October 29, 2010 (updated 8 years ago), Chemtable Software
Types of Registry Data
As we said before, the registry stores a great amount of information, including profiles of all users, information on installed applications and types of documents that can be created by each program, information on folder properties and application shortcuts, installed hardware and ports that are used.
Because the Windows registry is a complex relational database, all information that can be stored in the resulting information containers of this database (values), must be strictly classified. Values are classified by a data type, which represents the specific kind of data that the value can store. Overall, there are 11 types of data.
A key and subkey can contain 0, 1 or more values and a default value. In addition to values, each key can contain subkeys, which may contain further keys. Each value has its name, type and data.
Three components of a registry value are always arranged in a particular order: name, type of data, value data (for example: [RegistrySizeLimit] [REG_DWORD] [0x8000000]).
The table below contains a list of data types defined and used by Windows today.
The maximal length of a value name:
• 16 383 characters in Windows Server 2003, Windows XP and Windows Vista
• 260 ANSI characters or 16 383 Unicode characters in Windows 2000
• 255 characters in Windows 95, Windows 98 and Windows Millennium Edition
Values of a large size (more than 2048 bytes) are stored in an external file, and the name of that file is added to the registry. It allows using the registry more efficiently.
The maximal size of a value:
• All available memory in Windows NT 4.0/Windows 2000/Windows XP/Windows Server 2003/Windows Vista
• 16 300 bytes in Windows 95, Windows 98 and Windows Millennium Edition
|REG_QWORD||Numeric||64-bit numeric value|
|REG_EXPAND_SZ||String||Text and variables|
|REG_FULL_RESOURCE_DESCRIPTOR||String||Device resource ID|
|REG_LINK||String||Path to file|
|REG_MULTI_SZ||Multi-string||Array of strings|
|REG_RESOURCE_LIST||String||List of device resources|
|REG_RESOURCE_REQUIREMENTS_LIST||String||Device resource ID|
The information below describes the purpose of each data type.
Binary data in any form. Most information about hardware devices is stored as binary data and displayed in the hexadecimal format in the registry editor.
Data represented as an integer (4 bytes, 32 bits). Many service and device driver parameters have this type and are displayed in a binary, hexadecimal or decimal format. DWORD equivalents are DWORD_LITTLE_ENDIAN (least significant byte is at the lowest address) and REG_DWORD_BIG_ENDIAN (least significant byte is at the highest address).
An expandable data string. This string is a text containing a variable that can be replaced on a call from an application.
A multi-string value which is a list of text strings in a format convenient for human perception. Strings are separated by spaces, commas, or other symbols.
A text string in a format which is convenient for human perception. Usually this data type is assigned to values that represent descriptions of components. This data type has a fixed length.
A symbolic link in Unicode.
A series of nested arrays. It stores a resource list that is used by a hardware device. The system writes detected data to the \HardwareDescription tree. In the editor, this data is displayed as a binary value in a hexadecimal format.
A series of nested arrays. It stores a resource list used by a device driver or a hardware device controlled by that driver. The system writes detected data to the \ResourceMap tree. In the editor, this data is displayed as a binary value in a hexadecimal format.
A series of nested arrays. It is used to store a list of hardware drivers which can be used by a particular device driver or a hardware device controlled by that driver. The system writes part of the list to the \ResourceMap tree. Data is defined by the system. In the editor, data is displayed as a binary parameter in a hexadecimal format.
This data type is represented as a 64-bit integer and was introduced in Windows 2000. This data is displayed in the registry editor as a binary value.
No data is stored in a key. This data type is written to the registry by the system or an application. In the editor, it is displayed as a binary value in a hexadecimal format.