Context Navigation

source: releases/0.4.0/doc/devel/winntreg.txt @ 133

Last change on this file since 133 was 26, checked in by tim, 19 years ago

Moved developer documentation under doc/devel

Fixed a bug with man page installation & moved more of installation out
into sub-directory Makefiles.

File size: 9.9 KB

Line
1	The windows NT registry has 2 different blocks, where one can occur many
2	times...
3
4	the "regf"-Block
5	================
6
7	"regf" is obviosly the abbreviation for "Registry file". "regf" is the
8	signature of the header-block which is always 4kb in size, although only
9	the first 64 bytes seem to be used and a checksum is calculated over
10	the first 0x200 bytes only!
11
12	Offset Size Contents
13	0x00000000 D-Word ID: ASCII-"regf" = 0x66676572
14	0x00000004 D-Word ???? //see struct REGF
15	0x00000008 D-Word ???? Always the same value as at 0x00000004
16	0x0000000C Q-Word last modify date in WinNT date-format
17	0x00000014 D-Word 1
18	0x00000018 D-Word 3
19	0x0000001C D-Word 0
20	0x00000020 D-Word 1
21	0x00000024 D-Word Offset of 1st key record
22	0x00000028 D-Word Size of the data-blocks (Filesize-4kb)
23	0x0000002C D-Word 1
24	0x000001FC D-Word Sum of all D-Words from 0x00000000 to
25	0x000001FB //XOR of all words. Nigel
26
27	I have analyzed more registry files (from multiple machines running
28	NT 4.0 german version) and could not find an explanation for the values
29	marked with ???? the rest of the first 4kb page is not important...
30
31	the "hbin"-Block
32	================
33	I dont know what "hbin" stands for, but this block is always a multiple
34	of 4kb in size.
35
36	Inside these hbin-blocks the different records are placed. The memory-
37	management looks like a C-compiler heap management to me...
38
39	hbin-Header
40	===========
41	Offset Size Contents
42	0x0000 D-Word ID: ASCII-"hbin" = 0x6E696268
43	0x0004 D-Word Offset from the 1st hbin-Block
44	0x0008 D-Word Offset to the next hbin-Block
45	0x001C D-Word Block-size
46
47	The values in 0x0008 and 0x001C should be the same, so I dont know
48	if they are correct or swapped...
49
50	From offset 0x0020 inside a hbin-block data is stored with the following
51	format:
52
53	Offset Size Contents
54	0x0000 D-Word Data-block size //this size must be a
55	multiple of 8. Nigel
56	0x0004 ???? Data
57
58	If the size field is negative (bit 31 set), the corresponding block
59	is free and has a size of -blocksize!
60
61	That does not seem to be true. All block lengths seem to be negative!
62	(Richard Sharpe)
63
64	The data is stored as one record per block. Block size is a multiple
65	of 4 and the last block reaches the next hbin-block, leaving no room.
66
67	(That also seems incorrect, in that the block size if a multiple of 8.
68	That is, the block, including the 4 byte header, is always a multiple of
69	8 bytes. Richard Sharpe.)
70
71	Records in the hbin-blocks
72	==========================
73
74	nk-Record
75
76	The nk-record can be treated as a kombination of tree-record and
77	key-record of the win 95 registry.
78
79	lf-Record
80
81	The lf-record is the counterpart to the RGKN-record (the
82	hash-function)
83
84	vk-Record
85
86	The vk-record consists information to a single value.
87
88	sk-Record
89
90	sk (? Security Key ?) is the ACL of the registry.
91
92	Value-Lists
93
94	The value-lists contain information about which values are inside a
95	sub-key and dont have a header.
96
97	Datas
98
99	The datas of the registry are (like the value-list) stored without a
100	header.
101
102	All offset-values are relative to the first hbin-block and point to the
103	block-size field of the record-entry. to get the file offset, you have to add
104	the header size (4kb) and the size field (4 bytes)...
105
106	the nk-Record
107	=============
108	Offset Size Contents
109	0x0000 Word ID: ASCII-"nk" = 0x6B6E
110	0x0002 Word for the root-key: 0x2C, otherwise 0x20 //key symbolic links 0x10. Nigel
111	0x0004 Q-Word write-date/time in windows nt notation
112	0x0010 D-Word Offset of Owner/Parent key
113	0x0014 D-Word number of sub-Keys
114	0x001C D-Word Offset of the sub-key lf-Records
115	0x0024 D-Word number of values
116	0x0028 D-Word Offset of the Value-List
117	0x002C D-Word Offset of the sk-Record
118
119	0x0030 D-Word Offset of the Class-Name //see NK structure for the use of these fields. Nigel
120	0x0044 D-Word Unused (data-trash) //some kind of run time index. Does not appear to be important. Nigel
121	0x0048 Word name-length
122	0x004A Word class-name length
123	0x004C ???? key-name
124
125	the Value-List
126	==============
127	Offset Size Contents
128	0x0000 D-Word Offset 1st Value
129	0x0004 D-Word Offset 2nd Value
130	0x???? D-Word Offset nth Value
131
132	To determine the number of values, you have to look at the owner-nk-record!
133
134	Der vk-Record
135	=============
136	Offset Size Contents
137	0x0000 Word ID: ASCII-"vk" = 0x6B76
138	0x0002 Word name length
139	0x0004 D-Word length of the data //if top bit is set when offset contains data. Nigel
140	0x0008 D-Word Offset of Data
141	0x000C D-Word Type of value
142	0x0010 Word Flag
143	0x0012 Word Unused (data-trash)
144	0x0014 ???? Name
145
146	If bit 0 of the flag-word is set, a name is present, otherwise the value has no name (=default)
147
148	If the data-size is lower 5, the data-offset value is used to store the data itself!
149
150	The data-types
151	==============
152	Wert Beteutung
153	0x0001 RegSZ: character string (in UNICODE!)
154	0x0002 ExpandSZ: string with "%var%" expanding (UNICODE!)
155	0x0003 RegBin: raw-binary value
156	0x0004 RegDWord: Dword
157	0x0007 RegMultiSZ: multiple strings, seperated with 0
158	(UNICODE!)
159
160	The "lf"-record
161	===============
162	Offset Size Contents
163	0x0000 Word ID: ASCII-"lf" = 0x666C
164	0x0002 Word number of keys
165	0x0004 ???? Hash-Records
166
167	Hash-Record
168	===========
169	Offset Size Contents
170	0x0000 D-Word Offset of corresponding "nk"-Record
171	0x0004 D-Word ASCII: the first 4 characters of the key-name, padded with 0-s. Case sensitiv!
172
173	Keep in mind, that the value at 0x0004 is used for checking the data-consistency! If you change the
174	key-name you have to change the hash-value too!
175
176	//These hashrecords must be sorted low to high within the lf record. Nigel.
177
178	The "sk"-block
179	==============
180	(due to the complexity of the SAM-info, not clear jet)
181	(This is just a self-relative security descriptor in the data. R Sharpe.)
182
183
184	Offset Size Contents
185	0x0000 Word ID: ASCII-"sk" = 0x6B73
186	0x0002 Word Unused
187	0x0004 D-Word Offset of previous "sk"-Record
188	0x0008 D-Word Offset of next "sk"-Record
189	0x000C D-Word usage-counter
190	0x0010 D-Word Size of "sk"-record in bytes
191	???? //standard self
192	relative security desciptor. Nigel
193	???? ???? Security and auditing settings...
194	????
195
196	The usage counter counts the number of references to this
197	"sk"-record. You can use one "sk"-record for the entire registry!
198
199	Windows nt date/time format
200	===========================
201	The time-format is a 64-bit integer which is incremented every
202	0,0000001 seconds by 1 (I dont know how accurate it really is!)
203	It starts with 0 at the 1st of january 1601 0:00! All values are
204	stored in GMT time! The time-zone is important to get the real
205	time!
206
207	Common values for win95 and win-nt
208	==================================
209	Offset values marking an "end of list", are either 0 or -1 (0xFFFFFFFF).
210	If a value has no name (length=0, flag(bit 0)=0), it is treated as the
211	"Default" entry...
212	If a value has no data (length=0), it is displayed as empty.
213
214	simplyfied win-3.?? registry:
215	=============================
216
217	+-----------+
218	\| next rec. \|---+ +----->+------------+
219	\| first sub \| \| \| \| Usage cnt. \|
220	\| name \| \| +-->+------------+ \| \| length \|
221	\| value \| \| \| \| next rec. \| \| \| text \|------->+-------+
222	+-----------+ \| \| \| name rec. \|--+ +------------+ \| xxxxx \|
223	+------------+ \| \| value rec. \|-------->+------------+ +-------+
224	v \| +------------+ \| Usage cnt. \|
225	+-----------+ \| \| length \|
226	\| next rec. \| \| \| text \|------->+-------+
227	\| first sub \|------+ +------------+ \| xxxxx \|
228	\| name \| +-------+
229	\| value \|
230	+-----------+
231
232	Greatly simplyfied structure of the nt-registry:
233	================================================
234
235	+---------------------------------------------------------------+
236	\| \|
237	v \|
238	+---------+ +---------->+-----------+ +----->+---------+ \|
239	\| "nk" \| \| \| lf-rec. \| \| \| nk-rec. \| \|
240	\| ID \| \| \| # of keys \| \| \| parent \|---+
241	\| Date \| \| \| 1st key \|--+ \| .... \|
242	\| parent \| \| +-----------+ +---------+
243	\| suk-keys\|-----+
244	\| values \|--------------------->+----------+
245	\| SK-rec. \|---------------+ \| 1. value \|--> +----------+
246	\| class \|--+ \| +----------+ \| vk-rec. \|
247	+---------+ \| \| \| .... \|
248	v \| \| data \|--> +-------+
249	+------------+ \| +----------+ \| xxxxx \|
250	\| Class name \| \| +-------+
251	+------------+ \|
252	v
253	+---------+ +---------+
254	+----->\| next sk \|--->\| Next sk \|--+
255	\| +---\| prev sk \|<---\| prev sk \| \|
256	\| \| \| .... \| \| ... \| \|
257	\| \| +---------+ +---------+ \|
258	\| \| ^ \|
259	\| \| \| \|
260	\| +--------------------+ \|
261	+----------------------------------+
262
263	---------------------------------------------------------------------------
264
265	Hope this helps.... (Although it was fun for me to uncover this things,
266	it took me several sleepless nights ;)
267
268	B.D.

Note: See TracBrowser for help on using the repository browser.

Download in other formats: