Windows Registry
====HKEY_LOCAL_MACHINE (HKLM)====
Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are specific to the local computer.<ref>{{cite web|url=https://technet.microsoft.com/en-us/library/cc959046.aspx|title=HKEY_LOCAL_MACHINE|publisher=Gautam|year=2009|access-date=2009-04-08}}</ref>

The key located by HKLM is actually not stored on disk, but maintained in memory by the system kernel in order to map all the other subkeys. Applications cannot create any additional subkeys. On Windows NT, this key contains four subkeys, "SAM", "SECURITY", "SYSTEM", and "SOFTWARE", that are loaded at boot time from their respective files located in the {{code|%SystemRoot%\System32\config\}} folder. A fifth subkey, "HARDWARE", is volatile and is created dynamically, and as such is not stored in a file (it exposes a view of all the currently detected Plug-and-Play devices). On Windows Vista and above, a sixth and seventh subkey, "COMPONENTS" and "BCD", are mapped in memory by the kernel on-demand and loaded from {{code|%SystemRoot%\System32\config\COMPONENTS}} or from boot configuration data, {{code|\boot\BCD}} on the system partition.

* The "{{code|HKLM\SAM}}" key usually appears as empty for most users (unless they are granted access by administrators of the local system or administrators of domains managing the local system). It is used to reference all "[[Security Accounts Manager]]" (SAM) databases for all domains into which the local system has been administratively authorized or configured (including the local domain of the running system, whose SAM database is stored in a subkey also named "SAM": other subkeys will be created as needed, one for each supplementary domain). Each SAM database contains all builtin accounts (mostly group aliases) and configured accounts (users, groups and their aliases, including guest accounts and administrator accounts) created and configured on the respective domain. For each account in that domain, it notably contains the user name which can be used to log on to that domain, the internal unique user identifier in the domain, a [[Cryptographic hash function|cryptographic hash]] of each user's password for each enabled [[authentication protocol]], the location of storage of their user registry hive, various status flags (for example if the account can be enumerated and be visible in the logon prompt screen), and the list of domains (including the local domain) into which the account was configured.
* The "{{code|HKLM\SECURITY}}" key usually appears empty for most users (unless they are granted access by users with administrative privileges) and is linked to the Security database of the domain into which the current user is logged on (if the user is logged on the local system domain, this key will be linked to the registry hive stored by the local machine and managed by local system administrators or by the builtin "System" account and Windows installers). The kernel will access it to read and enforce the security policy applicable to the current user and all applications or operations executed by this user. It also contains a "SAM" subkey which is dynamically linked to the SAM database of the domain onto which the current user is logged on.
* The "{{code|HKLM\SYSTEM}}" key is normally only writable by users with administrative privileges on the local system. It contains information about the Windows system setup, data for the secure random number generator (RNG), the list of currently mounted devices containing a filesystem, several numbered {{code|HKLM\SYSTEM\Control Sets}} containing alternative configurations for system hardware drivers and services running on the local system (including the currently used one and a backup), a "{{code|HKLM\SYSTEM\Select}}" subkey containing the status of these Control Sets, and a "{{code|HKLM\SYSTEM\CurrentControlSet}}" which is dynamically linked at boot time to the Control Set which is currently used on the local system. Each configured Control Set contains:
** an "Enum" subkey enumerating all known Plug-and-Play devices and associating them with installed system drivers (and storing the device-specific configurations of these drivers),
** a "Services" subkey listing all installed system drivers (with non device-specific configuration, and the enumeration of devices for which they are instantiated) and all programs running as services (how and when they can be automatically started),
** a "Control" subkey organizing the various hardware drivers and programs running as services and all other system-wide configuration,
** a "Hardware Profiles" subkey enumerating the various profiles that have been tuned (each one with "System" or "Software" settings used to modify the default profile, either in system drivers and services or in the applications) as well as the {{code|Hardware Profiles\Current}} subkey which is dynamically linked to one of these profiles.
* The "{{code|HKLM\SOFTWARE}}" subkey contains software and Windows settings (in the default hardware profile). It is mostly modified by application and system installers. It is organized by software vendor (with a subkey for each), but also contains a "Windows" subkey for some settings of the Windows user interface, a "Classes" subkey containing all registered associations from file extensions, MIME types, Object Classes IDs and interfaces IDs (for OLE, COM/DCOM and ActiveX), to the installed applications or DLLs that may be handling these types on the local machine (however these associations are configurable for each user, see below), and a "Policies" subkey (also organized by vendor) for enforcing general usage policies on applications and system services (including the central certificates store used for authenticating, authorizing or disallowing remote systems or services running outside the local network domain).
* The "{{code|HKLM\SOFTWARE\Wow6432Node}}" key is used by 32-bit applications on a 64-bit Windows OS, and is equivalent to but separate from "{{code|HKLM\SOFTWARE}}". The key path is transparently presented to 32-bit applications by [[WoW64]] as {{code|HKLM\SOFTWARE}}<ref>{{cite web|url=https://msdn.microsoft.com/en-us/library/aa384253.aspx |title=Registry Keys Affected by WOW64 (Windows) |publisher=Msdn.microsoft.com |access-date=2014-04-10}}</ref> (in a similar way that 64-bit applications see {{code|%SystemRoot%\Syswow64}} as {{code|%SystemRoot%\System32}}).
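
Because "{{code|HKLM\SYSTEM\CurrentControlSet}}" is only linked at boot time, a SYSTEM hive file examined offline contains the numbered Control Sets and "Select" but no "CurrentControlSet" key. The following is an added example, not part of the original article: it resolves the link from "Select" and lists the start type of each entry under "Services". The hive is modelled as a constructed dictionary, the function names are hypothetical, and the "Select" value names and "Start" codes are the standard Windows ones rather than values given in the text above.

```python
# Constructed sample standing in for an offline SYSTEM hive:
# hive-relative key path -> {value name: data}. Not real system data.
SAMPLE_SYSTEM_HIVE = {
    r"Select": {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2},
    r"ControlSet001\Services\ExampleDriver": {"Start": 0, "Type": 1},
    r"ControlSet001\Services\ExampleSvc": {"Start": 2, "Type": 16},
    r"ControlSet001\Services\ExampleManual": {"Start": 3, "Type": 16},
    r"ControlSet002\Services\ExampleSvc": {"Start": 4, "Type": 16},
}

# Standard meanings of the "Start" value under a Services entry.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}


def control_set_name(hive, which="Current"):
    # Select\<which> holds the number N of ControlSet00N; 0 means "none".
    number = hive["Select"][which]
    if not number:
        raise LookupError(f"Select\\{which} does not point at a control set")
    return f"ControlSet{number:03d}"


def resolve(hive, live_path):
    # Rewrite a live path under HKLM\SYSTEM to the path inside the hive file,
    # replacing the boot-time CurrentControlSet link with its target.
    prefix = "HKLM\\SYSTEM\\"
    if not live_path.upper().startswith(prefix):
        raise ValueError("path is not under HKLM\\SYSTEM")
    head, _, tail = live_path[len(prefix):].partition("\\")
    if head.lower() == "currentcontrolset":
        head = control_set_name(hive)
    return head + ("\\" + tail if tail else "")


def services(hive, which="Current"):
    # Map each direct child of <control set>\Services to its start type.
    base = (control_set_name(hive, which) + "\\Services\\").lower()
    found = {}
    for path, values in hive.items():
        name = path[len(base):]
        if path.lower().startswith(base) and "\\" not in name:
            found[name] = START_TYPES.get(values.get("Start"), "unknown")
    return found


if __name__ == "__main__":
    print(resolve(SAMPLE_SYSTEM_HIVE, r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc"))
    print(services(SAMPLE_SYSTEM_HIVE))
```

Comparing <code>services(hive)</code> with <code>services(hive, "LastKnownGood")</code> shows which service start types differ between the active configuration and the backup Control Set.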