On this page
§11.4
Configuration Reference
Complete reference for all LCS self-configuration parameters. Every
parameter lives under Machine\System\Registry\ and follows the
self-configuration mechanism described in §8.2: compiled-in
defaults at boot, hot-swapped via self-watch
when registry values are available, validated against defined
ranges, invalid values rejected with audit event.
All parameters are REG_DWORD (uint32). All have compiled-in defaults that produce correct behaviour without any registry configuration.
§11.4.1 Timeouts
| Full path | Default | Min | Max | Unit | Description | Errno on violation |
|---|---|---|---|---|---|---|
Machine\System\Registry\RequestTimeoutMs |
30000 | 1000 | 600000 | milliseconds | Per-request timeout for RSI operations, measured from first attempt to reserve an in-flight slot through response receipt. When exceeded, the calling thread receives ETIMEDOUT. The source stays alive. | ETIMEDOUT |
Machine\System\Registry\TransactionTimeoutMs |
30000 | 1000 | 600000 | milliseconds | Maximum lifetime of an open transaction from reg_begin_transaction to auto-abort. Prevents stalled or malicious processes from holding the source's write lock indefinitely. | Transaction auto-aborted; caller's next operation returns EINVAL. |
§11.4.2 Path and naming limits
| Full path | Default | Min | Max | Unit | Description | Errno on violation |
|---|---|---|---|---|---|---|
Machine\System\Registry\MaxKeyDepth |
512 | 32 | 4096 | levels | Maximum nesting depth for the key hierarchy. Bounds ancestor chain memory per fd and path resolution walk length. | EINVAL on reg_open_key / reg_create_key |
Machine\System\Registry\MaxPathComponentLength |
255 | 64 | 1024 | UTF-8 bytes | Maximum length of a single key name component, value name, or layer name. | ENAMETOOLONG |
Machine\System\Registry\MaxTotalPathLength |
16383 | 1024 | 65535 | UTF-8 bytes | Maximum total length of a full registry path including all components and separators. Matches or exceeds the Windows limit. | ENAMETOOLONG |
Machine\System\Registry\SymlinkDepthLimit |
16 | 1 | 64 | hops | Maximum symlink resolution recursion depth during path resolution. | ELOOP |
§11.4.3 Value limits
| Full path | Default | Min | Max | Unit | Description | Errno on violation |
|---|---|---|---|---|---|---|
Machine\System\Registry\MaxValueSize |
1048576 | 4096 | 67108864 | bytes | Maximum data payload size for a single value. Default 1 MB, ceiling 64 MB. | ENOSPC |
§11.4.4 Layer limits
| Full path | Default | Min | Max | Unit | Description | Errno on violation |
|---|---|---|---|---|---|---|
Machine\System\Registry\MaxLayersPerValue |
128 | 1 | 1024 | layers | Maximum number of layers that can write to the same (key GUID, value name) pair. Bounds per-value layer resolution cost. | ENOSPC |
Machine\System\Registry\MaxTotalLayers |
1024 | 16 | 65536 | layers | Maximum number of distinct layers in the in-memory layer table. Bounds kernel memory consumption from layer creation. | ENOSPC on layer creation |
§11.4.5 Transaction limits
| Full path | Default | Min | Max | Unit | Description | Errno on violation |
|---|---|---|---|---|---|---|
Machine\System\Registry\MaxBoundTransactionsPerSource |
16 | 1 | 256 | transactions | Maximum number of concurrently bound (write-lock-holding) transactions per source. Prevents transaction chaining DoS. | EBUSY on the operation that would bind the transaction |
Machine\System\Registry\MaxReadOnlyTransactionsPerSource |
16 | 1 | 256 | transactions | Maximum number of concurrently active read-only snapshot transactions per source, used by REG_IOC_BACKUP. Prevents backup snapshot DoS without treating backups as write-lock-holding transactions. | EBUSY on REG_IOC_BACKUP |
§11.4.6 Source limits
| Full path | Default | Min | Max | Unit | Description | Errno on violation |
|---|---|---|---|---|---|---|
Machine\System\Registry\MaxRegisteredSources |
32 | 1 | 256 | sources | Maximum number of concurrently registered sources. | ENOSPC on REG_SRC_REGISTER |
Machine\System\Registry\MaxHivesPerSource |
64 | 1 | 1024 | hives | Maximum number of hives a single source can register. | ENOSPC on REG_SRC_REGISTER |
Machine\System\Registry\MaxConcurrentRSIRequests |
256 | 8 | 4096 | requests | Maximum simultaneously dispatched RSI requests awaiting response per source. When reached, new operations wait for a slot under the same RequestTimeoutMs deadline. | Caller waits; ETIMEDOUT if no slot becomes available before the deadline. |
§11.4.7 Watch limits
| Full path | Default | Min | Max | Unit | Description | Errno on violation |
|---|---|---|---|---|---|---|
Machine\System\Registry\NotificationQueueSize |
256 | 16 | 65536 | events | Maximum queued events per armed watch before overflow. When exceeded, oldest events are dropped and OVERFLOW is inserted. | OVERFLOW event delivered to watcher. |
Machine\System\Registry\MaxSubtreeWatchDepth |
0 | 0 | 4096 | levels | Maximum depth from the watched key to descendant keys for subtree watch event delivery. 0 means unlimited (all descendants). Events for changes deeper than this limit are silently dropped. | Events silently not delivered for changes beyond the depth limit. |
Machine\System\Registry\MaxTransactionWatchEventBurst |
4096 | 256 | 65536 | events | Maximum watch events generated per-watcher from a single transaction commit. When exceeded, LCS stops generating individual events and inserts a single OVERFLOW instead. | OVERFLOW event delivered to watcher. |
§11.4.8 Private hive and layer credential limits
| Full path | Default | Min | Max | Unit | Description | Errno on violation |
|---|---|---|---|---|---|---|
Machine\System\Registry\MaxScopeGUIDsPerToken |
8 | 1 | 256 | GUIDs | Maximum private hive scope GUIDs a thread's credentials can carry. Bounds per-syscall routing iteration cost. | Error at credential attachment time (KACS concern). |
Machine\System\Registry\MaxPrivateLayersPerToken |
16 | 1 | 256 | layers | Maximum private layer names a thread's credentials can carry. Bounds per-resolution is_active() iteration cost. | Error at credential attachment time (KACS concern). |
§11.4.9 Notes
-
All parameters are read from
Machine\System\Registry\via the self-watch mechanism. Changes take effect for new operations after the self-watch callback completes. In-flight operations use the value active when they started. -
Invalid values (out of range, wrong type) are silently ignored. LCS retains the previous known-good value and emits an audit event.
-
Values are never clamped. The registry shows what was written; the audit log shows what LCS is actually using.
-
The SD on
Machine\System\Registry\controls who can modify these parameters. By default: SYSTEM and Administrators have KEY_ALL_ACCESS, Authenticated Users have KEY_READ. Domain policy via Group Policy at higher precedence layers provides additional protection.
Peios Learn
Built with Trail