Saturday, August 30, 2025

Windows 11 Home Registry Size, Number of Keys, Values

Here are answers to some basic questions about registry size for a default Windows 11 Home installation with Office Home Edition.

These are excellent backgrounders on the Registry:

  1. https://googleprojectzero.blogspot.com/2024/10/the-windows-registry-adventure-4-hives.html
  2. Windows Registry Forensics Cheat Sheet 2025 - Cyber Triage
  3. Metadata Consulting [dot] ca - Blog: Windows 10 Registry Size, Number of Keys, Values
  4. RegToText - Registry to Text Utility


Here are some stats on how large the registry is on disk (Sysinternals du output):

DU v1.62 - Directory disk usage reporter
Copyright (C) 2005-2018 Mark Russinovich
Sysinternals - www.sysinternals.com


Totals:
Files:        160
Directories:  1
Size:         253,415,744 bytes
Size on disk: 253,748,904 bytes or  242.01 MB on disk


Raw counts for the entire registry export file

File Name     Size
---------     ----
win11org.reg  515.71 MB


Number of subkey paths in the registry export file (lines starting with "["):

698591

Number of default key/value pairs in the registry export file (lines starting with "@", the default value):

290280

Number of named key/value pairs in the registry export file (lines starting with a quote, a named value):

902551

Total number of key/value pairs in the registry export file (lines starting with "@" or a quote):

1,192,831

There are 1,192,866 registry paths.

This count includes keys and values, and a key can also be empty: there are 70,145 plain keys/paths that have no key/value pairs under them.

Dureg Command


C:\Program Files (x86)\Resource Kit>dureg /a

Size of HKEY_CLASSES_ROOT   :   33,754,161
Size of HKEY_USERS          :   10,603,222
Size of HKEY_LOCAL_MACHINE  :   74,425,586

    Total Registry data size:    118,782,969   

You can get dureg here:

https://web.archive.org/web/20060415040835/http://download.microsoft.com/download/win2000platform/WebPacks/1.00.0.1/NT5/EN-US/Dureg.exe


Depth of keys 


Depth counts the number of 'subdirectories' in a key path. For example, the key below has a depth of 7 (the top-level hive HKEY_LOCAL_MACHINE is not counted).

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Content Indexer Cleaner] 

Depth	Keys	Share
1	2	0.00%
2	14	0.00%
3	943	0.13%
4	7083	1.01%
5	55661	7.97%
6	181103	25.92%
7	121044	17.33%
8	83524	11.96%
9	56718	8.12%
10	84210	12.05%
11	25604	3.67%
12	31723	4.54%
13	30203	4.32%
14	8822	1.26%
15	3673	0.53%
16	4814	0.69%
17	1440	0.21%
18	946	0.14%
19	573	0.08%
20	209	0.03%
21	34	0.00%
22	67	0.01%
23	65	0.01%
24	42	0.01%
25	58	0.01%
26	8	0.00%
27	4	0.00%
28	4	0.00%
Total	698591
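The counts and the depth table above can be reproduced from any Registry Editor export with a short script. The one below is an added example, not part of the original post or of RegToText: it applies the same line rules (a "[" line is a key path, "@" a default value, a quote a named value), tallies empty keys, and computes depth exactly as defined above. The embedded export is constructed for the demonstration; pass the path of a real .reg file on the command line to get the figures for your own machine.

```python
"""Count keys, values, empty keys and key depth in a Registry Editor export."""
import sys
from collections import Counter
from typing import Iterable

# Constructed sample export, not from the page. Real exports are UTF-16LE with a
# BOM, so read them with open(path, encoding="utf-16").
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\App]
@="Example App"
"Version"=dword:00000102
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\App\Settings\Deep]
"Flag"=dword:00000001
"""


def key_depth(key_path: str) -> int:
    """Number of path components below the hive root, which is not counted:
    HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft has depth 2."""
    return key_path.count("\\")


def reg_stats(lines: Iterable[str]) -> dict:
    """Tally an export line by line using the same rules as the post:
    '[' starts a key path, '@' a default value, '"' a named value.
    Hex continuation lines start with spaces and are therefore skipped."""
    keys = defaults = named = empty_keys = 0
    depth_hist = Counter()
    in_key, values_in_key = False, 0
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("["):
            if in_key and values_in_key == 0:
                empty_keys += 1          # previous key had no values under it
            in_key, values_in_key = True, 0
            keys += 1
            depth_hist[key_depth(line.strip("[]"))] += 1
        elif line.startswith("@"):
            defaults += 1
            values_in_key += 1
        elif line.startswith('"'):
            named += 1
            values_in_key += 1
    if in_key and values_in_key == 0:
        empty_keys += 1
    return {
        "keys": keys,
        "default_values": defaults,
        "named_values": named,
        "total_values": defaults + named,
        "empty_keys": empty_keys,
        "depth_histogram": dict(sorted(depth_hist.items())),
    }


def depth_table(hist: dict) -> list:
    """(depth, count, share) rows in the layout of the depth table above."""
    total = sum(hist.values()) or 1
    return [(d, n, f"{100 * n / total:.2f}%") for d, n in sorted(hist.items())]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            stats = reg_stats(fh)
    else:
        stats = reg_stats(SAMPLE_REG.splitlines())
    for name, value in stats.items():
        if name != "depth_histogram":
            print(f"{name:>15}: {value}")
    for depth, count, share in depth_table(stats["depth_histogram"]):
        print(f"{depth:>5}\t{count}\t{share}")
```

Run it as `python reg_stats.py win11org.reg` against a real export; with no argument it reports on the embedded sample (3 keys, 4 values, 1 empty key).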




Registry Types for Win11



Windows 11: strange new value types in the registry?

"SCO Support Level"=hex(200000):
"ManufacturerName"=hex(20004)
"WUDF"=hex(100000):


These are all the Windows registry value types that appear in a .reg file, and how they are translated:

"value"  - alias of hex(1): default or blank string value data, with escape characters
hex      - alias of hex(3), REG_BINARY: binary data (any arbitrary data; the interpretation is overridden by /e if no encoding is found by the Mozilla Universal Charset Detector library)
dword    - alias of hex(4), REG_DWORD: a 32-bit unsigned integer coded in little-endian format
hex(0)   - REG_NONE: no type (the stored value, if any)
hex(1)   - REG_SZ: a string value, normally stored and exposed in UTF-16LE (when using the Unicode version of the Win32 API functions), usually terminated by a NUL character
hex(2)   - REG_EXPAND_SZ: an "expandable" string value that can contain environment variables, normally stored and exposed in UTF-16LE, usually terminated by a NUL character
hex(3)   - REG_BINARY: binary data (as for hex above)
hex(4)   - REG_DWORD_LITTLE_ENDIAN, equivalent to REG_DWORD: a 32-bit unsigned integer coded in little-endian format
hex(5)   - REG_DWORD_BIG_ENDIAN: a 32-bit unsigned integer coded in big-endian format
hex(6)   - REG_LINK: a symbolic link (UNICODE) to another registry key, specifying a root key and the path to the target key
hex(7)   - REG_MULTI_SZ: a multi-string value, an ordered list of non-empty strings, normally stored and exposed in UTF-16LE, each terminated by a NUL character, the list normally terminated by a second NUL character
hex(8)   - REG_RESOURCE_LIST: a resource list, as specified at https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_cm_resource_list
hex(9)   - REG_FULL_RESOURCE_DESCRIPTOR: a resource descriptor, as specified at https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_cm_full_resource_descriptor
hex(a)   - REG_RESOURCE_REQUIREMENTS_LIST: a resource requirements list, as specified at https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_io_resource_requirements_list
hex(b)   - REG_QWORD_LITTLE_ENDIAN, equivalent to REG_QWORD: a 64-bit little-endian integer (introduced in Windows XP)
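As an added illustration of the table (this is example code written for this page, not the RegToText implementation), here is a small decoder for the .reg value syntax. It maps the hex(N) number to the REG_* name, decodes the string, DWORD, QWORD and multi-string encodings, and labels type numbers it does not recognise, such as the hex(200000) seen above, instead of failing on them. The sample lines are constructed; the decoder assumes Regedit's export conventions (comma-separated hex bytes, backslash continuation lines).

```python
"""Translate Registry Editor (.reg) value lines into typed Python values."""
import re
import struct

# hex(N) type numbers as they appear in .reg exports; hex(4) and hex(b) are the
# little-endian forms the table lists as REG_DWORD / REG_QWORD.
REG_TYPE_NAMES = {
    0x0: "REG_NONE", 0x1: "REG_SZ", 0x2: "REG_EXPAND_SZ", 0x3: "REG_BINARY",
    0x4: "REG_DWORD", 0x5: "REG_DWORD_BIG_ENDIAN", 0x6: "REG_LINK",
    0x7: "REG_MULTI_SZ", 0x8: "REG_RESOURCE_LIST",
    0x9: "REG_FULL_RESOURCE_DESCRIPTOR", 0xA: "REG_RESOURCE_REQUIREMENTS_LIST",
    0xB: "REG_QWORD",
}

# Constructed sample lines (not a real export), covering the common encodings
# and one of the odd type numbers seen in the Windows 11 export above.
SAMPLE_LINES = [
    '@="Example App"',
    '"Version"=dword:00000102',
    '"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\',
    '  74,00,25,00,00,00',
    '"Langs"=hex(7):65,00,6e,00,00,00,66,00,72,00,00,00,00,00',
    '"Big"=hex(5):00,00,00,2a',
    '"Q"=hex(b):01,00,00,00,00,00,00,00',
    '"Blob"=hex:de,ad,be,ef',
    '"SCO Support Level"=hex(200000):',
]

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:?(.*)$")


def join_continuations(lines):
    """Yield logical lines: a trailing backslash continues hex data onto the
    next physical line, which Regedit indents with two spaces."""
    pending = ""
    for raw in lines:
        line = raw.rstrip("\r\n")
        if pending:
            line = pending + line.lstrip()
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        yield line
    if pending:
        yield pending


def _unescape(text):
    return re.sub(r"\\(.)", r"\1", text)   # \" -> " and \\ -> \


def _hex_bytes(data):
    return bytes.fromhex(re.sub(r"[\s,\\]", "", data))


def _decode_typed(type_id, raw):
    if type_id in (0x1, 0x2, 0x6) and len(raw) % 2 == 0:
        return raw.decode("utf-16-le").rstrip("\x00")
    if type_id == 0x7 and len(raw) % 2 == 0:
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    if type_id == 0x4 and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    if type_id == 0x5 and len(raw) == 4:
        return struct.unpack(">I", raw)[0]
    if type_id == 0xB and len(raw) == 8:
        return struct.unpack("<Q", raw)[0]
    return raw   # REG_NONE, REG_BINARY, resource lists and unknown types stay bytes


def decode_value(line):
    """Return (name, type name, value) for one logical value line.
    Unrecognised type numbers are labelled rather than rejected."""
    m = _VALUE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a value line: {line!r}")
    name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
    payload = m.group(2)
    if payload == "-":
        return name, "DELETE", None
    if len(payload) >= 2 and payload[0] == payload[-1] == '"':
        return name, "REG_SZ", _unescape(payload[1:-1])
    if payload.startswith("dword:"):
        return name, "REG_DWORD", int(payload[len("dword:"):], 16)
    h = _HEX_RE.match(payload)
    if not h:
        raise ValueError(f"unsupported value syntax: {payload!r}")
    type_id = int(h.group(1), 16) if h.group(1) else 0x3
    type_name = REG_TYPE_NAMES.get(type_id, f"UNKNOWN(0x{type_id:x})")
    return name, type_name, _decode_typed(type_id, _hex_bytes(h.group(2)))


if __name__ == "__main__":
    for entry in map(decode_value, join_continuations(SAMPLE_LINES)):
        print(entry)
```

Feeding it the value lines of an export shows where the "strange" types come from: the type number is simply carried through as UNKNOWN(0x200000) with its raw bytes, which is the safe thing for a converter to do with data it cannot interpret.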



To convert these values to text, get my tool, RegToText - Registry to Text Utility.
Thursday, August 28, 2025

BMO Phishing email with subject BMO Security Alert

For the record, this is a BMO phishing email attempt that is currently going around, with the subject "BMO Security Alert". What to do? Report it; go to the bottom of the page.


From : BMO Bаnk Of Mоntrеаl <stoffregen@tron.mexoliehotel.co.id>
Subject : BMO Security Alert.

Outlook identified this email as coming from an unknown source and it went to the Junk folder.

PHISHING LINKS:

1. Hover over image
https://sl.ut.ac.id/xxxx 


How to tell this is a phishing email?

  1. Check the email address in full; if it's not from the originating company, then it's phishing.
  2. Hover over all links in the email; if they don't point to the company's website, then forget it.
  3. The best way is to 

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow at top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email, take further action by

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Thursday, August 14, 2025

Are Macs, Linux safer than Windows PCs - 2025 Update

You would be amazed at how many people believe, and how Apple Store representatives perpetuate, the following myth:

"Macs don't need an anti-virus solution. It's a Mac, it's safe by design."

FYI, Macs (5% of the marketplace) come with XProtect, which is antivirus (AV) software. XProtect is not well known. It's a lightweight, behind-the-scenes guardian that uses only signature-based rules (known threats only).

Windows (75% of the marketplace) comes with Microsoft Defender, a full-featured antivirus and anti-malware suite that uses signature-based, behavioral-analysis and cloud-protection rules.

Linux (4% of the marketplace) does not have a default AV. The common free option is ClamAV (sudo apt install clamav), which is signature-based and has basic heuristic capabilities. ClamAV can perform on-access scanning and process memory scanning, though these features require setup and aren't enabled by default. ClamAV is open-source but was purchased by Cisco Systems Inc. in 2013.

The problem with a signature-based solution is that you are always behind and have to play catch-up. Any new malware will spread easily before it's identified and quarantined.

Generally speaking, according to the Common Vulnerabilities and Exposures (CVE) All Time Board (see image below), macOS and Windows are virtually tied for number of vulnerabilities.

Android and iPhone have more vulnerabilities and do not have any antivirus built in, yet they are full-blown computers (see Phone Security Brief).

TL;DR

Don't surf on your phone, or bank on it. Use a desktop and buy the best malware antivirus solution available.

Phone Security Brief

It might seem strange that Kaspersky Lab doesn’t offer an antivirus app for iOS, but there’s a good reason: Apple doesn’t allow any proper antivirus apps into the App Store, saying “Apple designed the iOS platform with security at its core” and that the operating system does not need an antivirus utility. (Source: An antivirus for iPhone — does it even exist? | Kaspersky official blog)

Both Android and iOS market their security on sandboxing, which is a good technique but has not prevented a large number of vulnerabilities from being attacked. Again, phone companies will never tell you your phone needs an antivirus, even though it's a full-blown computer. Open up a MacBook Air and inside is an iPhone. According to ESET, Android malware attacks surged by 160% in the first half of 2025. Major contributors are the "Kaleidoscope" ad fraud operation and drive-by malware that requires no-click activation (which an AV would block). So the major AV players added AV into browsers; that's how they got around phone restrictions. See below for more info.

Case in point: Aug 21, 2025 - drive-by image malware. Zero-day means a flaw in a system that hasn't been discovered or patched yet (and so is not in signatures): Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks (thehackernews.com)

July 8, 2025 - https://www.bleepingcomputer.com/news/security/android-malware-anatsa-infiltrates-google-play-to-target-us-banks/

CVE All Time Leaders Board
Source: Top 50 products having highest number of cve security vulnerabilities (cvedetails.com)


Mac OS X covers a longer historical period, including older versions like Leopard, Snow Leopard, etc.

macOS versions (like Catalina (2019), Big Sur, Monterey) benefit from more advanced security features and sandboxing.


Phone Security Details

Both phone platforms rely on sandboxing; neither promotes nor ships a built-in antivirus, for fear of bad publicity and performance impact.

Android

  • Kernel-Level Sandbox: Each app runs with a unique Linux UID, isolating it at the process level using standard UNIX-style permissions.

  • SELinux Enforcement: Since Android 5.0, SELinux adds mandatory access control, and by Android 9, each app gets its own SELinux context.

  • Seccomp Filters: Android 8.0 introduced syscall filtering to limit what apps can do at the kernel level.

  • App Runtime (ART): Replaced Dalvik VM, offering process-level isolation and performance optimization.

iOS

  • Strict App Sandboxing: Every app is confined to its own directory with limited access to system resources and other apps.

  • Entitlements System: Apps must declare specific permissions (e.g., access to iCloud or camera), which are cryptographically signed and enforced.

  • ASLR & Execute Never (XN): Memory protection techniques like Address Space Layout Randomization and marking memory pages as non-executable prevent code injection attacks.


🔐 iOS App Security

Strengths:

  • Closed ecosystem: Apple tightly controls the App Store, vetting apps for malware and enforcing strict privacy guidelines.

  • Sandboxing: Apps are isolated from each other and the system, reducing the risk of cross-app data leaks.

  • Frequent updates: Apple supports older devices longer, ensuring timely security patches.

  • Privacy-first features: iOS includes indicators for microphone/camera use, approximate location sharing, and tracker blocking in Safari.

Weaknesses:

  • Limited customization: Users have less control over app permissions compared to Android.

  • Apple-centric data flow: A study found iPhones send more data to Apple servers than Android does to Google—but less to third parties.

🔐 Android App Security

Strengths:

  • Customizability: Users can fine-tune app permissions and install apps from outside the Play Store.

  • Security platforms: Some manufacturers (e.g., Samsung with Knox) offer enhanced device-level security.

  • Google Play Protect: Scans apps for malware, though effectiveness varies.

Weaknesses:

  • Fragmentation: Different manufacturers and OS versions lead to inconsistent security updates.

  • Third-party exposure: Android apps tend to send more data to external servers, including those in countries with questionable privacy laws.

  • Higher malware risk: Open app ecosystem makes Android more vulnerable to malicious apps.



Original post in 2016

Saturday, August 2, 2025

The Crabwood binary source code revisited with AI

The Crabwood binary code refers to a complex crop circle discovered in 2002 near Crabwood Farm in England, which contains a binary message. The message is encoded in ASCII binary code and is believed to contain warnings about deception and the existence of extraterrestrial intelligence. The binary code consists of a detailed humanoid face and a spiral sequence of dots, which some researchers interpret as a warning about false gifts and promises. The message has been analyzed for its meaning, with interpretations suggesting it may relate to advanced technology and the potential presence of extraterrestrial life.

The binary-ASCII code from Crabwood 2002: a second message embedded somewhere? by Red Collie (cropcircleconnector.com)

Grok 

Beware the bearers of FALSE gifts & their BROKEN PROMISES.Much PAIN but still time.EELIEVE.THERE is GOOD out there.WE OPPOSE DECEPTION.CONDUIT CLOSING\


ChatGPT


The binary you've provided translates to the following ASCII text:

Beware the bearers of FALSE gifts & their BROKEN PROMISES. Much PAIN but still time. BELIEVE. There is GOOD out there. We Oppose DECEPTION. Conduit CLOSING.

This is a well-known message associated with a **Crop Circle phenomenon**—often called the "Arecibo reply" or the **2002 Crabwood Crop Circle**. The binary message was found encoded in the design of a crop formation near **Winchester, UK**, featuring an alien-like figure and a disc with binary code.

It's widely discussed in UFO and conspiracy circles, but it's almost certainly a human-made artistic hoax. Still, it’s a clever example of binary ASCII encoding used in speculative or fictional communications.

Would you like a breakdown of how the binary was decoded or the history behind the crop circle?


Edited source Crabwood Binary Code

01000010
01100101
01110111
01100001
01110010
01100101
00100000
01110100
01101000
01100101
00100000
01100010
01100101
01100001
01110010
01100101
01110010
01110011
00100000
01101111
01100110
00100000
01000110
01000001
01001100
01010011
01000101
00100000
01100111
01101001
01100110
01110100
01110011
00100000
00100110
00100000
01110100
01101000
01100101
01101001
01110010
00100000
01000010
01010010
01001111
01001011
01000101
01001110
00100000
01010000
01010010
01001111
01001101
01001001
01010011
01000101
01010011
00101110
01001101
01110101
01100011
01101000
00100000
01010000
01000001
01001001
01001110
00100000
01100010
01110101
01110100
00100000
01110011
01110100
01101001
01101100
01101100
00100000
01110100
01101001
01101101
01100101
00101110
01000101
01000101
01001100
01001001
01000101
01010110
01000101
00101110
01010100
01101000
01100101
01110010
01100101
00100000
01101001
01110011
00100000
01000111
01001111
01001111
01000100
00100000
01101111
01110101
01110100
00100000
01110100
01101000
01100101
01110010
01100101
00101110
01010111
01100101
00100000
01101111
01010000
01110000
01101111
01110011
01100101
00100000
01000100
01000101
01000011
01000101
01010000
01010100
01001001
01001111
01001110
00101110
01000011
01001111
01101110
01100100
01110101
01101001
01110100
00100000
01000011
01001100
01001111
01010011
01001001
01001110
01000111
01011100
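A deterministic decoder is the right tool for checking a transcription like the two model outputs above, and a few lines of Python do it. The script below is an added example, not part of the original post: it decodes the 151 octets listed above (copied here in reading order), validates that every group is exactly eight binary digits so a dropped bit cannot silently shift the rest of the text, and reports at which positions each model rendering departs from the literal decode. The two rendering strings are the Grok and ChatGPT outputs quoted earlier in the post.

```python
"""Decode the Crabwood 8-bit binary listing without relying on a language model."""

# The 151 octets listed above, in reading order, one per character.
CRABWOOD_BITS = """
01000010 01100101 01110111 01100001 01110010 01100101
00100000 01110100 01101000 01100101
00100000 01100010 01100101 01100001 01110010 01100101 01110010 01110011
00100000 01101111 01100110
00100000 01000110 01000001 01001100 01010011 01000101
00100000 01100111 01101001 01100110 01110100 01110011
00100000 00100110
00100000 01110100 01101000 01100101 01101001 01110010
00100000 01000010 01010010 01001111 01001011 01000101 01001110
00100000 01010000 01010010 01001111 01001101 01001001 01010011 01000101 01010011 00101110
01001101 01110101 01100011 01101000
00100000 01010000 01000001 01001001 01001110
00100000 01100010 01110101 01110100
00100000 01110011 01110100 01101001 01101100 01101100
00100000 01110100 01101001 01101101 01100101 00101110
01000101 01000101 01001100 01001001 01000101 01010110 01000101 00101110
01010100 01101000 01100101 01110010 01100101
00100000 01101001 01110011
00100000 01000111 01001111 01001111 01000100
00100000 01101111 01110101 01110100
00100000 01110100 01101000 01100101 01110010 01100101 00101110
01010111 01100101
00100000 01101111 01010000 01110000 01101111 01110011 01100101
00100000 01000100 01000101 01000011 01000101 01010000 01010100 01001001 01001111 01001110 00101110
01000011 01001111 01101110 01100100 01110101 01101001 01110100
00100000 01000011 01001100 01001111 01010011 01001001 01001110 01000111 01011100
"""

# The two model renderings quoted above, copied verbatim from the post.
GROK_TEXT = ("Beware the bearers of FALSE gifts & their BROKEN PROMISES.Much PAIN but still "
             "time.EELIEVE.THERE is GOOD out there.WE OPPOSE DECEPTION.CONDUIT CLOSING\\")
CHATGPT_TEXT = ("Beware the bearers of FALSE gifts & their BROKEN PROMISES. Much PAIN but still "
                "time. BELIEVE. There is GOOD out there. We Oppose DECEPTION. Conduit CLOSING.")


def decode_binary_ascii(bits: str, width: int = 8) -> str:
    """Turn whitespace-separated fixed-width binary groups into text.
    Each group is validated so a dropped or extra bit is reported instead of
    silently shifting every later character."""
    chars = []
    for n, group in enumerate(bits.split()):
        if len(group) != width or set(group) - {"0", "1"}:
            raise ValueError(f"group {n} is not {width} binary digits: {group!r}")
        chars.append(chr(int(group, 2)))
    return "".join(chars)


def decode_crabwood() -> str:
    return decode_binary_ascii(CRABWOOD_BITS)


def differences(decoded: str, rendering: str) -> list:
    """(index, decoded char, rendered char) at every position where a rendering
    departs from the decoded text, including positions past the shorter string."""
    width = max(len(decoded), len(rendering))
    return [(i, decoded[i:i + 1], rendering[i:i + 1])
            for i in range(width) if decoded[i:i + 1] != rendering[i:i + 1]]


if __name__ == "__main__":
    text = decode_crabwood()
    print(text)
    for label, rendering in (("Grok", GROK_TEXT), ("ChatGPT", CHATGPT_TEXT)):
        print(f"{label}: {len(differences(text, rendering))} character(s) differ")
```

Running it shows the literal decode is "EELIEVE", "There", "We oPpose" and "COnduit": Grok's rendering differs only in letter case, while ChatGPT's adds spaces and spells "BELIEVE", so it is an interpretation rather than a transcription.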

Friday, August 1, 2025

iCloud Phishing email with subject Nous avons bloqué votre compte Le 31 juillet 2025, vos photos et vidéos seront supprimées.

For the record, this is an iCloud phishing email attempt that is currently going around, with the subject line "Nous avons bloqué votre compte ! Le 31 juillet 2025, vos photos et vidéos seront supprimées. Agissez !" ("We have blocked your account! On 31 July 2025 your photos and videos will be deleted. Act now!").

What to do?
Report it; go to the bottom of the page.


From : Paiement refusé <newsletter@advancedroadcrafttechniques.com.au>

Subject : Nous avons bloqué votre compte ! Le 31 juillet 2025, vos photos et vidéos seront supprimées. Agissez !




PHISHING LINKS:

1. https://4.magnitudenetwork.net/xxxx


How to tell this is a phishing email?

  1. Check the email address in full; if it's not from the originating company, then it's phishing.
  2. Hover over all links in the email; if they don't point to the company's website, then forget it.
  3. The best way is to 
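The first two checks above (for this iCloud email and for the BMO Security Alert email earlier on the page) can be automated against the raw message. The script below is an added example written for this page, not part of either post: it extracts the real sender domain behind the display name, lists the host of every link (what hovering would reveal), and flags a display name that mixes Latin letters with look-alike letters from another script, as the BMO sender name quoted above does with Cyrillic а, о and е. The header and HTML are constructed samples using reserved placeholder domains; BRAND_DOMAIN stands for the domain the recipient knows the company by.

```python
"""Sender, display-name and link checks for a suspected phishing email."""
import re
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlparse

# The domain the recipient knows the company by. Placeholder, not a real bank's domain.
BRAND_DOMAIN = "examplebank.example"

# Constructed sample modelled on the headers quoted in the posts: the display name
# spells the brand with Cyrillic а (U+0430), о (U+043E) and е (U+0435), and the
# address and link hosts are reserved placeholder names.
SAMPLE_FROM = "Example B\u0430nk Of M\u043entr\u0435\u0430l <stoffregen@tron.mail-relay.invalid>"
SAMPLE_HTML = (
    '<a href="https://sl.short-link.invalid/xxxx"><img src="cid:alert"></a>'
    '<a href="https://www.examplebank.example/security">Security centre</a>'
)


def sender_domain(from_header: str) -> str:
    """Domain of the actual address, ignoring whatever the display name claims."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_brand_domain(host: str, brand: str = BRAND_DOMAIN) -> bool:
    """True for the brand domain and its subdomains only; look-alikes such as
    examplebank.example.evil.invalid or examplebank-login.invalid fail."""
    host = host.lower().rstrip(".")
    return host == brand or host.endswith("." + brand)


def mixed_script_words(text: str) -> list:
    """Words containing both Latin letters and letters from another script,
    the usual sign of a homoglyph spoof. A name written wholly in one script
    is not flagged."""
    flagged = []
    for word in text.split():
        scripts = set()
        for ch in word:
            if ch.isalpha():
                latin = unicodedata.name(ch, "").startswith("LATIN")
                scripts.add("LATIN" if latin else "OTHER")
        if scripts == {"LATIN", "OTHER"}:
            flagged.append(word)
    return flagged


def link_hosts(html: str) -> list:
    """Host of every href, i.e. what hovering over each link would reveal."""
    return [urlparse(url).hostname or "" for url in re.findall(r'href="([^"]+)"', html)]


def assess(from_header: str, html: str, brand: str = BRAND_DOMAIN) -> list:
    """One finding per failed check; an empty list means nothing stood out."""
    findings = []
    display, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not is_brand_domain(domain, brand):
        findings.append(f"sender domain {domain!r} is not {brand!r}")
    for word in mixed_script_words(display):
        foreign = " ".join(f"U+{ord(c):04X}" for c in word
                           if c.isalpha() and not unicodedata.name(c, "").startswith("LATIN"))
        findings.append(f"display name mixes scripts in {word!r}: {foreign}")
    for host in link_hosts(html):
        if not is_brand_domain(host, brand):
            findings.append(f"link points off-brand: {host!r}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_FROM, SAMPLE_HTML) or ["no findings"]:
        print(finding)
```

Paste the From header and the HTML body from "View Message Source" / "Show original" into the two constants to run it on a real message. The suffix test in is_brand_domain is deliberately strict: only the brand domain and its subdomains pass, so a domain that merely contains the brand name is reported.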

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow at top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing to Google

If you have received this email, take further action by

  1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Tuesday, June 17, 2025

CM_PARTIAL_RESOURCE_DESCRIPTOR C# equivalent


Thanks to AI, you can really be productive in dealing with C unions.



CM_PARTIAL_RESOURCE_DESCRIPTOR (wdm.h) - Windows drivers | Microsoft Learn


using System;
using System.Runtime.InteropServices;

//
// Windows types for clarity
//
using PHYSICAL_ADDRESS = System.Int64;               // LARGE_INTEGER
using KAFFINITY        = System.UIntPtr;             // ULONG_PTR

namespace NativeInterop
{
    /// <summary>
    /// C# equivalent of CM_PARTIAL_RESOURCE_DESCRIPTOR (wdm.h). The native
    /// definition is 4-byte packed; with these field types the explicit
    /// offsets below reproduce that layout (union at offset 4, 20 bytes on x64).
    /// </summary>
    [StructLayout(LayoutKind.Explicit, Pack = 1)]
    public struct CM_PARTIAL_RESOURCE_DESCRIPTOR
    {
        // ---- common header -------------------------------------------------
        [FieldOffset(0)] public byte   Type;
        [FieldOffset(1)] public byte   ShareDisposition;
        [FieldOffset(2)] public ushort Flags;

        // ---- union: one of these is valid, chosen by <Type> ---------------
        [FieldOffset(4)] public GENERIC_RESOURCE           Generic;
        [FieldOffset(4)] public PORT_RESOURCE              Port;
        [FieldOffset(4)] public MEMORY_RESOURCE            Memory;
        [FieldOffset(4)] public MEMORY40_RESOURCE          Memory40;
        [FieldOffset(4)] public MEMORY48_RESOURCE          Memory48;
        [FieldOffset(4)] public MEMORY64_RESOURCE          Memory64;
        [FieldOffset(4)] public INTERRUPT_RESOURCE         Interrupt;
        [FieldOffset(4)] public MESSAGE_INTERRUPT_RESOURCE MessageInterrupt;
        [FieldOffset(4)] public DMA_RESOURCE               Dma;
        [FieldOffset(4)] public DMAV3_RESOURCE             DmaV3;
        [FieldOffset(4)] public DEVICE_PRIVATE_RESOURCE    DevicePrivate;
        [FieldOffset(4)] public BUSNUMBER_RESOURCE         BusNumber;
        [FieldOffset(4)] public DEVICESPECIFIC_RESOURCE    DeviceSpecificData;
        [FieldOffset(4)] public CONNECTION_RESOURCE        Connection;
    }

    #region simple (start,length) pairs
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct GENERIC_RESOURCE  { public PHYSICAL_ADDRESS Start; public uint Length; }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct PORT_RESOURCE     { public PHYSICAL_ADDRESS Start; public uint Length; }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct MEMORY_RESOURCE   { public PHYSICAL_ADDRESS Start; public uint Length; }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct MEMORY40_RESOURCE { public PHYSICAL_ADDRESS Start; public uint Length40; }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct MEMORY48_RESOURCE { public PHYSICAL_ADDRESS Start; public uint Length48; }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct MEMORY64_RESOURCE { public PHYSICAL_ADDRESS Start; public uint Length64; }
    #endregion

    #region interrupt resources
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct INTERRUPT_RESOURCE
    {
        public uint      Level;      // ULONG for both x86/x64 builds
        public uint      Vector;
        public KAFFINITY Affinity;
    }

    // Message-signalled interrupt has an inner union (Raw vs Translated)
    [StructLayout(LayoutKind.Explicit, Pack = 1)]
    public struct MESSAGE_INTERRUPT_RESOURCE
    {
        [FieldOffset(0)] public MESSAGE_INTERRUPT_RAW        Raw;
        [FieldOffset(0)] public MESSAGE_INTERRUPT_TRANSLATED Translated;
    }

    // wdm.h declares the first USHORT as Group when NT_PROCESSOR_GROUPS is
    // defined and as Reserved otherwise; it is one field, not two.
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct MESSAGE_INTERRUPT_RAW
    {
        public ushort    Group;        // Reserved in non-processor-group builds
        public ushort    MessageCount;
        public uint      Vector;
        public KAFFINITY Affinity;
    }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct MESSAGE_INTERRUPT_TRANSLATED
    {
        public uint      Level;
        public uint      Vector;
        public KAFFINITY Affinity;
    }
    #endregion

    #region DMA
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct DMA_RESOURCE
    {
        public uint Channel;
        public uint Port;
        public uint Reserved1;
    }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct DMAV3_RESOURCE
    {
        public uint  Channel;
        public uint  RequestLine;
        public byte  TransferWidth;
        public byte  Reserved1;
        public byte  Reserved2;
        public byte  Reserved3;
    }
    #endregion

    #region miscellaneous
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct DEVICE_PRIVATE_RESOURCE
    {
        public uint Data0;
        public uint Data1;
        public uint Data2;
    }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct BUSNUMBER_RESOURCE
    {
        public uint Start;
        public uint Length;
        public uint Reserved;
    }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct DEVICESPECIFIC_RESOURCE
    {
        public uint DataSize;
        public uint Reserved1;
        public uint Reserved2;
    }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct CONNECTION_RESOURCE
    {
        public byte  Class;
        public byte  Type;
        public byte  Reserved1;
        public byte  Reserved2;
        public uint  IdLowPart;
        public uint  IdHighPart;
    }
    #endregion
}
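When hand-translating a union like this, the thing worth verifying is the layout itself: where each field lands and how big the whole descriptor is. The following is an added cross-check written for this page in Python ctypes, not part of the post and not the post's C# code. It declares the same struct with the 4-byte packing wdm.h uses, reports the offsets and total size the C# FieldOffset values have to reproduce (Flags at 2, union at 4, 20 bytes in a 64-bit process), and overlays two constructed descriptor byte strings to read the member selected by Type, which is also what a parser of REG_RESOURCE_LIST data (hex(8) in the registry post above) has to do. The CM_RESOURCE_TYPE numbers are the wdm.h values; the two blobs are constructed.

```python
"""ctypes mirror of CM_PARTIAL_RESOURCE_DESCRIPTOR used to cross-check the layout."""
import ctypes as C
import struct

PHYSICAL_ADDRESS = C.c_int64    # LARGE_INTEGER
KAFFINITY = C.c_size_t          # ULONG_PTR: 4 bytes in a 32-bit process, 8 in 64-bit
PACK = 4                        # wdm.h wraps the definition in pshpack4.h


def _struct(name, fields, base=C.Structure):
    """Build a packed ctypes Structure/Union class from a field list."""
    return type(name, (base,), {"_pack_": PACK, "_fields_": fields})


def _start_length(name, length_name):
    return _struct(name, [("Start", PHYSICAL_ADDRESS), (length_name, C.c_uint32)])


Generic = _start_length("Generic", "Length")
Port = _start_length("Port", "Length")
Memory = _start_length("Memory", "Length")
Memory40 = _start_length("Memory40", "Length40")
Memory48 = _start_length("Memory48", "Length48")
Memory64 = _start_length("Memory64", "Length64")
Interrupt = _struct("Interrupt", [("Level", C.c_uint32), ("Vector", C.c_uint32),
                                  ("Affinity", KAFFINITY)])
# Raw's first USHORT is Group or Reserved depending on NT_PROCESSOR_GROUPS: one field.
MessageInterruptRaw = _struct("MessageInterruptRaw", [
    ("Group", C.c_uint16), ("MessageCount", C.c_uint16),
    ("Vector", C.c_uint32), ("Affinity", KAFFINITY)])
MessageInterruptTranslated = _struct("MessageInterruptTranslated", [
    ("Level", C.c_uint32), ("Vector", C.c_uint32), ("Affinity", KAFFINITY)])
MessageInterrupt = _struct("MessageInterrupt", [
    ("Raw", MessageInterruptRaw), ("Translated", MessageInterruptTranslated)], base=C.Union)
Dma = _struct("Dma", [("Channel", C.c_uint32), ("Port", C.c_uint32), ("Reserved1", C.c_uint32)])
DmaV3 = _struct("DmaV3", [("Channel", C.c_uint32), ("RequestLine", C.c_uint32),
                          ("TransferWidth", C.c_uint8), ("Reserved1", C.c_uint8),
                          ("Reserved2", C.c_uint8), ("Reserved3", C.c_uint8)])
DevicePrivate = _struct("DevicePrivate", [("Data", C.c_uint32 * 3)])
BusNumber = _struct("BusNumber", [("Start", C.c_uint32), ("Length", C.c_uint32),
                                  ("Reserved", C.c_uint32)])
DeviceSpecificData = _struct("DeviceSpecificData", [
    ("DataSize", C.c_uint32), ("Reserved1", C.c_uint32), ("Reserved2", C.c_uint32)])
Connection = _struct("Connection", [
    ("Class", C.c_uint8), ("Type", C.c_uint8), ("Reserved1", C.c_uint8),
    ("Reserved2", C.c_uint8), ("IdLowPart", C.c_uint32), ("IdHighPart", C.c_uint32)])

ResourceUnion = _struct("ResourceUnion", [
    ("Generic", Generic), ("Port", Port), ("Memory", Memory), ("Memory40", Memory40),
    ("Memory48", Memory48), ("Memory64", Memory64), ("Interrupt", Interrupt),
    ("MessageInterrupt", MessageInterrupt), ("Dma", Dma), ("DmaV3", DmaV3),
    ("DevicePrivate", DevicePrivate), ("BusNumber", BusNumber),
    ("DeviceSpecificData", DeviceSpecificData), ("Connection", Connection)], base=C.Union)

CM_PARTIAL_RESOURCE_DESCRIPTOR = _struct("CM_PARTIAL_RESOURCE_DESCRIPTOR", [
    ("Type", C.c_uint8), ("ShareDisposition", C.c_uint8),
    ("Flags", C.c_uint16), ("u", ResourceUnion)])

# CM_RESOURCE_TYPE values (wdm.h) that select the union member.
CM_RESOURCE_TYPE = {0: "CmResourceTypeNull", 1: "CmResourceTypePort",
                    2: "CmResourceTypeInterrupt", 3: "CmResourceTypeMemory",
                    4: "CmResourceTypeDma", 5: "CmResourceTypeDeviceSpecific",
                    6: "CmResourceTypeBusNumber", 7: "CmResourceTypeMemoryLarge"}

# Constructed descriptors: a memory window and a line-based interrupt.
MEMORY_BLOB = struct.pack("<BBHqI", 3, 1, 0, 0xFED00000, 0x1000).ljust(
    C.sizeof(CM_PARTIAL_RESOURCE_DESCRIPTOR), b"\0")
INTERRUPT_BLOB = struct.pack("<BBHII", 2, 1, 0, 5, 0x30) + (1).to_bytes(C.sizeof(KAFFINITY), "little")


def layout() -> dict:
    """Offsets and size the C# [FieldOffset]/Pack values have to reproduce."""
    T = CM_PARTIAL_RESOURCE_DESCRIPTOR
    return {"type_offset": T.Type.offset, "share_offset": T.ShareDisposition.offset,
            "flags_offset": T.Flags.offset, "union_offset": T.u.offset,
            "size": C.sizeof(T), "kaffinity_size": C.sizeof(KAFFINITY)}


def parse_descriptor(blob: bytes) -> tuple:
    """Overlay the struct on a byte string and read the member chosen by Type."""
    size = C.sizeof(CM_PARTIAL_RESOURCE_DESCRIPTOR)
    if len(blob) < size:
        raise ValueError(f"need {size} bytes, got {len(blob)}")
    d = CM_PARTIAL_RESOURCE_DESCRIPTOR.from_buffer_copy(blob[:size])
    kind = CM_RESOURCE_TYPE.get(d.Type, f"unknown({d.Type})")
    if d.Type == 1:
        return kind, d.u.Port.Start, d.u.Port.Length
    if d.Type == 2:
        return kind, d.u.Interrupt.Level, d.u.Interrupt.Vector, d.u.Interrupt.Affinity
    if d.Type == 3:
        return kind, d.u.Memory.Start, d.u.Memory.Length
    if d.Type == 4:
        return kind, d.u.Dma.Channel, d.u.Dma.Port
    if d.Type == 6:
        return kind, d.u.BusNumber.Start, d.u.BusNumber.Length
    return kind, bytes(d.u)   # other members: hand back the raw union bytes


if __name__ == "__main__":
    print(layout())
    print(parse_descriptor(MEMORY_BLOB))
    print(parse_descriptor(INTERRUPT_BLOB))
```

The size formula is 4 header bytes plus the largest union member, which is the interrupt form (two ULONGs plus a KAFFINITY), so the descriptor is 16 bytes in a 32-bit process and 20 in a 64-bit one; a C# translation whose Marshal.SizeOf disagrees has a field or a packing wrong.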


Declare the two structs in the union as C# structs in the usual way. Then declare a type for the union, using an explicit layout.

[StructLayout(LayoutKind.Explicit)] 
public struct _WAITCHAIN_NODE_INFO_UNION
{
    [FieldOffset(0)]
    _WAITCHAIN_NODE_INFO_LOCK_OBJECT LockObject;
    [FieldOffset(0)]
    _WAITCHAIN_NODE_INFO_THREAD_OBJECT ThreadObject;
}

Then add the union to your struct:

[StructLayout(LayoutKind.Sequential)]
public struct WAITCHAIN_NODE_INFO
{
    public WCT_OBJECT_TYPE ObjectType;
    public WCT_OBJECT_STATUS ObjectStatus;
    public _WAITCHAIN_NODE_INFO_UNION Union;
}

When you overlay objects like this, extra requirements are placed on the types involved. You cannot overlay a type containing a string or an array for instance. So the character array will have to be implemented as a value type, for instance a fixed array. This is inconvenient to operate with but MS did not define the types with C# in mind.