Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

winntreg.txt@ 253

Last change on this file since 253 was 238, checked in by tim, 14 years ago

moved development documentation back to old location, adjusted build scripts accordingly

misc documentation fixes

File size: 10.2 KB

Line
1	The windows NT registry has 2 different blocks, where one can occur many
2	times...
3
4	the "regf"-Block
5	================
6
7	"regf" is obviosly the abbreviation for "Registry file". "regf" is the
8	signature of the header-block which is always 4kb in size, although only
9	the first 64 bytes seem to be used and a checksum is calculated over
10	the first 0x200 bytes only!
11
12	Offset Size Contents
13	0x00000000 D-Word ID: ASCII-"regf" = 0x66676572
14	0x00000004 D-Word ???? //see struct REGF
15	0x00000008 D-Word ???? Always the same value as at 0x00000004
16	0x0000000C Q-Word last modify date in WinNT date-format
17	0x00000014 D-Word 1
18	0x00000018 D-Word 3
19	0x0000001C D-Word 0
20	0x00000020 D-Word 1
21	0x00000024 D-Word Offset of 1st key record
22	0x00000028 D-Word Size of the data-blocks (Filesize-4kb)
23	0x0000002C D-Word 1
24	0x000001FC D-Word Sum of all D-Words from 0x00000000 to
25	0x000001FB //XOR of all words. Nigel
26
27	I have analyzed more registry files (from multiple machines running
28	NT 4.0 german version) and could not find an explanation for the values
29	marked with ???? the rest of the first 4kb page is not important...
30
31	the "hbin"-Block
32	================
33	I dont know what "hbin" stands for, but this block is always a multiple
34	of 4kb in size.
35
36	Inside these hbin-blocks the different records are placed. The memory-
37	management looks like a C-compiler heap management to me...
38
39	hbin-Header
40	===========
41	Offset Size Contents
42	0x0000 D-Word ID: ASCII-"hbin" = 0x6E696268
43	0x0004 D-Word Offset from the 1st hbin-Block
44	0x0008 D-Word Offset to the next hbin-Block
45	0x001C D-Word Block-size
46
47	The values in 0x0008 and 0x001C should be the same, so I dont know
48	if they are correct or swapped...
49
50	From offset 0x0020 inside a hbin-block data is stored with the following
51	format:
52
53	Offset Size Contents
54	0x0000 D-Word Data-block size //this size must be a
55	multiple of 8. Nigel
56	0x0004 ???? Data
57
58	If the size field is negative (bit 31 set), the corresponding block
59	is free and has a size of -blocksize!
60
61	That does not seem to be true. All block lengths seem to be negative!
62	(Richard Sharpe)
63
64	The data is stored as one record per block. Block size is a multiple
65	of 4 and the last block reaches the next hbin-block, leaving no room.
66
67	(That also seems incorrect, in that the block size if a multiple of 8.
68	That is, the block, including the 4 byte header, is always a multiple of
69	8 bytes. Richard Sharpe.)
70
71	Records in the hbin-blocks
72	==========================
73
74	nk-Record
75
76	The nk-record can be treated as a kombination of tree-record and
77	key-record of the win 95 registry.
78
79	lf-Record
80
81	The lf-record is the counterpart to the RGKN-record (the
82	hash-function)
83
84	vk-Record
85
86	The vk-record consists information to a single value.
87
88	sk-Record
89
90	sk (? Security Key ?) is the ACL of the registry.
91
92	Value-Lists
93
94	The value-lists contain information about which values are inside a
95	sub-key and dont have a header.
96
97	Datas
98
99	The datas of the registry are (like the value-list) stored without a
100	header.
101
102	All offset-values are relative to the first hbin-block and point to the
103	block-size field of the record-entry. to get the file offset, you have to add
104	the header size (4kb) and the size field (4 bytes)...
105
106	the nk-Record
107	=============
108	Offset Size Contents
109	0x0000 Word ID: ASCII-"nk" = 0x6B6E
110	0x0002 Word for the root-key: 0x2C, otherwise 0x20 //key symbolic links 0x10. Nigel
111	0x0004 Q-Word write-date/time in windows nt notation
112	0x000C D-Word UNKNOWN // added by TDM
113	0x0010 D-Word Offset of Owner/Parent key
114	0x0014 D-Word number of sub-Keys
115	0x0018 D-Word UNKNOWN // added by TDM
116	0x001C D-Word Offset of the sub-key lf-Records
117	0x0020 D-Word UNKNOWN // added by TDM
118	0x0024 D-Word number of values
119	0x0028 D-Word Offset of the Value-List
120	0x002C D-Word Offset of the sk-Record
121
122	0x0030 D-Word Offset of the Class-Name //see NK structure for the use of these fields. Nigel
123	0x0044 D-Word Unused (data-trash) //some kind of run time index. Does not appear to be important. Nigel
124	0x0048 Word name-length
125	0x004A Word class-name length
126	0x004C ???? key-name
127
128	the Value-List
129	==============
130	Offset Size Contents
131	0x0000 D-Word Offset 1st Value
132	0x0004 D-Word Offset 2nd Value
133	0x???? D-Word Offset nth Value
134
135	To determine the number of values, you have to look at the owner-nk-record!
136
137	Der vk-Record
138	=============
139	Offset Size Contents
140	0x0000 Word ID: ASCII-"vk" = 0x6B76
141	0x0002 Word name length
142	0x0004 D-Word length of the data //if top bit is set when offset contains data. Nigel
143	0x0008 D-Word Offset of Data
144	0x000C D-Word Type of value
145	0x0010 Word Flag
146	0x0012 Word Unused (data-trash)
147	0x0014 ???? Name
148
149	If bit 0 of the flag-word is set, a name is present, otherwise the value has no name (=default)
150
151	If the data-size is lower 5, the data-offset value is used to store the data itself!
152
153	The data-types
154	==============
155	Wert Beteutung
156	0x0001 RegSZ: character string (in UNICODE!)
157	0x0002 ExpandSZ: string with "%var%" expanding (UNICODE!)
158	0x0003 RegBin: raw-binary value
159	0x0004 RegDWord: Dword
160	0x0007 RegMultiSZ: multiple strings, seperated with 0
161	(UNICODE!)
162
163	The "lf"/"lh"/"ri"-record (hash list header)
164	===============
165	Offset Size Contents
166	0x0000 Word ID: ASCII-"lf" = 0x666C (or "lh" or "ri")
167	0x0002 Word number of keys
168	0x0004 ???? Hash-Records
169
170	Hash-Record
171	===========
172	Offset Size Contents
173	0x0000 D-Word Offset of corresponding "nk"-Record
174	0x0004 D-Word ASCII: the first 4 characters of the key-name, padded with 0-s. Case sensitive!
175	(the hash value may be computed differently for the various header types
176	"lf"/"lh"/"ri"/etc)
177	Keep in mind, that the value at 0x0004 is used for checking the data-consistency! If you change the
178	key-name you have to change the hash-value too!
179
180	//These hashrecords must be sorted low to high within the lf record. Nigel.
181
182	The "sk"-block
183	==============
184	(due to the complexity of the SAM-info, not clear jet)
185	(This is just a self-relative security descriptor in the data. R Sharpe.)
186
187
188	Offset Size Contents
189	0x0000 Word ID: ASCII-"sk" = 0x6B73
190	0x0002 Word Unused
191	0x0004 D-Word Offset of previous "sk"-Record
192	0x0008 D-Word Offset of next "sk"-Record
193	0x000C D-Word usage-counter
194	0x0010 D-Word Size of "sk"-record in bytes
195	???? //standard self
196	relative security desciptor. Nigel
197	???? ???? Security and auditing settings...
198	????
199
200	The usage counter counts the number of references to this
201	"sk"-record. You can use one "sk"-record for the entire registry!
202
203	Windows nt date/time format
204	===========================
205	The time-format is a 64-bit integer which is incremented every
206	0,0000001 seconds by 1 (I dont know how accurate it really is!)
207	It starts with 0 at the 1st of january 1601 0:00! All values are
208	stored in GMT time! The time-zone is important to get the real
209	time!
210
211	Common values for win95 and win-nt
212	==================================
213	Offset values marking an "end of list", are either 0 or -1 (0xFFFFFFFF).
214	If a value has no name (length=0, flag(bit 0)=0), it is treated as the
215	"Default" entry...
216	If a value has no data (length=0), it is displayed as empty.
217
218	simplyfied win-3.?? registry:
219	=============================
220
221	+-----------+
222	\| next rec. \|---+ +----->+------------+
223	\| first sub \| \| \| \| Usage cnt. \|
224	\| name \| \| +-->+------------+ \| \| length \|
225	\| value \| \| \| \| next rec. \| \| \| text \|------->+-------+
226	+-----------+ \| \| \| name rec. \|--+ +------------+ \| xxxxx \|
227	+------------+ \| \| value rec. \|-------->+------------+ +-------+
228	v \| +------------+ \| Usage cnt. \|
229	+-----------+ \| \| length \|
230	\| next rec. \| \| \| text \|------->+-------+
231	\| first sub \|------+ +------------+ \| xxxxx \|
232	\| name \| +-------+
233	\| value \|
234	+-----------+
235
236	Greatly simplyfied structure of the nt-registry:
237	================================================
238
239	+---------------------------------------------------------------+
240	\| \|
241	v \|
242	+---------+ +---------->+-----------+ +----->+---------+ \|
243	\| "nk" \| \| \| lf-rec. \| \| \| nk-rec. \| \|
244	\| ID \| \| \| # of keys \| \| \| parent \|---+
245	\| Date \| \| \| 1st key \|--+ \| .... \|
246	\| parent \| \| +-----------+ +---------+
247	\| suk-keys\|-----+
248	\| values \|--------------------->+----------+
249	\| SK-rec. \|---------------+ \| 1. value \|--> +----------+
250	\| class \|--+ \| +----------+ \| vk-rec. \|
251	+---------+ \| \| \| .... \|
252	v \| \| data \|--> +-------+
253	+------------+ \| +----------+ \| xxxxx \|
254	\| Class name \| \| +-------+
255	+------------+ \|
256	v
257	+---------+ +---------+
258	+----->\| next sk \|--->\| Next sk \|--+
259	\| +---\| prev sk \|<---\| prev sk \| \|
260	\| \| \| .... \| \| ... \| \|
261	\| \| +---------+ +---------+ \|
262	\| \| ^ \|
263	\| \| \| \|
264	\| +--------------------+ \|
265	+----------------------------------+
266
267	---------------------------------------------------------------------------
268
269	Hope this helps.... (Although it was fun for me to uncover this things,
270	it took me several sleepless nights ;)
271
272	B.D.

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/doc/devel/winntreg.txt@ 253

Download in other formats: