Bonus question for that example: Where is SystemDrive defined in the registry? It is used in the registry as value data (i.e., %SystemDrive% as part of a larger string), but I can't find it as a value defined under any key - yet the value is used often in the registry and is passed to the environment. Anyone know how this works?
Related question: I have been able to identify the source of many environment variables in the registry under these keys;
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (SystemRoot) HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\Environment (Comspec, OS, Path, PATHEXT, windir) HKCU\Environment (TEMP, TMP) HKCU\Volatile Environment (APPDATA, HOMEDRIVE, HOMEPATH, LOGONSERVER, SESSIONNAME)
But that still leaves environment variables that I don't find defined in the registry (like SystemDrive) and strings like USERDOMAIN and USERPROFILE that aren't even used in the registry. Where and how are these stored?