Why do Windows registry hives appear empty?

3

I went into "C:\Windows\System32\config" on my Windows 10 machine, and tried to open the registry hive files.

SOFTWARE, for example, has a size of exactly 128 MB as reported by Explorer, but when opening it with Visual Studio Code, it is shown as empty. Notepad refuses to open it because it is "used by another process". I get the same results for the other files (SYSTEM, SECURITY, etc.).

Is Windows trying to prevent me from doing something stupid? Are these files special in some way (besides hosting the registry)?

Hey

Posted 2019-05-25T17:44:13.727

Reputation: 939

Of course they are special - they are the heart of Windows. – harrymc – 2019-05-25T17:51:00.280

@harrymc: So is ntoskrnl.exe, but that opens up in Notepad just fine. – user1686 – 2019-05-25T18:43:00.597

@grawity: Are you looking for homogeneity in Windows permissions? – harrymc – 2019-05-25T19:16:49.003

@harrymc: You did say "of course they're special" as if it should be obvious to the reader, so of course I am. – user1686 – 2019-05-26T10:03:11.837

@grawity: You are destined to be disappointed. – harrymc – 2019-05-26T10:27:14.730

Answers

9

They appear as empty because Visual Studio Code doesn't understand the concept of not being able to open the file. They're not actually empty; vscode is just literally unable to know whether they are or not.

Windows has the concept of "exclusive open" (aka "share modes", elsewhere also called "mandatory locking"). It is commonly used by database software to prevent another program from writing data at the same time as the database engine is managing it; if two handlers tried to write at once, they could end up corrupting the entire database. The same applies to filesystems – Windows doesn't actually let you access the raw disk device if it is mounted as a filesystem.

(That said, there are database formats specifically made for simultaneous access, such as LMDB.)

But the primary reason Windows Registry uses exclusive open is for security enforcement. Each Registry key can have a set of permissions (DACL/SACL) attached to it, just like a file or folder. If you could directly open a registry hive (especially the system or security hives), you could simply read the data that was supposed to be secured via permissions.

user1686

Posted 2019-05-25T17:44:13.727

Reputation: 283 655

Blocking other readers is potentially useful for a database that doesn't want other readers to see some of the file from before a transaction, some of the file from after a write, and even some bytes from the file during a supposedly atomic transaction. It's certainly inconvenient for use-cases where you don't care about getting a clean snapshot of the whole file, though. – Peter Cordes – 2019-05-26T02:36:42.817

"vscode is just literally unable to know whether they are or not" — this looks like a limitation in VSC implementation, not something imposed by the FS or OS. Explorer, for one, was able to determine the size, as noted in the OP. If a file's size is nonzero, the file is obviously not empty. – Ruslan – 2019-05-26T08:33:00.140

Yes, all programs receive the same error codes when trying to open a locked file... VSC just ignores it. What I was trying to say is VSC's "core" ignores the error and the "frontend" doesn't receive the information. – user1686 – 2019-05-26T10:00:58.683
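Added example, not part of the original answer or comments: a small Python probe that reports the size from file metadata (as Explorer does) separately from whether the contents could be opened, so a file held open exclusively is reported as locked rather than shown as empty. The function names and state strings are illustrative assumptions; the Win32 codes 32 (`ERROR_SHARING_VIOLATION`) and 5 (`ERROR_ACCESS_DENIED`) are the standard values.

```python
import errno
import os

ERROR_ACCESS_DENIED = 5       # Win32: permissions refused the open
ERROR_SHARING_VIOLATION = 32  # Win32: an existing handle's share mode forbids it


def classify_open_error(exc):
    """Map an OSError from stat()/open() to a short reason string."""
    # On Windows, Python reports both Win32 codes as PermissionError (EACCES),
    # so the original code in exc.winerror has to be checked first.
    winerror = getattr(exc, "winerror", None)  # attribute exists only on Windows
    if winerror == ERROR_SHARING_VIOLATION:
        return "locked"
    if winerror == ERROR_ACCESS_DENIED or exc.errno in (errno.EACCES, errno.EPERM):
        return "denied"
    if exc.errno == errno.ENOENT:
        return "missing"
    return "error"


def probe(path, sample=16):
    """Return (state, size_from_metadata, first_bytes) for path.

    state is "readable", "empty", "locked", "denied", "missing" or "error".
    The size comes from metadata only, so it can be known for a file
    whose contents cannot be opened.
    """
    try:
        size = os.stat(path).st_size
    except OSError as exc:
        return classify_open_error(exc), None, b""
    try:
        with open(path, "rb") as fh:
            head = fh.read(sample)
    except OSError as exc:
        # Surface the failure instead of treating it as zero bytes of content.
        return classify_open_error(exc), size, b""
    return ("empty" if size == 0 else "readable"), size, head


if __name__ == "__main__":
    # Path taken from the question; on a non-Windows system it reports "missing".
    print(probe(r"C:\Windows\System32\config\SOFTWARE"))
```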