Mapped drives (incl net use) missing from elevated processes eg UAC cmd run as administrator

Mapped drives created in Windows Explorer Tools -> Map network drive OR via command prompt (cmd.exe) net use command will not be visible in programs that “run as administrator” ie with elevated privileges.

Eg if you do Start Orb -> type “cmd” without the quotes into the search box -> right click on cmd and select “run as administrator”

…then you will get a command prompt running with elevated privileges.

(There are other ways to get an elevated cmd prompt if you don't want to be bothered by UAC.)

If you do net use in that command prompt to show mapped network drives, you won't see the same as you see in un-elevated or in windows explorer.

The key tidbit going on here is that an administrator account has 2 access tokens, a filtered one and a regular one. The regular one is privileged / elevated. The filtered one has the privs filtered out, if you will.

And mapped drives are associated with only 1 particular access token; 1 or the other, not both.

A key to understanding this mechanism is

This article is so important, i quote it below so that if it ever goes away it’ll still be here. And i quote it with its user comments, cuz they are also key, in this case. Good, hi quality comments.

One of the places this technet article is referenced is

Microsoft KB

That was a technet article. Microsoft’s official KB on it is here, but IMHO not as informative (and contains a bug)

One of the places this KB article is referenced is

Unfortunately the suggestion in this KB article is wrong, i think. It suggests to do net use without a drive letter:

To work around this issue, use the net use command together with a UNC name to access the network location. For example, at a command prompt, type the following command, and then press Enter:


I just tried this and it did not make the \\COMPUTERNAME\SHARENAME appear in the other net use listing.

Now it’s possible that even tho it did not appear in the net use listing, it did log me in in both prived and non-prived. I did not test this, cuz i was already logged in in both prived and non-prived and so it requires logging out to test and i cant do that right now for other reasons.

Quote of technet article

NOTE: the comments have important info, eg, some, but not all, ppl see the logon script that maps drives running at elevated privs, so that they see mapped drives elevated but not un-elevated; all hinges on what access token is in use when the logon script runs

Some Programs Cannot Access Network Locations When UAC Is Enabled


Updated: November 16, 2009

Applies To: Windows Server 2008 R2


After you turn on User Account Control (UAC) in Windows Vista or Windows 7, programs may not be able to access some network locations. This problem may also occur when you use the command prompt to access a network location.


This problem occurs because UAC treats members of the Administrators group as standard users. Therefore, network shares that are mapped by logon scripts are shared with the standard user access token instead of with the full administrator access token.

When a member of the Administrators group logs on to a computer running Windows Vista or Windows 7 that has UAC enabled, the user runs as a standard user. Standard users are members of the Users group. If you are a member of the Administrators group and you want to perform a task that requires a full administrator access token, UAC prompts you for approval. For example, if you try to edit security policies on the computer, you are prompted. If you approve the action in the User Account Control dialog box, you can then complete the administrative task by using the full administrator access token.

When an administrator logs on to a computer running Windows Vista or Windows 7, the Local Security Authority (LSA) creates two access tokens. If LSA is notified that the user is a member of the Administrators group, LSA creates the second logon that has the administrator rights removed (filtered). This filtered access token is used to start the user’s desktop. Applications can use the full administrator access token if the administrator user provides approval in a User Account Control dialog box.

If a user is logged on to a computer running Windows Vista or Windows 7 and if UAC is enabled, a program that uses the user’s filtered access token and a program that uses the user’s full administrator access token can run at the same time. Because LSA created the access tokens during two separate logon sessions, the access tokens contain separate logon IDs.

When network shares are mapped, they are linked to the current logon session for the current process access token. This means that if a user uses the command prompt (cmd.exe) together with the filtered access token to map a network share, the network share is not mapped for processes that run with the full administrator access token.


This section contains steps that modify the registry. Incorrectly editing the registry may severely damage your system or make your system unsafe. Before making changes to the registry, you should back up any data on the computer. For more information about how to back up and restore the registry, see article 322756 in the Microsoft Knowledge Base (

To work around this problem, configure the EnableLinkedConnections registry value. This value enables Windows Vista and Windows 7 to share network connections between the filtered access token and the full administrator access token for a member of the Administrators group. After you configure this registry value, LSA checks whether there is another access token that is associated with the current user session if a network resource is mapped to an access token. If LSA determines that there is a linked access token, it adds the network share to the linked location.

To configure the EnableLinkedConnections registry value

  1. Click Start, type regedit in the Start programs and files box, and then press ENTER.
  2. Locate and then right-click the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
  3. Point to New, and then click DWORD Value.
  4. Type EnableLinkedConnections, and then press ENTER.
  5. Right-click EnableLinkedConnections, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor, and then restart the computer.


Community Additions


Doesn’t work properly with Windows 8.x

On Windows 8 and Windows 8.1, ‘EnableLinkedConnections’ does enable mapped drives to appear for local Administrators however drives mapped to a subfolder of a share do not then map correctly. So if you try to map a drive to \\server\share\subfolder the mapped drive appears but is incorrectly mapped to \\server\share instead.

Does This Open A Security Vulnerability?

There are articles all over the internet that quote this registry hack. Most (,,,, and notably also state that using it opens a security hole.
Microsoft does not discuss (in the article above) whether this creates a security vulnerability or what it might be. I spent all morning trying to find this original article to find out what the security risk might be. I’m disappointed that it is not discussed.
So here are some questions:
• If there is a risk, what is it?
• If there is no risk, why isn’t it the default?
• Where did all those other sites get the idea that it is potentially dangerous?


Article seems correct to me.

I am seeing results consistent with the article and different than the two previous comments. I am a domain admin and when I log in, the drives mapped in the login script are available in Explorer and at a command prompt without elevated privileges. When I run a command prompt as administrator, the drives are not available. In the elevated command window, the drives are listed by net use, but show a status of unavailable.

Windows 7, 64bit and 32bit

Thank you, this solved my problem.

Some additional information: I had a problem on my Windows 7 64bit system where mapped drives would not show when using the Win32Api function: GetLogicalDrives().

By adding the registry key, I was glad to see that my mapped drives were shown again.

However, on my 32bit system, which does not have this registry key, mapped drives do get shown when using the Win32Api GetLogicalDrives() function…


Problem description is misstated.

This problem description in this article needs to be updated. Some of the statements in it are the exact opposite of the truth about how UAC works.

Drives mapped by logon scripts are only available to processes that are launched using UAC elevation or Run As Administrator. However, this article incorrectly states the reverse — that they are only accessible to processes started by the filtered logon token. To verify this, create a simple logon script to map a drive. Make sure that this drive has not been manually mapped already. Then logon to the computer with UAC turned on using an administrator account. Open Windows Explorer and there will be no mapped drive shown there because the drive is not accessible to the filtered token which is what Windows Explorer and non-elevated processes use to run. Open a command prompt and try to change the directory to the mapped drive. Again, it is not accessible. However, if you open a command prompt using Run As Administrator, you will see that you are able to change the directory to the mapped drive.

Likewise, if you launch a program that requires UAC elevation or run a program as administrator, you will also see that drives mapped by logon scripts are available to those programs, but not to programs that do not run elevated.
Please also note that drives that are mapped manually using Windows Explorer or net use in an unelevated command prompt are not available to processes that use the elevated token (elevated through UAC or using Run As Administrator). To test, manually map a drive through Windows Explorer and launch a program that prompts for UAC elevation or use Run As Administrator. Using the program, try to open a file on the mapped drive. You will notice that the mapped drive is not available. However, if you open an elevated command prompt and then use the net use command to map a drive, it will then be available to the elevated program.


Logon scripts and UAC

The text is incorrect imho. Windows 7 behaves like this: the logon script runs at the elevated account and mappings are made using this. After logon explorer starts with the standard account. Missing the registry key – the standard account does not see the mappings. Running an elevated cmd prompt reveals the mappings.

Important to note: the same behaviour is observed for accounts that are members of the Power Users group. No special permissions are given to the group but a logon script runs as Power Users, after logon the standard account does not see the mappings. There seems to be no way to elevate to a Power User. Hard to explain to your users. Ouch.
Best use the EnableLinkedConnections registry key to avoid this.
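
The two logon sessions described in the quoted article can be observed directly. The following Windows PowerShell script is an added example, not part of the quoted article or its comments; it reads the current process token's elevation type and logon ID through the Win32 GetTokenInformation call and lists the network drive letters that token can see. The names Demo.Token and Get-TokenLogonInfo are made up for this example. Run it once from a normal prompt and once from an elevated one and compare the LogonId values.

```powershell
# Added example (not from the quoted article). Demo.Token and Get-TokenLogonInfo
# are hypothetical names; GetTokenInformation and its information classes are
# the real Win32 API.
Add-Type -Namespace Demo -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr tokenHandle, int infoClass, IntPtr info, int infoLength, out int returnLength);
'@

function Get-TokenLogonInfo {
    $TokenStatistics    = 10    # TOKEN_INFORMATION_CLASS values (winnt.h)
    $TokenElevationType = 18
    $typeNames = @{
        1 = 'Default (no linked token)'
        2 = 'Full (elevated)'
        3 = 'Limited (filtered)'
    }

    $marshal  = [System.Runtime.InteropServices.Marshal]
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $userName = $identity.Name
    $buffer   = $marshal::AllocHGlobal(64)      # TOKEN_STATISTICS needs 56 bytes
    try {
        $returned = 0
        $ok = [Demo.Token]::GetTokenInformation(
            $identity.Token, $TokenStatistics, $buffer, 64, [ref]$returned)
        if (-not $ok) { throw 'GetTokenInformation(TokenStatistics) failed' }

        # AuthenticationId, the logon session LUID, follows the 8-byte TokenId:
        # low part at offset 8, high part at offset 12.
        $low     = $marshal::ReadInt32($buffer, 8)
        $high    = $marshal::ReadInt32($buffer, 12)
        $logonId = '{0:x}:{1:x8}' -f $high, $low

        $ok = [Demo.Token]::GetTokenInformation(
            $identity.Token, $TokenElevationType, $buffer, 4, [ref]$returned)
        if (-not $ok) { throw 'GetTokenInformation(TokenElevationType) failed' }
        $elevation = $marshal::ReadInt32($buffer, 0)
    }
    finally {
        $marshal::FreeHGlobal($buffer)
        $identity.Dispose()
    }

    # Drive letters present in this token's view of the system.
    $drives = [System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq 'Network' } |
        ForEach-Object { $_.Name }

    # $null when the value has never been created.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $linked = (Get-ItemProperty -Path $policyKey -Name EnableLinkedConnections `
        -ErrorAction SilentlyContinue).EnableLinkedConnections

    New-Object PSObject -Property @{
        User                    = $userName
        ElevationType           = $typeNames[$elevation]
        LogonId                 = $logonId
        NetworkDrives           = ($drives -join ', ')
        EnableLinkedConnections = $linked
    }
}

Get-TokenLogonInfo |
    Format-List User, ElevationType, LogonId, NetworkDrives, EnableLinkedConnections

# The same view through the command the post uses.
net use
```

With UAC enabled, the two prompts report different LogonId values for the same user, which is why a mapping made in one is absent from the other.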


How do I search for a task in task scheduler (use autoruns)

Background on Windows Task Scheduler

If you’re already familiar with task scheduler skip to the answer

Windows (7, 8*) has many tasks that are scheduled to run at various times. Programs you install often create new tasks of their own to run at various times. These tasks can be set up to run at various times of day, or on various triggers, like system start, or user logon, or the start of a program (most likely a related program to run in a coordinated fashion).

You start task scheduler by

Windows 7:
clicking on the start orb (or hitting Ctrl-ESC) and typing “task” in the search box and clicking on “Task Scheduler”
Windows 8*:
Going to the tile screen (or hitting Ctrl-ESC) and just typing “task”. It’s in the “Settings” group; click on “Task Scheduler”.

How to search–You Can’t–Use autoruns

The short answer is that Windows Task Scheduler PROVIDES NO WAY TO SEARCH.
But, fortunately, another program, Sysinternals autoruns, does.

Download autoruns here:

(it’s a .zip file so after downloading you’ll have to double-click it to open the .zip file and extract all the files in it to a folder that you’ll remember.)

Then double click on autoruns.exe to start it. (not the file with the ‘c’ in its name–that one runs the console-only application. That is, unless you like the command line style.)

Click the “Scheduled Tasks” tab to show only scheduled tasks.

Click File -> Find (or type Ctrl-F) and search for your task.

Once you find it, you can see the hierarchy in the first column of where it’s stored in regular task scheduler.


pastebin is a generic term for posting text (usually programming code) online so that others can see it.

For example, to collaborate with people on the internet to improve or debug code.

Or to post a long segment of code in an online forum; rather than include the code directly in the post, just post the link to the pastebin.

The original and namesake is;

Two others are hastebin and GitHub Gist

A related site/concept is jsfiddle which allows pasting of all 3 of these: HTML, Javascript, CSS, and will actually run them for you. So it’s a sharing and testing platform in one.

Enable Admin Shares (C$) on Windows 7

Enable File and Print Sharing

The first step to enable administrative shares is to make sure you have File and Print sharing enabled.  While you’re at it, I recommend turning on Network Discovery also

  1. Click the Windows button (formerly the Start button).
  2. Type “advanced shar” into the search text box (that’s all you need).
  3. Click the link to “Manage advanced sharing settings” (aka “Change advanced sharing settings”).
  4. In the window that opens, expand the “Home or Work” profile and browse to the “Network discovery” section.
  5. Click the link to “Turn on network discovery” (Figure 1).
  6. Browse to the “File and printer sharing” section.
  7. Click the link to “Turn on file and printer sharing” (Figure 1).
  8. Click Save Changes.

Note that this will only enable file and printer sharing for your home network. If you connect your computer to a public or “unknown” network, your shares will still remain disabled. It is not recommended, but if you want to change this, follow the above procedure for the “Public” profile.


Figure 1

Step 2: LocalAccountTokenFilterPolicy

The next step is to go into the registry and give local users the ability to access remote administrative shares. BE CAREFUL–you can destroy your system by editing the registry.

  1. Click the Windows button and in the Search box, type “regedit”. If you get a User Access Control warning, click Yes.
  2. The Registry Editor will open. Expand the items until you get to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (Figure 3).
  3. Click Edit from the top menu then New and then DWORD.
  4. Type in LocalAccountTokenFilterPolicy for the name of the DWORD. Hit ENTER.
  5. Double click the new entry and enter “1” for the value. Click OK.
  6. Close the Registry Editor and reboot your computer.

Regedit create LocalAccountTokenFilterPolicy

What’s going on here?

You might be familiar with UAC (User Account Control)


UAC example (for regedit in this case)

This is new for Windows Vista and Windows 7. It is Microsoft’s attempt at security. The idea is that before programs can do dangerous things, or access sensitive areas, the OS will prompt the user for an additional OK. If the user expects this, they can click YES, if it comes out of the blue, they can click NO. For example, if some program is running in the background without the user’s knowledge, and tries to change a sensitive area, this UAC prompt will come out of the blue, and the user can then click NO, protecting his computer.

Clicking YES to the UAC prompt enables what’s called “elevated privilege”. Ie the process now has more privilege to access and change sensitive areas.

Well, when logging in from a remote PC, like you do when you’re trying to access a network admin share, even if you provide username and password to an administrator account, you do NOT get elevated privilege and there is no UAC prompt.

Setting LocalAccountTokenFilterPolicy to 1 turns this filtering off. The values of 0 and 1 don't make any sense, so i provide mnemonics to help remember below.

| Value | Description | Mnemonic |
|---|---|---|
| 0 | This value builds a filtered token. This is the default value. The administrator credentials are removed. | zero-no privileges |
| 1 | This value builds an elevated token. | 1-privileges on |
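
To check how a machine is currently configured, the following Windows PowerShell functions are an added example, not part of the original post. They read the two registry values discussed on this page, treat a missing value as 0, and list the administrative disk shares the machine serves. The function names Get-TokenPolicyReport and Get-AdminDiskShare are made up here, and Get-WmiObject assumes Windows PowerShell rather than PowerShell 7.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function Get-TokenPolicyReport {
    $keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $meaning = @{
        LocalAccountTokenFilterPolicy = @{
            0 = 'remote logons with a local administrator account get the filtered token'
            1 = 'remote logons with a local administrator account get the elevated token'
        }
        EnableLinkedConnections = @{
            0 = 'mapped drives stay tied to the logon session that created them'
            1 = 'mapped drives are shared between the filtered and the elevated token'
        }
    }

    $key = Get-Item -Path $keyPath -ErrorAction Stop
    foreach ($name in 'LocalAccountTokenFilterPolicy', 'EnableLinkedConnections') {
        $state = 'not set (treated as 0)'
        $value = 0
        $kind  = $null

        # Registry value names are case-insensitive, and so is -contains.
        if ($key.GetValueNames() -contains $name) {
            $value = $key.GetValue($name)
            $kind  = $key.GetValueKind($name)
            $state = 'set'
        }

        if ($kind -and $kind -ne 'DWord') {
            # The steps on this page create a DWORD; anything else needs a look.
            $effect = "stored as $kind instead of DWORD; check by hand"
        }
        else {
            $effect = $meaning[$name][$value]
            if (-not $effect) { $effect = 'unrecognised value; check by hand' }
        }

        New-Object PSObject -Property @{
            Name   = $name
            State  = $state
            Value  = $value
            Effect = $effect
        }
    }
}

function Get-AdminDiskShare {
    # Win32_Share.Type 2147483648 (0x80000000) marks an administrative disk
    # share such as C$ or ADMIN$.
    Get-WmiObject -Class Win32_Share -Filter 'Type = 2147483648' |
        Select-Object Name, Path
}

Get-TokenPolicyReport | Format-Table Name, State, Value, Effect -AutoSize
Get-AdminDiskShare    | Format-Table -AutoSize
```

A machine that reports LocalAccountTokenFilterPolicy as 1 and also serves admin shares accepts local administrator credentials for C$ over the network, which is the exposure to weigh before leaving the value in place.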


Start program WITHOUT UAC, useful at system start and in batch files (use task scheduler)

I like to run the search program Everything (link valid 6/4/2014 but check for any updates) but it is a stand-alone executable downloaded from the internet so it triggers a UAC (User Account Control) warning.

No biggie, but i also want it to start automatically when windows starts. And i dont want to have to click UAC or have my customers click UAC every time they start windows.

I also might want to put commands that must be elevated in batch jobs (.bat files) when there’s no one there to click YES to the UAC.

The workaround is to go thru task scheduler. There you can set up a task to start with elevated privileges which won’t trigger a UAC.

The article at contains the basics, but forgets some points.

My edits are in green:

Creating a Scheduled Task

1. Open Task Scheduler by clicking the Windows Orb and typing “task” and selecting “Task Scheduler” from the search results, or from Control Panel or by running the command control schedtasks from Start, Search box.

2. Left-click Task Scheduler Library category in the left to select it (make it highlighted; or else you can’t do “New Folder” below)

3. Right-click “Task Scheduler Library” category in the left, and choose New Folder

4. Name the folder as MyApps (or whatever name you choose; you’ll use the same name again, below)

5. Click the little triangle to the left of “Task Scheduler Library” to display the list of folders beneath it, including our newly created MyApps folder.
Select the MyApps folder (or whatever you named it) by left clicking on it once.

6. In the Actions pane on the right, click Create Task…

7. Type a name for the task that you want to create. You’re going to have to type this again later, so for convenience, keep it short and dont use any spaces.

8. Enable the option Run with highest privileges. This is an important step. In fact the key to the whole thing.

8.a. (FYI The “Hidden” checkbox refers only to viewing tasks in the task scheduler; there is a way to show or not show hidden tasks when in task scheduler; this Hidden setting does not make the task hidden in any way when it runs.)

9. Select the Action tab

10. Click New

11. Click Browse… to select the program (Example: Regedit.exe) you want to run, and mention the parameters (called arguments in task scheduler), if any are required, for the application. (For example, to run a .REG file, select Regedit.exe and mention the parameter (argument) as “/s filename.reg” without the quotes. Another example: my Everything program takes a -startup argument to start in the system tray rather than with a window.)

To run Services MMC applet, browse and select MMC.EXE and type services.msc in the Add arguments (optional) field.

12. Select the Conditions tab

12.a. UNcheck “Start the task only if the computer is on AC power”

13. Select the Settings tab

13.a UNcheck “Stop the task if it runs longer than”

13.b at the bottom there is “If the task is already running, then the following rule applies:” You can choose whatever you want here.

If when it’s running you want to not start another one, select “Do not start a new instance”.

If when it’s running you might want to start another one running simultaneously, select “Run a new instance in parallel”.

If when it’s running you want to end the one that’s currently running, and start another one running, select “Stop the existing instance”.

I suppose “Queue a new instance” is helpful, but i can’t think of an example right now.

Note, you can export this to an xml file (see below) and then import it into another system

Creating a Scheduled Task via cmd line schtasks

(NOTE: this method is NOT AS GOOD–see below)

Alternatively, you can create a task via the cmd line schtasks :

schtasks /create /sc once /tn cmd_elev /tr cmd /rl highest /st 00:00

schtasks
    invoke the schtasks.exe cmd line program
/create
    schtasks can also query, delete, etc; we want to create a task
/sc once
    how often to run; we’re not creating a repetitive task; in fact we dont want to run it at all, just set it up to be run manually, but that option does not appear to be available, so “once” is the closest (see explanation at /sc starttime)
/tn cmd_elev
    /tn stands for Task Name and you can name it anything you want (but you have to use the same name when you later invoke /run)
/tr cmd
    the command to run, in this case the cmd.exe program, aka command prompt
/rl highest
    Why we came to the party. /rl stands for Run at privilege Level; and we want the highest priv level
/st 00:00
    /st stands for Start Time; dont want a start time, but it appears to require one. When you create thru the GUI you dont have to have a trigger at all, but via cmd line you seem to (or was it just me?). I just put in 00:00 (format is HH:MM) which is never in the future, which means it’ll trigger a warning

WARNING: Task may not run because /ST is earlier than current time.

Yeah, that’s what i want. (NOTE: love those microsoft guys: it’s a nit, but when the time is EQUAL to the current time, you get the warning)

If all goes well, you should see

SUCCESS: The scheduled task "cmd_elev" has successfully been created.

or whatever name you called it.

If you re-run the line (let’s say you were experimenting 😉 you will get the warning

WARNING: The task name "cmd_elev" already exists. Do you want to replace it (Y/N)? y

You can safely say Y to this.

NOTE: this method is NOT AS GOOD as creating thru the GUI. At least i could not find the switches to set some important things.


  • “start the task only if the computer is on ac power” will be checked in the conditions tab; not ideal
  • “stop the task if it runs longer than [time]” where time defaults to “3 days” will be checked in the setting tab; not ideal

Launching a Scheduled Task item manually

To run a scheduled task item manually, use the schtasks.exe command-line tool that comes with Windows. For example, to launch the Services console task that you already created, use the following command:


Note: Where MyApps\REGEDIT is the name you chose for the folder and Taskname. You’ll need to enclose the task name within double-quotes if the task name contains blank spaces in between. (Example: SCHTASKS.EXE /RUN /TN folder\“Name of the Task”) If the folder has spaces, you’ll have to enclose that in double-quotes; perhaps best to enclose the whole thing. (Example: SCHTASKS.EXE /RUN /TN “folder\Name of the Task”)
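
A task created with “Run with highest privileges” starts elevated whenever it is run, with no prompt, so it is worth knowing which such tasks exist on a machine and what they launch. The following Windows PowerShell function is an added example, not part of the original post; the name Get-HighestPrivilegeTask is made up here. It walks the Task Scheduler library through the Schedule.Service COM object and reports every task whose XML sets RunLevel to HighestAvailable.

```powershell
# Added example (not from the original post). Get-HighestPrivilegeTask is a
# hypothetical name. Run it from an elevated prompt to see tasks that the
# filtered token is not allowed to read.
function Get-HighestPrivilegeTask {
    $service = New-Object -ComObject Schedule.Service
    $service.Connect()

    # Breadth-first walk over the folder tree, starting at the library root.
    $pending = New-Object System.Collections.Queue
    $pending.Enqueue($service.GetFolder('\'))

    while ($pending.Count -gt 0) {
        $folder = $pending.Dequeue()
        foreach ($sub in $folder.GetFolders(0)) { $pending.Enqueue($sub) }

        # 1 = TASK_ENUM_HIDDEN: include tasks marked Hidden in the GUI.
        foreach ($task in $folder.GetTasks(1)) {
            # The same XML the GUI export produces.
            $xml       = [xml]$task.Xml
            $principal = $xml.Task.Principals.Principal
            if ($principal.RunLevel -ne 'HighestAvailable') { continue }

            # Exec actions only; the Where-Object drops the empty case for
            # tasks that have no Exec action at all.
            $commands = $xml.Task.Actions.Exec |
                Where-Object { $_ } |
                ForEach-Object { ('{0} {1}' -f $_.Command, $_.Arguments).Trim() }

            $account = $principal.UserId
            if (-not $account) { $account = $principal.GroupId }

            New-Object PSObject -Property @{
                Path      = $task.Path
                Account   = $account
                LogonType = $principal.LogonType
                Enabled   = $task.Enabled
                Command   = ($commands -join '; ')
            }
        }
    }
}

Get-HighestPrivilegeTask |
    Sort-Object Path |
    Format-Table Path, Account, LogonType, Enabled, Command -AutoSize
```

Rows whose LogonType is InteractiveToken are the kind of task this post creates; compare the Command column against what you expect to be installed.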

Creating Shortcuts to run each Task

You can create a Desktop shortcut for each scheduled task item you’ve created earlier. Right-click on the Desktop and choose New, Shortcut. Type the command-line (say, SCHTASKS.EXE /RUN /TN MyApps\REGEDIT). Mention a name for the shortcut and click Finish.

Run the task minimized

As Schtasks.exe is a console utility, you’ll see the Command Prompt window opening and closing quickly whenever you run the shortcut. So, you may configure the shortcut to run in a minimized window state, in the shortcut properties.

  • Right-click on the shortcut and click Properties.
  • In the Run drop-down options, change the selection from “Normal Window” to Minimized.
  • Click OK.

Note: In the shortcut properties, you may want to click Change Icon and assign appropriate icon for the shortcut. The icons should be present inside the executable itself, in most cases. For Regedit.exe, browse to Regedit.exe and choose an icon. You may also browse the shell32.dll and imageres.dll files for additional icons.

xml file

Once you set up a task the way you like it via the GUI (recommended method), you can export it to an xml file so that it’s easier to set up on the next system.

Here’s my xml file for (Search) Everything. Filename ends in .xml.txt so change it to just .xml before importing to task scheduler. start_search_everything.xml.txt

Other Methods

There are at least three other compelling methods.

The first two come from

1. NirSoft NirCmd

nircmdc has an elevate cmd

nircmdc elevate cmd

2. SysInternals PsExec

Part of PsTools suite.

psexec.exe -accepteula -h -u "$username" -p "$password" cmd.exe

The “-h” switch is the one doing the magic:

-h If the target system is Vista or higher, has the process run with the account’s elevated token, if available.

The third comes from

3. vbs or PowerShell to elevate

key lines are to use the visual basic script / vbscript command UAC.ShellExecute to perform the elevation, create a new cmd (command prompt), and re-run the original bat file, now elevated. Does that by writing a .vbs file:

ECHO UAC.ShellExecute "!batchPath!", "ELEV", "", "runas", 1 >> "%temp%\OEgetPrivileges.vbs"

Or, you can use PowerShell to elevate:

if '%errorlevel%' == '0' ( goto gotPrivileges ) else ( powershell "saps -filepath %0 -verb runas" >nul 2>&1)

Elevated command prompt and mapped drives

One problem you might encounter when using this method if you’re running a batch file (.bat) in elevated mode, is: Mapped drives (incl net use) missing from elevated processes eg UAC cmd run as administrator. Fortunately, there are some solutions in that blog post.

Windows 7 ISO direct Digital River download links from Microsoft

UPDATE 11/8/2015:

You can try them, but 11/8/2015 they redirect to Microsoft Home Use Program (hup) for employees of corporations that have paid for MS software licenses at work.

Best thing to do is keep googling for links. Sometimes you need a key to get the download–but then dont need a key to install as trial.

An excerpt from the excellent Sean’s Windows 7 Install & Optimization Guide for SSDs & HDDs at url: <>

Windows 7 ISO download links:

  • Have you lost your disc or is it damaged beyond use and need a legitimate copy of windows 7?
  • Are you getting error messages or BSoDs with your installer?
  • Do you just want a copy of Windows 7 with SP1 pre-installed?

    These are new SP1-U ISOs directly from Microsoft; having a direct Digital River download from Microsoft is the only way you can link Windows 7 downloads on this site. You will still need an activation key to use these copies after the 30 day grace period is over.

    Windows 7 Home Premium SP1-U ISO:
    English 32-bit


    English 64-bit

    Windows 7 Professional SP1-U ISO:
    English 32-bit


    English 64-bit

    Windows 7 Professional N SP1-U ISO: (Note: N editions come without media components)
    English 32-bit


    English 64-bit

    Windows 7 Ultimate SP1-U ISO:
    English 32-bit


    English 64-bit


    Multilingual Windows 7 versions here: (link)

Windows ClipBoard Viewer

When you cut and paste, what you cut is stored in the windows “clipboard”.  You can cut and paste (or copy and paste) using the Edit -> Cut (or Edit -> Copy) and Edit -> Paste menu options in nearly all programs.  Or you can cut (or copy) and paste using the Ctrl-X (or Ctrl-C) and Ctrl-V keyboard shortcuts.  As you probably know, “cut” deletes the old one, whereas “copy” preserves the old one.

Either way, this “clipboard”  which stores your cut (or copy) is normally invisible.

On Windows XP there was a way to view it.  You had to run the program "clipbrd" (file: clipbrd.exe) and because it was in the C:\WINXP\system32 or C:\Windows\system32 folder you could run this by using Start->Run and typing clipbrd into the box.

Windows Vista and Windows 7 do not contain the clipbrd program file.

But, you can copy the file from a Windows XP system and just place it in your Windows Vista or Windows 7 C:\Windows\system32 folder and it should just work.


CHKDSK results in Windows 7

On Windows XP CHKDSK used to record its output to a file called Bootex.log in the root of the volume being checked. “Bootex” is short for BootExecute the name of the registry entry that triggers the boot-time CHKDSK. But no such file is produced on Windows 7.

Instead, go to Control Panel -> Administrative Tools -> Event Viewer

Or just type Event in the Windows 7 Start Menu search box. It should find Event Viewer, then just click on it.

The exact name of the exe file is eventvwr.msc

Then, Windows Logs -> Application -> Wininit

Most things are found in the System log, not Application. CHKDSK results are one of the exceptions.

Wininit is found under the source column. Wininit is not a very common value for source. Some people online say Winlogon. But i found it in Wininit.


How to run CHKDSK –

CHKDSK help file –


HTML5 is a set of new web development technologies that bring the mobile (ie iPhone or smartphone) experience to websites.

In doing so, they also achieve the ability to write one application and have it run the same way on the web and on an iPhone, or other smartphone.

In other words, they bring features common to smartphone apps to web development, namely

  • Touch events
  • Swipe events
  • Pinch zoom in/out
  • Location access (eg GPS)
  • Camera access
  • Offline storage, eg each app can store data, info, files
  • Offline app usage.
    • Web apps require you to be online to run them. They have always been websites up til now.
    • Most smartphone apps run whether or not you’re online
    • HTML5 allows web apps to run while offline, like smartphone apps

Here’s a quote of the text of, captured 8/25/2013, a good overview of HTML5 resources:

HTML5 is the latest version of HTML and XHTML. The HTML standard defines a single language that can be written in HTML and XML. It attempts to solve issues found in previous iterations of HTML and addresses the needs of Web Applications, an area previously not adequately covered by HTML.

Here are several resources worth exploring:

The Windows Registry

The Windows Registry replaces .ini files. It is a place where programs store the data they need to run. Eg, configuration settings.

Some key facts to remember.

Root Keys

[P] – primary key
[A] – alias to some other key in the registry

    • On Windows 2000 and above, HKCR is a compilation of user-based HKCU\Software\Classes and machine-based HKLM\Software\Classes. If a given value exists in both of the subkeys above, the one in HKCU\Software\Classes takes precedence.
    • a link to the subkey of HKEY_USERS that corresponds to the user; the same information is accessible in both locations
    • It is a handle (alias) to the key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current" (only exists in Windows 9x/Me and NT-based versions of Windows)
  6. HKEY_PERFORMANCE_DATA (only in NT-based versions of Windows, but invisible in the Windows Registry Editor)
  7. HKEY_DYN_DATA (only in Windows 9x/Me, and visible in the Windows Registry Editor)

hive file locations

The Registry is stored in hive files.


  • %SystemRoot% is usually c:\windows
  • %UserProfile% is usually
    w2k w2003 wxp
    c:\Documents and Settings\[USERNAME]
    Vista w7 w8

  • (SAM stands for “Security Accounts Manager”)
HKEY_USERS\[User SID]_Classes (HKEY_CURRENT_USER\Software\Classes) (part of HKEY_CLASSES_ROOT)
w2k w2003 wxp
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (path is localized)
Vista w7 w8
%UserProfile%\AppData\Local\Microsoft\Windows\UsrClass.dat (path is not localized)