Do HKLM registries take precedence over HKCU for system policies?
I can't seem to find anything definitive, as there are some sources that say:
If an entry exists in both
HKLM\SOFTWARE\ClassesandHKCU\SOFTWARE\Classes, then the value of the entry inHKCU\SOFTWARE\Classestakes precedence.
However, I can't tell if this rule carries over to system policies; specifically, I am concerned about DisableLockWorkstation within:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Which one of these would take precedence if both exist and are conflicting, and is there a general rule for this?
Qoting from Wikipedia Windows Registry:
The HKEY_LOCAL_MACHINE (local machine-specific configuration data) and HKEY_CURRENT_USER (user-specific configuration data) nodes have a similar structure to each other; user applications typically look up their settings by first checking for them in "HKEY_CURRENT_USER\Software\Vendor's name\Application's name\Version\Setting name", and if the setting is not found, look instead in the same location under the HKEY_LOCAL_MACHINE key.
However, the converse may apply for administrator-enforced policy settings where HKLM may take precedence over HKCU. The Windows Logo Program has specific requirements for where different types of user data may be stored, and that the concept of least privilege be followed so that administrator-level access is not required to use an application.
Unfortunately, I don't think there is a definitive answer to the question, so that it all depends on the program in question.
It seems as if user applications will prefer HKCU, while Windows will prefer HKLM for policies that are not user-specific. However, the rules are not set in concrete, and plenty of exceptions may exist.
The Wikipedia link to the Windows Logo Program has elapsed, but I managed to find Designed for Windows XP Application Specification (archived article), which pertains to the above-mentioned "Windows Logo Program", containing the following rules which in general support the above:
Using the Registry
Applications may also use the registry to store read/write application data and configuration files.
- The HKCU registry hive is appropriate for storing small amounts of data (approximately 64K) and for policy settings that are per user.
- Avoid writing to HKLM during runtime, because limited users have read-only access to the entire HKLM tree by default. In addition, HKLM does not support roaming.
- Larger, file-based data should be placed in the Application Data folder. For example, Internet Explorer’s Temporary Internet Cache is stored within the user profile and not in the registry.
- At installation time, the application must not store more than a total of 128K across HKCU and HKLM. Note that HKEY_CLASSES_ROOT is excluded.
This is the earliest document with guidelines on using the registry that I could manage to find. I don't know how well these guidelines were or are being followed.
There is no iron rule here. Precedence depends wholy from programmers decicions therefore it differs between different systems and sometimes even different programs from the same developer.
As a rule of thumb, applications prefer HKCU as more specific. It's logical that if user have specific setting, its probably better for him than general setting. But ie. .\Run entries are first read from HKLM and many policies are prioritizing HKLM setting over HKCU.
Considering that DisableLockWorkstation is a policy, I would assume that HKLM will take priority in this case. But there is no way to tell that other than by test on a living system.