Why doesn't my 360 have a registry slimming tool and hacker defense?
Someone once said that anyone who wants to learn the Windows system should first get to know the registry. So, what is the registry? What does it do? How do you modify it to get the best results? And how do you tell the useful parts of the registry from the useless or even harmful ones?

What is a registry? In the days of DOS and Windows 3.x, most applications saved their configuration (installation paths, environment variables and so on) in .ini files (initialization files). Two of them, system.ini and win.ini, controlled the characteristics and access methods of all Windows components and applications, and that worked well with a few users and a few applications. As applications grew in number and complexity, every application installed into the system added entries to these .ini files, but almost none removed them again, so system.ini and win.ini only ever grew, and the system became slower with every addition. Every application upgrade had the same problem: new parameters were added but the old settings were never deleted. There was another obvious limit: a .ini file could be at most 64KB. To work around this, software vendors started shipping their own .ini files and pointing to them from the system files, so that in the end a large number of .ini files affected the normal access level settings of the system.

In the Windows operating system line, system.ini and win.ini hold all the control functions and application information of the operating system: system.ini manages the computer hardware and win.ini manages the desktop and applications. All drivers, fonts, settings and parameters are saved in these .ini files, and every newly installed program is recorded there as well; the program code then references those records. Because of the size limit of win.ini and system.ini, programmers added auxiliary .ini files to control more applications. For example, Microsoft Word has a Word.ini file holding the options, settings, default parameters and other information Word needs to run normally; system.ini and win.ini only point to the path and file name of word.ini.

To solve these problems, Microsoft officially released Windows 95 in 1995 to replace Windows 3.x. Windows 95 was an epoch-making product in that it was the first to use a "registry" to configure and manage plug-and-play and other essential hardware, as well as software that is loaded on demand or stays resident. This made Windows 95 a real 32-bit operating system with the five basic functions of a microcomputer operating system, and it was the first time the registry appeared in everyone's sight.

The registry was originally designed as a data file related to the reference files of applications, and was finally expanded to cover all functions of the 32-bit operating system and its applications. It is a set of files that controls how the operating system looks and how it responds to external events, from direct access to hardware devices and interfaces to how specific users are handled and how applications run. Because of this purpose and nature, the registry became very complex. It is designed specifically for 32-bit applications and its file size is limited to about 40MB. This powerful registry database manages the system hardware, software configuration and other information in a unified, centralized way, which makes administration easier and improves system stability.

So the registry is the core "database" that hardware devices and applications in Windows 95 and later rely on to run normally and to save their settings. It can be described as a very large tree-structured hierarchical database. It records the software the user has installed on the machine and the related information of each program, and it holds the computer's hardware configuration, including automatically configured plug-and-play devices, descriptions of the existing devices, their status attributes and other status information and data.

Now that we have covered the registry and its history, let's look at what it does. One benefit of the registry is Add or Remove Programs, which is part of the Control Panel in the Start menu. When you install software, a record is made in the registry, so the software appears in the list in Add or Remove Programs. The registry is stored in several files on the hard disk, but the only way to access and modify them is the Registry Editor program. To open it, click the Start button, then Run, type regedit in the dialog box that appears and press Enter. This starts the Registry Editor and you will see the registry.

The registry is organized much like files on disk: if you have used the folder view in Windows Explorer, it will look familiar. In the registry, however, the folders are called registry keys. To open a key, click the small plus sign (+) next to it. You will see that each key contains more keys, called subkeys, and values. Values are the individual settings of a key, and they are what you customize. They are listed by name on the left side of the registry window, together with their data type and the data itself. Which data type is used usually doesn't matter, because it is obvious from the data itself; otherwise it is explained when you edit it. These thousands of keys are arranged logically, but the first sight of the registry may leave you at a loss. To make sense of it, you first need to know the five root keys and the basic structure of the registry.

It should be mentioned that over time, and under the influence of the garbage the system generates, the registry grows larger and larger, which is not a good thing: the larger the registry, the slower your computer runs. So when novice friends ask why their computer is getting slower and slower, the reason is often too much useless garbage in the registry, which makes the system run slower and slower. That is why people often "slim down" the registry. Many third-party tools, such as Super Rabbit, Windows Optimizer and other system maintenance software, can clean registry garbage. Novice friends are advised to download one, optimize the registry and system regularly, and study some of the settings inside, which helps a lot with the safety and operation of the computer.

Let's go through them one by one (see Figure 2):

In Windows NT/2000/XP the editor that comes with Windows shows only five root keys; there is also a hidden root key, HKEY_PERFORMANCE_DATA.

* HKEY_CLASSES_ROOT

Records the formats and related information of all data files in the Windows operating system, mainly the file name extensions of the different file types and their associated applications. Its subkeys fall into two categories: the registered file extensions, whose names all start with a "."; and the information about the various file types.

* HKEY_CURRENT_USER

This root key contains the profile of the currently logged-in user, so that each user gets their own modified settings when logging in to the computer, such as their own wallpaper, their own inbox and their own security access rights.

* HKEY_LOCAL_MACHINE

This root key contains the configuration information of the computer itself, including the installed hardware and software settings. This information applies to all users who log in to the system. It is the largest and most important root key in the registry!

* HKEY_USERS

This root key includes the information of the default user (the default subkey) and of all users who have logged in before.

* HKEY_CURRENT_CONFIG

This root key is actually the same data as the HKEY_LOCAL_MACHINE\Config\0001 branch.

* HKEY_DYN_DATA

This key holds the system configuration and current performance information created each time the system starts. It exists only in Windows 9x.

* HKEY_PERFORMANCE_DATA

Although the Windows NT/2000/XP registry has no HKEY_DYN_DATA key, there is a hidden key named HKEY_PERFORMANCE_DATA. All dynamic information in the system is stored under it, and these items cannot be seen in the registry editor that comes with the system; only special programs such as Performance Monitor can view this key.

Now let's talk about modifying the registry. As a reminder, if you are not sure what you are doing, back up the registry before modifying it. Apart from Microsoft's own editor, regedit.exe, the registry can also be modified by third-party software or by a hand-written .reg registry file. Have you ever tried writing your own .reg file? Or writing a registry file straight back into the registry without any modification? Hehe, not everyone needs to know this trick; you only need to know the two methods above. Of course, if you are a computer fan, we encourage in-depth study.

Now let's look at .reg files.

The standard format of a .reg file is as follows:

REGEDIT4

[Path] (note the case)

"Key name"="Key value" (for string values)

"Key name"=hex:key value (for binary values)

"Key name"=dword:key value (for DWORD values)

The text in parentheses is my own comment and is not written into the file; everything else listed above must be present. Note that the quotation marks must be typed as English (half-width) quotes, not Chinese full-width ones, or you will get errors.

So how do you write a .reg file? You need a text editor; Windows Notepad is enough. Right-click, choose New > Text Document, and type the content following the format above into the new text file. Finally choose Save As and enter the file name you want with the .reg extension. For example, to create test.reg, enter test.reg and save. You will see that a test.reg with its own icon has been created. Double-click test.reg to run it and the registry is modified accordingly; you will be prompted with something like "Import registry" and asked to confirm. Good, now we can write registry files by hand. Don't worry, let's look at a standard example exported from the registry. Learn it slowly, and you can write your own .reg files by imitating it.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000000
"NoRecentDocsMenu"=hex:01,00,00,00
"NoFavoritesMenu"=dword:00000000
"user"="sundrink"

As you can see, dword values are written in hexadecimal, hex values are binary (a comma-separated list of bytes), and strings are assigned directly. Just copy the contents above into a text document and save it as the .reg file you want to run. Hehe, it's not very hard; be patient. Of course, if you want to write your own .reg files by imitation, Notepad is all you need.

A few more words: why would you want to hand-write a registry file? Because sometimes we come across a machine on which regedit has been locked. What do we do to unlock it? Hehe, if you can write a .reg file by hand it becomes very simple... Use your imagination! It won't take long.

The manual modification method above is only for computer enthusiasts. In general, novice friends are better off modifying the registry with the method provided by third-party software, which is convenient and easy to follow. Either way, make a backup before modifying. That's enough about modifying the registry; there are many similar tutorials on the Internet, for example on improving network speed and optimizing performance, which you can find with Google and study yourself. In fact, many things on a computer are best explored by yourself; only by exploring diligently can you really improve your computer skills. Without further ado, let's continue.

Now let's discuss registry security. Looking at the development of computer viruses, there are more and more worms and Trojans. Unlike ordinary file viruses that infect executable files, such programs usually do not infect normal system files but install themselves as part of the system. Relatively speaking, this kind of virus is more hidden and not easily noticed by the user. But whatever kind of virus infects the system, it leaves some clues. Here we summarize the changes various viruses may make, in order to find them faster.

First, changing the system's configuration files. This mainly concerns Windows 95/98.

The virus may change autoexec.bat, adding a statement that executes the virus program file so that the virus is activated automatically when the system starts. It may also change drive:\windows\win.ini or system.ini: viruses usually append their own file name after "run=" in win.ini, or change the "shell=" line in system.ini.

Second, changing registry values.

Nowadays practically every new worm/Trojan modifies the system registry. The usual places are:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\

Description: programs executed automatically when the system starts.

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\

Description: system service programs executed automatically when the system starts.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

Description: programs executed automatically when the system starts. This is the place viruses most often modify or add to. For example, the Win32.Swen.B virus adds: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ucfzjza = "cxsgrhcl.exe autorun".

HKEY_CLASSES_ROOT\exefile\shell\open\command

Description: this value makes the virus run whenever the user runs any EXE program. Similarly, ...\txtfile\... or ...\comfile\... can be modified so that the virus runs automatically.

In addition, some key values can be used to achieve special functions:

Some viruses prevent the user from viewing and modifying the registry by modifying the following value:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools=

To prevent the user from repairing the damage with a .reg file, the following value is also modified so that a memory access error window is shown instead.

For example, the Win32.Swen.B virus changes the default value to:

HKCR\regfile\shell\open\command\(default)="cxsgrhcl.exe showerror"

Through these modifications, the main purpose of the virus program is to be executed automatically when the system starts or when a program runs, thereby activating itself automatically.
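As an added example (not code from the original article), the following Python script ties the two previous sections together: it reads a .reg file in the REGEDIT4 format described earlier (string, hex and dword values, with "@" as the default value) and then checks the parsed keys for the indicators listed here: entries under the Run/RunOnce/RunServices keys, exefile/comfile/regfile shell\open\command handlers that no longer hold the Windows defaults, and DisableRegistryTools being set. The export it scans is a constructed sample: the Run and regfile entries are the Swen.B values quoted above, while the exefile handler (C:\hypothetical\hijack.exe) and the Policies values are made up for the demonstration.

```python
"""Parse a REGEDIT4-style .reg export and audit it for the persistence and
lock-out indicators discussed above.  Added example, not from the original
article; SAMPLE_EXPORT is constructed for the demonstration."""
import re
from typing import Dict, List, Tuple

RegValues = Dict[str, Tuple[str, object]]   # value name -> (type, data)
Registry = Dict[str, RegValues]             # key path   -> values

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# '@' is the (default) value; otherwise a quoted name, then '=', then the data.
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s: str) -> str:
    """Undo the .reg string escapes (backslash and double quote are backslash-escaped)."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text: str) -> Registry:
    """Parse header, [key] sections and name=data lines.
    Data forms handled: "string", dword:xxxxxxxx and hex:aa,bb,... (REG_BINARY)."""
    lines = [ln.strip() for ln in text.splitlines()]
    while lines and not lines[0]:
        lines.pop(0)
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing or unknown .reg header")
    reg: Registry = {}
    current = None
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):          # blank line or comment
            continue
        if ln.startswith("[") and ln.endswith("]"):
            current = ln[1:-1]
            reg.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value outside any key: {ln}")
        m = VALUE_LINE.match(ln)
        if not m:
            raise ValueError(f"malformed value line: {ln}")
        name = "@" if m.group(1) == "@" else unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            reg[current][name] = ("REG_SZ", unescape(data[1:-1]))
        elif data.lower().startswith("dword:"):
            reg[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif data.lower().startswith("hex:"):
            raw = data[4:].replace(" ", "")
            reg[current][name] = ("REG_BINARY",
                                  bytes(int(b, 16) for b in raw.split(",") if b))
        else:
            raise ValueError(f"unsupported data form: {data}")
    return reg


AUTORUN_SUFFIXES = ("\\run", "\\runonce", "\\runservices")
ALIASES = (("hklm\\", "hkey_local_machine\\"),
           ("hkcu\\", "hkey_current_user\\"),
           ("hkcr\\", "hkey_classes_root\\"))
# Windows defaults for the handlers the text says viruses overwrite.
EXPECTED_HANDLERS = {
    "hkey_classes_root\\exefile\\shell\\open\\command": '"%1" %*',
    "hkey_classes_root\\comfile\\shell\\open\\command": '"%1" %*',
    "hkey_classes_root\\regfile\\shell\\open\\command": 'regedit.exe "%1"',
}


def normalize(key: str) -> str:
    """Lower-case a key path and expand the HKLM/HKCU/HKCR abbreviations."""
    k = key.lower()
    for short, full in ALIASES:
        if k.startswith(short):
            return full + k[len(short):]
    return k


def audit(reg: Registry) -> List[Tuple[str, str]]:
    """Return (finding kind, detail) pairs for the indicators from the text."""
    findings = []
    for key, values in reg.items():
        k = normalize(key)
        lower = {n.lower(): v for n, v in values.items()}   # value names are case-insensitive
        if k.endswith(AUTORUN_SUFFIXES):
            for name, (_typ, data) in values.items():
                findings.append(("autorun", f"{key}\\{name} = {data!r}"))
        expected = EXPECTED_HANDLERS.get(k)
        if expected is not None and "@" in values and values["@"][1] != expected:
            findings.append(("handler-hijack", f"{key} (default) = {values['@'][1]!r}"))
        if k.endswith("\\policies\\system") and lower.get("disableregistrytools", ("", 0))[1] == 1:
            findings.append(("regedit-disabled", key))
    return findings


def audit_reg_text(text: str) -> List[Tuple[str, str]]:
    return audit(parse_reg(text))


# Constructed export: the Run and regfile entries are the Swen.B values quoted in the
# text; the exefile handler and the Policies values are made up for the demo.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ucfzjza"="cxsgrhcl.exe autorun"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\hypothetical\\hijack.exe \"%1\" %*"

[HKCR\regfile\shell\open\command]
@="cxsgrhcl.exe showerror"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000000
"NoRecentDocsMenu"=hex:01,00,00,00
"user"="sundrink"
'''

if __name__ == "__main__":
    for kind, detail in audit_reg_text(SAMPLE_EXPORT):
        print(f"[{kind}] {detail}")
```

Run it against a real export (regedit's File > Export, saved as Win9x/NT4 format) to get the same four kinds of findings over the whole registry. A hit under Run is not proof of infection by itself, since legitimate software registers there too; the handler-hijack and regedit-disabled findings are the strong signals, because nothing legitimate rewrites those defaults.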

Having summarized the changes various Trojans and viruses may make, let's talk about defense. Before that, we must once more emphasize backing up the registry. Frankly, the existing methods are far from enough against increasingly powerful Trojans and viruses; backing up a "completely clean" registry is the most important thing. There are many backup methods all over the Internet, so I won't elaborate here; just Google it.

Security risk: in Windows 2000/XP the Messenger service is started by default, and malicious people can send messages to the target computer with the "net send" command. The target computer then receives harassing messages from others from time to time, which seriously affects its normal use.

Solution: first open the Registry Editor. System services can be managed under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services in the registry, where each subkey corresponds to a "service" in the system. For example, the subkey for the Messenger service is "Messenger". Just find the Start value under Messenger and change it to 4. The service is then disabled and users are no longer harassed by these messages.

Security risk: if a hacker connects to our computer and the RemoteRegistry service is enabled, the hacker can remotely change the services in the registry, so the Remote Registry service needs special protection.

Solution: we can set the startup type of the RemoteRegistry service to disabled. However, after hackers break into our computer they can still change the service from "disabled" to "automatic" with a few simple operations, so it is worth deleting the service altogether.

Find the RemoteRegistry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services in the registry, right-click it and choose "Delete" (Figure 1). Once the key is deleted, the service cannot start.

Be sure to export and save this key before deleting it. When you want to use the service again, just import the saved registry file.

Security risk: as everyone knows, Windows 2000/XP/2003 enables some "shares" by default: IPC$, C$, D$, E$ and ADMIN$. Many hackers and viruses like to break into the operating system through these default shares.

Solution: to prevent IPC$ attacks, set the RestrictAnonymous value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa in the registry to 1, which prohibits IPC$ connections.

For the default shares C$, D$ and ADMIN$, find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters in the registry. On Windows 2000 Server or Windows 2003, add a value named AutoShareServer (type REG_DWORD, value 0) under this key; on Windows 2000 Professional, add AutoShareWks (type REG_DWORD, value 0).

Security risk: when a Windows program fails, the system's built-in Dr. Watson program automatically saves private information about the system call in the files user.dmp and drwtsn32.log, and an attacker can learn private information about the system by analyzing what this program saves. So we must stop the program from leaking information.

Solution: find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug and set the Auto value to 0. Dr. Watson will then no longer record error information when the system is running. Then go to Documents and Settings → All Users → Documents → DrWatson, find the files user.dmp and drwtsn32.log and delete them; deleting these two files removes the private information Dr. Watson saved earlier.

Tip: if Dr. Watson has been prevented from running, the DrWatson folder and the files user.dmp and drwtsn32.log will not be found.

Security risk: many Trojans and viruses hide malicious ActiveX controls in web pages and secretly run programs on the system, thereby damaging the local system. To keep the system secure we should prevent ActiveX controls from running programs without permission.

Solution: ActiveX controls run programs by calling the Windows Scripting Host component, so first delete the wshom.ocx file in the system32 directory; ActiveX controls then can't call Windows Scripting Host. Then find HKEY_LOCAL_MACHINE\Software\Classes\CLSID in the registry and delete the corresponding item. After these operations, ActiveX controls can no longer call scripts on their own.

Security risk: the page file (swap file) of Windows 2000 is a target for hackers just like the Dr. Watson program above, because the page file may reveal information that was originally in memory and was later written to the hard disk. After all, it is not easy for hackers to inspect memory, but information on the hard disk is easy to obtain.

Solution: find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management and set the ClearPageFileAtShutdown value under it to 1 (Figure 2).

This way the system clears the page file at every restart, effectively preventing information leakage.

Security risk: when surfing the web on Windows, passwords are often recorded automatically by the system and filled in automatically on the next visit. This can easily lead to the disclosure of your private information.

Solution: find the Network subkey under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies (create it if it doesn't exist), create a new DWORD value named DisablePasswordCaching under it and set it to 1. After restarting the computer, the operating system will no longer be so clever as to record passwords.

Security risk: today's viruses are very clever. Unlike before, they are not loaded only through the Run value in the registry or the items in MSCONFIG; some advanced viruses load through system services. So can we deny viruses and Trojans the permission to create a service?

Solution: run regedt32 to get a Registry Editor with permission assignment. Find the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services in the registry, then click "Security → Permissions" in the menu bar, click "Add" in the permission window that appears, add the Everyone account, select it, set its "Read" permission to "Allow" and clear "Full Control". Now no Trojan or virus can install a system service by itself. Of course, this only works against viruses and Trojans that don't have administrator rights.

Security risk: many viruses are loaded through the Run value in the registry and start together with the operating system. We can remove the permission of viruses and Trojans to modify this key with the method introduced for startup services above.

Solution: run regedt32 to start the Registry Editor. Find the branch HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run in the registry, set the "Read" permission of Everyone on this branch to "Allow" and clear the "Full Control" permission. This way viruses and Trojans cannot start themselves through this key.
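The registry settings from the solutions above can be collected into one .reg file instead of being changed one at a time in the editor. The following Python script is an added example, not code from the article: it encodes each value the solutions name (Messenger Start=4, RestrictAnonymous=1, AutoShareServer/AutoShareWks=0, Dr. Watson Auto=0, ClearPageFileAtShutdown=1, DisablePasswordCaching=1) at its standard key path and emits a REGEDIT4 file in the format shown earlier, including the dword and string encoding rules. The permission (ACL) changes made with regedt32 cannot be expressed in a .reg file and are left out; the RemoteRegistry key deletion uses the `[-key]` form and is only generated on request, since the text advises exporting the key first.

```python
"""Generate a REGEDIT4 .reg file that applies the registry settings from the
solutions above.  Added example, not from the original article."""
from typing import Dict, List, Sequence, Tuple, Union

Data = Union[int, str]            # int -> dword value, str -> string value
Entry = Tuple[str, str, Data]     # (key path, value name, data)

# One entry per "Solution" above, at the standard Windows key path for that value.
HARDENING: List[Entry] = [
    # Messenger service: Start=4 is "disabled"
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger", "Start", 4),
    # IPC$: refuse anonymous connections
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous", 1),
    # C$, D$, ADMIN$: stop creating the administrative shares (Server and Professional)
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareServer", 0),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareWks", 0),
    # Dr. Watson: Auto is a string value; "0" stops it running automatically
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug", "Auto", "0"),
    # Wipe the page file at shutdown
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management",
     "ClearPageFileAtShutdown", 1),
    # Do not cache passwords
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network",
     "DisablePasswordCaching", 1),
]

# Keys removed outright: the article's RemoteRegistry step (export a backup first).
DELETE_KEYS: List[str] = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry",
]


def reg_dword(value: int) -> str:
    """Encode a DWORD the way .reg files do: 8 lower-case hex digits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a DWORD: {value}")
    return f"dword:{value:08x}"


def reg_string(value: str) -> str:
    """Quote a string, escaping backslash and double quote as .reg requires."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_reg(entries: Sequence[Entry], delete_keys: Sequence[str] = ()) -> str:
    """Render entries grouped by key, preceded by any [-key] deletions."""
    out = ["REGEDIT4", ""]
    for key in delete_keys:                  # [-key] deletes the whole key on import
        out += [f"[-{key}]", ""]
    grouped: Dict[str, List[Tuple[str, Data]]] = {}
    for key, name, data in entries:
        grouped.setdefault(key, []).append((name, data))
    for key, values in grouped.items():
        out.append(f"[{key}]")
        for name, data in values:
            encoded = reg_dword(data) if isinstance(data, int) else reg_string(data)
            out.append(f"{reg_string(name)}={encoded}")
        out.append("")
    return "\n".join(out)


def hardening_reg(delete_remote_registry: bool = False) -> str:
    """The complete hardening file; pass True to also delete the RemoteRegistry key."""
    return build_reg(HARDENING, DELETE_KEYS if delete_remote_registry else ())


if __name__ == "__main__":
    print(hardening_reg())
```

Save the output as harden.reg and import it by double-clicking, as described in the .reg section; export the affected keys first so the change can be reversed. AutoShareServer and AutoShareWks are both emitted because each edition ignores the one that does not apply to it.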

Viruses and Trojans keep "developing", and we must keep learning new protection knowledge to resist them. Rather than cleaning up after being infected by a virus or Trojan, it is better to prepare a good defense in advance and build a solid wall. We should develop the good habit of surfing safely: avoid unsafe websites, don't download unsafe software and videos, run 360 and antivirus software, back up a clean registry file, patch often and keep learning. "Nipping it in the bud" is what we should pursue.

That's a first look; these are the most basic points.