A Windows XP help forum. PCbanter


registry files



 
 
#16 November 9th 09, 09:43 PM, posted to microsoft.public.windowsxp.general
Bill Cunningham


"John John - MVP" wrote in message
...

> Don't delete these files. These files are created and changed as part of
> the normal Windows operation.
>
> The .evt files are Event Log files and are always in use, they can't be
> deleted from the Explorer GUI. If you want to delete them use the Event
> Viewer. If they are corrupt and in need of manual deletion you have to
> disable the Event Log Service and reboot to be able to delete them.
>
> The .log files are registry transactional logs, these files are used to
> recover failed registry changes and to assure atomicity of individual
> action in the registry. For example, if there is a power failure while
> you are trying to change a registry value the .log file will be used to
> ensure that the value that you were attempting to change doesn't have a
> meaningless value. These .log files are part of the normal Windows
> operation, as with the .evt files the .log files cannot be deleted while
> Windows is running.
>
> The .sav files are the original registry hives that were used during the
> text mode portion of the Windows installation, best not to delete these
> files, in 'extreme' repair attempts they could come in handy.
>
> John


Ok I see. I wondered about those .sav files. Is disabling the event
handler though something I want to do? At least for a long time and not just
a moment. You mentioned atomic, now does that have to do with the kernel? I
have seen C functions called atom().

Bill


#17 November 9th 09, 10:51 PM, posted to microsoft.public.windowsxp.general
John John - MVP

Bill Cunningham wrote:

> Ok I see. I wondered about those .sav files. Is disabling the event
> handler though something I want to do? At least for a long time and not just
> a moment. You mentioned atomic, now does that have to do with the kernel? I
> have seen C functions called atom().


No, you do not want to disable the Event Log! The log is an important
source of information about 'stuff' that happens on your computer.
Problems and errors are often recorded in the Event Log, the log can be
an invaluable troubleshooting tool, it is almost always one of the first
places to look when problems arise. You should familiarize yourself with
the Event Viewer and make it a habit of taking a look in there once in a
while, you might get early warnings of impending problems or be warned
of things going on that would otherwise go unnoticed on your machine.
To launch the Event Viewer enter eventvwr in the Start menu Run box.

Atomicity: A transaction is a unit of work in which a series of
operations occur between the BEGIN TRANSACTION and END TRANSACTION
statements of an application. A transaction executes exactly once and is
atomic — all the work is done or none of it is.

Atomicity and Hive Recovery in the Registry

The Registry ensures atomicity of individual actions. This means that
any change made to a value (to set, delete, or save) either works or
does not work: The result will not be a corrupted combination of the old
and new configuration even if the system stops unexpectedly because of
power failure, hardware failure, or software problems. For example, if
an application sets a value for an entry and the system shuts down while
this change is being made, when the system restarts, the entry will have
either the old value or the new value, but not a meaningless combination
of both values. In addition, the size and time data for the key
containing the affected entry will be accurate whether the value was
changed or not changed.
Flushing Data

In Windows NT, data is written to the Registry only when a flush occurs,
which happens after changed data ages past a few seconds, or when an
application intentionally flushes the data to the hard disk.

The system performs the following flush process for all hives (except
for the System hive):

1. All changed data is written to the hive's .log file along with a
map of where it is in the hive, and then a flush is performed on the
.log file. All changed data has now been written in the .log file.

2. The first sector of the hive file is marked to indicate that the
file is in transition.

3. The changed data is written to the hive file.

4. The hive file is marked as completed.

Note: If the system shuts down between steps 2 and 4, when the hive is
next loaded at startup (unless it's a profile hive that is loaded at
logon), the system sees the mark left in step 2, and proceeds to recover
the hive using the changes contained in the .log file. That is, the .log
files are not used if the hive is not in transition. If the hive is in
transition, it cannot be loaded without the .log file.

A different flush process is used for the System hive because it is an
important element during system startup and is used too early during
startup to be recovered as described in the previous flush process.

The System.alt file contains a copy of the data contained in the System
file. During the flush process, changes are marked, written, and then
marked as done. Then the same flush process is followed for the
System.alt file. If there is a power failure, hardware failure, or
software problems at any point during the process, either the System or
System.alt file contains the correct information.

The System.alt file is similar to a .log file except that at load time,
rather than having to reapply the logged changes, the system just
switches to System.alt. The System.alt file is not needed unless the
System hive is in transition.

http://www.microsoft.com/resources/d....mspx?mfr=true
Windows NT Workstation Resource Kit: Overview of the Windows NT Registry

http://msdn.microsoft.com/en-us/libr...84(VS.71).aspx
ACID Properties

John
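
The four-step flush and the recovery note quoted in the post above can be modelled in a few lines. This is an added illustration, not part of the thread or of the Resource Kit text; the ToyHive class, its fields and the crash-point names are invented for the example and do not reflect the real hive or .log on-disk format.

```python
# Toy model of the hive flush sequence (steps 1-4) and of recovery at load.
# Everything here is invented for illustration; it is not the real hive layout.
OLD, NEW = b"AAAAAAAA", b"BBBBBBBB"   # constructed sample values

class Crash(Exception):
    """Simulated power failure."""

class ToyHive:
    def __init__(self, data):
        self.hive = bytearray(data)  # contents of the hive file
        self.in_transition = False   # the mark kept in the hive's first sector
        self.log = None              # the .log file: [(offset, data)], None if missing

    def flush(self, changes, crash_at=None):
        # Step 1: changed data plus a map of where it goes is flushed to the .log.
        self.log = [(off, bytes(data)) for off, data in changes]
        if crash_at == "after_log":
            raise Crash(crash_at)
        # Step 2: mark the hive as being in transition.
        self.in_transition = True
        if crash_at == "after_mark":
            raise Crash(crash_at)
        # Step 3: write the changed data into the hive itself.
        for off, data in changes:
            if crash_at == "mid_write":  # torn write: only half the bytes land
                half = len(data) // 2
                self.hive[off:off + half] = data[:half]
                raise Crash(crash_at)
            self.hive[off:off + len(data)] = data
        if crash_at == "after_write":
            raise Crash(crash_at)
        # Step 4: mark the hive as completed.
        self.in_transition = False

    def load(self):
        """Next load: the .log is replayed only if the hive is in transition."""
        if self.in_transition:
            if self.log is None:
                raise OSError("hive is in transition and its .log is missing")
            for off, data in self.log:  # replaying the log twice is harmless
                self.hive[off:off + len(data)] = data
            self.in_transition = False
        return bytes(self.hive)

def outcome(crash_at, delete_log=False):
    """Flush OLD -> NEW, crash at the given point, then reload the hive."""
    h = ToyHive(OLD)
    try:
        h.flush([(0, NEW)], crash_at)
    except Crash:
        pass
    if delete_log:
        h.log = None
    return h.load()

if __name__ == "__main__":
    for point in ("after_log", "after_mark", "mid_write", "after_write", None):
        print(point, outcome(point))
```

Every crash point reloads as either the old or the new value, and a hive left in transition cannot be loaded once its log is gone, which is the reason for the advice earlier in the thread not to delete the .log files.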
#18 November 10th 09, 12:46 AM, posted to microsoft.public.windowsxp.general
Bill Cunningham

I remember I used to compress manually my registry files in win98. I
don't know if that can be done anymore or not. Everyone says get a registry
compression tool. I have several registry cleaner tools and one cleans up
where another is clueless. The following hive keys seem to have a header in
them. That could recreate the registry. System, software, sam and hardware.
I would rename my old user.dat and system.dat, the only two registry files
back then, import the saved reg files from DOS and have a new registry never
needing to be compressed again.

I also made a copy of the swap file then win386.??? something or other.
Defrag the copy, rename it and erase the original made by windows. Windows
should also place the swap pagefile.sys now of course at the beginning of
the drive. Can I use these little tweaks with XP MCE now? I am running SP2
and I believe I have all the updates. I also have a copy of SP3 but I'm
just not running it right now.

Bill


#19 November 10th 09, 01:14 AM, posted to microsoft.public.windowsxp.general
John John - MVP

Bill Cunningham wrote:
> I remember I used to compress manually my registry files in win98. I
> don't know if that can be done anymore or not. Everyone says get a registry
> compression tool. I have several registry cleaner tools and one cleans up
> where another is clueless. The following hive keys seem to have a header in
> them. That could recreate the registry. System, software, sam and hardware.
> I would rename my old user.dat and system.dat, the only two registry files
> back then, import the saved reg files from DOS and have a new registry never
> needing to be compressed again.


You don't really need to bother with these on any of the NT versions
(Windows XP is NT 5.1). System Restore does registry backups. If you
want to use another backup tool try Erunt. If you want to compact the
registry try NTRegOpt, both are available here:
http://www.larshederer.homepage.t-online.de/erunt/

In my opinion registry cleaners are next to utterly useless and for the
most part they cause more harm than good, you really don't need to use
these cleaners on Windows XP.


> I also made a copy of the swap file then win386.??? something or other.
> Defrag the copy, rename it and erase the original made by windows. Windows
> should also place the swap pagefile.sys now of course at the beginning of
> the drive. Can I use these little tweaks with XP MCE now? I am running SP2
> and I believe I have all the updates. I also have a copy of SP3 but I'm
> just not running it right now.


If you want to defrag the pagefile use SysInternals' PageDefrag:

http://technet.microsoft.com/en-us/s.../bb897426.aspx
PageDefrag

PageDefrag will also defrag the registry hives and the event logs.

John
#20 November 11th 09, 01:17 AM, posted to microsoft.public.windowsxp.general
Bill Cunningham


What device makes the log and sav files? My system doesn't seem to have
a system.alt on it.

Bill


#21 November 11th 09, 02:51 PM, posted to microsoft.public.windowsxp.general
John John - MVP

Bill Cunningham wrote:

> What device makes the log and sav files? My system doesn't seem to have
> a system.alt on it.


A device? A device usually refers to hardware, the files are generated
by Windows, I don't know the exact calls or functions that are used to
create the files.

My error about the system.alt file, I should not have pasted that
information here.

[quote]

Windows XP and Windows Server 2003 do not maintain a System.alt hive
because NTLDR on those versions of Windows can process the System.log
file to bring up to date a System hive that has become inconsistent
during a shutdown or crash.

[end quote]

http://live.sysinternals.com/Tools/W...s-Chapter4.pdf

John
 



