| 1 | - The Windows NT Registry File Format |
|---|
| 2 | (A work in progress to support this tool.) |
|---|
| 3 | http://sentinelchicken.com/research/registry_format/ |
|---|
| 4 | |
|---|
| 5 | - Recovering Deleted Data From the Windows Registry |
|---|
| 6 | (The research that is implemented as a PoC in reglookup-recover.) |
|---|
| 7 | http://sentinelchicken.com/research/registry_recovery/ |
|---|
| 8 | |
|---|
| 9 | - Petter Nordahl-Hagen. Windows NT registry file format description. |
|---|
| 10 | (The file 'winntreg.txt' included in this distribution is derived from this.) |
|---|
| 11 | http://home.eunet.no/~pnordahl/ntpasswd/WinReg.txt |
|---|
| 12 | |
|---|
| 13 | - Nigel Williams. Much of the same information as provided in 'winntreg.txt', |
|---|
| 14 | but with some code: |
|---|
| 15 | http://www.wednesday.demon.co.uk/dosreg.html |
|---|
| 16 | |
|---|
| 17 | - Some useful information on how Windows reads from and writes to registry |
|---|
| 18 | hives: |
|---|
| 19 | http://www.microsoft.com/technet/archive/winntas/tips/winntmag/inreg.mspx |
|---|
| 20 | |
|---|
| 21 | - Registry key, value, and depth limits: |
|---|
| 22 | http://msdn2.microsoft.com/en-us/library/ms724872.aspx |
|---|
| 23 | |
|---|
| 24 | - Misc references for windows registry permissions and ownership: |
|---|
| 25 | http://msdn2.microsoft.com/en-gb/library/ms724878.aspx |
|---|
| 26 | http://technet2.microsoft.com/WindowsServer/en/library/86cf2457-4f17-43f8-a2ab-7f4e2e5659091033.mspx?mfr=true |
|---|
| 27 | http://msdn2.microsoft.com/en-gb/library/aa374892.aspx |
|---|
| 28 | |
|---|
| 29 | - ACL/ACE flags information |
|---|
| 30 | http://support.microsoft.com/kb/220167 |
|---|
| 31 | http://msdn2.microsoft.com/en-us/library/aa772242.aspx |
|---|
| 32 | |
|---|
| 33 | - Info on SAM hive, syskey, and hash extraction (with tools bkhive and samdump2): |
|---|
| 34 | http://www.studenti.unina.it/~ncuomo/syskey/ |
|---|
