winReg.txt

1. Agreement:
2. ==========
3.  
4. The author of this document will not be responsible for any damage and/or
5. license violation that may occur. The information within this document is
6. provided "as is" without warranty of any kind...
7. This information was "collected" during sleepless nights, and is NOT
8. officially released by Microsoft! It shall give you a peek at the Windows(tm)
9. internals to give you a chance to recover from corrupted data.
10.  
11. The author has nothing to do with Microsoft, except that he uses their
12. products...
13.  
14. If you don't agree with this, stop reading this document, and delete it at
15. once!
16.  
17.  
18. History:
19. ========
20.  
21. What is the registry? Where did it came from? Two questions, which I will try to
22. answer here. The registry is a database (at least microsoft thinks so:)
23. which contains configuration information about the system.
24. It mainly is a memory dump which is saved to one or more files on the windows
25. host drive. It is loaded every system-boot and remains resident until
26. shutdown. Since parts of it are not used during normal operation it will be
27. swapped out very soon. The registry appeared with windows 3.?? (sorry, I can't
28. remember any earlier version :-), where it was used for file associations and
29. the "OLE" functions (the conection between ole-id's and the applications).
30. This is a critical information and since the registry has (almost) NO
31. CHECKSUM information (!), it sometimes gets corrupted. This is the main
32. reason for this doc.
33.  
34. Using windows 3.x, almost every configuration was done using good old ".INI"-
35. files, which were readable but slow and limited in size (64k). In windows 95
36. (and NT), the registry was used instead of these files. So, to edit a
37. particular setting, you would have to run the application which manages these
38. settings. :( but what if this app won't start? MS included a tool named
39. REGEDIT in windows 3.?? and 95, and a REGEDT32 in windows NT. You can use
40. these apps to edit ALL contents of the registry (in windows NT the registry
41. supports security, as well as it provides the security for the whole system!)
42.  
43. An application can open a "key", write values (variables) to it and fill them
44. with data. Each key represents also a value called "default" and can contain
45. any number of sub-keys. This will form a tree-structure as you can see at
46. the left half of REGEDIT. (note: REGEDIT from windows 3.?? has to be started
47. with /V or /Y, I can't remember now)
48.  
49.  
50. Where can I find the registry???
51. ================================
52.  
53. That differs for each windows-version:
54.  
55. Version File(s) Contents
56. 3.1x REG.DAT Complete windows 3.?? Registry
57.  
58. 95 SYSTEM.DAT System-values (HKEY_LOCAL_MACHINE)
59. USER.DAT User-values (HKEY_USERS)
60.  
61. NT SYSTEM32\CONFIG\SAM SAM-part of the registry (=NT Security)
62. SYSTEM32\CONFIG\SOFTWARE Software-Specific part
63. (HKEY_LOCAL_MACHINE\SOFTWARE)
64. SYSTEM32\CONFIG\SYSTEM System-specific part
65. (HKEY_LOCAL_MACHINE\System)
66. PROFILES\%USERNAME%\NTUSER.DAT User-Specific part
67. (HKEY_CURRENT_USER\{S-1-xxx...})
68. PROFILES\%USERNAME%\NTUSER.MAN like NTUSER.DAT but a
69. MANDATORY-profile
70.  
71. If you are using a ROAMING-profile with windows NT, NTUSER.xxx can be on
72. a network-share as well...
73.  
74.  
75.  
76. Terms
77. =====
78.  
79. The registry consists of the following elements:
80.  
81. Hive: strating point of the structure. The name of an hive starts
82. with the "HKEY_"-prefix. Can be seen as a "drive" in a file
83. system.
84.  
85. Hive name Beschreibung 3.1 95 NT4
86. HKEY_CLASSES_ROOT Points to the "class" key in
87. the "HKEY_LOCAL_MACHINE" hive,
88. the only hive in windows 3.?? X X X
89.  
90. HKEY_CURRENT_USER Information and settings valid
91. for the currently logged in
92. user. (Points to the correct X X
93. key under "HKEY_USERS")
94.  
95. HKEY_CURRENT_CONFIG Settings for the currently
96. active hardware profile.
97. Points to "HKEY_LOCAL_MACHINE\ X X
98. CONTROL\CONTROLSETxxx
99.  
100. HKEY_USERS Contains all currently active
101. user settings. Since NT is a
102. single user system, there
103. will be only one key (the S-ID X X
104. of the active user), and a
105. ".DEFUALT" key (The settings
106. for the CTRL-ALT-DEL environment)
107.  
108. HKEY_LOCALMACHINE All local settings X X
109.  
110. HKEY_DYN_DATA As the name says, here you'll find X
111. dynamic data (CPU-usage,...)
112.  
113.  
114. Key: A key to the registry can be seen as a directory in a file
115. system.
116. Value: can be seen as the registrys "file"
117. Data: is the actual setting, can be seen as the contents of a
118. file
119.  
120.  
121. Windows 3.x
122. ===========
123.  
124. This registry is the easiest one. It consists of 3 blocks, which are not
125. "signed" at all:
126.  
127. Block Position Size
128. Header 0 32 Bytes
129. Navigation-Info 0x00000020 ???
130. Data-Block ??? ???
131.  
132. The "???" marked values can be read from the header.
133.  
134. Header
135. ======
136.  
137. Offset Size Description
138. 0x0000 8 Byte ASCII-Text: "SHCC3.10"
139. 0x0008 D-Word ?
140. 0x000C D-Word ? (always equal the D-Word at 0x0008)
141. 0x0010 D-Word Number of entrys in the navigation-block
142. 0x0014 D-Word Offset of the data-block
143. 0x0018 D-Word Size of the data-block
144. 0x001C Word ?
145. 0x001E Word ?
146.  
147. Values marked "?" are not important for a read-access, and therefore unknown
148. to me...
149.  
150. Navigation-Block
151. ================
152.  
153. This is where chaos rules! It consists of two different, 8 byte long blocks:
154.  
155. * Navigation-Info-Record,
156. * Text-Info-Record
157.  
158. The first record in the navigation block is a navigation info record.
159.  
160. Navigation-Info-Record
161.  
162. Offset Size Contents
163. 0x00 Word Next Key (same level)
164. 0x02 Word First Sub-Key (one level deeper)
165. 0x04 Word Text-Info-Record Key-Namens
166. 0x06 Word Text-Info-Record Key-Value (default)
167.  
168. The values are the locical number of the block inside the file:
169.  
170. offset=blocksize*blocknumber+headersize
171.  
172. since 2 of this values are constant:
173.  
174. offset=8*blocknumber+0x20
175.  
176.  
177. Text-Info-Record
178. ================
179.  
180.  
181. Offset Size Contents
182. 0x00 Word ?
183. 0x02 Word number of references to this text
184. 0x04 Word Text-length
185. 0x06 Word Offset of the text-string inside the data-block
186.  
187. To get the text-offset inside the file you have to add this offset to the
188. data-offset inside the header.
189.  
190. Data-Block
191. ==========
192.  
193. The data-block only consists of a collection of text-strings. Right in front
194. of every text is a word which may or may not have a meaning. The offset in
195. the text-info record points directly to the text, the text-size has to be
196. defined in the text-info record too.
197.  
198.  
199. Windows 95
200. ==========
201.  
202. the Windows95-Registry Files:
203.  
204. inside the windows-directory (default: C:\WINDOWS) are 2 files which are
205. loaded to form the registry:
206.  
207. SYSTEM.DAT
208.  
209. and
210.  
211. USER.DAT
212.  
213. This files are mapped to the following hives:
214.  
215. HKEY_LOCAL_MACHINE in SYSTEM.DAT
216.  
217. and
218.  
219. HKEY_USERS in USER.DAT
220.  
221.  
222.  
223. The file structure:
224. ===================
225.  
226.  
227. Both files have the same structure. Each of them consists of 3 blocks where
228. 1 of these blocks can be repeated.
229. Every block has a 4 byte long signature to help identify its contents.
230.  
231. ID Block-contents Max. size
232. CREG Header 32 Bytes @ Offset 0
233. RGKN Directory information
234. (Tree-structure) ??? @ Offset 32
235. RGDB The real data
236. (Values and data) max. 65535 Bytes an Offset ??
237.  
238. these blocks are "sticked together" with no space between them, but always
239. a multiple of 16 in size.
240.  
241. the CREG-Block
242. ==============
243.  
244. Offset Size Inhalt
245. 0x00000000 D-Word ASCII-"CREG" = 0x47455243
246. 0x00000008 D-Word Offset of 1st RGDB-block
247. 0x00000010 D-Word # of RGDB-blocks
248.  
249. all other values are not needed to read the registry...
250.  
251.  
252. the RGKN-Block
253. ==============
254.  
255. I assume that RGKN stands for ReGistry-Key-Navigation. This block contains
256. the information needed to built the tree-structure of the registry. This
257. block will be larger then 65536 bytes (0xFFFF)!
258.  
259. All offset-values are RELATIVE to the RGKN-block!
260.  
261. Offset Size Contents
262. 0x00000000 D-Word ASCII-"RGKN" = 0x4E4B4752
263. 0x00000004 D-Word Size of the RGKN-block in bytes
264. 0x00000008 D-Word Rel. Offset of the root-record
265. 0x00000020 ???? Tree-Records (often the 1st Record)
266.  
267. the Tree-Record
268. ===============
269.  
270. The tree-record is a "complete" registry-key. It contains the "hash"-info
271. for the real data stored in this key.
272.  
273. Offset Size Contents
274. 0x0000 D-Word Always 0
275. 0x0004 D-Word Hash of the key-name
276. 0x0008 D-Word Always -1 (0xFFFFFFFF)
277. 0x000C D-Word Offset of the owner (parent)-records
278. 0x0010 D-Word Offset of the 1st sub-sey record
279. 0x0014 D-Word Offset of the next record in this level
280. 0x0018 D-Word ID-number of the real key
281.  
282. the 1st entry in a "usual" registry file is a nul-entry with subkeys: the
283. hive itself. It looks the same like other keys. Even the ID-number can
284. be any value.
285.  
286. The "hash"-value is a value representing the key's name. Windows will not
287. search for the name, but for a matching hash-value. if it finds one, it
288. will compare the actual string info, otherwise continue with the next key.
289.  
290. End of list-pointers are filled with -1 (0xFFFFFFFF)
291.  
292.  
293. The ID-field has the following format:
294.  
295. Bits 31..16: Number of the corresponding RGDB-blocks
296. Bits 15..0: continuous number inside this RGDB-block.
297.  
298.  
299.  
300. The hash-method:
301. ================
302.  
303. you are looking for the key: Software\Microsoft
304.  
305. first you take the first part of the string and convert it to upper case
306.  
307. SOFTWARE
308.  
309. The "\" is used as a seperator only and has no meaning here.
310. Next you initialize a D-Word with 0 and add all ASCII-values of the string
311. which are smaller than 0x80 (128) to this D-Word.
312.  
313. SOFTWARE = 0x0000026B
314.  
315. Now you can start looking for this hash-value in the tree-record.
316. If you want to modify key names, also modify the hash-values, since they
317. cannot be found again (although they would be displayed in REGEDIT)
318.  
319. the RGDB-Block
320. ==============
321.  
322. Header:
323.  
324. Offset Size Contents
325. 0x0000 D-Word ASCII-"RGDB" = 0x42444752
326. 0x0004 D-Word Size of this RGDB-block
327. 0x0020 ???? RGDB Records
328.  
329.  
330. RGDB-Record (Key-Information)
331. =============================
332.  
333. Offset Size Contents
334. 0x0000 D-Word record length in bytes
335. 0x0004 D-Word ID-number
336. 0x0008 D-Word ??? Size ???
337. 0x000C Word text length of key name
338. 0x000E Word Number of values inside this key
339. 0x0010 D-Word always 0
340. 0x0014 ???? Key-name
341. 0x???? ???? Values
342.  
343. The first size (record length) can be used to find the next record.
344. The second size value is only correct if the key has at least one value,
345. otherwise it is a little lower.
346.  
347. The key-name is not 0-terminated, its length is defined by the key-
348. text length field. The values are stored as records.
349.  
350.  
351. Value-Record
352. ============
353.  
354. Offset Size Contents
355. 0x0000 D-Word Type of data
356. 0x0004 D-Word always 0
357. 0x0008 Word length of value-name
358. 0x000A Word length of value-data
359. 0x000C ???? value-name
360. 0x???? ???? data
361.  
362. Data-Types
363. ==========
364.  
365. value Contents
366. 0x00000001 RegSZ - 0-terminated string (sometimes without the 0!)
367. 0x00000003 RegBin - binary value (a simple data-block)
368. 0x00000004 RegDWord - D-Word (always 4 bytes in size)
369.  
370.  
371.  
372. Windows NT (Version 4.0)
373. ========================
374.  
375. Whoever thought that the registry of windows 95 and windows nt are similar
376. will be surprised! They only look much the same, but have completely other
377. structures!
378. Since the RGDB-blocks in the windows 95 registry are not larger than
379. 0xFFFF, we can see that it is optimized for a 16-bit OS...
380. Windows NT stores its registry in a page-oriented format with blocks
381. of 4kb (4096 = 0x1000 bytes)
382.  
383. The windows NT registry has 2 different blocks, where one can occure many
384. times...
385.  
386. the "regf"-Block
387. ================
388.  
389. "regf" is obviosly the abbreviation for "Registry file". "regf" is the
390. signature of the header-block which is always 4kb in size, although only
391. the first 64 bytes seem to be used and a checksum is calculated over
392. the first 0x200 bytes only!
393.  
394. Offset Size Contents
395. 0x00000000 D-Word ID: ASCII-"regf" = 0x66676572
396. 0x00000004 D-Word ????
397. 0x00000008 D-Word ???? Always the same value as at 0x00000004
398. 0x0000000C Q-Word last modify date in WinNT date-format
399. 0x00000014 D-Word 1
400. 0x00000018 D-Word 3
401. 0x0000001C D-Word 0
402. 0x00000020 D-Word 1
403. 0x00000024 D-Word Offset of 1st key record
404. 0x00000028 D-Word Size of the data-blocks (Filesize-4kb)
405. 0x0000002C D-Word 1
406. 0x000001FC D-Word Sum of all D-Words from 0x00000000 to 0x000001FB
407.  
408. I have analyzed more registry files (from multiple machines running
409. NT 4.0 german version) and could not find an explanation for the values
410. marked with ???? the rest of the first 4kb page is not important...
411.  
412.  
413. the "hbin"-Block
414. ================
415.  
416. I don't know what "hbin" stands for, but this block is always a multiple
417. of 4kb in size.
418.  
419. Inside these hbin-blocks the different records are placed. The memory-
420. management looks like a C-compiler heap management to me...
421.  
422.  
423. hbin-Header
424. ===========
425.  
426. Offset Size Contents
427. 0x0000 D-Word ID: ASCII-"hbin" = 0x6E696268
428. 0x0004 D-Word Offset from the 1st hbin-Block
429. 0x0008 D-Word Offset to the next hbin-Block
430. 0x001C D-Word Block-size
431.  
432. The values in 0x0008 and 0x001C should be the same, so I don't know
433. if they are correct or swapped...
434.  
435. From offset 0x0020 inside a hbin-block data is stored with the following
436. format:
437.  
438.  
439. Offset Size Contents
440. 0x0000 D-Word Data-block size
441. 0x0004 ???? Data
442.  
443. If the size field is negative (bit 31 set), the corresponding block
444. is free and has a size of -blocksize!
445. The data is stored as one record per block. Block size is a multiple
446. of 4 and the last block reaches the next hbin-block, leaving no room.
447.  
448.  
449. Records in the hbin-blocks
450. ==========================
451.  
452.  
453. nk-Record
454.  
455. The nk-record can be treated as a kombination of tree-record and
456. key-record of the win 95 registry.
457.  
458. lf-Record
459.  
460. The lf-record is the counterpart to the RGKN-record (the hash-function)
461.  
462. vk-Record
463.  
464. The vk-record consists information to a single value.
465.  
466. sk-Record
467.  
468. sk (? Security Key ?) is the ACL of the registry.
469.  
470. Value-Lists
471.  
472. The value-lists contain information about which values are inside a
473. sub-key and don't have a header.
474.  
475. Datas
476.  
477. The datas of the registry are (like the value-list) stored without a
478. header.
479.  
480.  
481. All offset-values are relative to the first hbin-block and point to the block-
482. size field of the record-entry. to get the file offset, you have to add
483. the header size (4kb) and the size field (4 bytes)...
484.  
485. the nk-Record
486. =============
487.  
488. Offset Size Contents
489. 0x0000 Word ID: ASCII-"nk" = 0x6B6E
490. 0x0002 Word for the root-key: 0x2C, otherwise 0x20
491. 0x0004 Q-Word write-date/time in windows nt notation
492. 0x0010 D-Word Offset of Owner/Parent key
493. 0x0014 D-Word number of sub-Keys
494. 0x001C D-Word Offset of the sub-key lf-Records
495. 0x0024 D-Word number of values
496. 0x0028 D-Word Offset of the Value-List
497. 0x002C D-Word Offset of the sk-Record
498. 0x0030 D-Word Offset of the Class-Name
499. 0x0044 D-Word Unused (data-trash)
500. 0x0048 Word name-length
501. 0x004A Word class-name length
502. 0x004C ???? key-name
503.  
504. the Value-List
505. ==============
506.  
507. Offset Size Contents
508. 0x0000 D-Word Offset 1st Value
509. 0x0004 D-Word Offset 2nd Value
510. 0x???? D-Word Offset nth Value
511.  
512. To determine the number of values, you have to look at the
513. owner-nk-record!
514.  
515. Der vk-Record
516. =============
517.  
518. Offset Size Contents
519. 0x0000 Word ID: ASCII-"vk" = 0x6B76
520. 0x0002 Word name length
521. 0x0004 D-Word length of the data
522. 0x0008 D-Word Offset of Data
523. 0x000C D-Word Type of value
524. 0x0010 Word Flag
525. 0x0012 Word Unused (data-trash)
526. 0x0014 ???? Name
527.  
528. If bit 0 of the flag-word is set, a name is present, otherwise the
529. value has no name (=default)
530. If the data-size is lower 5, the data-offset value is used to store
531. the data itself!
532.  
533.  
534. The data-types
535. ==============
536.  
537. Wert Beteutung
538. 0x0001 RegSZ: character string (in UNICODE!)
539. 0x0002 ExpandSZ: string with "%var%" expanding (UNICODE!)
540. 0x0003 RegBin: raw-binary value
541. 0x0004 RegDWord: Dword
542. 0x0007 RegMultiSZ: multiple strings, seperated with 0
543. (UNICODE!)
544.  
545. The "lf"-record
546. ===============
547.  
548. Offset Size Contents
549. 0x0000 Word ID: ASCII-"lf" = 0x666C
550. 0x0002 Word number of keys
551. 0x0004 ???? Hash-Records
552.  
553. Hash-Record
554. ===========
555.  
556. Offset Size Contents
557. 0x0000 D-Word Offset of corresponding "nk"-Record
558. 0x0004 D-Word ASCII: the first 4 characters of the key-name,
559. padded with 0's. Case sensitiv!
560.  
561. Keep in mind, that the value at 0x0004 is used for checking the
562. data-consistency! If you change the key-name you have to change the
563. hash-value too!
564.  
565. The "sk"-block
566. ==============
567.  
568. (due to the complexity of the SAM-info, not clear jet)
569.  
570. Offset Size Contents
571. 0x0000 Word ID: ASCII-"sk" = 0x6B73
572. 0x0002 Word Unused
573. 0x0004 D-Word Offset of previous "sk"-Record
574. 0x0008 D-Word Offset of next "sk"-Record
575. 0x000C D-Word usage-counter
576. 0x0010 D-Word Size of "sk"-record in bytes
577. ????
578. ???? ???? Security and auditing settings...
579. ????
580.  
581. The usage counter counts the number of references to this
582. "sk"-record. You can use one "sk"-record for the entire registry!
583.  
584.  
585. Windows nt date/time format
586. ===========================
587.  
588. The time-format is a 64-bit integer which is incremented every
589. 0,0000001 seconds by 1 (I don't know how accurate it realy is!)
590. It starts with 0 at the 1st of january 1601 0:00! All values are
591. stored in GMT time! The time-zone is important to get the real
592. time!
593.  
594.  
595.  
596. Common values for win95 and win-nt
597. ==================================
598.  
599. Offset values marking an "end of list", are either 0 or -1 (0xFFFFFFFF).
600. If a value has no name (length=0, flag(bit 0)=0), it is treated as the
601. "Default" entry...
602. If a value has no data (length=0), it is displayed as empty.
603.  
604.  
605.  
606. simplyfied win-3.?? registry:
607. =============================
608.  
609.  
610.  
611. +-----------+
612. | next rec. |---+ +-----> +------------+
613. | first sub | | | | Usage cnt. |
614. | name | | +--> +------------+ | | length |
615. | value | | | | next rec. | | | text |-------> +-------+
616. +-----------+ | | | name rec. |--+ +------------+ | xxxxx |
617. +------------+ | | value rec. |--------> +------------+ +-------+
618. v | +------------+ | Usage cnt. |
619. +-----------+ | | length |
620. | next rec. | | | text |-------> +-------+
621. | first sub |------+ +------------+ | xxxxx |
622. | name | +-------+
623. | value |
624. +-----------+
625.  
626.  
627.  
628. Greatly simplyfied structure of the nt-registry:
629. ================================================
630.  
631.  
632. +-------------------------------------------------------------------------+
633. v |
634. +---------------+ +-------------> +-----------+ +------> +---------+ |
635. | "nk" | | | lf-rec. | | | nk-rec. | |
636. | ID | | | # of keys | | | parent |---+
637. | Date | | | 1st key |--+ | .... |
638. | parent | | +-----------+ +---------+
639. | suk-keys |-------+
640. | values |---------------------> +----------+
641. | SK-rec. |---------------+ | 1. value |--> +----------+
642. | class |--+ | +----------+ | vk-rec. |
643. +---------------+ | | | .... |
644. v | | data |--> +-------+
645. +------------+ | +----------+ | xxxxx |
646. | Class name | | +-------+
647. +------------+ |
648. v
649. +---------+ +---------+
650. +-----> | next sk |---> | Next sk |--+
651. | +---| prev sk | <---| prev sk | |
652. | | | .... | | ... | |
653. | | +---------+ +---------+ |
654. | | ^ |
655. | +--------------------+ |
656. +------------------------------------+
657.  
658. --------------------------------------------------------------------------------
659.  
660. Hope this helps.... (Although it was "fun" for me to uncover this things,
661. it took me several sleepless nights ;)
662.  
663. B.D.