
I use the Sysinternals Procmon utility to monitor the registry access of some programs. Most log entries have a Path property starting with HKCU\… or HKLM\…, which correspond to the registry hives HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE that can be seen in Regedit. But some entries have a Path starting with \REGISTRY\A\…:

[Procmon screenshot]

Could you please explain what part of the registry it is? Can I see it using Regedit or some other utility? Can I access it programmatically?

I am running Windows 8.1 Enterprise x64.


UPDATE: I've contacted Procmon developers and they pointed me to the following MSDN resources covering this question:

  • A related question: http://stackoverflow.com/questions/4611291/mysterious-native-a-registry-key-with-path-registry-a – Vladimir Reshetnikov Dec 19 '13 at 17:24
  • Did you try right-clicking one and selecting *Jump To*? – Synetech Dec 22 '13 at 04:18
  • Yes, but it jumps to an unrelated key. – Vladimir Reshetnikov Dec 22 '13 at 22:47
  • Are you sure it’s unrelated? Did you try using jump-to to a similar key to see if it jumps to a similar key or to a completely different key? For example, if `registry\a\foobar\1` jumps to `hkcu\software\blah\a` but `registry\a\foobar\2` jumps to `hklm\software\microsoft\internet explorer`, then they do seem to be unrelated, but if the second one jumps to `hkcu\software\blah\b`, then they seem to be related in *some way*; there’s some sort of mapping. – Synetech Dec 22 '13 at 23:16
  • Hmm, I think I know how you can find out exactly what it is, but it’ll have to wait until tomorrow morning (my time) when I can test it… – Synetech Dec 22 '13 at 23:31
  • Sorry it took so long; yesterday was busier than expected. I’ve posted the answer now. Let us know if you find out what it was. – Synetech Dec 24 '13 at 15:09
  • Maybe this could be registry virtualization? http://msdn.microsoft.com/en-us/library/windows/desktop/aa965884(v=vs.85).aspx – NothingsImpossible Dec 26 '13 at 08:35
  • @NothingsImpossible, doubtful; that is meant to redirect writes from the system keys to user keys; for example `hklm\software\foobar` to `hkcu\virtualstore\machine\software\foobar`. It’s just like the virtualstore folder. However it could be like a symbolic link or junction point, mounting another registry hive to the path (in which case it would/ *should* be listed in the key I mentioned below). – Synetech Dec 26 '13 at 15:13

4 Answers


It is an application hive, which can be seen in Volatility with no name. Application hives are registry hives loaded by user-mode applications to store application-specific state data. An application calls the RegLoadAppKey function to load an application hive.

More info:

http://msdn.microsoft.com/en-us/library/windows/hardware/jj673019%28v=vs.85%29.aspx

abs2run
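The answer above names RegLoadAppKey but does not show it in use. The following is an added example (not from the answer or from any Microsoft sample): it creates and loads an application hive with RegLoadAppKey, writes and reads a value through the returned handle with the normal .NET registry API, and then asks the kernel for the key's object-manager name with NtQueryKey, which is the same NT path that Procmon prints in its Path column. The file name under %TEMP% and the `Settings`/`LastRun` names are demo assumptions; the expectation that the reported path has the form `\REGISTRY\A\{GUID}` is what the linked Stack Overflow question describes, not something the code enforces.

```powershell
# Added example (not part of the original answer). Load an application hive with
# RegLoadAppKey, use it, and print its NT object path. Run in 64-bit PowerShell on
# Windows Vista or later; no elevation is needed for an application hive.
# Assumptions: the hive file name below is a demo choice; 'Settings'/'LastRun' are demo names.

$sig = @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int RegLoadAppKey(string lpFile, out IntPtr phkResult,
    int samDesired, int dwOptions, int Reserved);

[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);

[DllImport("ntdll.dll")]
public static extern int NtQueryKey(IntPtr KeyHandle, int KeyInformationClass,
    IntPtr KeyInformation, int Length, out int ResultLength);
'@
if (-not ('Demo.AppHive' -as [type])) {
    Add-Type -MemberDefinition $sig -Name 'AppHive' -Namespace 'Demo' | Out-Null
}
$Native = [Demo.AppHive]

$hivePath = Join-Path $env:TEMP 'demo-apphive.dat'   # assumption: demo hive file
$KEY_ALL_ACCESS     = 0xF003F
$REG_PROCESS_APPKEY = 0x1   # every RegLoadAppKey call in this process must then use this flag too

# RegLoadAppKey creates the file if it does not exist and returns a handle to the
# root of the hive. The hive is mounted under \REGISTRY\A\ rather than under
# HKLM/HKU, which is why Regedit does not list it and Procmon shows the raw NT path.
$hKey = [IntPtr]::Zero
$rc = $Native::RegLoadAppKey($hivePath, [ref]$hKey, $KEY_ALL_ACCESS, $REG_PROCESS_APPKEY, 0)
if ($rc -ne 0) { throw "RegLoadAppKey failed with Win32 error $rc" }

try {
    # Wrap the raw handle so the .NET registry API can be used on it (ownsHandle=false:
    # the handle is released once, below, with RegCloseKey).
    $safe = New-Object Microsoft.Win32.SafeHandles.SafeRegistryHandle($hKey, $false)
    $root = [Microsoft.Win32.RegistryKey]::FromHandle($safe)
    $sub  = $root.CreateSubKey('Settings')
    $sub.SetValue('LastRun', (Get-Date).ToString('o'))
    'Value read back: ' + $sub.GetValue('LastRun')

    # Ask the kernel for the key's object-manager name (KeyNameInformation = 3).
    # KEY_NAME_INFORMATION is a ULONG byte length followed by a non-terminated WCHAR name.
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(4096)
    try {
        $len = 0
        $status = $Native::NtQueryKey($hKey, 3, $buf, 4096, [ref]$len)
        if ($status -ne 0) { throw ('NtQueryKey failed, NTSTATUS 0x{0:X8}' -f $status) }
        $nameBytes = [Runtime.InteropServices.Marshal]::ReadInt32($buf)
        $name = [Runtime.InteropServices.Marshal]::PtrToStringUni(
                    [IntPtr]::Add($buf, 4), [int]($nameBytes / 2))
        "NT path of the hive root: $name"
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
    $sub.Close(); $root.Close()
} finally {
    # Closing the last handle into the hive unloads it. The file stays on disk and can
    # afterwards be inspected in Regedit via File > Load Hive.
    [void]$Native::RegCloseKey($hKey)
}
```

While the script runs, a Procmon capture filtered on `Process Name is powershell.exe` shows the RegCreateKey/RegSetValue events under the reported `\REGISTRY\A\…` path, which is the same picture the question's screenshot shows for other processes.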

I need to answer my own question from the comments.

To edit a private hive, it must be loaded first.

For Visual Studio it can be done this way:

https://social.msdn.microsoft.com/Forums/vstudio/en-US/f636ee47-1eb7-45ed-ae2a-674cbabb8b2c/clear-mru-list-in-visual-studio-2017?forum=visualstudiogeneral

To increase the isolation and resilience of VS 2017, it now uses a private registry hive. Internally VS uses a redirection, and while for VS extensions (which are DLLs) this is transparent, for external processes (which are EXEs) this causes them not to work.

To change values in the private registry hive by hand, you can use regedit.exe to load a private hive. You need to select the HKEY_USERS node, and click the File > Load Hive… menu. You select the privateregistry.bin file, give a name to the hive (I entered “VS2017PrivateRegistry”) and now you can see the 15.0_Config key populated as usual (note: use File > Unload Hive when done):

[screenshot]

To change values in the private registry hive programmatically you need either to build an extension for VS or, if you want to use an external exe, to use the RegLoadAppKey function, or avoid using the registry directly and use the External Settings Manager. See the section “Change: Reduce registry impact” in Breaking Changes in Visual Studio 2017 extensibility.

Do not forget to unload the hive in regedit before starting the application that uses it.

Maxim

What does the path '\REGISTRY\A\…' in Sysinternals Procmon log mean? Could you please explain what part of the registry it is? Can I see it using Regedit or some other utility? Can I access it programmatically?

I can’t reproduce what you are seeing on my system, but I can tell you how you can find out what it is on yours. You can see a list of all registry hives that are currently mounted under any name (including system-wide hives, user hives for users that are currently logged on, and any hives loaded manually or by software) at the following registry key. It will show both the internal registry path and the path to the hive file (figure 1).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

You can use this command to see which services are being hosted by the specific instance of svchost.exe. I’ve used the pid (1240) that it was using at the time of your screenshot; replace it with the current PID.

tasklist /svc /fi "pid eq 1240"

Figure 1: Screenshot of registry-editor with hivelist key highlighted, showing mounted registry hives


Synetech
  • `\REGISTRY\A` isn't listed in the `hivelist` key. The [answer](http://superuser.com/a/805662/33682) from @abs2run is the correct answer in general. – Eryk Sun Aug 09 '16 at 02:34
  • The information about `hivelist` is interesting and useful, though it doesn't explain `\REGISTRY\A`. – binki Jan 13 '17 at 07:00
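The regedit "Load Hive" procedure in Maxim's answer and the hivelist check in Synetech's answer fit together as one scripted routine. The following is an added example (not from either answer): it mounts a hive file under HKEY_USERS with reg.exe exactly as File > Load Hive does, verifies that the mount shows up in hivelist under its NT path, works on it through the registry provider, and unloads it again in a finally block so the application can open its own hive afterwards. Assumptions: the hive file path is passed in by the caller, because the VS instance folder name varies per install; the mount name `VS2017PrivateRegistry` is the one Maxim used; the "Hive file in use" check looks for devenv.exe, which is specific to the Visual Studio case.

```powershell
# Added example (not part of the original answers). Script equivalent of regedit's
# File > Load Hive / Unload Hive, with the checks around it. Run from an elevated
# 64-bit PowerShell; reg.exe load/unload need backup/restore privilege.
# Assumptions: $HiveFile is supplied by the caller; mount name as used in Maxim's answer.
param(
    [Parameter(Mandatory)] [string]$HiveFile,            # e.g. ...\15.0_<instance>\privateregistry.bin
    [string]$MountName = 'VS2017PrivateRegistry'
)

# 1. A hive file cannot be loaded while another process holds it open. For the VS
#    private hive that means devenv.exe must not be running.
if (Get-Process -Name devenv -ErrorAction SilentlyContinue) {
    throw 'Close Visual Studio first: it keeps privateregistry.bin locked while running.'
}
if (-not (Test-Path -LiteralPath $HiveFile)) { throw "Hive file not found: $HiveFile" }

# 2. Mount the file under HKEY_USERS with the chosen name (same as File > Load Hive).
reg.exe load "HKU\$MountName" "$HiveFile" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }

try {
    # 3. A hive loaded this way is recorded in hivelist, keyed by its NT path
    #    \REGISTRY\USER\<name> with the backing file as the value. (As the comments
    #    above note, \REGISTRY\A application hives do not appear here.)
    $hivelist = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    $ntPath   = "\REGISTRY\USER\$MountName"
    $backing  = $hivelist.GetValue($ntPath)
    if (-not $backing) { throw "$ntPath is not present in hivelist; the load did not take effect" }
    "Mounted $ntPath -> $backing"

    # 4. Work on the hive through the normal registry provider. This only lists the
    #    top-level keys (e.g. 15.0_Config); an actual edit would go here.
    Get-ChildItem -LiteralPath "Registry::HKEY_USERS\$MountName" |
        Select-Object -ExpandProperty PSChildName
}
finally {
    # 5. Always unload, even on error: while the hive is mounted the application cannot
    #    open its own copy, and any open handle into the hive makes the unload fail.
    #    Dropping the provider's cached handles first avoids a spurious "access denied".
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed (exit code $LASTEXITCODE); close handles into HKU\$MountName and retry"
    }
}
```

Note the difference from the application-hive case discussed in the other answers: `reg.exe load` (and regedit's Load Hive) mounts the file as an ordinary hive under HKEY_USERS, so it is visible in Regedit and in hivelist, whereas RegLoadAppKey mounts it under `\REGISTRY\A` where neither shows it.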

\REGISTRY\A is a hidden registry hive for use by Windows Store apps (aka Metro-style apps).

Piotr Shatalin
    A few issues: • [This question](http://stackoverflow.com/questions/4611291) has the registry hive in question but is on *Windows 7*, so it doesn’t look like it is connected to Windows apps. • Even if you are correct, what and how exactly do Windows apps use it; that is, what does it provide that the regular registry does not? • The Wikipedia page you linked to does not mention the registry at all, so we have no way to confirm what you said or learn about it. – Synetech Dec 26 '13 at 22:15
  • In win10, if you do a procmon boot log, and filter on "path contains \registry\a" and "operation is regloadkey", in details you'll see "hive path: system32\config\BBI" and many "hive path: activationstore.dat" files processed for windows apps during boot. Sometimes the dcomlaunch service takes a long time with the BBI hive depending on the number of users. – js2010 Oct 04 '17 at 14:46
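The last comment describes the practical way to tie a `\REGISTRY\A\{GUID}` path back to a file: find the RegLoadKey event for that key and read the hive path out of its Detail column. For a boot log with many such events that is easier to do over a CSV export than in the Procmon GUI. The following is an added example (not from the comment or from Sysinternals): a function that filters exported Procmon rows down to hive loads under `\REGISTRY\A` and extracts the backing file. It assumes Procmon's default CSV export column names and a Detail text of the form "Hive Path: <file>", as reported in the comment; the sample rows are constructed for the demo and are not real captured data.

```powershell
# Added example (not part of the original comment). Map \REGISTRY\A\{GUID} keys seen
# in a Procmon CSV export to the hive files that were loaded there.
# Assumptions: default Procmon CSV column names; Detail contains "Hive Path: <file>"
# for RegLoadKey events; the $sample rows below are constructed, not real captures.

function Get-AppHiveLoads {
    param([Parameter(Mandatory)] [object[]]$Events)   # rows from Import-Csv / ConvertFrom-Csv

    $Events |
        Where-Object { $_.Operation -eq 'RegLoadKey' -and $_.Path -like '\REGISTRY\A\*' } |
        ForEach-Object {
            # Detail is free text; pull out the file if a "Hive Path:" token is present,
            # otherwise leave HiveFile empty rather than guessing.
            $hive = if ($_.Detail -match 'Hive Path:\s*(?<file>[^,]+)') { $Matches.file.Trim() } else { $null }
            [pscustomobject]@{
                Time     = $_.'Time of Day'
                Process  = $_.'Process Name'
                PID      = [int]$_.PID
                Key      = $_.Path
                HiveFile = $hive
                Result   = $_.Result
            }
        }
}

# Constructed sample in Procmon's CSV layout. Against a real log use:
#   $rows = Import-Csv .\bootlog.csv
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1234567 AM","svchost.exe","1240","RegLoadKey","\REGISTRY\A\{11111111-2222-3333-4444-555555555555}","SUCCESS","Hive Path: C:\Windows\System32\config\BBI"
"9:01:02.2234567 AM","svchost.exe","1240","RegQueryKey","\REGISTRY\A\{11111111-2222-3333-4444-555555555555}","SUCCESS","Query: Name"
"9:01:05.0000000 AM","explorer.exe","2040","RegLoadKey","\REGISTRY\A\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}","SUCCESS","Hive Path: C:\Users\alice\AppData\Local\Packages\Contoso.Demo_abc123\ActivationStore.dat"
"9:01:05.1000000 AM","explorer.exe","2040","RegOpenKey","HKCU\Software\Classes","SUCCESS","Desired Access: Read"
'@

$rows = $sample | ConvertFrom-Csv
Get-AppHiveLoads -Events $rows | Format-Table -AutoSize
```

The filter keeps only RegLoadKey operations whose Path is under `\REGISTRY\A`, so later accesses to the same key and ordinary HKCU/HKLM events drop out; to follow one particular GUID through the rest of the log, filter the original rows on that Key value once its HiveFile is known.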