Quick Reference
The Windows Registry is a hierarchical database storing configuration settings for Windows and installed applications. Five root hives: HKEY_LOCAL_MACHINE (HKLM) — system-wide settings. HKEY_CURRENT_USER (HKCU) — current user settings. HKEY_CLASSES_ROOT (HKCR) — file associations and COM objects. HKEY_USERS (HKU) — all user profiles. HKEY_CURRENT_CONFIG (HKCC) — current hardware profile. Tool: regedit.exe or reg.exe from the command line.

What the Registry Is and Why It Matters for A+

The Windows Registry is the central configuration database for Windows operating systems. Every setting that Windows and most applications need — hardware configuration, user preferences, installed software paths, startup programs, security policies, file type associations — is stored in the registry. Before the registry existed (Windows 3.x era), settings were scattered across hundreds of .INI files, making management difficult and inconsistent. The registry consolidated all of this into a structured, searchable, hierarchical database.

For CompTIA A+ technicians, the registry is relevant in several contexts: removing malware that persists through registry run keys, troubleshooting application failures caused by corrupt registry entries, understanding where Windows stores configuration that Group Policy can manage, and performing forensic investigation of what software has been installed or what a user has accessed. Registry editing is a routine task in IT support — and registry corruption or accidental deletion of critical keys can render a system unbootable, which is why backing up registry keys before editing is essential practice.

The Five Registry Hives

HKEY_LOCAL_MACHINE (HKLM): System-wide settings that apply to all users. Hardware configuration, installed drivers, system services, and software installed for all users live here. Requires administrator privileges to modify. The most security-critical hive.

HKEY_CURRENT_USER (HKCU): Settings for the currently logged-in user. Desktop preferences, user-specific application settings, per-user startup programs. Changes here affect only the current user. Writable by standard users without elevation.

HKEY_CLASSES_ROOT (HKCR): File type associations and COM object registrations. When you double-click a .pdf file, Windows looks here to find which application to open it with. A merge of HKLM\Software\Classes and HKCU\Software\Classes.

HKEY_USERS (HKU): Contains registry hives for all user profiles loaded on the system, both logged-in users and the default profile. HKCU is a pointer to the current user's subkey within HKU. Useful for modifying settings for other users.

HKEY_CURRENT_CONFIG (HKCC): The current hardware profile: display settings, printer connections, and hardware configuration active at boot. A pointer to a subkey of HKLM\SYSTEM. Less commonly accessed by technicians directly.

Key Registry Paths — What A+ Technicians Actually Use

Startup programs (all users): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Any value in this key is a program that launches for all users at login. Malware commonly adds persistence entries here. This is the first place to check when investigating unwanted programs running at startup.

Startup programs (current user): HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Same as above but per-user. Standard users can add entries here without elevation. Malware installed by a non-admin user uses this key for persistence.

Installed software list: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Every installed program has a subkey here containing its display name, version, publisher, and uninstall command string. This is what Programs and Features (Control Panel) reads to display the installed application list.

Environment variables: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
System-wide environment variables like PATH are stored here. User-level environment variables are at HKCU\Environment.

Services: HKLM\SYSTEM\CurrentControlSet\Services
Every Windows service has a subkey here defining its executable path, start type (automatic/manual/disabled), and dependencies. Malware services are often found here during forensic investigation.

Registry Data Types

Type | Name | Stores
REG_SZ | String | Plain text strings — most common type, used for paths, names, and settings
REG_DWORD | 32-bit integer | Numeric values — enable/disable flags (0 or 1), port numbers, counts
REG_QWORD | 64-bit integer | Large numbers — file sizes, timestamps in some applications
REG_BINARY | Binary data | Raw binary — hardware settings, security descriptors, complex configuration
REG_EXPAND_SZ | Expandable string | Strings containing environment variable references like %SystemRoot%
REG_MULTI_SZ | Multi-string | List of strings — used for ordered lists of values
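To see how each of these types behaves when written and read back from PowerShell, here is an added example (not from the original article) that stores one value of each type in a scratch key under HKCU, reads them back, and removes the key; the key name RegTypesDemo is an assumption of this example. It also shows two caveats the table alone does not: Get-ItemProperty silently expands REG_EXPAND_SZ, and REG_DWORD comes back as a signed 32-bit integer.

```powershell
# Added example (not from the original article): one value of each registry data type, written
# to a scratch key under HKCU (no elevation needed), read back, then removed.
$key = 'HKCU:\SOFTWARE\RegTypesDemo'   # assumed scratch key name
New-Item -Path $key -Force | Out-Null

New-ItemProperty -Path $key -Name 'Str'    -PropertyType String       -Value 'hello' | Out-Null
New-ItemProperty -Path $key -Name 'Flag'   -PropertyType DWord        -Value 1 | Out-Null
New-ItemProperty -Path $key -Name 'Big'    -PropertyType QWord        -Value 5000000000 | Out-Null
New-ItemProperty -Path $key -Name 'Bytes'  -PropertyType Binary       -Value ([byte[]](1,2,3,255)) | Out-Null
New-ItemProperty -Path $key -Name 'Expand' -PropertyType ExpandString -Value '%SystemRoot%\notepad.exe' | Out-Null
New-ItemProperty -Path $key -Name 'List'   -PropertyType MultiString  -Value @('one','two','three') | Out-Null

# Read back: each registry type arrives as a different .NET type
# (String, Int32, Int64, Byte[], String, String[]).
$props = Get-ItemProperty -Path $key
foreach ($name in 'Str','Flag','Big','Bytes','Expand','List') {
    $v = $props.$name
    '{0,-7} {1,-9} {2}' -f $name, $v.GetType().Name, ($v -join ',')
}

# Caveat 1: Get-ItemProperty expands REG_EXPAND_SZ for you; the raw stored string needs GetValue().
$raw = (Get-Item $key).GetValue('Expand', $null, 'DoNotExpandEnvironmentNames')
"Expand raw:      $raw"

# Caveat 2: REG_DWORD is returned as a signed Int32, so 0xFFFFFFFF reads back as -1.
# Reinterpret the same four bytes as unsigned to see the value regedit shows.
Set-ItemProperty -Path $key -Name 'Flag' -Value ([int32]-1) -Type DWord
$flag = (Get-ItemProperty -Path $key).Flag
$unsigned = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$flag), 0)
'Flag as Int32: {0}   unsigned: 0x{1:X8}' -f $flag, $unsigned

Remove-Item -Path $key -Recurse
```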

regedit.exe — Navigating the Registry

The primary tool for viewing and editing the registry is regedit.exe (Registry Editor), launched by typing regedit in Run (Win+R) or the Start menu search. The left panel shows the registry tree — hives expand into keys (folders) and subkeys. The right panel shows values within the selected key — each value has a name, a data type, and data. To navigate directly to a specific path, use Edit → Find or Ctrl+F to search, or in Windows 10/11 paste the full path into the address bar at the top.

Always back up before editing. Right-click any key and select Export to save a .reg file of that key and all subkeys. If an edit causes problems, double-click the .reg file to restore. For system-critical keys, create a System Restore point before editing. The registry has no undo — a deleted key is gone immediately. Exporting first is the A+ best practice answer to any question about safe registry editing.

The command-line alternative is reg.exe. Common uses: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lists startup entries. reg add and reg delete add and remove values. reg export and reg import back up and restore. PowerShell's Get-ItemProperty and Set-ItemProperty cmdlets also access the registry and are preferred in scripts.

Registry and Malware — The A+ Technician's Perspective

Malware uses the registry for two primary purposes: persistence (ensuring the malware restarts after reboot) and configuration storage (storing command-and-control server addresses, encryption keys, or operational settings). The Run and RunOnce keys under both HKLM and HKCU are the most common persistence locations and should be reviewed during any malware investigation. Beyond Run keys, malware also hides in: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (Userinit and Shell values can be hijacked), scheduled tasks stored at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache, and service entries under HKLM\SYSTEM\CurrentControlSet\Services.

When removing malware, always delete registry persistence keys after removing the malicious executable — otherwise Windows will attempt to re-launch the removed malware on next boot and generate errors. Tools like Autoruns from Sysinternals display every registry-based and scheduled-task-based autostart entry in a single interface, making it far faster to audit startup entries than navigating the registry manually.
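As an added example (not part of the original article), the following PowerShell script applies the advice above in one pass: it exports the four Run/RunOnce keys to .reg backups before anything else, lists every autostart value under them, and compares the Winlogon Shell and Userinit values to their stock defaults. The backup folder, the "user-writable folder" heuristic and the assumed stock default strings are assumptions of this example, and everything it reads is readable as a standard user.

```powershell
# Added example (not from the original article): back up the Run/RunOnce keys, then audit the
# persistence locations the article names. Reading these keys works as a standard user.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:USERPROFILE "Desktop\RunKeys-$stamp"   # assumed backup location
New-Item -ItemType Directory -Path $backup -Force | Out-Null

$runKeys = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Export first ("always back up before editing"). reg.exe takes the short hive names.
foreach ($k in $runKeys) {
    $file = Join-Path $backup (($k -replace '\\', '_') + '.reg')
    reg export $k $file /y | Out-Null
}

# 2. List every autostart value. Get-ItemProperty needs the provider path form (HKLM:\...).
$findings = @(foreach ($k in $runKeys) {
    $psPath = $k -replace '^(HKLM|HKCU)\\', '${1}:\'
    if (-not (Test-Path $psPath)) { continue }
    foreach ($p in (Get-ItemProperty -Path $psPath).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        # Assumed heuristic: programs launching from user-writable folders deserve a closer look.
        $suspect = $cmd -match '\\(AppData|Temp|Downloads|ProgramData)\\'
        [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $cmd; Suspect = $suspect }
    }
})

# 3. Winlogon Shell/Userinit: anything other than the assumed stock default is worth a look.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' }
foreach ($name in $expected.Keys) {
    $actual = [string]$wl.$name
    $findings += [pscustomobject]@{ Key = 'HKLM\...\Winlogon'; Name = $name; Command = $actual;
                                    Suspect = ($actual -ne $expected[$name]) }
}

$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
"Backups written to $backup"
```

Anything flagged Suspect is a starting point for a manual check, not a verdict; Autoruns covers the same locations plus services and scheduled tasks in one view.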

Registry Hives on Disk — Where the Files Live

The registry is stored as binary hive files on disk. When Windows boots, it loads these files into memory and presents them through the registry editor interface. The main hive files:
SYSTEM — stores hardware and boot configuration, loaded before user login.
SOFTWARE — stores installed software settings for all users.
SAM (Security Accounts Manager) — stores local user accounts and hashed passwords. The SAM file is locked while Windows is running, so attackers either work offline (booting to another OS) or use tools such as Mimikatz to extract credentials from the SAM or from memory.
SECURITY — stores security policies and audit settings.
DEFAULT — the default user profile registry settings applied to new users.

Registry hive files are located in C:\Windows\System32\config\ for system hives and in each user's profile at C:\Users\username\NTUSER.DAT for the HKCU hive. The NTUSER.DAT file is the user's registry hive — it's loaded when the user logs in and unloaded when they log off. Group Policy also stores its settings in the registry — policy settings applied by a domain controller write to specific registry keys and are re-enforced at each login, preventing users from permanently modifying settings that Group Policy controls.

Registry vs Group Policy — How They Interact

Group Policy Objects (GPOs) in Active Directory domains enforce settings by writing values to specific registry keys at login. Many Group Policy settings map directly to registry values — a GPO that disables the Control Panel writes a DWORD value to a specific HKCU key. If a user attempts to change that setting directly in the registry, the GPO re-applies at the next login or policy refresh (every 90 minutes by default) and overwrites the user's change. This is why "the setting keeps reverting" is a common symptom of Group Policy enforcement rather than a technical error — the admin is fighting a GPO without realising it. The gpresult /r command shows which GPOs are applied to a user and computer, and is the first diagnostic tool when registry changes don't persist.

Exam Scenarios

A technician removes a malware executable but the malware re-appears after each reboot. Where should the technician look next?
Answer: Check the registry Run keys — HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The malware has a persistence entry that relaunches it after each reboot. Deleting the malware executable without removing its Run key entry causes Windows to attempt relaunch on every login.

A technician needs to make a registry change and wants to be able to undo it if something goes wrong. What should they do before making the change?
Answer: Export the registry key to a .reg file (right-click the key in regedit → Export) before making any changes. If the change causes problems, double-clicking the exported .reg file restores the original values. Creating a System Restore point is an additional precaution for major changes.

Which registry hive stores settings that apply only to the currently logged-in user?
Answer: HKEY_CURRENT_USER (HKCU). This hive contains user-specific settings — desktop wallpaper, application preferences, per-user startup programs, and user-level environment variables. HKEY_LOCAL_MACHINE (HKLM) stores system-wide settings that apply to all users regardless of who is logged in.
