source: doc/winntreg.txt @ 228

Last change on this file since 228 was 164, checked in by tim, 15 years ago

reorganized documentation and testing directories

File size: 10.2 KB
RevLine 
[4]1The windows NT registry has 2 different blocks, where one can occur many
2times...
3
4the "regf"-Block
5================
6 
7"regf" is obviosly the abbreviation for "Registry file". "regf" is the
8signature of the header-block which is always 4kb in size, although only
9the first 64 bytes seem to be used and a checksum is calculated over
10the first 0x200 bytes only!
11
12Offset            Size      Contents
130x00000000      D-Word      ID: ASCII-"regf" = 0x66676572
140x00000004      D-Word      ???? //see struct REGF
150x00000008      D-Word      ???? Always the same value as at 0x00000004
160x0000000C      Q-Word      last modify date in WinNT date-format
170x00000014      D-Word      1
180x00000018      D-Word      3
190x0000001C      D-Word      0
200x00000020      D-Word      1
210x00000024      D-Word      Offset of 1st key record
220x00000028      D-Word      Size of the data-blocks (Filesize-4kb)
230x0000002C      D-Word      1
240x000001FC      D-Word      Sum of all D-Words from 0x00000000 to
[100]25                            0x000001FB  //XOR of all words. Nigel
[4]26
27I have analyzed more registry files (from multiple machines running
28NT 4.0 german version) and could not find an explanation for the values
29marked with ???? the rest of the first 4kb page is not important...
30
31the "hbin"-Block
32================
33I dont know what "hbin" stands for, but this block is always a multiple
34of 4kb in size.
35
36Inside these hbin-blocks the different records are placed. The memory-
37management looks like a C-compiler heap management to me...
38
39hbin-Header
40===========
41Offset      Size      Contents
420x0000      D-Word      ID: ASCII-"hbin" = 0x6E696268
430x0004      D-Word      Offset from the 1st hbin-Block
440x0008      D-Word      Offset to the next hbin-Block
450x001C      D-Word      Block-size
46
47The values in 0x0008 and 0x001C should be the same, so I dont know
48if they are correct or swapped...
49
50From offset 0x0020 inside a hbin-block data is stored with the following
51format:
52
53Offset      Size      Contents
540x0000      D-Word      Data-block size    //this size must be a
55multiple of 8. Nigel
560x0004      ????      Data
57 
58If the size field is negative (bit 31 set), the corresponding block
59is free and has a size of -blocksize!
60
61That does not seem to be true. All block lengths seem to be negative!
62(Richard Sharpe)
63
64The data is stored as one record per block. Block size is a multiple
65of 4 and the last block reaches the next hbin-block, leaving no room.
66
67(That also seems incorrect, in that the block size if a multiple of 8.
68That is, the block, including the 4 byte header, is always a multiple of
698 bytes. Richard Sharpe.)
70
71Records in the hbin-blocks
72==========================
73
74nk-Record
75
76      The nk-record can be treated as a kombination of tree-record and
77      key-record of the win 95 registry.
78
79lf-Record
80
81      The lf-record is the counterpart to the RGKN-record (the
82      hash-function)
83
84vk-Record
85
86      The vk-record consists information to a single value.
87
88sk-Record
89
90      sk (? Security Key ?) is the ACL of the registry.
91
92Value-Lists
93
94      The value-lists contain information about which values are inside a
95      sub-key and dont have a header.
96
97Datas
98
99      The datas of the registry are (like the value-list) stored without a
100      header.
101
102All offset-values are relative to the first hbin-block and point to the
103block-size field of the record-entry. to get the file offset, you have to add
104the header size (4kb) and the size field (4 bytes)...
105
106the nk-Record
107=============
108Offset      Size      Contents
1090x0000      Word      ID: ASCII-"nk" = 0x6B6E
1100x0002      Word      for the root-key: 0x2C, otherwise 0x20  //key symbolic links 0x10. Nigel
1110x0004      Q-Word      write-date/time in windows nt notation
[97]1120x000C      D-Word      UNKNOWN // added by TDM
[4]1130x0010      D-Word      Offset of Owner/Parent key
1140x0014      D-Word      number of sub-Keys
[97]1150x0018      D-Word      UNKNOWN // added by TDM
[4]1160x001C      D-Word      Offset of the sub-key lf-Records
[97]1170x0020      D-Word      UNKNOWN // added by TDM
[4]1180x0024      D-Word      number of values
1190x0028      D-Word      Offset of the Value-List
1200x002C      D-Word      Offset of the sk-Record
121
1220x0030      D-Word      Offset of the Class-Name //see NK structure for the use of these fields. Nigel
1230x0044      D-Word      Unused (data-trash)  //some kind of run time index. Does not appear to be important. Nigel
1240x0048      Word      name-length
1250x004A      Word      class-name length
1260x004C      ????      key-name
127
128the Value-List
129==============
130Offset      Size      Contents
1310x0000      D-Word      Offset 1st Value
1320x0004      D-Word      Offset 2nd Value
1330x????      D-Word      Offset nth Value
134
135To determine the number of values, you have to look at the owner-nk-record!
136
137Der vk-Record
138=============
139Offset      Size      Contents
1400x0000      Word      ID: ASCII-"vk" = 0x6B76
1410x0002      Word      name length
1420x0004      D-Word      length of the data   //if top bit is set when offset contains data. Nigel
1430x0008      D-Word      Offset of Data
1440x000C      D-Word      Type of value
1450x0010      Word      Flag
1460x0012      Word      Unused (data-trash)
1470x0014      ????      Name
148
149If bit 0 of the flag-word is set, a name is present, otherwise the value has no name (=default)
150
151If the data-size is lower 5, the data-offset value is used to store the data itself!
152
153The data-types
154==============
155Wert      Beteutung
1560x0001      RegSZ:             character string (in UNICODE!)
1570x0002      ExpandSZ:   string with "%var%" expanding (UNICODE!)
1580x0003      RegBin:           raw-binary value
1590x0004      RegDWord:   Dword
1600x0007      RegMultiSZ:      multiple strings, seperated with 0
161                  (UNICODE!)
162
[100]163The "lf"/"lh"/"ri"-record (hash list header)
[4]164===============
165Offset      Size      Contents
[100]1660x0000      Word      ID: ASCII-"lf" = 0x666C  (or "lh" or "ri")
[4]1670x0002      Word      number of keys
1680x0004      ????      Hash-Records
169
170Hash-Record
171===========
172Offset      Size      Contents
1730x0000      D-Word      Offset of corresponding "nk"-Record
[100]1740x0004      D-Word      ASCII: the first 4 characters of the key-name, padded with 0-s. Case sensitive!
175                        (the hash value may be computed differently for the various header types
176                         "lf"/"lh"/"ri"/etc)
[4]177Keep in mind, that the value at 0x0004 is used for checking the data-consistency! If you change the
178key-name you have to change the hash-value too!
179
180//These hashrecords must be sorted low to high within the lf record. Nigel.
181
182The "sk"-block
183==============
184(due to the complexity of the SAM-info, not clear jet)
185(This is just a self-relative security descriptor in the data. R Sharpe.)
186
187
188Offset      Size      Contents
1890x0000      Word      ID: ASCII-"sk" = 0x6B73
1900x0002      Word      Unused
1910x0004      D-Word      Offset of previous "sk"-Record
1920x0008      D-Word      Offset of next "sk"-Record
1930x000C      D-Word      usage-counter
1940x0010      D-Word      Size of "sk"-record in bytes
195????                                             //standard self
196relative security desciptor. Nigel
197????  ????      Security and auditing settings...
198????
199
200The usage counter counts the number of references to this
201"sk"-record. You can use one "sk"-record for the entire registry!
202
203Windows nt date/time format
204===========================
205The time-format is a 64-bit integer which is incremented every
2060,0000001 seconds by 1 (I dont know how accurate it really is!)
207It starts with 0 at the 1st of january 1601 0:00! All values are
208stored in GMT time! The time-zone is important to get the real
209time!
210
211Common values for win95 and win-nt
212==================================
213Offset values marking an "end of list", are either 0 or -1 (0xFFFFFFFF).
214If a value has no name (length=0, flag(bit 0)=0), it is treated as the
215"Default" entry...
216If a value has no data (length=0), it is displayed as empty.
217
218simplyfied win-3.?? registry:
219=============================
220
221+-----------+
222| next rec. |---+                      +----->+------------+
223| first sub |   |                      |      | Usage cnt. |
224| name      |   |  +-->+------------+  |      | length     |
225| value     |   |  |   | next rec.  |  |      | text       |------->+-------+
226+-----------+   |  |   | name rec.  |--+      +------------+        | xxxxx |
227   +------------+  |   | value rec. |-------->+------------+        +-------+
228   v               |   +------------+         | Usage cnt. |
229+-----------+      |                          | length     |
230| next rec. |      |                          | text       |------->+-------+
231| first sub |------+                          +------------+        | xxxxx |
232| name      |                                                       +-------+
233| value     |
234+-----------+   
235
236Greatly simplyfied structure of the nt-registry:
237================================================
238   
239+---------------------------------------------------------------+
240|                                                               |
241v                                                               |
242+---------+     +---------->+-----------+  +----->+---------+   |
243| "nk"    |     |           | lf-rec.   |  |      | nk-rec. |   |
244| ID      |     |           | # of keys |  |      | parent  |---+
245| Date    |     |           | 1st key   |--+      | ....    |
246| parent  |     |           +-----------+         +---------+
247| suk-keys|-----+
248| values  |--------------------->+----------+
249| SK-rec. |---------------+      | 1. value |--> +----------+
250| class   |--+            |      +----------+    | vk-rec.  |
251+---------+  |            |                      | ....     |
252             v            |                      | data     |--> +-------+
253      +------------+      |                      +----------+    | xxxxx |
254      | Class name |      |                                      +-------+
255      +------------+      |
256                          v
257          +---------+    +---------+
258   +----->| next sk |--->| Next sk |--+
259   |  +---| prev sk |<---| prev sk |  |
260   |  |   | ....    |    | ...     |  |
261   |  |   +---------+    +---------+  |
262   |  |                    ^          |
263   |  |                    |          |
264   |  +--------------------+          |
265   +----------------------------------+
266
267---------------------------------------------------------------------------
268
269Hope this helps....  (Although it was *fun* for me to uncover this things,
270                  it took me several sleepless nights ;)
271
272            B.D.
Note: See TracBrowser for help on using the repository browser.