Managing the System Registry Hive on Windows Server 2003 and Windows Server 2008 Integrity Systems
known failed ControlSet. For the purposes of this document, the CurrentControlSet key is
considered an exact replica or alias of one of the other ControlSets, and does not consume any
System hive space.
The other important key to note is the Select key, as shown in Figure 2.
Figure 2 Select Key values
In the Select key, the Current and LastKnownGood subkey values are critically important. In
Figure 2 you can see the values for both are “1”. If an application or hardware change had recently
occurred, the LastKnownGood value would be different than the Current value. Therefore, in
the example above, this means that ControlSet003 is actually superfluous and could theoretically
be deleted in order to gain space in the System hive.
IMPORTANT: If the system is running Windows Server 2003 for Itanium-based Systems, an
understanding of Select key values is critical for configuring the system to reduce the size of the
System hive.
Estimating System Hive Size
The System hive is essentially a database of keys that is stored on the filesystem of the boot drive
in the following location:
%SystemRoot%\System32\Config\SYSTEM
It is important to note that the size of the file does not necessarily reflect the size of that database.
This is because the System hive never shrinks under normal operation. For example, when 5 MB
of data is added to the System hive, its size grows by 5 MB (to a maximum of 32 MB). However,
if that same 5 MB of data is deleted from the hive, its file size does not change, even though that
space is now available for reuse. Therefore, a hive size of 32 MB does not necessarily mean that
much space is being utilized, and normal system operation can still proceed.
The easiest method to determine true hive size is to use RegEdit to save the System hive in binary
form. RegEdit has the ability to compact the System hive and remove any free space, thus reporting
8