Advertisement
opexxx

winReg.txt

Jan 22nd, 2015
331
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 20.45 KB | None | 0 0
  1. Agreement:
  2. ==========
  3.  
  4. The author of this document will not be responsible for any damage and/or
  5. license violation that may occur. The information within this document is
  6. provided "as is" without warranty of any kind...
  7. This information was "collected" during sleepless nights, and is NOT
  8. officially released by Microsoft! It shall give you a peek at the Windows(tm)
  9. internals to give you a chance to recover from corrupted data.
  10.  
  11. The author has nothing to do with Microsoft, except that he uses their
  12. products...
  13.  
  14. If you don't agree with this, stop reading this document, and delete it at
  15. once!
  16.  
  17.  
  18. History:
  19. ========
  20.  
  21. What is the registry? Where did it came from? Two questions, which I will try to
  22. answer here. The registry is a database (at least microsoft thinks so:)
  23. which contains configuration information about the system.
  24. It mainly is a memory dump which is saved to one or more files on the windows
  25. host drive. It is loaded every system-boot and remains resident until
  26. shutdown. Since parts of it are not used during normal operation it will be
  27. swapped out very soon. The registry appeared with windows 3.?? (sorry, I can't
  28. remember any earlier version :-), where it was used for file associations and
  29. the "OLE" functions (the conection between ole-id's and the applications).
  30. This is a critical information and since the registry has (almost) NO
  31. CHECKSUM information (!), it sometimes gets corrupted. This is the main
  32. reason for this doc.
  33.  
  34. Using windows 3.x, almost every configuration was done using good old ".INI"-
  35. files, which were readable but slow and limited in size (64k). In windows 95
  36. (and NT), the registry was used instead of these files. So, to edit a
  37. particular setting, you would have to run the application which manages these
  38. settings. :( but what if this app won't start? MS included a tool named
  39. REGEDIT in windows 3.?? and 95, and a REGEDT32 in windows NT. You can use
  40. these apps to edit ALL contents of the registry (in windows NT the registry
  41. supports security, as well as it provides the security for the whole system!)
  42.  
  43. An application can open a "key", write values (variables) to it and fill them
  44. with data. Each key represents also a value called "default" and can contain
  45. any number of sub-keys. This will form a tree-structure as you can see at
  46. the left half of REGEDIT. (note: REGEDIT from windows 3.?? has to be started
  47. with /V or /Y, I can't remember now)
  48.  
  49.  
  50. Where can I find the registry???
  51. ================================
  52.  
  53. That differs for each windows-version:
  54.  
  55. Version File(s) Contents
  56. 3.1x REG.DAT Complete windows 3.?? Registry
  57.  
  58. 95 SYSTEM.DAT System-values (HKEY_LOCAL_MACHINE)
  59. USER.DAT User-values (HKEY_USERS)
  60.  
  61. NT SYSTEM32\CONFIG\SAM SAM-part of the registry (=NT Security)
  62. SYSTEM32\CONFIG\SOFTWARE Software-Specific part
  63. (HKEY_LOCAL_MACHINE\SOFTWARE)
  64. SYSTEM32\CONFIG\SYSTEM System-specific part
  65. (HKEY_LOCAL_MACHINE\System)
  66. PROFILES\%USERNAME%\NTUSER.DAT User-Specific part
  67. (HKEY_CURRENT_USER\{S-1-xxx...})
  68. PROFILES\%USERNAME%\NTUSER.MAN like NTUSER.DAT but a
  69. MANDATORY-profile
  70.  
  71. If you are using a ROAMING-profile with windows NT, NTUSER.xxx can be on
  72. a network-share as well...
  73.  
  74.  
  75.  
  76. Terms
  77. =====
  78.  
  79. The registry consists of the following elements:
  80.  
  81. Hive: strating point of the structure. The name of an hive starts
  82. with the "HKEY_"-prefix. Can be seen as a "drive" in a file
  83. system.
  84.  
  85. Hive name Beschreibung 3.1 95 NT4
  86. HKEY_CLASSES_ROOT Points to the "class" key in
  87. the "HKEY_LOCAL_MACHINE" hive,
  88. the only hive in windows 3.?? X X X
  89.  
  90. HKEY_CURRENT_USER Information and settings valid
  91. for the currently logged in
  92. user. (Points to the correct X X
  93. key under "HKEY_USERS")
  94.  
  95. HKEY_CURRENT_CONFIG Settings for the currently
  96. active hardware profile.
  97. Points to "HKEY_LOCAL_MACHINE\ X X
  98. CONTROL\CONTROLSETxxx
  99.  
  100. HKEY_USERS Contains all currently active
  101. user settings. Since NT is a
  102. single user system, there
  103. will be only one key (the S-ID X X
  104. of the active user), and a
  105. ".DEFUALT" key (The settings
  106. for the CTRL-ALT-DEL environment)
  107.  
  108. HKEY_LOCALMACHINE All local settings X X
  109.  
  110. HKEY_DYN_DATA As the name says, here you'll find X
  111. dynamic data (CPU-usage,...)
  112.  
  113.  
  114. Key: A key to the registry can be seen as a directory in a file
  115. system.
  116. Value: can be seen as the registrys "file"
  117. Data: is the actual setting, can be seen as the contents of a
  118. file
  119.  
  120.  
  121. Windows 3.x
  122. ===========
  123.  
  124. This registry is the easiest one. It consists of 3 blocks, which are not
  125. "signed" at all:
  126.  
  127. Block Position Size
  128. Header 0 32 Bytes
  129. Navigation-Info 0x00000020 ???
  130. Data-Block ??? ???
  131.  
  132. The "???" marked values can be read from the header.
  133.  
  134. Header
  135. ======
  136.  
  137. Offset Size Description
  138. 0x0000 8 Byte ASCII-Text: "SHCC3.10"
  139. 0x0008 D-Word ?
  140. 0x000C D-Word ? (always equal the D-Word at 0x0008)
  141. 0x0010 D-Word Number of entrys in the navigation-block
  142. 0x0014 D-Word Offset of the data-block
  143. 0x0018 D-Word Size of the data-block
  144. 0x001C Word ?
  145. 0x001E Word ?
  146.  
  147. Values marked "?" are not important for a read-access, and therefore unknown
  148. to me...
  149.  
  150. Navigation-Block
  151. ================
  152.  
  153. This is where chaos rules! It consists of two different, 8 byte long blocks:
  154.  
  155. * Navigation-Info-Record,
  156. * Text-Info-Record
  157.  
  158. The first record in the navigation block is a navigation info record.
  159.  
  160. Navigation-Info-Record
  161.  
  162. Offset Size Contents
  163. 0x00 Word Next Key (same level)
  164. 0x02 Word First Sub-Key (one level deeper)
  165. 0x04 Word Text-Info-Record Key-Namens
  166. 0x06 Word Text-Info-Record Key-Value (default)
  167.  
  168. The values are the locical number of the block inside the file:
  169.  
  170. offset=blocksize*blocknumber+headersize
  171.  
  172. since 2 of this values are constant:
  173.  
  174. offset=8*blocknumber+0x20
  175.  
  176.  
  177. Text-Info-Record
  178. ================
  179.  
  180.  
  181. Offset Size Contents
  182. 0x00 Word ?
  183. 0x02 Word number of references to this text
  184. 0x04 Word Text-length
  185. 0x06 Word Offset of the text-string inside the data-block
  186.  
  187. To get the text-offset inside the file you have to add this offset to the
  188. data-offset inside the header.
  189.  
  190. Data-Block
  191. ==========
  192.  
  193. The data-block only consists of a collection of text-strings. Right in front
  194. of every text is a word which may or may not have a meaning. The offset in
  195. the text-info record points directly to the text, the text-size has to be
  196. defined in the text-info record too.
  197.  
  198.  
  199. Windows 95
  200. ==========
  201.  
  202. the Windows95-Registry Files:
  203.  
  204. inside the windows-directory (default: C:\WINDOWS) are 2 files which are
  205. loaded to form the registry:
  206.  
  207. SYSTEM.DAT
  208.  
  209. and
  210.  
  211. USER.DAT
  212.  
  213. This files are mapped to the following hives:
  214.  
  215. HKEY_LOCAL_MACHINE in SYSTEM.DAT
  216.  
  217. and
  218.  
  219. HKEY_USERS in USER.DAT
  220.  
  221.  
  222.  
  223. The file structure:
  224. ===================
  225.  
  226.  
  227. Both files have the same structure. Each of them consists of 3 blocks where
  228. 1 of these blocks can be repeated.
  229. Every block has a 4 byte long signature to help identify its contents.
  230.  
  231. ID Block-contents Max. size
  232. CREG Header 32 Bytes @ Offset 0
  233. RGKN Directory information
  234. (Tree-structure) ??? @ Offset 32
  235. RGDB The real data
  236. (Values and data) max. 65535 Bytes an Offset ??
  237.  
  238. these blocks are "sticked together" with no space between them, but always
  239. a multiple of 16 in size.
  240.  
  241. the CREG-Block
  242. ==============
  243.  
  244. Offset Size Inhalt
  245. 0x00000000 D-Word ASCII-"CREG" = 0x47455243
  246. 0x00000008 D-Word Offset of 1st RGDB-block
  247. 0x00000010 D-Word # of RGDB-blocks
  248.  
  249. all other values are not needed to read the registry...
  250.  
  251.  
  252. the RGKN-Block
  253. ==============
  254.  
  255. I assume that RGKN stands for ReGistry-Key-Navigation. This block contains
  256. the information needed to built the tree-structure of the registry. This
  257. block will be larger then 65536 bytes (0xFFFF)!
  258.  
  259. All offset-values are RELATIVE to the RGKN-block!
  260.  
  261. Offset Size Contents
  262. 0x00000000 D-Word ASCII-"RGKN" = 0x4E4B4752
  263. 0x00000004 D-Word Size of the RGKN-block in bytes
  264. 0x00000008 D-Word Rel. Offset of the root-record
  265. 0x00000020 ???? Tree-Records (often the 1st Record)
  266.  
  267. the Tree-Record
  268. ===============
  269.  
  270. The tree-record is a "complete" registry-key. It contains the "hash"-info
  271. for the real data stored in this key.
  272.  
  273. Offset Size Contents
  274. 0x0000 D-Word Always 0
  275. 0x0004 D-Word Hash of the key-name
  276. 0x0008 D-Word Always -1 (0xFFFFFFFF)
  277. 0x000C D-Word Offset of the owner (parent)-records
  278. 0x0010 D-Word Offset of the 1st sub-sey record
  279. 0x0014 D-Word Offset of the next record in this level
  280. 0x0018 D-Word ID-number of the real key
  281.  
  282. the 1st entry in a "usual" registry file is a nul-entry with subkeys: the
  283. hive itself. It looks the same like other keys. Even the ID-number can
  284. be any value.
  285.  
  286. The "hash"-value is a value representing the key's name. Windows will not
  287. search for the name, but for a matching hash-value. if it finds one, it
  288. will compare the actual string info, otherwise continue with the next key.
  289.  
  290. End of list-pointers are filled with -1 (0xFFFFFFFF)
  291.  
  292.  
  293. The ID-field has the following format:
  294.  
  295. Bits 31..16: Number of the corresponding RGDB-blocks
  296. Bits 15..0: continuous number inside this RGDB-block.
  297.  
  298.  
  299.  
  300. The hash-method:
  301. ================
  302.  
  303. you are looking for the key: Software\Microsoft
  304.  
  305. first you take the first part of the string and convert it to upper case
  306.  
  307. SOFTWARE
  308.  
  309. The "\" is used as a seperator only and has no meaning here.
  310. Next you initialize a D-Word with 0 and add all ASCII-values of the string
  311. which are smaller than 0x80 (128) to this D-Word.
  312.  
  313. SOFTWARE = 0x0000026B
  314.  
  315. Now you can start looking for this hash-value in the tree-record.
  316. If you want to modify key names, also modify the hash-values, since they
  317. cannot be found again (although they would be displayed in REGEDIT)
  318.  
  319. the RGDB-Block
  320. ==============
  321.  
  322. Header:
  323.  
  324. Offset Size Contents
  325. 0x0000 D-Word ASCII-"RGDB" = 0x42444752
  326. 0x0004 D-Word Size of this RGDB-block
  327. 0x0020 ???? RGDB Records
  328.  
  329.  
  330. RGDB-Record (Key-Information)
  331. =============================
  332.  
  333. Offset Size Contents
  334. 0x0000 D-Word record length in bytes
  335. 0x0004 D-Word ID-number
  336. 0x0008 D-Word ??? Size ???
  337. 0x000C Word text length of key name
  338. 0x000E Word Number of values inside this key
  339. 0x0010 D-Word always 0
  340. 0x0014 ???? Key-name
  341. 0x???? ???? Values
  342.  
  343. The first size (record length) can be used to find the next record.
  344. The second size value is only correct if the key has at least one value,
  345. otherwise it is a little lower.
  346.  
  347. The key-name is not 0-terminated, its length is defined by the key-
  348. text length field. The values are stored as records.
  349.  
  350.  
  351. Value-Record
  352. ============
  353.  
  354. Offset Size Contents
  355. 0x0000 D-Word Type of data
  356. 0x0004 D-Word always 0
  357. 0x0008 Word length of value-name
  358. 0x000A Word length of value-data
  359. 0x000C ???? value-name
  360. 0x???? ???? data
  361.  
  362. Data-Types
  363. ==========
  364.  
  365. value Contents
  366. 0x00000001 RegSZ - 0-terminated string (sometimes without the 0!)
  367. 0x00000003 RegBin - binary value (a simple data-block)
  368. 0x00000004 RegDWord - D-Word (always 4 bytes in size)
  369.  
  370.  
  371.  
  372. Windows NT (Version 4.0)
  373. ========================
  374.  
  375. Whoever thought that the registry of windows 95 and windows nt are similar
  376. will be surprised! They only look much the same, but have completely other
  377. structures!
  378. Since the RGDB-blocks in the windows 95 registry are not larger than
  379. 0xFFFF, we can see that it is optimized for a 16-bit OS...
  380. Windows NT stores its registry in a page-oriented format with blocks
  381. of 4kb (4096 = 0x1000 bytes)
  382.  
  383. The windows NT registry has 2 different blocks, where one can occure many
  384. times...
  385.  
  386. the "regf"-Block
  387. ================
  388.  
  389. "regf" is obviosly the abbreviation for "Registry file". "regf" is the
  390. signature of the header-block which is always 4kb in size, although only
  391. the first 64 bytes seem to be used and a checksum is calculated over
  392. the first 0x200 bytes only!
  393.  
  394. Offset Size Contents
  395. 0x00000000 D-Word ID: ASCII-"regf" = 0x66676572
  396. 0x00000004 D-Word ????
  397. 0x00000008 D-Word ???? Always the same value as at 0x00000004
  398. 0x0000000C Q-Word last modify date in WinNT date-format
  399. 0x00000014 D-Word 1
  400. 0x00000018 D-Word 3
  401. 0x0000001C D-Word 0
  402. 0x00000020 D-Word 1
  403. 0x00000024 D-Word Offset of 1st key record
  404. 0x00000028 D-Word Size of the data-blocks (Filesize-4kb)
  405. 0x0000002C D-Word 1
  406. 0x000001FC D-Word Sum of all D-Words from 0x00000000 to 0x000001FB
  407.  
  408. I have analyzed more registry files (from multiple machines running
  409. NT 4.0 german version) and could not find an explanation for the values
  410. marked with ???? the rest of the first 4kb page is not important...
  411.  
  412.  
  413. the "hbin"-Block
  414. ================
  415.  
  416. I don't know what "hbin" stands for, but this block is always a multiple
  417. of 4kb in size.
  418.  
  419. Inside these hbin-blocks the different records are placed. The memory-
  420. management looks like a C-compiler heap management to me...
  421.  
  422.  
  423. hbin-Header
  424. ===========
  425.  
  426. Offset Size Contents
  427. 0x0000 D-Word ID: ASCII-"hbin" = 0x6E696268
  428. 0x0004 D-Word Offset from the 1st hbin-Block
  429. 0x0008 D-Word Offset to the next hbin-Block
  430. 0x001C D-Word Block-size
  431.  
  432. The values in 0x0008 and 0x001C should be the same, so I don't know
  433. if they are correct or swapped...
  434.  
  435. From offset 0x0020 inside a hbin-block data is stored with the following
  436. format:
  437.  
  438.  
  439. Offset Size Contents
  440. 0x0000 D-Word Data-block size
  441. 0x0004 ???? Data
  442.  
  443. If the size field is negative (bit 31 set), the corresponding block
  444. is free and has a size of -blocksize!
  445. The data is stored as one record per block. Block size is a multiple
  446. of 4 and the last block reaches the next hbin-block, leaving no room.
  447.  
  448.  
  449. Records in the hbin-blocks
  450. ==========================
  451.  
  452.  
  453. nk-Record
  454.  
  455. The nk-record can be treated as a kombination of tree-record and
  456. key-record of the win 95 registry.
  457.  
  458. lf-Record
  459.  
  460. The lf-record is the counterpart to the RGKN-record (the hash-function)
  461.  
  462. vk-Record
  463.  
  464. The vk-record consists information to a single value.
  465.  
  466. sk-Record
  467.  
  468. sk (? Security Key ?) is the ACL of the registry.
  469.  
  470. Value-Lists
  471.  
  472. The value-lists contain information about which values are inside a
  473. sub-key and don't have a header.
  474.  
  475. Datas
  476.  
  477. The datas of the registry are (like the value-list) stored without a
  478. header.
  479.  
  480.  
  481. All offset-values are relative to the first hbin-block and point to the block-
  482. size field of the record-entry. to get the file offset, you have to add
  483. the header size (4kb) and the size field (4 bytes)...
  484.  
  485. the nk-Record
  486. =============
  487.  
  488. Offset Size Contents
  489. 0x0000 Word ID: ASCII-"nk" = 0x6B6E
  490. 0x0002 Word for the root-key: 0x2C, otherwise 0x20
  491. 0x0004 Q-Word write-date/time in windows nt notation
  492. 0x0010 D-Word Offset of Owner/Parent key
  493. 0x0014 D-Word number of sub-Keys
  494. 0x001C D-Word Offset of the sub-key lf-Records
  495. 0x0024 D-Word number of values
  496. 0x0028 D-Word Offset of the Value-List
  497. 0x002C D-Word Offset of the sk-Record
  498. 0x0030 D-Word Offset of the Class-Name
  499. 0x0044 D-Word Unused (data-trash)
  500. 0x0048 Word name-length
  501. 0x004A Word class-name length
  502. 0x004C ???? key-name
  503.  
  504. the Value-List
  505. ==============
  506.  
  507. Offset Size Contents
  508. 0x0000 D-Word Offset 1st Value
  509. 0x0004 D-Word Offset 2nd Value
  510. 0x???? D-Word Offset nth Value
  511.  
  512. To determine the number of values, you have to look at the
  513. owner-nk-record!
  514.  
  515. Der vk-Record
  516. =============
  517.  
  518. Offset Size Contents
  519. 0x0000 Word ID: ASCII-"vk" = 0x6B76
  520. 0x0002 Word name length
  521. 0x0004 D-Word length of the data
  522. 0x0008 D-Word Offset of Data
  523. 0x000C D-Word Type of value
  524. 0x0010 Word Flag
  525. 0x0012 Word Unused (data-trash)
  526. 0x0014 ???? Name
  527.  
  528. If bit 0 of the flag-word is set, a name is present, otherwise the
  529. value has no name (=default)
  530. If the data-size is lower 5, the data-offset value is used to store
  531. the data itself!
  532.  
  533.  
  534. The data-types
  535. ==============
  536.  
  537. Wert Beteutung
  538. 0x0001 RegSZ: character string (in UNICODE!)
  539. 0x0002 ExpandSZ: string with "%var%" expanding (UNICODE!)
  540. 0x0003 RegBin: raw-binary value
  541. 0x0004 RegDWord: Dword
  542. 0x0007 RegMultiSZ: multiple strings, seperated with 0
  543. (UNICODE!)
  544.  
  545. The "lf"-record
  546. ===============
  547.  
  548. Offset Size Contents
  549. 0x0000 Word ID: ASCII-"lf" = 0x666C
  550. 0x0002 Word number of keys
  551. 0x0004 ???? Hash-Records
  552.  
  553. Hash-Record
  554. ===========
  555.  
  556. Offset Size Contents
  557. 0x0000 D-Word Offset of corresponding "nk"-Record
  558. 0x0004 D-Word ASCII: the first 4 characters of the key-name,
  559. padded with 0's. Case sensitiv!
  560.  
  561. Keep in mind, that the value at 0x0004 is used for checking the
  562. data-consistency! If you change the key-name you have to change the
  563. hash-value too!
  564.  
  565. The "sk"-block
  566. ==============
  567.  
  568. (due to the complexity of the SAM-info, not clear jet)
  569.  
  570. Offset Size Contents
  571. 0x0000 Word ID: ASCII-"sk" = 0x6B73
  572. 0x0002 Word Unused
  573. 0x0004 D-Word Offset of previous "sk"-Record
  574. 0x0008 D-Word Offset of next "sk"-Record
  575. 0x000C D-Word usage-counter
  576. 0x0010 D-Word Size of "sk"-record in bytes
  577. ????
  578. ???? ???? Security and auditing settings...
  579. ????
  580.  
  581. The usage counter counts the number of references to this
  582. "sk"-record. You can use one "sk"-record for the entire registry!
  583.  
  584.  
  585. Windows nt date/time format
  586. ===========================
  587.  
  588. The time-format is a 64-bit integer which is incremented every
  589. 0,0000001 seconds by 1 (I don't know how accurate it realy is!)
  590. It starts with 0 at the 1st of january 1601 0:00! All values are
  591. stored in GMT time! The time-zone is important to get the real
  592. time!
  593.  
  594.  
  595.  
  596. Common values for win95 and win-nt
  597. ==================================
  598.  
  599. Offset values marking an "end of list", are either 0 or -1 (0xFFFFFFFF).
  600. If a value has no name (length=0, flag(bit 0)=0), it is treated as the
  601. "Default" entry...
  602. If a value has no data (length=0), it is displayed as empty.
  603.  
  604.  
  605.  
  606. simplyfied win-3.?? registry:
  607. =============================
  608.  
  609.  
  610.  
  611. +-----------+
  612. | next rec. |---+ +-----> +------------+
  613. | first sub | | | | Usage cnt. |
  614. | name | | +--> +------------+ | | length |
  615. | value | | | | next rec. | | | text |-------> +-------+
  616. +-----------+ | | | name rec. |--+ +------------+ | xxxxx |
  617. +------------+ | | value rec. |--------> +------------+ +-------+
  618. v | +------------+ | Usage cnt. |
  619. +-----------+ | | length |
  620. | next rec. | | | text |-------> +-------+
  621. | first sub |------+ +------------+ | xxxxx |
  622. | name | +-------+
  623. | value |
  624. +-----------+
  625.  
  626.  
  627.  
  628. Greatly simplyfied structure of the nt-registry:
  629. ================================================
  630.  
  631.  
  632. +-------------------------------------------------------------------------+
  633. v |
  634. +---------------+ +-------------> +-----------+ +------> +---------+ |
  635. | "nk" | | | lf-rec. | | | nk-rec. | |
  636. | ID | | | # of keys | | | parent |---+
  637. | Date | | | 1st key |--+ | .... |
  638. | parent | | +-----------+ +---------+
  639. | suk-keys |-------+
  640. | values |---------------------> +----------+
  641. | SK-rec. |---------------+ | 1. value |--> +----------+
  642. | class |--+ | +----------+ | vk-rec. |
  643. +---------------+ | | | .... |
  644. v | | data |--> +-------+
  645. +------------+ | +----------+ | xxxxx |
  646. | Class name | | +-------+
  647. +------------+ |
  648. v
  649. +---------+ +---------+
  650. +-----> | next sk |---> | Next sk |--+
  651. | +---| prev sk | <---| prev sk | |
  652. | | | .... | | ... | |
  653. | | +---------+ +---------+ |
  654. | | ^ |
  655. | +--------------------+ |
  656. +------------------------------------+
  657.  
  658. --------------------------------------------------------------------------------
  659.  
  660. Hope this helps.... (Although it was "fun" for me to uncover this things,
  661. it took me several sleepless nights ;)
  662.  
  663. B.D.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement