Storage of Boolean values in Windows System Registry
This article systematises the methods Windows uses to store Boolean values in the system registry. Each method is accompanied by an example of a system policy that uses it.

«A single bit is the amount of information that halves the uncertainty.»

I quote this definition of one bit from information theory because the article is about the ways logical values are stored in the Windows system registry. Boolean, or logical, values take one of two values, «false» or «true», need only one bit of storage and are well known to every programmer; yet for Microsoft they seem to have become one more way to show, at the least, its peculiarity, or to lay good ground for future bugs, service packs or incompatibility.

While developing system programs for administering various 32-bit versions of Windows, I encountered the different approaches Microsoft takes to storing logical values. The fact is that the majority of system policies and settings are represented by two Boolean values: «Yes» or «No». It should also be noted that, again in the majority of cases, a missing value or the «default value» (most likely a value present in the system registry, or its absence) is taken as «false».

This article is an attempt to systematise the nine ways I have discovered in which Windows stores logical values in the system registry. Incidentally, this knowledge is easily extrapolated to the obsolete initialisation files.

Binary values

Logical values are stored in binary values of the system registry in two ways.

1. The pair «01 00 00 00» (true), «00 00 00 00» (false) is the one encountered most often. The system policy values of the early Windows versions 95 and 98 are stored this way. In versions ME, NT, 2000 or XP a transition was made to storing Boolean values in values of the integer DWORD type.
As an example of a system policy that behaves this way, take «Clear history of recently opened documents on exit». When enabled, this policy forces automatic clearing of the following histories when the Windows session or the current user session ends: the list of recent documents in the «Documents» menu, the search list and the list of the «Run» dialog box available from the «Start» menu, and the list of network addresses typed into the Internet Explorer address bar. The value «ClearRecentDocsOnExit», which stores the state of this policy, has the binary type in Windows 95/98, with the pair of values «01 00 00 00», «00 00 00 00», and the integer type in other versions. It is stored in the registry branch «Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» in both the HKEY_CURRENT_USER hive and the HKEY_LOCAL_MACHINE hive, and its scope is correspondingly either the «Current user» or the entire «Computer» (Local Machine).

2. The next, rarer pair of binary values representing «true» and «false» is «01» and «00». This pair is used to store system settings. In Windows 9.x it stores the system setting that controls display of the «Suspend» item on the «Start» menu, which switches the computer to energy-saving mode. The «APMMenuSuspend» value is located in the «Enum\Root\*PNP0C05\0000» branch of the LOCAL_MACHINE system registry hive. Modifying this value manually makes sense when switching to energy-saving mode is erratic.

Integer DWORD values

Here I discovered three methods of storing Boolean values.

3. The most frequently met pair is «1» and «0», meaning «true» and «false» respectively. This method is used to store Windows system policies in the overwhelming majority of cases.
It should be noted that the representation of most system policies changed from the binary-type values «01 00 00 00» and «00 00 00 00» in Windows 95 and 98 to the integer-type values «1» and «0» for the same policies in Windows Me, 2000 and XP. An obvious attempt by Microsoft to unify the storage of system policy states can be seen here.

As an example, take the system policy which, when enabled, blocks the context menu of «Windows Explorer» and the «Desktop». The integer value «NoViewContextMenu», stored in the «Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» branch, is responsible for the state of this policy. The value can be located in either the HKEY_CURRENT_USER hive or the HKEY_LOCAL_MACHINE hive, with the scope of «Current User» or «Local Machine» respectively. When policies stored in different system registry hives conflict, the policy with the «Computer» scope, stored in the HKEY_LOCAL_MACHINE hive, takes priority over the policy with the «Current User» scope, stored in the HKEY_CURRENT_USER hive.

4. Another pair of integer values representing logical values is «2», denoting «true», and «0», denoting «false». This representation of Boolean values, rather strange at first glance, is used most often to store policies related to Microsoft Internet applications such as Internet Explorer and Outlook Express. Admittedly, a small number of system policies have three states and use three values to represent them: "0", "1" and "2". But these are not Boolean values and are outside the topic of this article. The policy that removes MSN Messenger from the Outlook Express interface is an example of a policy that uses this representation of logical values.
The DWORD value «Hide Messenger», which can be present in the «SOFTWARE\Microsoft\Outlook Express» branch of the HKEY_LOCAL_MACHINE hive, removes the MSN Messenger functionality from the Outlook Express mail client when it takes the value «2».

5. The next way, which might seem the most logical and economical, is used by Microsoft rather rarely: a setting is kept in a single bit (one binary digit) of an integer value. The bit being «set», i.e. equal to «1», or «cleared», i.e. equal to «0», is taken as «true» or «false». It is encountered, rarely, in the storage of Microsoft Office settings. My explanation for this is that checking or manipulating values with a bit representation is more complex to implement in a program. As an illustration, take the «Options6» value, the third bit of which controls display of the warning on macro launch in Microsoft Excel. It is stored in the «Software\Microsoft\Office\8.0\Excel\Microsoft Excel» branch of the HKEY_CURRENT_USER hive. Excel from Office 2000 or XP stores this setting in the similar branch, where «8.0» is replaced by «9.0» or «10.0» respectively.

String values

The abundance of ways to store logical variables in string-type values suggests that here the imagination of Microsoft programmers ran loose.

6. The first, rather widespread pair is «Yes», «No», standing for «true» and «false». This way is used most often to store settings in Internet Explorer and Windows Explorer. The pair is written in different ways: in capital letters, in lower case, or with only the first letter capitalised. Case is crucial for several Internet Explorer settings, where the values are written only in lower case: «yes», «no». In other cases Windows accepts these values in any form.
The string value «BrowseNewProcess», stored in «Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess» of the HKEY_CURRENT_USER hive, is an example. This setting determines whether a new process is created for each launched instance of Windows Explorer or Internet Explorer. Enabling this system setting increases Windows stability but can slightly reduce performance.

7. The second, rare pair of string values, very similar to the first, is «Y», «N», signifying «true» and «false»; it is used to store Windows system settings. The system setting that allows distributed COM objects to be launched and remote clients to connect to them illustrates this method. The value, «EnableDCOM», is stored in «Software\Microsoft\OLE» of the HKEY_LOCAL_MACHINE hive. Note that write access to this setting, and free manipulation of its state, is recommended only for system administrators.

8. Evidently, saying plainly «yes or no» is as foreign to Microsoft as it is to diplomats, because there is yet another way to store this state in the system registry: «TRUE» and «FALSE». It should be noted that in particular cases the letter case matters; in other words, the value «true», written in lower case, is taken as «false». This method is encountered in the storage of Windows network settings. There is a system policy for Windows NT, 2000 and XP that is responsible for displaying the message about an unsuccessful connection to the domain controller that keeps the «roaming user profiles». The content of the value «ReportControllerMissing», which is processed during logon to the system and stored in the «SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon» branch of HKEY_LOCAL_MACHINE, is case sensitive.

9. As with integer values, the pair «1» and «0», standing for «true» and «false», is also encountered.
It is remarkable that in Windows NT there are many policies whose states take the values «1» or «0» but can have either the string or the integer type. Such a situation is extremely rare in Windows 2000, and occurs for the system policies inherited from Windows NT. This representation of Boolean values is used to store system settings and policies in Microsoft Office, most often for network settings, memory management and installation of applications. As an example, take the system policy that forcibly terminates 16-bit processes running in the Virtual DOS Machine when the Windows session ends. This closes hung applications but can cause data loss. The string value «AutoEndTasks», which accepts «1» or «0» and is responsible for the state of this policy, is stored in the «Control Panel\Desktop» branch of the HKEY_CURRENT_USER system registry hive.
All of the above-mentioned policies are implemented in Activity and Authentication Analyzer.
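
The nine representations listed above can be folded into one decoder when auditing policy state. The Python below is an added example, not code from the article or from AAAnalyzer; the function names, parameters and sample data are constructed for illustration, and reading «third bit» as mask 0x4 is an assumption.

```python
# Type codes equal winreg.REG_SZ, REG_BINARY, REG_DWORD; defined here to run anywhere.
REG_SZ, REG_BINARY, REG_DWORD = 1, 3, 4

def decode_bool(reg_type, data, true_dword=1, bit_index=None, exact_true=None):
    """Map one registry value to True/False using the article's nine forms.
    data=None means the value is absent (usually read as false, per the article);
    data matching no known form raises ValueError instead of being guessed."""
    if data is None:
        return False
    if reg_type == REG_BINARY:                       # methods 1 and 2
        if data in (b"\x01\x00\x00\x00", b"\x01"):
            return True
        if data in (b"\x00\x00\x00\x00", b"\x00"):
            return False
    elif reg_type == REG_DWORD:
        if bit_index is not None:                    # method 5: one bit of a DWORD
            return bool((data >> bit_index) & 1)
        if data == true_dword:                       # method 3 (1) or method 4 (2)
            return True
        if data == 0:
            return False
    elif reg_type == REG_SZ:
        if exact_true is not None:                   # case-sensitive settings
            return data == exact_true
        word = data.lower()                          # methods 6 to 9, any case
        if word in ("yes", "y", "true", "1"):
            return True
        if word in ("no", "n", "false", "0"):
            return False
    raise ValueError(f"not a Boolean form: type={reg_type} data={data!r}")

# Constructed sample data for the value names used in the article.
SAMPLES = [
    ("ClearRecentDocsOnExit",   REG_BINARY, b"\x01\x00\x00\x00", {}),
    ("APMMenuSuspend",          REG_BINARY, b"\x00", {}),
    ("NoViewContextMenu",       REG_DWORD,  1, {}),
    ("Hide Messenger",          REG_DWORD,  2, {"true_dword": 2}),
    ("Options6", REG_DWORD, 0x0C, {"bit_index": 2}),  # assumption: third bit = mask 0x4
    ("BrowseNewProcess",        REG_SZ,     "yes", {}),
    ("EnableDCOM",              REG_SZ,     "Y", {}),
    ("ReportControllerMissing", REG_SZ,     "true", {"exact_true": "TRUE"}),
    ("AutoEndTasks",            REG_SZ,     "1", {}),
]

def decode_all(samples):
    return {name: decode_bool(t, d, **opts) for name, t, d, opts in samples}

if __name__ == "__main__":
    print(decode_all(SAMPLES))
```

A DWORD of 2 decoded with the default `true_dword=1` raises `ValueError`, so a method-4 or three-state value is surfaced rather than silently read as false.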
Valient Newman, the author of Activity and Authentication Analyzer (AAAnalyzer).