# Registry Structure: Hives, Keys, and Values

The Registry is organized in a hierarchical, tree-like structure, conceptually similar to folders and files in the file system.

* **Hives:** These are the top-level containers, analogous to the root directories of the Registry. Each hive represents a major section of configuration data. The main hives are:
  * **`HKEY_LOCAL_MACHINE` (HKLM):** Stores system-wide settings for hardware, operating system configuration, and installed software that apply to all users. These settings are physically stored in several files (without extensions) located in the `C:\Windows\System32\config` directory, such as `SAM`, `SECURITY`, `SOFTWARE`, and `SYSTEM`.
  * **`HKEY_CURRENT_USER` (HKCU):** Contains settings specific to the **currently logged-in user**. This includes user preferences, application settings for that user, desktop configuration, environment variables, etc. This hive is physically stored in the user's profile directory, typically at `C:\Users\{username}\NTUSER.DAT`.
  * **`HKEY_USERS` (HKU):** Contains the `HKEY_CURRENT_USER` hive for the currently logged-on user, as well as hives for other user profiles loaded on the system (including default and system profiles identified by their SIDs).
  * **`HKEY_CLASSES_ROOT` (HKCR):** Primarily deals with file associations, COM object registrations, and UI-related information. It's largely a merged view derived from specific keys within `HKLM\Software\Classes` and `HKCU\Software\Classes`.
  * **`HKEY_CURRENT_CONFIG` (HKCC):** Holds information about the hardware profile currently being used by the system, generally derived from keys within HKLM.
* **Keys / Subkeys:** Within each hive, information is organized into *Keys* and *Subkeys*. These function like folders and subfolders, providing a logical structure for related settings. For example, `HKCU\Software\Microsoft\Windows` contains numerous subkeys related to the Windows settings for the current user.
* **Values:** These are the actual data entries stored within keys. Each value consists of three parts:
  1. **Name:** An identifier for the specific setting (e.g., `EnablePrefetcher`). A key can have a "(Default)" value which may or may not contain data.
  2. **Data Type:** Defines the format of the data being stored (see below).
  3. **Data:** The actual configuration setting or information itself (e.g., `3`, `C:\Program Files\MyApp`, `0x00000001`).
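The following PowerShell is an added example, not part of the original guide: it lists each value under a key as its Name / Data Type / Data triple, then reads the same key through `HKCU` and through `HKEY_USERS\<SID>` to show that both paths reach the same hive. The function name `Get-RegistryValueTriple` is hypothetical, and the example assumes the current user has an `Environment` key under `HKCU`.

```powershell
# Added example: enumerate the values of one registry key as Name / Type / Data.
function Get-RegistryValueTriple {
    param(
        [Parameter(Mandatory)] [string] $Path   # e.g. 'HKCU:\Environment'
    )
    # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Key  = $key.Name
            # The unnamed value is what regedit displays as "(Default)"
            Name = if ($name -eq '') { '(Default)' } else { $name }
            # RegistryValueKind: String, ExpandString, DWord, QWord, Binary, MultiString...
            Type = $key.GetValueKind($name)
            # Return the stored data as-is, without expanding %VARIABLES%
            Data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
    }
}

# SID of the account running this session
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# The same key, reached through HKCU and through HKEY_USERS\<SID>
$viaHkcu = @(Get-RegistryValueTriple -Path 'HKCU:\Environment')
$viaHku  = @(Get-RegistryValueTriple -Path "Registry::HKEY_USERS\$sid\Environment")

$viaHkcu | Format-Table Name, Type, Data -AutoSize

# Build a sorted "name|type" signature for each view and compare them
$sigHkcu = ($viaHkcu | ForEach-Object { "$($_.Name)|$($_.Type)" } | Sort-Object) -join ';'
$sigHku  = ($viaHku  | ForEach-Object { "$($_.Name)|$($_.Type)" } | Sort-Object) -join ';'
"HKCU and HKEY_USERS\$sid expose the same values: $($sigHkcu -eq $sigHku)"
```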

