Windows Under the Hood
* INTRODUCTION
I am skipping the "What is Windows OS?" part. Windows is very easy to use, its user interface is largely self-explanatory, and that is enough for a normal user. A large part of Windows' power is kept hidden from normal users, which is actually a smart idea: hiding what they don't really need. Technicians, on the other hand, need not only to understand these hidden processes and programs, but also to know how to use, configure, and fix them when needed.
Topics covered:
- Registry
- Boot process components
Note: This is a short blog post briefly explaining the above topics.
* REGISTRY
Think of the Registry as a huge database that stores almost everything your Windows system needs to operate, including information on all the hardware, network information, user preference settings, file types, passwords, desktop colors... virtually everything you might find in Windows. Almost any form of configuration you do to a Windows system involves editing the Registry. Obviously the Registry is critically important, and your system won't boot into Windows without it.
Every version of Windows stores the numerous Registry files (called hives) in the %SystemRoot%\System32\config folder and in each user account folder. Fortunately, you rarely have to access these files directly. Instead, you can use a set of relatively friendly applications to edit the Registry, and for most people that is enough. Every competent tech should, however, understand the basic components of the Registry, know how to edit the Registry manually, and know the best way to locate a particular Registry setting.
* Accessing the Registry
Even though the Registry is important, you rarely access the Registry directly. Instead, when you use Windows’ Settings or Control Panel (or just about any other utility), you are editing the Registry. There are some situations where you might need to access the Registry directly.
Before you look in the Registry, let’s look at how you access the Registry directly by using the Registry Editor, so you can open the Registry on your machine and compare what you see to the examples in this article. The go-to command to open the Registry Editor is regedit. To open the Registry Editor, enter regedit in the Start | Search bar. This will also run from the command line.
* Registry Components
The Registry is organized in a tree structure similar to the folders on the file system. Once you open the Registry Editor in Windows, you will see five main subgroups, or root keys:
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE
- HKEY_USERS
- HKEY_CURRENT_CONFIG
Try opening one of these root keys by clicking the plus sign to its left; note that more subkeys are listed underneath. A subkey can itself contain other subkeys, as well as values. Values define aspects of the subkey. The figure below shows an example of a subkey with some values. Notice that the Registry Editor shows only keys—root keys and subkeys—on the left and values on the right. Each of the root keys has a specific function, so let’s take a look at them individually.
HKEY_CLASSES_ROOT
Historically, the HKEY_CLASSES_ROOT root key defined the standard class objects used by Windows. A class object is a named group of functions that defines what you can do with the object it represents. Pretty much everything that has to do with files on the system is defined by a class object. The Registry, for example, uses two class objects to define the JPG image file. One object is located at HKEY_CLASSES_ROOT\.jpg and one at HKEY_CURRENT_USER\Software\Classes\.jpg that covers user-specific associations for JPG files.
This root key combines class objects from \Software\Classes under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE to provide backward compatibility for older applications.
HKEY_CURRENT_USER and HKEY_USERS
Windows is designed to support more than one user on the same system, storing personalized information such as desktop colors, screensavers, and the contents of the desktop for every user that has an account on the system. HKEY_CURRENT_USER stores the current user settings, and HKEY_USERS stores all of the personalized information for each user. While you certainly can change items such as the screensaver here, the better way is to right-click on the desktop and select Personalize.
HKEY_LOCAL_MACHINE
The HKEY_LOCAL_MACHINE root key contains all the data for a system’s non-user-specific configurations. This encompasses every device and every program in your computer.
HKEY_CURRENT_CONFIG
If the values in HKEY_LOCAL_MACHINE have more than one option, such as two different monitors, this root key defines which one is currently being used. Because most people have only one type of monitor and similar equipment, this area is almost never touched.
* TALKIN' REGISTRY
When describing a Registry setting, we use a simple nomenclature. For example, I once moved my copy of World of Warcraft from my C: drive to my D: drive and had problems when the program started. I went online to www.blizzard.com (home of Blizzard Entertainment, the folks who make World of Warcraft) and contacted the support staff, who gave me instructions to access the Registry and make this change:
"Go to HKLM\SOFTWARE\Blizzard Entertainment\World of Warcraft and change the GamePath object and the InstallPath object to reflect the new drive letter of your new WoW location."
To do so, I opened the Registry Editor. Using this nomenclature, I was able to find the location of these Registry settings. The figure below shows this location. Compare this image to the path described in the instructions from Blizzard. Note that HKEY_LOCAL_MACHINE is abbreviated as HKLM.
To describe the location of a specific Registry value, like where the Blizzard tech told me to go, requires a little bit of repetition. To wit, in the previous example, World of Warcraft is a subkey to Blizzard Entertainment, which is in turn a subkey to the root key HKLM. The World of Warcraft subkey has four values. All keys have the (Default) value, so in this case the World of Warcraft subkey offers three functional values.
Values must have a defined type for the data they store:
- String value: These are the most flexible type of value and are very common. You can put any form of data in these.
- Binary value: These values store nothing more than long strings of ones and zeros.
- DWORD value: These values are like Binary values but are limited to exactly 32 bits.
- QWORD value: These values are like Binary values but are limited to exactly 64 bits.
There are other types of values, but these four are used for most Registry entries.
* Manual Registry Edits
There’s little motivation for you to go into the Registry and make manual edits unless you’ve done some research that tells you to do so. When you do find yourself using the Registry Editor to access the Registry, you risk breaking things in Windows: applications might not start, utilities might not work, or worst of all, your computer might not boot. To prevent these problems, always make a backup of the Registry before you change anything. Once the backup is in a safe place (I like to use a thumb drive, personally), reboot the system to see if the changes you made had the desired result. If it worked, great. If not, you’ll need to restore the old Registry settings using your backup. Let’s watch this in action.
One of the more common manual Registry edits is to delete autostarting programs. I want to prevent a program installed by my Logitech GamePanel keyboard and mouse from autostarting. The most common place for making this change is here:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Opening the Registry Editor and going to this subkey, you’ll see something like:
Before I delete these keys, I’m going to save a copy of my Registry. The Registry Editor’s Export feature enables you to save either the full Registry or only a single root key or subkey (with all subkeys and values under it). Select Run from the left pane and then click File | Export. Save the subkey as a Registration file with the extension .reg. Be sure to put that file somewhere you’ll remember. Should you need to restore that key, use the File | Import command, or just right-click on the icon as shown below and click Merge.
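The four value types and the Run-key export described above can be checked offline by parsing the .reg file that File | Export writes. This is an added example, not code from the original post: the export text is constructed, and the function names are my own. Real exports are UTF-16LE text with a BOM, so read them with encoding='utf-16' before handing the text to parse_reg.

```python
import re
# Constructed sample export of the Run key (real .reg files are UTF-16LE text with a BOM).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"ExampleTool"="\"C:\\Program Files\\Example\\tool.exe\" /tray"
"Flags"=dword:00000003
"Blob"=hex:de,ad,be,\
  ef
"BigCounter"=hex(b):01,00,00,00,00,00,00,00
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # @ is the (Default) value

def _unescape(s):
    """Strings in a .reg file escape backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)

def _decode(raw):
    """Return (type name, decoded value) for the right-hand side of a value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return 'REG_SZ', _unescape(raw[1:-1])
    if raw.startswith('dword:'):                    # exactly 32 bits, 8 hex digits
        return 'REG_DWORD', int(raw[6:], 16)
    if raw.startswith('hex(b):'):                   # exactly 64 bits, little-endian bytes
        data = bytes.fromhex(raw[7:].replace(',', ''))
        return 'REG_QWORD', int.from_bytes(data, 'little')
    if raw.startswith('hex:'):                      # arbitrary bytes
        return 'REG_BINARY', bytes.fromhex(raw[4:].replace(',', ''))
    raise ValueError(f'unsupported value encoding: {raw}')

def parse_reg(text):
    """Map each [key path] in an export to {value name: (type, value)}."""
    text = re.sub(r'\\\r?\n\s*', '', text)           # rejoin hex data wrapped with '\'
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()                          # header, blanks and comments match nothing
        if m := KEY_RE.match(line):
            key = m.group(1)
            result[key] = {}
        elif key is not None and (m := VALUE_RE.match(line)):
            name = _unescape(m.group(1)) if m.group(1) is not None else '(Default)'
            result[key][name] = _decode(m.group(2))
    return result

def list_autostarts(text):
    """Commands launched at logon: the string values under the Run key (hypothetical helper)."""
    run = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    return {n: v for n, (t, v) in parse_reg(text).get(run, {}).items() if t == 'REG_SZ'}
```

Comparing the output of list_autostarts before and after a manual edit shows exactly which autostart entries were removed, and the saved .reg file remains the record you import to restore them.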
* The Boot Process
The Windows installation creates a number of specific files and folders that the OS needs to run. Some of these files and folders are directly on the root of the C: drive; others can be elsewhere. The best way to remember the locations of these files and folders and to know their importance to the OS is by looking at how they interact to boot the system.
Current Windows versions support both BIOS and UEFI boot processes. The very first thing that happens when you power on a system with Windows is that either the BIOS or the UEFI starts up. The difference between BIOS and UEFI systems is in what happens next.
- In a BIOS-based system, the BIOS uses its boot order to scan a hard drive for a master boot record (MBR). The MBR holds a small bit of file system boot code that scans the partition table for the system partition and then loads its boot sector. The boot sector in turn contains code that does nothing but point the boot process toward a file called bootmgr (pronounced boot manager, or “boot mugger” if you’re trying to make nerds laugh), the Windows Boot Manager. In short, the BIOS looks for the MBR, which finds the boot code to launch the OS.
- In a UEFI system, on the other hand, neither the MBR/GUID partition table (GPT) nor the file system boot code is run, and UEFI simply loads bootmgr directly.
When bootmgr starts, it reads data from a Boot Configuration Data (BCD) file that contains information about the various operating systems installed on the system as well as instructions for how to actually load (bootstrap) them. Once an operating system is selected (or immediately if only one is present), bootmgr loads a program called winload.exe, which readies your system to load the operating system kernel (ntoskrnl.exe) itself, rather like the way you clean up your house before Aunt Edna comes to visit. It does this by loading into memory the hardware abstraction layer, the system Registry, and the drivers for any boot devices before the operating system itself takes over.
NOTE: If you work with Windows long enough, you may encounter an error message saying that Windows cannot boot because bootmgr is missing. This message is generated when the boot sector code is unable to locate bootmgr, which can be caused by file system corruption, a botched installation, or viruses.
Once the operating system process takes over, it loads up all of the various processes and systems that comprise Windows, the Windows logo comes up, and you’re happily computing, completely oblivious to all of the complex electronic communication that just took place inside your computer.
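To make the BIOS path above concrete, here is an added example (not from the original post) that builds a constructed 512-byte MBR, checks the 0x55AA signature the firmware looks for, and picks out the active (system) partition whose boot sector the MBR code loads next; a lone type-0xEE entry is the protective MBR of a GPT disk, the UEFI case in which this table is not used for booting. The partition layout and function names are assumptions.

```python
import struct

ENTRY = '<B3sB3sII'          # status, CHS start, type, CHS end, LBA start, sector count
NTFS, GPT_PROTECTIVE = 0x07, 0xEE

def build_mbr(entries, boot_code=bytes(446)):
    """Assemble a 512-byte MBR: boot code, four 16-byte partition entries, 0x55AA signature."""
    table = b''.join(struct.pack(ENTRY, status, bytes(3), ptype, bytes(3), lba, count)
                     for status, ptype, lba, count in entries)
    return boot_code + table.ljust(64, b'\0') + b'\x55\xaa'

def parse_mbr(sector):
    """Return the used partition entries; without the 0x55AA signature the BIOS rejects the sector."""
    if len(sector) != 512 or sector[510:] != b'\x55\xaa':
        raise ValueError('not a valid MBR: 0x55AA boot signature missing')
    parts = []
    for slot in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, sector, 446 + 16 * slot)
        if ptype:                                   # type 0x00 marks an unused slot
            parts.append({'slot': slot, 'active': status == 0x80, 'type': ptype,
                          'lba_start': lba, 'sectors': count})
    return parts

def system_partition(parts):
    """The partition whose boot sector the MBR code loads next: exactly one must be active."""
    active = [p for p in parts if p['active']]
    if len(active) != 1:
        raise ValueError(f'{len(active)} active partitions; MBR boot expects exactly one')
    return active[0]

def is_gpt_disk(parts):
    """A lone 0xEE entry is a GPT disk's protective MBR; UEFI loads bootmgr from the EFI partition instead."""
    return [p['type'] for p in parts] == [GPT_PROTECTIVE]

# Constructed BIOS-style Windows layout (assumption): a 100 MB active System Reserved
# partition holding bootmgr and the BCD, then the Windows partition; both NTFS.
BIOS_DISK = build_mbr([(0x80, NTFS, 2048, 204800), (0x00, NTFS, 206848, 60000000)])
# Constructed GPT disk: the protective entry covers the whole disk (count capped at 0xFFFFFFFF).
GPT_DISK = build_mbr([(0x00, GPT_PROTECTIVE, 1, 0xFFFFFFFF)])
```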