Search notes:

Registry hive

A registry hive stores a tree of registry keys and values.

Hive formats

There are two hive formats:

Data storage files

Most hives are stored under %SYSTEMROOT%\system32\config.
Mount point in registry tree Location Format
HKEY_CLASSES_ROOT Virtual hive n/a(?)
HKEY_LOCAL_MACHINE\HARDWARE Volatile data in memory n/a(?)
HKEY_LOCAL_MACHINE\SAM %SystemRoot%\system32\config\SAM standard
HKEY_LOCAL_MACHINE\SECURITY %SystemRoot%\system32\config\SECURITY standard
HKEY_LOCAL_MACHINE\SOFTWARE %SystemRoot%\system32\config\SOFTWARE
HKEY_LOCAL_MACHINE\System %SystemRoot%\System32\config\SYSTEM
HKEY_USERS\user-sid %USERPROFIE%\NTUSER.DAT
HKEY_CURRENT_USER standard
HKEY_USERS\.DEFAULT %SystemRoot%\System32\config\DEFAULT standard
Compare with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
Unclear is the role of %SystemRoot%\system32\config\COMPONENTS which seems to be a registry hive that belongs under HKEY_LOCAL_MACHINE.
HKEY_CLASSES_ROOT is a virtual hive(?) that merges the values of HKEY_CURRENT_USER\Software\Classes and HKEY_LOCAL_MACHINE\Software\Classes.

HKEY_PERFORMANCE_DATA

The special hive HKEY_PERFORMANCE_DATA is not stored in a physical hive and not displayed in regedit.exe.
Although it's possible to read HKEY_PERFORMANCE_DATA with WinAPI-Registry functions, Microsoft recommends to use Performance Data Helper (PDH) functions to query collected counter data.

Showing a hive in regedit.exe

A registry hive is a regular file in the filesystem and can be shown in regedit.exe by using File -> Load Hive.

See also

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
The method OpenBaseKey of the .NET class Microsoft.Win32.RegistryKey.
The Microsoft.Win32.Registry class provides top level Microsoft.Win32.RegistryKey objects for the hives' top level keys.

Index