source: trunk/doc/devel/winntreg.txt@ 277

Last change on this file since 277 was 238, checked in by tim, 14 years ago

moved development documentation back to old location, adjusted build scripts accordingly

misc documentation fixes
File size: 10.2 KB
RevLine 
[4]1The windows NT registry has 2 different blocks, where one can occur many
2times...
3
4the "regf"-Block
5================
6
7"regf" is obviosly the abbreviation for "Registry file". "regf" is the
8signature of the header-block which is always 4kb in size, although only
9the first 64 bytes seem to be used and a checksum is calculated over
10the first 0x200 bytes only!
11
12Offset Size Contents
130x00000000 D-Word ID: ASCII-"regf" = 0x66676572
140x00000004 D-Word ???? //see struct REGF
150x00000008 D-Word ???? Always the same value as at 0x00000004
160x0000000C Q-Word last modify date in WinNT date-format
170x00000014 D-Word 1
180x00000018 D-Word 3
190x0000001C D-Word 0
200x00000020 D-Word 1
210x00000024 D-Word Offset of 1st key record
220x00000028 D-Word Size of the data-blocks (Filesize-4kb)
230x0000002C D-Word 1
240x000001FC D-Word Sum of all D-Words from 0x00000000 to
[100]25 0x000001FB //XOR of all words. Nigel
[4]26
27I have analyzed more registry files (from multiple machines running
28NT 4.0 german version) and could not find an explanation for the values
29marked with ???? the rest of the first 4kb page is not important...
30
31the "hbin"-Block
32================
33I dont know what "hbin" stands for, but this block is always a multiple
34of 4kb in size.
35
36Inside these hbin-blocks the different records are placed. The memory-
37management looks like a C-compiler heap management to me...
38
39hbin-Header
40===========
41Offset Size Contents
420x0000 D-Word ID: ASCII-"hbin" = 0x6E696268
430x0004 D-Word Offset from the 1st hbin-Block
440x0008 D-Word Offset to the next hbin-Block
450x001C D-Word Block-size
46
47The values in 0x0008 and 0x001C should be the same, so I dont know
48if they are correct or swapped...
49
50From offset 0x0020 inside a hbin-block data is stored with the following
51format:
52
53Offset Size Contents
540x0000 D-Word Data-block size //this size must be a
55multiple of 8. Nigel
560x0004 ???? Data
57
58If the size field is negative (bit 31 set), the corresponding block
59is free and has a size of -blocksize!
60
61That does not seem to be true. All block lengths seem to be negative!
62(Richard Sharpe)
63
64The data is stored as one record per block. Block size is a multiple
65of 4 and the last block reaches the next hbin-block, leaving no room.
66
67(That also seems incorrect, in that the block size if a multiple of 8.
68That is, the block, including the 4 byte header, is always a multiple of
698 bytes. Richard Sharpe.)
70
71Records in the hbin-blocks
72==========================
73
74nk-Record
75
76 The nk-record can be treated as a kombination of tree-record and
77 key-record of the win 95 registry.
78
79lf-Record
80
81 The lf-record is the counterpart to the RGKN-record (the
82 hash-function)
83
84vk-Record
85
86 The vk-record consists information to a single value.
87
88sk-Record
89
90 sk (? Security Key ?) is the ACL of the registry.
91
92Value-Lists
93
94 The value-lists contain information about which values are inside a
95 sub-key and dont have a header.
96
97Datas
98
99 The datas of the registry are (like the value-list) stored without a
100 header.
101
102All offset-values are relative to the first hbin-block and point to the
103block-size field of the record-entry. to get the file offset, you have to add
104the header size (4kb) and the size field (4 bytes)...
105
106the nk-Record
107=============
108Offset Size Contents
1090x0000 Word ID: ASCII-"nk" = 0x6B6E
1100x0002 Word for the root-key: 0x2C, otherwise 0x20 //key symbolic links 0x10. Nigel
1110x0004 Q-Word write-date/time in windows nt notation
[97]1120x000C D-Word UNKNOWN // added by TDM
[4]1130x0010 D-Word Offset of Owner/Parent key
1140x0014 D-Word number of sub-Keys
[97]1150x0018 D-Word UNKNOWN // added by TDM
[4]1160x001C D-Word Offset of the sub-key lf-Records
[97]1170x0020 D-Word UNKNOWN // added by TDM
[4]1180x0024 D-Word number of values
1190x0028 D-Word Offset of the Value-List
1200x002C D-Word Offset of the sk-Record
121
1220x0030 D-Word Offset of the Class-Name //see NK structure for the use of these fields. Nigel
1230x0044 D-Word Unused (data-trash) //some kind of run time index. Does not appear to be important. Nigel
1240x0048 Word name-length
1250x004A Word class-name length
1260x004C ???? key-name
127
128the Value-List
129==============
130Offset Size Contents
1310x0000 D-Word Offset 1st Value
1320x0004 D-Word Offset 2nd Value
1330x???? D-Word Offset nth Value
134
135To determine the number of values, you have to look at the owner-nk-record!
136
137Der vk-Record
138=============
139Offset Size Contents
1400x0000 Word ID: ASCII-"vk" = 0x6B76
1410x0002 Word name length
1420x0004 D-Word length of the data //if top bit is set when offset contains data. Nigel
1430x0008 D-Word Offset of Data
1440x000C D-Word Type of value
1450x0010 Word Flag
1460x0012 Word Unused (data-trash)
1470x0014 ???? Name
148
149If bit 0 of the flag-word is set, a name is present, otherwise the value has no name (=default)
150
151If the data-size is lower 5, the data-offset value is used to store the data itself!
152
153The data-types
154==============
155Wert Beteutung
1560x0001 RegSZ: character string (in UNICODE!)
1570x0002 ExpandSZ: string with "%var%" expanding (UNICODE!)
1580x0003 RegBin: raw-binary value
1590x0004 RegDWord: Dword
1600x0007 RegMultiSZ: multiple strings, seperated with 0
161 (UNICODE!)
162
[100]163The "lf"/"lh"/"ri"-record (hash list header)
[4]164===============
165Offset Size Contents
[100]1660x0000 Word ID: ASCII-"lf" = 0x666C (or "lh" or "ri")
[4]1670x0002 Word number of keys
1680x0004 ???? Hash-Records
169
170Hash-Record
171===========
172Offset Size Contents
1730x0000 D-Word Offset of corresponding "nk"-Record
[100]1740x0004 D-Word ASCII: the first 4 characters of the key-name, padded with 0-s. Case sensitive!
175 (the hash value may be computed differently for the various header types
176 "lf"/"lh"/"ri"/etc)
[4]177Keep in mind, that the value at 0x0004 is used for checking the data-consistency! If you change the
178key-name you have to change the hash-value too!
179
180//These hashrecords must be sorted low to high within the lf record. Nigel.
181
182The "sk"-block
183==============
184(due to the complexity of the SAM-info, not clear jet)
185(This is just a self-relative security descriptor in the data. R Sharpe.)
186
187
188Offset Size Contents
1890x0000 Word ID: ASCII-"sk" = 0x6B73
1900x0002 Word Unused
1910x0004 D-Word Offset of previous "sk"-Record
1920x0008 D-Word Offset of next "sk"-Record
1930x000C D-Word usage-counter
1940x0010 D-Word Size of "sk"-record in bytes
195???? //standard self
196relative security desciptor. Nigel
197???? ???? Security and auditing settings...
198????
199
200The usage counter counts the number of references to this
201"sk"-record. You can use one "sk"-record for the entire registry!
202
203Windows nt date/time format
204===========================
205The time-format is a 64-bit integer which is incremented every
2060,0000001 seconds by 1 (I dont know how accurate it really is!)
207It starts with 0 at the 1st of january 1601 0:00! All values are
208stored in GMT time! The time-zone is important to get the real
209time!
210
211Common values for win95 and win-nt
212==================================
213Offset values marking an "end of list", are either 0 or -1 (0xFFFFFFFF).
214If a value has no name (length=0, flag(bit 0)=0), it is treated as the
215"Default" entry...
216If a value has no data (length=0), it is displayed as empty.
217
218simplyfied win-3.?? registry:
219=============================
220
221+-----------+
222| next rec. |---+ +----->+------------+
223| first sub | | | | Usage cnt. |
224| name | | +-->+------------+ | | length |
225| value | | | | next rec. | | | text |------->+-------+
226+-----------+ | | | name rec. |--+ +------------+ | xxxxx |
227 +------------+ | | value rec. |-------->+------------+ +-------+
228 v | +------------+ | Usage cnt. |
229+-----------+ | | length |
230| next rec. | | | text |------->+-------+
231| first sub |------+ +------------+ | xxxxx |
232| name | +-------+
233| value |
234+-----------+
235
236Greatly simplyfied structure of the nt-registry:
237================================================
238
239+---------------------------------------------------------------+
240| |
241v |
242+---------+ +---------->+-----------+ +----->+---------+ |
243| "nk" | | | lf-rec. | | | nk-rec. | |
244| ID | | | # of keys | | | parent |---+
245| Date | | | 1st key |--+ | .... |
246| parent | | +-----------+ +---------+
247| suk-keys|-----+
248| values |--------------------->+----------+
249| SK-rec. |---------------+ | 1. value |--> +----------+
250| class |--+ | +----------+ | vk-rec. |
251+---------+ | | | .... |
252 v | | data |--> +-------+
253 +------------+ | +----------+ | xxxxx |
254 | Class name | | +-------+
255 +------------+ |
256 v
257 +---------+ +---------+
258 +----->| next sk |--->| Next sk |--+
259 | +---| prev sk |<---| prev sk | |
260 | | | .... | | ... | |
261 | | +---------+ +---------+ |
262 | | ^ |
263 | | | |
264 | +--------------------+ |
265 +----------------------------------+
266
267---------------------------------------------------------------------------
268
269Hope this helps.... (Although it was *fun* for me to uncover this things,
270 it took me several sleepless nights ;)
271
272 B.D.
Note: See TracBrowser for help on using the repository browser.