Which takes precedence in the registry - HKLM or HKCU


Idontwantspam

Do settings for the whole computer, in the HKEY_LOCAL_MACHINE key, over-ride those for specific users, in the HKCU key, or do the individual user settings over-ride the machine settings? In other words, which is more "powerful" when there is a conflict in the registry - HKLM or HKCU?



There is never a conflict. HKLM is the 'master' key. Windows (or an app) would first look in HKCU for the current user's settings; if it's present, it'll use it. If a particular value isn't set in the HKCU, it'll get it from HKLM.


Well...this all depends.

Generally an application contains global settings in HKLM and user settings in HKCU. Those settings aren't usually the same between HKCU and HKLM. Yes, there may be common keys, but the values are usually different. Sometimes they are the same, in which case HKLM should take precedence.

As far as system policies, HKLM should take precedence, depending on the policy.


Unless we're talking about group policies (another wrinkle) - user settings (HKCU) take preference over computer settings (HKLM), at least in the Administrative Templates.

Sure, but it's still a programming choice that was made within Windows itself. You simply don't just read a registry key that will return one or the other, you have to programmatically and implicitly read the HKCU key and if not found then programmatically and implicitly read the HKLM key.

Edited by jcarle

I was referring to when I use the registry to make changes to a user's policies. For example, if I were to put a DWORD value of 1 named NoRun in

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

it would disable the run command for all users. But what would happen if I put that same value, but set to 0 rather than 1, in my HKCU (in other words in my NTUSER.DAT file - my profile). Would I be able to use Run or not? Which would trump the other - my setting or the system setting? I'm getting confused.

nmX.Memnoch said:

As far as system policies, HKLM should take precedence, depending on the policy.

but cluberti said:

Unless we're talking about group policies (another wrinkle) - user settings (HKCU) take preference over computer settings (HKLM), at least in the Administrative Templates.

Now where are Group Policies stored? for groups I mean. Because the group SIDs don't appear in the registry, and I haven't located any NTUSER.DAT files for groups. Group policy editor when used locally appears to only affect HKCU, so I tend to use the registry when changing for individual users. Am I doing this wrong?

The sense I'm getting is that HKCU is looked in and if the value's not found, then HKLM is looked in USUALLY but not always. Is this right?

I'm confused! :wacko:


I was referring to when I use the registry to make changes to a user's policies. For example, if I were to put a DWORD value of 1 named NoRun in

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

it would disable the run command for all users. But what would happen if I put that same value, but set to 0 rather than 1, in my HKCU (in other words in my NTUSER.DAT file - my profile). Would I be able to use Run or not? Which would trump the other - my setting or the system setting? I'm getting confused.

In this case, HKLM would take precedence, because you're setting it locally on the machine's policies or registry directly.

Now where are Group Policies stored? for groups I mean. Because the group SIDs don't appear in the registry, and I haven't located any NTUSER.DAT files for groups. Group policy editor when used locally appears to only affect HKCU, so I tend to use the registry when changing for individual users. Am I doing this wrong?

Group policies, if you're using an AD domain, are stored in the SYSVOL share of DCs in a domain - but most GPO settings are just registry files (some are old-style registry .pol files, but they're still registry settings!). The policies that change settings on a machine or for a user get applied when the machine is (re)started, or when a user logs in. Policies can also be refreshed and reapplied in intervals, unless a policy change requires a logoff or a restart.

The sense I'm getting is that HKCU is looked in and if the value's not found, then HKLM is looked in USUALLY but not always. Is this right?

I'm confused! :wacko:

Welcome to the brave world of policies. Some are HKCU, some are HKLM, and override isn't 100% consistent (even in GPO). The basic rule of thumb is that if you edit the registry directly (or assign an ntuser.dat that has been modified), HKLM policies will take preference over HKCU policies, but only if the policy that you're setting is configured as such. In general, HKLM policies override HKCU policies when defined locally, but just the opposite occurs when you configure policies via GPOs :)
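
The lookups discussed in this thread, as an added PowerShell example that is not part of any post: the explicit HKCU-then-HKLM fallback read, plus a side-by-side report of the NoRun value in both hives, since the thread notes that policy override is not consistent. The function names are hypothetical; the key path and value name are the ones quoted above, and the script only reads the registry.

```powershell
# Added example; read-only. Key path and value name are the ones from the thread.
$policyKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoRun'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # A missing key and a missing value both count as "not set" here.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Get-SettingWithFallback {
    # The explicit two-step read described in the thread: HKCU first, then HKLM.
    param([string]$SubKey, [string]$Name)
    $user = Get-RegValueOrNull -Path "HKCU:\$SubKey" -Name $Name
    # Compare against $null, not truthiness: a stored DWORD of 0 is a real value.
    if ($null -ne $user) {
        return New-Object PSObject -Property @{ Source = 'HKCU'; Value = $user }
    }
    $machine = Get-RegValueOrNull -Path "HKLM:\$SubKey" -Name $Name
    if ($null -ne $machine) {
        return New-Object PSObject -Property @{ Source = 'HKLM'; Value = $machine }
    }
    New-Object PSObject -Property @{ Source = 'not set'; Value = $null }
}

function Get-PolicyValueReport {
    # Show both hives side by side so a disagreement is visible, not assumed away.
    param([string]$SubKey, [string]$Name)
    $hklm = Get-RegValueOrNull -Path "HKLM:\$SubKey" -Name $Name
    $hkcu = Get-RegValueOrNull -Path "HKCU:\$SubKey" -Name $Name
    New-Object PSObject -Property @{
        Name     = $Name
        HKLM     = $hklm
        HKCU     = $hkcu
        Conflict = ($null -ne $hklm) -and ($null -ne $hkcu) -and ($hklm -ne $hkcu)
    }
}

Get-SettingWithFallback -SubKey $policyKey -Name $valueName
Get-PolicyValueReport   -SubKey $policyKey -Name $valueName
```

A `Conflict` of `True` means the two hives disagree; which one the consuming component honours still has to be confirmed by testing that specific policy.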


GGAAAAAAAAAAAA :wacko: ME == Confused :blink:

OK, thank you Cluberti. I will assume that HKLM takes precedence, but I will NEVER EVER assume that that's always the case.

I am not using AD or anything like that. This is just on a local machine. Do you know where the policies for groups are on a local machine, if indeed they exist?

Oh and another question, slightly unrelated, but you might know and I don't :rolleyes:

If I were to enable auditing of various things, like logons, policy change, etc. where would that info be stored? I've never used this before, and I'm wondering where I would find the audit logs or whatever if I were to enable this auditing. Does anyone know? This would be locally on a Windows XP Media Center Edition machine. I'm talking about the settings in

Local Computer Policy\Computer Configuration\Windows Settings\Local Policies\Audit Policy

Anyone know?

Figured it out - thanks Google!

Eventvwr.msc

Edited by Idontwantspam

I am not using AD or anything like that. This is just on a local machine. Do you know where the policies for groups are on a local machine, if indeed they exist?

There are no policies for user groups. Only machine and user policies. "GPO" does indeed stand for "Group Policy Object", but that's domain level terminology and does not correlate to user groups in the way that you're thinking. :)

Figured it out - thanks Google!

Eventvwr.msc

Or just choose Event Viewer from Admin Tools. It's also located in Computer Management.

Edited by nmX.Memnoch

OK, thank you. I'm kinda new to the whole policy thing, so I appreciate the help.

Another question. Is there any way to edit user policies - for individual users - from the Group Policy Editor, rather than using the registry, if I'm dealing with local policies? Right now I just load the NTUSER.DAT file of the user I want to modify, or open their SID in the HKU key if it's open. Is there an easier way, or am I stuck? And as for local security policies - can I set audit policies on Windows XP Home or is that not possible?

Edited by Idontwantspam

OK but in gpedit how do I edit policies for individual specific users, if possible? And how can I get gpedit on XP home? Sounds very useful. :thumbup Particularly auditing logon events would be nice. We want to see when who uses the family computer.

Edited by Idontwantspam

OK but in gpedit how do I edit policies for individual specific users, if possible?

That you cannot do - setting User Configuration policies on a machine configures it for all users and cannot be broken down in a more granular fashion (some security options can be set for specific users and groups, but that's about it). If you want to target specific users, you either do what you've been doing (edit ntuser.dat), or upgrade to a domain infrastructure.
