📄 winreg.htm
字号:
0x0014 ???? key-name
0x???? ???? values</pre>
<pre>the first size (record length) can be used to find the next record.
the second size value is only correct if the key has at least one value,
otherwise it is a little lower.</pre>
<pre>the key-name is not 0-terminated, its length is defined by the key-
text length field. the values are stored as records.
</pre>
<pre>value-record
============</pre>
<pre>offset size contents
0x0000 d-word type of data
0x0004 d-word always 0
0x0008 word length of value-name
0x000a word length of value-data
0x000c ???? value-name
0x???? ???? data</pre>
<pre>data-types
==========</pre>
<pre>value contents
0x00000001 regsz - 0-terminated string (sometimes without the 0!)
0x00000003 regbin - binary value (a simple data-block)
0x00000004 regdword - d-word (always 4 bytes in size)
</pre>
<pre>windows nt (version 4.0)
========================</pre>
<pre>whoever thought that the registry of windows 95 and windows nt are similar
will be surprised! they only look much the same, but have completely other
structures!
since the rgdb-blocks in the windows 95 registry are not larger than
0xffff, we can see that it is optimized for a 16-bit os...
windows nt stores its registry in a page-oriented format with blocks
of 4kb (4096 = 0x1000 bytes)</pre>
<pre>the windows nt registry has 2 different blocks, where one can occure many
times...</pre>
<pre>the "regf"-block
================</pre>
<pre>"regf" is obviosly the abbreviation for "registry file". "regf" is the
signature of the header-block which is always 4kb in size, although only
the first 64 bytes seem to be used and a checksum is calculated over
the first 0x200 bytes only!</pre>
<pre>offset size contents
0x00000000 d-word id: ascii-"regf" = 0x66676572
0x00000004 d-word ????
0x00000008 d-word ???? always the same value as at 0x00000004
0x0000000c q-word last modify date in winnt date-format
0x00000014 d-word 1
0x00000018 d-word 3
0x0000001c d-word 0
0x00000020 d-word 1
0x00000024 d-word offset of 1st key record
0x00000028 d-word size of the data-blocks (filesize-4kb)
0x0000002c d-word 1
0x000001fc d-word sum of all d-words from 0x00000000 to 0x000001fb</pre>
<pre>i have analyzed more registry files (from multiple machines running
nt 4.0 german version) and could not find an explanation for the values
marked with ???? the rest of the first 4kb page is not important...
</pre>
<pre>the "hbin"-block
================</pre>
<pre>i don't know what "hbin" stands for, but this block is always a multiple
of 4kb in size.</pre>
<pre>inside these hbin-blocks the different records are placed. the memory-
management looks like a c-compiler heap management to me...
</pre>
<pre>hbin-header
===========</pre>
<pre>offset size contents
0x0000 d-word id: ascii-"hbin" = 0x6e696268
0x0004 d-word offset from the 1st hbin-block
0x0008 d-word offset to the next hbin-block
0x001c d-word block-size</pre>
<pre>the values in 0x0008 and 0x001c should be the same, so i don't know
if they are correct or swapped...</pre>
<pre>from offset 0x0020 inside a hbin-block data is stored with the following
format:
</pre>
<pre>offset size contents
0x0000 d-word data-block size
0x0004 ???? data</pre>
<pre>if the size field is negative (bit 31 set), the corresponding block
is free and has a size of -blocksize!
the data is stored as one record per block. block size is a multiple
of 4 and the last block reaches the next hbin-block, leaving no room.
</pre>
<pre>records in the hbin-blocks
==========================
</pre>
<pre>nk-record</pre>
<pre> the nk-record can be treated as a kombination of tree-record and
key-record of the win 95 registry.</pre>
<pre>lf-record</pre>
<pre> the lf-record is the counterpart to the rgkn-record (the hash-function)</pre>
<pre>vk-record</pre>
<pre> the vk-record consists information to a single value.</pre>
<pre>sk-record</pre>
<pre> sk (? security key ?) is the acl of the registry.</pre>
<pre>value-lists</pre>
<pre> the value-lists contain information about which values are inside a
sub-key and don't have a header.</pre>
<pre>datas</pre>
<pre> the datas of the registry are (like the value-list) stored without a
header.
</pre>
<pre>all offset-values are relative to the first hbin-block and point to the block-
size field of the record-entry. to get the file offset, you have to add
the header size (4kb) and the size field (4 bytes)...</pre>
<pre>the nk-record
=============</pre>
<pre>offset size contents
0x0000 word id: ascii-"nk" = 0x6b6e
0x0002 word for the root-key: 0x2c, otherwise 0x20
0x0004 q-word write-date/time in windows nt notation
0x0010 d-word offset of owner/parent key
0x0014 d-word number of sub-keys
0x001c d-word offset of the sub-key lf-records
0x0024 d-word number of values
0x0028 d-word offset of the value-list
0x002c d-word offset of the sk-record
0x0030 d-word offset of the class-name
0x0044 d-word unused (data-trash)
0x0048 word name-length
0x004a word class-name length
0x004c ???? key-name</pre>
<pre>the value-list
==============</pre>
<pre>offset size contents
0x0000 d-word offset 1st value
0x0004 d-word offset 2nd value
0x???? d-word offset nth value</pre>
<pre>to determine the number of values, you have to look at the
owner-nk-record!</pre>
<pre>der vk-record
=============</pre>
<pre>offset size contents
0x0000 word id: ascii-"vk" = 0x6b76
0x0002 word name length
0x0004 d-word length of the data
0x0008 d-word offset of data
0x000c d-word type of value
0x0010 word flag
0x0012 word unused (data-trash)
0x0014 ???? name</pre>
<pre>if bit 0 of the flag-word is set, a name is present, otherwise the
value has no name (=default)
if the data-size is lower 5, the data-offset value is used to store
the data itself!
</pre>
<pre>the data-types
==============</pre>
<pre>wert beteutung
0x0001 regsz: character string (in unicode!)
0x0002 expandsz: string with "%var%" expanding (unicode!)
0x0003 regbin: raw-binary value
0x0004 regdword: dword
0x0007 regmultisz: multiple strings, seperated with 0
(unicode!)</pre>
<pre>the "lf"-record
===============</pre>
<pre>offset size contents
0x0000 word id: ascii-"lf" = 0x666c
0x0002 word number of keys
0x0004 ???? hash-records</pre>
<pre>hash-record
===========</pre>
<pre>offset size contents
0x0000 d-word offset of corresponding "nk"-record
0x0004 d-word ascii: the first 4 characters of the key-name,
padded with 0's. case sensitiv!</pre>
<pre>keep in mind, that the value at 0x0004 is used for checking the
data-consistency! if you change the key-name you have to change the
hash-value too!</pre>
<pre>the "sk"-block
==============</pre>
<pre>(due to the complexity of the sam-info, not clear jet)</pre>
<pre>offset size contents
0x0000 word id: ascii-"sk" = 0x6b73
0x0002 word unused
0x0004 d-word offset of previous "sk"-record
0x0008 d-word offset of next "sk"-record
0x000c d-word usage-counter
0x0010 d-word size of "sk"-record in bytes
????
???? ???? security and auditing settings...
????</pre>
<pre>the usage counter counts the number of references to this
"sk"-record. you can use one "sk"-record for the entire registry!
</pre>
<pre>windows nt date/time format
===========================</pre>
<pre>the time-format is a 64-bit integer which is incremented every
0,0000001 seconds by 1 (i don't know how accurate it realy is!)
it starts with 0 at the 1st of january 1601 0:00! all values are
stored in gmt time! the time-zone is important to get the real
time!
</pre>
<pre>common values for win95 and win-nt
==================================</pre>
<pre>offset values marking an "end of list", are either 0 or -1 (0xffffffff).
if a value has no name (length=0, flag(bit 0)=0), it is treated as the
"default" entry...
if a value has no data (length=0), it is displayed as empty.
</pre>
<pre>simplyfied win-3.?? registry:
=============================
</pre>
<pre>+-----------+
| next rec. |---+ +-----> +------------+
| first sub | | | | usage cnt. |
| name | | +--> +------------+ | | length |
| value | | | | next rec. | | | text |-------> +-------+
+-----------+ | | | name rec. |--+ +------------+ | xxxxx |
+------------+ | | value rec. |--------> +------------+ +-------+
v | +------------+ | usage cnt. |
+-----------+ | | length |
| next rec. | | | text |-------> +-------+
| first sub |------+ +------------+ | xxxxx |
| name | +-------+
| value |
+-----------+
</pre>
<pre>greatly simplyfied structure of the nt-registry:
================================================
</pre>
<pre> +-------------------------------------------------------------------------+
v |
+---------------+ +-------------> +-----------+ +------> +---------+ |
| "nk" | | | lf-rec. | | | nk-rec. | |
| id | | | # of keys | | | parent |---+
| date | | | 1st key |--+ | .... |
| parent | | +-----------+ +---------+
| suk-keys |-------+
| values |---------------------> +----------+
| sk-rec. |---------------+ | 1. value |--> +----------+
| class |--+ | +----------+ | vk-rec. |
+---------------+ | | | .... |
v | | data |--> +-------+
+------------+ | +----------+ | xxxxx |
| class name | | +-------+
+------------+ |
v
+---------+ +---------+
+-----> | next sk |---> | next sk |--+
| +---| prev sk | <---| prev sk | |
| | | .... | | ... | |
| | +---------+ +---------+ |
| | ^ |
| +--------------------+ |
+------------------------------------+</pre>
<pre>--------------------------------------------------------------------------------</pre>
<pre>hope this helps.... (although it was "fun" for me to uncover this things,
it took me several sleepless nights ;)</pre>
<pre> b.d.</pre>
</td>
</tr>
</table>
</center></div>
</body>
</html>
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -