Here's some basic questions about Windows 11 Home registry size.
This is an excellent backgrounder on Registry.
- https://googleprojectzero.blogspot.com/2024/10/the-windows-registry-adventure-4-hives.html
- Windows Registry Forensics Cheat Sheet 2025 - Cyber Triage
- Metadata Consulting [dot] ca - Blog: Windows 10 Registry Size, Number of Keys, Values
- RegToText - Registry to Text Utility
Here some stats on how large the registry is
DU v1.62 - Directory disk usage reporter
Copyright (C) 2005-2018 Mark Russinovich
Sysinternals - www.sysinternals.com
Totals:
Files: 160
Directories: 1
Size: 253,415,744 bytes
Size on disk: 253,748,904 bytes or
Counts this included keys and values, can also be empty keys!
Size of HKEY_LOCAL_MACHINE : 662,616
Total key value/pairs : 1,192,866
You can get dureg here....
https://web.archive.org/web/20060415040835/http://download.microsoft.com/download/win2000platform/WebPacks/1.00.0.1/NT5/EN-US/Dureg.exe
Depth counts number of 'subdirectories' for a key. For example this key below, would have a depth of 7 (don't count top hive HKEY_LOCAL_MACHINE).
1 2 0.00% 2 14 0.00% 3 943 0.13% 4 7083 1.01% 5 55661 7.97% 6 181103 25.92% 7 121044 17.33% 8 83524 11.96% 9 56718 8.12% 10 84210 12.05% 11 25604 3.67% 12 31723 4.54% 13 30203 4.32% 14 8822 1.26% 15 3673 0.53% 16 4814 0.69% 17 1440 0.21% 18 946 0.14% 19 573 0.08% 20 209 0.03% 21 34 0.00% 22 67 0.01% 23 65 0.01% 24 42 0.01% 25 58 0.01% 26 8 0.00% 27 4 0.00% 28 4 0.00% 698591
There are 70,145 plain keys, not values.
| "value" alias hex(1) | Default or blank | String value data with escape characters |
| hex alias hex(3) | REG_BINARY | Binary data (any arbitrary data, override interpolated by /e, if not found by Mozilla Universal Charset Detector library) |
| dword alias hex(4) | REG_DWORD | A 32-bit unsigned integer coded in little-endian format |
| hex(0) | REG_NONE | No type (the stored value, if any) |
| hex(1) | REG_SZ | A string value, normally stored and exposed in UTF-16LE (when using the Unicode version of Win32 API functions), usually terminated by a NUL character |
| hex(2) | EXPAND_SZ | An “expandable” string value that can contain environment variables, normally stored and exposed in UTF-16LE, usually terminated by a NUL character |
| hex(3) | REG_BINARY | Binary data (any arbitrary data, override interpolated by /e, if not found by Mozilla Universal Charset Detector library) |
| hex(4) | REG_DWORD_LITTLE_ENDIAN equivalent to REG_DWORD | A 32-bit unsigned integer coded in little-endian format |
| hex(5) | REG_DWORD_BIG_ENDIAN | A 32-bit unsigned integer coded in big-endian format |
| hex(6) | REG_LINK | A symbolic link (UNICODE) to another Registry key, specifying a root key and the path to the target key |
| hex(7) | REG_MULTI_SZ | A multi-string value, which is an ordered list of non-empty strings, normally stored and exposed in UTF-16LE, each one terminated by a NUL character, the list being normally terminated by a second NUL character. |
| hex(8) | REG_RESOURCE_LIST | A resource list, as specified https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_cm_resource_list |
| hex(9) | REG_FULL_RESOURCE_DESCRIPTOR | A resource descriptor, as specified https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_cm_full_resource_descriptor |
| hex(a) | REG_RESOURCE_REQUIREMENTS_LIST | A resource requirements list, as specified https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_io_resource_requirements_list |
| hex(b) | REG_QWORD_LITTLE_ENDIAN equivalent to REG_QWORD | A 64-bit integer little-endian (introduced in Windows XP) |
No comments:
Post a Comment