Registry data is written to the writeable (RW) sub-layer even though an exclude entry was created for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
Quoting from Microsoft:
A control set contains system configuration information such as device drivers and services. You may notice several instances of control sets when viewing the Registry. Some are duplicates or mirror images of others and some are unique. This article describes how to find control sets, which ones are important, and why.
Control sets are stored in the HKEY_LOCAL_MACHINE subtree, under the SYSTEM key. There may be several control sets depending on how often you change system settings or have problems with the settings you choose. A typical installation of Windows NT will contain four:
    \ControlSet001
    \ControlSet002
    \CurrentControlSet
    \Clone
ControlSet001 may be the last control set you booted with, while ControlSet002 could be what is known as the last known good control set, or the control set that last successfully booted Windows NT. The CurrentControlSet subkey is really a pointer to one of the ControlSetXXX keys.
When an application attempts to write data to CurrentControlSet, Windows redirects the request to one of the ControlSetXXX keys. Because of this, the exclude entry for the CurrentControlSet key is ineffective.
The proper way to exclude data written to CurrentControlSet is to create exclude entries for the ControlSetXXX keys instead. You can create an explicit exclude entry for each of the ControlSetXXX keys, or use a single wildcard entry, ControlSet00*, to cover them all.
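The following PowerShell is an added example, not part of the original article or the product. It reports which ControlSetXXX key CurrentControlSet currently resolves to and rewrites CurrentControlSet paths into their ControlSetXXX or ControlSet00* form. It assumes the standard HKLM\SYSTEM\Select key, which the article does not mention; the function names and sample paths are hypothetical, and the product's own exclude-entry syntax is not shown.

```powershell
# Added example: function names and sample paths are hypothetical.

function Get-ControlSetMap {
    # HKLM\SYSTEM\Select records, as DWORDs, which numbered control set
    # plays which role. 'Current' is the one CurrentControlSet points to.
    $select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    foreach ($role in 'Current', 'Default', 'LastKnownGood', 'Failed') {
        [pscustomobject]@{
            Role = $role
            # A value of 0 (typical for 'Failed') means no such set exists.
            Key  = if ($select.$role) { 'ControlSet{0:D3}' -f [int]$select.$role } else { $null }
        }
    }
}

function Convert-ExcludePath {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        # Emit ControlSet00* instead of the single resolved key.
        [switch]$Wildcard
    )
    $target = if ($Wildcard) {
        'ControlSet00*'
    } else {
        (Get-ControlSetMap | Where-Object Role -eq 'Current').Key
    }
    foreach ($p in $Path) {
        # Rewrite only the CurrentControlSet component directly under
        # HKLM\SYSTEM; every other path is returned unchanged.
        $p -replace '^(HKEY_LOCAL_MACHINE|HKLM)\\SYSTEM\\CurrentControlSet(?=\\|$)',
                    "`${1}\SYSTEM\$target"
    }
}

# Constructed sample exclude paths (not taken from the article).
$excludes = @(
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc',
    'HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor'
)

Get-ControlSetMap | Format-Table -AutoSize
Convert-ExcludePath -Path $excludes -Wildcard
```

Without `-Wildcard` the rewritten path covers only the control set that is current at the time the script runs.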