settings for users on a system are stored in a hive (disk file) per user. During user login, the system loads the user hive under the HKEY_USERS key and sets the HKCU (HKEY_CURRENT_USER) symbolic reference to point to the current user. This allows applications to store/retrieve settings for the current user implicitly under

1026-468: Is done much more efficiently with a binary format, it may be read from or written to more quickly than a text INI file. Furthermore, strongly typed data can be stored in the registry, as opposed to the text information stored in .INI files. This is a benefit when editing keys manually using regedit.exe , the built-in Windows Registry Editor. Because user-based registry settings are loaded from

1083-434: Is enabled, the on-disk copy of the SAM file is partially encrypted, so that the password hash values for all local accounts stored in the SAM are encrypted with a key (usually also referred to as the "SYSKEY"). It can be enabled by running the syskey program. As of Windows 10 version 1709, syskey was removed due to a combination of insecure security and misuse by bad actors to lock users out of systems. In 2012, it

1140-448: Is located in the user's profile directory in %WINDIR%\Profiles\<Username>\ . The only registry file is called REG.DAT and it is stored in the %WINDIR% directory. To access the registry files, the device needs to be set in a special mode using either:  If any of the above methods worked, the device's registry files can be found in the following location: The registry contains important configuration information for

1197-493: Is not required to use an application. Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are specific to the local computer. The key located by HKLM is actually not stored on disk, but maintained in memory by the system kernel in order to map all the other subkeys. Applications cannot create any additional subkeys. On Windows NT, this key contains four subkeys, "SAM", "SECURITY", "SYSTEM", and "SOFTWARE", that are loaded at boot time within their respective files located in

SECTION 20

#1732902446591

1254-480: Is otherwise stored. (This dummy value has no relationship to the user's password - it is the same value used for all user accounts.) In Windows NT 3.51, NT 4.0 and 2000, an attack was devised to bypass the local authentication system. If the SAM file is deleted from the hard drive (e.g. mounting the Windows OS volume into an alternate operating system), the attacker could log in as any account with no password. This flaw

1311-552: Is running and firewall rules permit this. Because the registry is a database, it offers improved system integrity with features such as atomic updates . If two processes attempt to update the same registry value at the same time, one process's change will precede the other's and the overall consistency of the data will be maintained. Where changes are made to .INI files, such race conditions can result in inconsistent data that does not match either attempted update. Windows Vista and later operating systems provide transactional updates to

1368-503: Is stored in .REG files using the following syntax: The Default Value of a key can be edited by using "@" instead of "Value Name": String values do not require a <Value type> (see example), but backslashes ('\') need to be written as a double-backslash ('\\'), and quotes ('"') as backslash-quote ('\"'). For example, to add the values "Value A", "Value B", "Value C", "Value D", "Value E", "Value F", "Value G", "Value H", "Value I", "Value J", "Value K", "Value L", and "Value M" to

1425-417: Is stored in each user's profile folder: For Windows 2000, Server 2003 and Windows XP, the following additional user-specific file is used for file associations and COM information: For Windows Vista and later, the path was changed to: Windows 2000 keeps an alternate copy of the registry hives (.ALT) and attempts to switch to it when corruption is detected. Windows XP and Windows Server 2003 do not maintain

1482-412: Is usually done by using RegEdit.exe. Editing the registry is sometimes necessary when working around Windows-specific issues e.g. problems when logging onto a domain can be resolved by editing the registry. Windows Registry can be edited manually using programs such as RegEdit.exe, although these tools do not expose some of the registry's metadata such as the last modified date. The registry editor for

1539-445: The %SystemRoot%\System32\config\ folder. A fifth subkey, "HARDWARE", is volatile and is created dynamically, and as such is not stored in a file (it exposes a view of all the currently detected Plug-and-Play devices). On Windows Vista and above, a sixth and seventh subkey, "COMPONENTS" and "BCD", are mapped in memory by the kernel on-demand and loaded from %SystemRoot%\System32\config\COMPONENTS or from boot configuration data, \boot\BCD on

1596-486: The 3.1/95 series of operating systems is RegEdit.exe and for Windows NT it is RegEdt32.exe; the functionalities are merged in Windows XP. Optional and third-party tools similar to RegEdit.exe are available for many Windows CE versions. Registry Editor allows users to perform the following functions: .REG files (also known as Registration entries) are text-based human-readable files for exporting and importing portions of

1653-418: The 32-bit registry was created, so was the additional capability of creating multiple named values per key, and the meanings of the names were somewhat distorted. For compatibility with the previous behavior, each registry key may have a "default" value, whose name is the empty string. Each value can store arbitrary data with variable length and encoding, but which is associated with a symbolic type (defined as

1710-403: The HKCU key. Not all hives are loaded at any one time. At boot time, only a minimal set of hives are loaded, and after that, hives are loaded as the operating system initializes and as users log in or whenever a hive is explicitly loaded by an application. The registry is physically stored in several files, which are generally obfuscated from the user-mode APIs used to manipulate the data inside

1767-435: The HKLM\SOFTWARE\Foobar key: Data from .REG files can be added/merged with the registry by double-clicking these files or using the /s switch in the command line. REG files can also be used to remove registry data. To remove a key (and all subkeys, values and data), the key name must be preceded by a minus sign ("-"). For example, to remove the HKLM\SOFTWARE\Foobar key (and all subkeys, values and data), To remove

Security Account Manager - Misplaced Pages Continue

1824-549: The ReportsTo column is a foreign key referencing the EmpNo column. If the "child" data type were different, it would be in a different table, but there would still be a foreign key referencing the EmpNo column of the employees table. This simple model is commonly known as the adjacency list model and was introduced by Dr. Edgar F. Codd after initial criticisms surfaced that the relational model could not model hierarchical data. However,

1881-404: The SAM file from the Windows NT system installation directory structure (default: %SystemRoot%/system32/config/SAM ) and, depending on the particular software utility being used, removes the password hashes stored for user accounts in their entirety, or in some cases, modify the user account passwords directly from this environment. This software has both a highly pragmatic and beneficial use as

1938-455: The SAM file, and will not release that lock until the operating system has shut down or a " Blue Screen of Death " exception has been thrown. However, the in-memory copy of the contents of the SAM can be dumped using various techniques (including pwdump ), making the password hashes available for offline brute-force attack . LM hash is a compromised protocol and has been replaced by NTLM hash. Most versions of Windows can be configured to disable

1995-451: The SAM file. Windows Registry#Hives The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel , device drivers , services , Security Accounts Manager , and user interfaces can all use the registry. The registry also allows access to counters for profiling system performance. In other words,

2052-590: The Win32 API, or by synonymous abbreviations (depending on applications): Like other files and services in Windows, all registry keys may be restricted by access control lists (ACLs), depending on user privileges, or on security tokens acquired by applications, or on system security policies enforced by the system (these restrictions may be predefined by the system itself, and configured by local system administrators or by domain administrators). Different users, programs, services or remote systems may only see some parts of

2109-634: The Windows Registry primarily stored configuration information for COM -based components. Windows 95 and Windows NT extended its use to rationalize and centralize the information in the profusion of INI files , which held the configurations for individual programs, and were stored at various locations. It is not a requirement for Windows applications to use the Windows Registry. For example, .NET Framework applications use XML files for configuration, while portable applications usually keep their configuration files with their executables . Prior to

2166-453: The Windows Registry, . INI files stored each program's settings as a text file or binary file , often located in a shared location that did not provide user-specific settings in a multi-user scenario. By contrast, the Windows Registry stores all application settings in one logical repository (but a number of discrete files) and in a standardized form. According to Microsoft , this offers several advantages over .INI files. Since file parsing

2223-424: The advent of XML in the late 1990s (see also XML database ). The hierarchical structure is used primarily today for storing geographic information and file systems. Currently, hierarchical databases are still widely used especially in applications that require very high performance and availability such as banking, health care, and telecommunications. One of the most widely used commercial hierarchical databases

2280-433: The children point to the parents. As shown, each employee may possess several pieces of computer equipment, but each individual piece of computer equipment may have only one employee owner. Consider the following structure: In this, the "child" is the same type as the "parent". The hierarchy stating EmpNo 10 is boss of 20, and 30 and 40 each report to 20 is represented by the "ReportsTo" column. In Relational database terms,

2337-486: The content of a subkey within another root key, or mapped to a registered service or DLL that provides access to its contained subkeys and values. E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE root key. There are seven predefined root keys, traditionally named according to their constant handles defined in

Security Account Manager - Misplaced Pages Continue

2394-453: The creation and storage of valid LM hashes when the user changes their password. Windows Vista and later versions of Windows disable LM hash by default. Note: enabling this setting does not immediately clear the LM hash values from the SAM, but rather enables an additional check during password change operations that will instead store a "dummy" value in the location in the SAM database where the LM hash

2451-492: The employee to which it is assigned. The organization could store the computer hardware information in a separate table that includes each part's serial number, type, and the employee that uses it. The tables might look like this: In this model, the employee data table represents the "parent" part of the hierarchy, while the computer table represents the "child" part of the hierarchy. In contrast to tree structures usually found in computer software algorithms, in this model

2508-427: The hierarchy or distinct hierarchies from the same root keys. Registry values are name/data pairs stored within keys. Registry values are referenced separately from registry keys. Each registry value stored in a registry key has a unique name whose letter case is not significant. The Windows API functions that query and manipulate registry values take value names separately from the key path or handle that identifies

2565-603: The local filesystem and loaded by the system kernel at boot time and then shared (with various access rights) between all processes running on the local system, or loaded and mapped in all processes started in a user session when the user logs on the system. The HKEY_LOCAL_MACHINE (local machine-specific configuration data) and HKEY_CURRENT_USER (user-specific configuration data) nodes have a similar structure to each other; user applications typically look up their settings by first checking for them in "HKEY_CURRENT_USER\Software\Vendor's name\Application's name\Version\Setting name", and if

2622-423: The operating system, for installed applications as well as individual settings for each user and application. A careless change to the operating system configuration in the registry could cause irreversible damage, so it is usually only installer programs which perform changes to the registry database during installation/configuration and removal. If a user wants to edit the registry manually, Microsoft recommends that

2679-464: The parent key. Registry values may contain backslashes in their names, but doing so makes them difficult to distinguish from their key paths when using some legacy Windows Registry API functions (whose usage is deprecated in Win32). The terminology is somewhat misleading, as each registry key is similar to an associative array , where standard terminology would refer to the name part of each registry value as

2736-482: The popularity of relational databases, despite their initially lower performance in comparison with the existing network and hierarchical models. The hierarchical structure was developed by IBM in the 1960s and used in early mainframe DBMS . Records' relationships form a treelike model. This structure is simple but inflexible because the relationship is confined to a one-to-many relationship. The IBM Information Management System (IMS) and RDM Mobile are examples of

2793-655: The registry by means of the Kernel Transaction Manager , extending the atomicity guarantees across multiple key or value changes with traditional commit–abort semantics. (Note however that NTFS provides such support for the file system as well, so the same guarantees could, in theory, be obtained with traditional configuration files.) The registry contains two basic elements: keys and values . Registry keys are container objects similar to folders. Registry values are non-container objects similar to files. Keys may contain values and subkeys. Keys are referenced with

2850-407: The registry or Windows Registry contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows operating systems. For example, when a program is installed, a new subkey containing settings such as a program's location, its version, and how to start the program, are all added to the Windows Registry. When introduced with Windows 3.1 ,

2907-545: The registry using an INI -based syntax. On Windows 2000 and later, they contain the string Windows Registry Editor Version 5.00 at the beginning, while on Windows 9x and NT 4.0 systems, they contain the string REGEDIT4 . Windows 2000 and later REG files are Unicode -based, while on Windows 9x and NT 4.0 systems, they are ANSI -based. Windows 9x format .REG files are compatible with Windows 2000 and later. The Registry Editor on Windows on these systems also supports exporting .REG files in Windows 9x/NT format. Data

SECTION 50

#1732902446591

2964-453: The registry. Depending upon the version of Windows, there will be different files and different locations for these files, but they are all on the local machine. The location for system registry files in Windows NT is %SystemRoot%\System32\config\ ; the user-specific HKEY_CURRENT_USER user registry hive is stored in Ntuser.dat inside the user profile. There is one of these per user; if a user has

3021-408: The setting is not found, look instead in the same location under the HKEY_LOCAL_MACHINE key. However, the converse may apply for administrator-enforced policy settings where HKLM may take precedence over HKCU. The Windows Logo Program has specific requirements for where different types of user data may be stored, and that the concept of least privilege be followed so that administrator-level access

3078-424: The system partition. Even though the registry presents itself as an integrated hierarchical database, branches of the registry are actually stored in a number of disk files called hives . (The word hive constitutes an in-joke .) Some hives are volatile and are not stored on disk at all. An example of this is the hive of the branch starting at HKLM\HARDWARE. This hive records information about system hardware and

3135-491: The target computer) the capability to entirely bypass or remove the Windows account passwords from a potential target computer. Only recently, Microsoft released a utility called LockSmith, which is part of Microsoft Diagnostics and Recovery Toolset (DaRT). DaRT is not freely available to end-users, however. In July 2021, it was revealed there was a vulnerability within Windows 10 and Windows 11 that allowed low privileged users to access sensitive Registry database files including

3192-500: Was corrected with Windows XP, which shows an error message and shuts down the computer. However, there exist software utilities, which, by the aforementioned methodology of using either an emulated virtual drive, or boot disk (usually Unix/Linux, or another copy of Windows like Windows Preinstallation Environment ) based environment to mount the local drive housing the active NTFS partition, and using programmed software routines and function calls from within assigned memory stacks to isolate

3249-438: Was demonstrated that every possible 8-character NTLM password hash permutation can be cracked in under 6 hours. In 2019, this time was reduced to roughly 2.5 hours by using more modern hardware. In the case of online attacks, it is not possible to simply copy the SAM file to another location. The SAM file cannot be moved or copied while Windows is running, since the Windows kernel obtains and keeps an exclusive filesystem lock on

#590409