Context Navigation

source: trunk/doc/devel/winntreg.txt @ 45

Last change on this file since 45 was 26, checked in by tim, 19 years ago

Moved developer documentation under doc/devel

Fixed a bug with man page installation & moved more of installation out
into sub-directory Makefiles.

File size: 9.9 KB

Rev	Line
[4]	1	The windows NT registry has 2 different blocks, where one can occur many
	2	times...
	3
	4	the "regf"-Block
	5	================
	6
	7	"regf" is obviosly the abbreviation for "Registry file". "regf" is the
	8	signature of the header-block which is always 4kb in size, although only
	9	the first 64 bytes seem to be used and a checksum is calculated over
	10	the first 0x200 bytes only!
	11
	12	Offset Size Contents
	13	0x00000000 D-Word ID: ASCII-"regf" = 0x66676572
	14	0x00000004 D-Word ???? //see struct REGF
	15	0x00000008 D-Word ???? Always the same value as at 0x00000004
	16	0x0000000C Q-Word last modify date in WinNT date-format
	17	0x00000014 D-Word 1
	18	0x00000018 D-Word 3
	19	0x0000001C D-Word 0
	20	0x00000020 D-Word 1
	21	0x00000024 D-Word Offset of 1st key record
	22	0x00000028 D-Word Size of the data-blocks (Filesize-4kb)
	23	0x0000002C D-Word 1
	24	0x000001FC D-Word Sum of all D-Words from 0x00000000 to
	25	0x000001FB //XOR of all words. Nigel
	26
	27	I have analyzed more registry files (from multiple machines running
	28	NT 4.0 german version) and could not find an explanation for the values
	29	marked with ???? the rest of the first 4kb page is not important...
	30
	31	the "hbin"-Block
	32	================
	33	I dont know what "hbin" stands for, but this block is always a multiple
	34	of 4kb in size.
	35
	36	Inside these hbin-blocks the different records are placed. The memory-
	37	management looks like a C-compiler heap management to me...
	38
	39	hbin-Header
	40	===========
	41	Offset Size Contents
	42	0x0000 D-Word ID: ASCII-"hbin" = 0x6E696268
	43	0x0004 D-Word Offset from the 1st hbin-Block
	44	0x0008 D-Word Offset to the next hbin-Block
	45	0x001C D-Word Block-size
	46
	47	The values in 0x0008 and 0x001C should be the same, so I dont know
	48	if they are correct or swapped...
	49
	50	From offset 0x0020 inside a hbin-block data is stored with the following
	51	format:
	52
	53	Offset Size Contents
	54	0x0000 D-Word Data-block size //this size must be a
	55	multiple of 8. Nigel
	56	0x0004 ???? Data
	57
	58	If the size field is negative (bit 31 set), the corresponding block
	59	is free and has a size of -blocksize!
	60
	61	That does not seem to be true. All block lengths seem to be negative!
	62	(Richard Sharpe)
	63
	64	The data is stored as one record per block. Block size is a multiple
	65	of 4 and the last block reaches the next hbin-block, leaving no room.
	66
	67	(That also seems incorrect, in that the block size if a multiple of 8.
	68	That is, the block, including the 4 byte header, is always a multiple of
	69	8 bytes. Richard Sharpe.)
	70
	71	Records in the hbin-blocks
	72	==========================
	73
	74	nk-Record
	75
	76	The nk-record can be treated as a kombination of tree-record and
	77	key-record of the win 95 registry.
	78
	79	lf-Record
	80
	81	The lf-record is the counterpart to the RGKN-record (the
	82	hash-function)
	83
	84	vk-Record
	85
	86	The vk-record consists information to a single value.
	87
	88	sk-Record
	89
	90	sk (? Security Key ?) is the ACL of the registry.
	91
	92	Value-Lists
	93
	94	The value-lists contain information about which values are inside a
	95	sub-key and dont have a header.
	96
	97	Datas
	98
	99	The datas of the registry are (like the value-list) stored without a
	100	header.
	101
	102	All offset-values are relative to the first hbin-block and point to the
	103	block-size field of the record-entry. to get the file offset, you have to add
	104	the header size (4kb) and the size field (4 bytes)...
	105
	106	the nk-Record
	107	=============
	108	Offset Size Contents
	109	0x0000 Word ID: ASCII-"nk" = 0x6B6E
	110	0x0002 Word for the root-key: 0x2C, otherwise 0x20 //key symbolic links 0x10. Nigel
	111	0x0004 Q-Word write-date/time in windows nt notation
	112	0x0010 D-Word Offset of Owner/Parent key
	113	0x0014 D-Word number of sub-Keys
	114	0x001C D-Word Offset of the sub-key lf-Records
	115	0x0024 D-Word number of values
	116	0x0028 D-Word Offset of the Value-List
	117	0x002C D-Word Offset of the sk-Record
	118
	119	0x0030 D-Word Offset of the Class-Name //see NK structure for the use of these fields. Nigel
	120	0x0044 D-Word Unused (data-trash) //some kind of run time index. Does not appear to be important. Nigel
	121	0x0048 Word name-length
	122	0x004A Word class-name length
	123	0x004C ???? key-name
	124
	125	the Value-List
	126	==============
	127	Offset Size Contents
	128	0x0000 D-Word Offset 1st Value
	129	0x0004 D-Word Offset 2nd Value
	130	0x???? D-Word Offset nth Value
	131
	132	To determine the number of values, you have to look at the owner-nk-record!
	133
	134	Der vk-Record
	135	=============
	136	Offset Size Contents
	137	0x0000 Word ID: ASCII-"vk" = 0x6B76
	138	0x0002 Word name length
	139	0x0004 D-Word length of the data //if top bit is set when offset contains data. Nigel
	140	0x0008 D-Word Offset of Data
	141	0x000C D-Word Type of value
	142	0x0010 Word Flag
	143	0x0012 Word Unused (data-trash)
	144	0x0014 ???? Name
	145
	146	If bit 0 of the flag-word is set, a name is present, otherwise the value has no name (=default)
	147
	148	If the data-size is lower 5, the data-offset value is used to store the data itself!
	149
	150	The data-types
	151	==============
	152	Wert Beteutung
	153	0x0001 RegSZ: character string (in UNICODE!)
	154	0x0002 ExpandSZ: string with "%var%" expanding (UNICODE!)
	155	0x0003 RegBin: raw-binary value
	156	0x0004 RegDWord: Dword
	157	0x0007 RegMultiSZ: multiple strings, seperated with 0
	158	(UNICODE!)
	159
	160	The "lf"-record
	161	===============
	162	Offset Size Contents
	163	0x0000 Word ID: ASCII-"lf" = 0x666C
	164	0x0002 Word number of keys
	165	0x0004 ???? Hash-Records
	166
	167	Hash-Record
	168	===========
	169	Offset Size Contents
	170	0x0000 D-Word Offset of corresponding "nk"-Record
	171	0x0004 D-Word ASCII: the first 4 characters of the key-name, padded with 0-s. Case sensitiv!
	172
	173	Keep in mind, that the value at 0x0004 is used for checking the data-consistency! If you change the
	174	key-name you have to change the hash-value too!
	175
	176	//These hashrecords must be sorted low to high within the lf record. Nigel.
	177
	178	The "sk"-block
	179	==============
	180	(due to the complexity of the SAM-info, not clear jet)
	181	(This is just a self-relative security descriptor in the data. R Sharpe.)
	182
	183
	184	Offset Size Contents
	185	0x0000 Word ID: ASCII-"sk" = 0x6B73
	186	0x0002 Word Unused
	187	0x0004 D-Word Offset of previous "sk"-Record
	188	0x0008 D-Word Offset of next "sk"-Record
	189	0x000C D-Word usage-counter
	190	0x0010 D-Word Size of "sk"-record in bytes
	191	???? //standard self
	192	relative security desciptor. Nigel
	193	???? ???? Security and auditing settings...
	194	????
	195
	196	The usage counter counts the number of references to this
	197	"sk"-record. You can use one "sk"-record for the entire registry!
	198
	199	Windows nt date/time format
	200	===========================
	201	The time-format is a 64-bit integer which is incremented every
	202	0,0000001 seconds by 1 (I dont know how accurate it really is!)
	203	It starts with 0 at the 1st of january 1601 0:00! All values are
	204	stored in GMT time! The time-zone is important to get the real
	205	time!
	206
	207	Common values for win95 and win-nt
	208	==================================
	209	Offset values marking an "end of list", are either 0 or -1 (0xFFFFFFFF).
	210	If a value has no name (length=0, flag(bit 0)=0), it is treated as the
	211	"Default" entry...
	212	If a value has no data (length=0), it is displayed as empty.
	213
	214	simplyfied win-3.?? registry:
	215	=============================
	216
	217	+-----------+
	218	\| next rec. \|---+ +----->+------------+
	219	\| first sub \| \| \| \| Usage cnt. \|
	220	\| name \| \| +-->+------------+ \| \| length \|
	221	\| value \| \| \| \| next rec. \| \| \| text \|------->+-------+
	222	+-----------+ \| \| \| name rec. \|--+ +------------+ \| xxxxx \|
	223	+------------+ \| \| value rec. \|-------->+------------+ +-------+
	224	v \| +------------+ \| Usage cnt. \|
	225	+-----------+ \| \| length \|
	226	\| next rec. \| \| \| text \|------->+-------+
	227	\| first sub \|------+ +------------+ \| xxxxx \|
	228	\| name \| +-------+
	229	\| value \|
	230	+-----------+
	231
	232	Greatly simplyfied structure of the nt-registry:
	233	================================================
	234
	235	+---------------------------------------------------------------+
	236	\| \|
	237	v \|
	238	+---------+ +---------->+-----------+ +----->+---------+ \|
	239	\| "nk" \| \| \| lf-rec. \| \| \| nk-rec. \| \|
	240	\| ID \| \| \| # of keys \| \| \| parent \|---+
	241	\| Date \| \| \| 1st key \|--+ \| .... \|
	242	\| parent \| \| +-----------+ +---------+
	243	\| suk-keys\|-----+
	244	\| values \|--------------------->+----------+
	245	\| SK-rec. \|---------------+ \| 1. value \|--> +----------+
	246	\| class \|--+ \| +----------+ \| vk-rec. \|
	247	+---------+ \| \| \| .... \|
	248	v \| \| data \|--> +-------+
	249	+------------+ \| +----------+ \| xxxxx \|
	250	\| Class name \| \| +-------+
	251	+------------+ \|
	252	v
	253	+---------+ +---------+
	254	+----->\| next sk \|--->\| Next sk \|--+
	255	\| +---\| prev sk \|<---\| prev sk \| \|
	256	\| \| \| .... \| \| ... \| \|
	257	\| \| +---------+ +---------+ \|
	258	\| \| ^ \|
	259	\| \| \| \|
	260	\| +--------------------+ \|
	261	+----------------------------------+
	262
	263	---------------------------------------------------------------------------
	264
	265	Hope this helps.... (Although it was fun for me to uncover this things,
	266	it took me several sleepless nights ;)
	267
	268	B.D.

Note: See TracBrowser for help on using the repository browser.

Download in other formats: