Recently I had the pleasure of troubleshooting a rather interesting problem which appeared to be related to custom forms within Microsoft Outlook 2007. Custom forms allow a user to tailor various screens within Outlook (for example, the compose new message screen) to suit their own needs. In this case the creation of the form was successful; however, when the user logged out and in again, any attempt to use the custom form gave the following error:
Given that the message above seemed to suggest something was amiss with the registry, I thought I would grab a copy of Process Monitor from SysInternals and see what was going on...
Quick side note here - if you haven't already checked this out, put \\live.sysinternals.com\tools into Explorer (or Start | Run) to get direct access to the SysInternals tools without needing to download them - very cool!
Anyway, I started Process Monitor and put a filter on OUTLOOK.EXE and started to capture registry information. As I was trawling through the output I came across this little block shown in this capture...
This was certainly concerning, firstly because HKEY_CURRENT_USER\Software\Classes appeared to be missing but also because HKEY_CURRENT_USER\Software\Classes is special. Just to double check there wasn't something wrong with Process Monitor (not that I doubted Mark's tools) I opened the registry editor and indeed confirmed the key was missing.
OK, let me digress a little here... The reason that the dump from Process Monitor was bizarre is that HKEY_CURRENT_USER\Software\Classes is not actually a real registry key - it's actually a registry value with a special type, REG_LINK. A registry value with the type REG_LINK is basically a symbolic link that points to another registry location - in this case, HKEY_CURRENT_USER\Software\Classes is actually linked to HKEY_USERS\<sid of user>_Classes (e.g. HKU\S-1-5-21-1785801851-1584271993-1816888821-1113_Classes). This link is made when the user first logs on.
When a user logs on they have 2 files within their profile which contain user data - these are known as registry hive files. One of these is called NTUSER.DAT and basically contains everything (except classes) that is found below HKEY_CURRENT_USER - this file is normally found in the root of the user's profile. The second file is called USRCLASS.DAT and contains everything typically below HKEY_CURRENT_USER\Software\Classes - this file is normally found in \Local Settings\Application Data\Microsoft\Windows within the user's profile.
At logon time, these files are loaded and mapped to locations below HKEY_USERS using the user's SID to distinguish them. NTUSER.DAT is loaded using the user's SID as its name and USRCLASS.DAT is loaded using the user's SID with _Classes at the end. The following capture from Registry Editor shows these files loaded for a user - on a Terminal Server for example there would be 2 files for each logged on user.
NB: Within the registry you can go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist to see a list of loaded hives and the files that are used for them.
So once these registry hive files are loaded and mapped into the registry, WINLOGON.EXE creates the symbolic link HKEY_CURRENT_USER\Software\Classes which points to the loaded USRCLASS.DAT. Technically speaking the link is made below the loaded NTUSER.DAT which in turn is linked to from HKEY_CURRENT_USER but we digress. The Process Monitor capture shown here shows the symbolic link being created for a user:
Once I had established that indeed the HKEY_CURRENT_USER\Software\Classes link was missing for some reason, I assumed something was happening during logon to either not create this link or damage it somehow.
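The two failure modes described above (USRCLASS.DAT never loaded versus hive loaded but Software\Classes link absent) can be told apart from the hivelist key plus one open attempt per user. The following Python is an added example, not part of the original post; the function names, the second SID and the file paths in the sample data are constructed for illustration.

```python
import re
import sys

# hivelist names per-user hives \REGISTRY\USER\<SID> (NTUSER.DAT) and
# \REGISTRY\USER\<SID>_Classes (USRCLASS.DAT). Only S-1-5-21-* SIDs are matched,
# so .DEFAULT and the built-in service accounts are skipped.
USER_HIVE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)(_Classes)?$", re.I)

# Constructed sample data: SID_A is the example SID from the post, SID_B is made up.
SID_A = "S-1-5-21-1785801851-1584271993-1816888821-1113"
SID_B = "S-1-5-21-1785801851-1584271993-1816888821-1114"
PREFIX = "\\REGISTRY\\USER\\"
SAMPLE_HIVELIST = {
    r"\REGISTRY\MACHINE\SOFTWARE": r"\Device\HarddiskVolume1\WINDOWS\system32\config\software",
    PREFIX + SID_A: r"\Device\HarddiskVolume1\Documents and Settings\alice\NTUSER.DAT",
    PREFIX + SID_A + "_Classes": r"\Device\HarddiskVolume1\Documents and Settings\alice"
                                 r"\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat",
    PREFIX + SID_B: r"\Device\HarddiskVolume1\Documents and Settings\bob\NTUSER.DAT",
}

def diagnose(hivelist, probe):
    # hivelist: {value name: hive file} as stored under ...\Control\hivelist.
    # probe(sid) -> True if HKEY_USERS\<sid>\Software\Classes can be opened.
    ntuser, classes = {}, {}
    for name, path in hivelist.items():
        m = USER_HIVE.match(name)
        if m:
            (classes if m.group(2) else ntuser)[m.group(1).upper()] = path
    return {sid: "classes hive not loaded" if sid not in classes
            else "ok" if probe(sid) else "hive loaded, link missing"
            for sid in ntuser}

def read_hivelist():
    import winreg  # Windows only
    path = r"SYSTEM\CurrentControlSet\Control\hivelist"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        return dict(winreg.EnumValue(key, i)[:2] for i in range(count))

def link_opens(sid):
    import winreg  # Windows only
    try:  # the link lives under the loaded NTUSER.DAT, i.e. HKEY_USERS\<sid>
        with winreg.OpenKey(winreg.HKEY_USERS, sid + r"\Software\Classes"):
            return True
    except FileNotFoundError:
        return False

if __name__ == "__main__":
    live = sys.platform == "win32"  # elsewhere, fall back to the constructed sample
    hives, probe = (read_hivelist(), link_opens) if live else (SAMPLE_HIVELIST, lambda s: False)
    for sid, state in diagnose(hives, probe).items():
        print(sid, state)
```

Reading other users' hives under HKEY_USERS needs administrative rights, for example on a Terminal Server with several sessions logged on.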
Once I started to examine what was going on at logon I came across some registry importing which was loading various files into the registry. This is common and typically known as a hybrid profile which is where a non-flexible (typically mandatory) profile is used and personalization is obtained through the use of registry importing / exporting and file / folder copies. Scripts can be written using the REG.EXE utility to perform this or vario