Windows NT's registry exists completely in RAM and is created through the combination of numerous files. The top-level keys in the registry are actually made up from the information in two sections: HKEY_LOCAL_MACHINE and HKEY_USERS.
Under HKEY_LOCAL_MACHINE, there are five subkeys. With the exception of the hardware subkey, each of these subkeys—SAM, security, software, and system—is generated from a file of the same name that resides at %systemroot%\system32\config\. The contents of the hardware subkey are generated during the boot process.
Likewise, HKEY_USERS is made up of at least two subkeys. One is named .DEFAULT and the other is named by the SID that's associated with the Administrator user. The .DEFAULT subkey is generated from the contents of %systemroot%\profiles\DefaultUser\ntuser.dat, while the second subkey is generated from the contents of %systemroot%\profiles\Administrator\ntuser.dat. If there are other users, their subkeys will also reside here.