/*
Definitions for the REGF registry file format as used by
Windows NT4 and above.
Copyright (C) 2005 Jelmer Vernooij, jelmer@samba.org
Copyright (C) 2006 Wilco Baan Hofman, wilco@baanhofman.nl
Based on two files from Samba 3:
regedit.c by Richard Sharpe
regfio.c by Jerry Carter
*/
interface regf
{
	/*
	 * Sentinel stored in an offset field that points nowhere (e.g. a key
	 * without subkeys, values or class name). Readers must test for it
	 * before following any *_offset field below.
	 */
	const int REGF_OFFSET_NONE = 0xffffffff;

	/*
	 * Registry version number
	 * 1.2.0.1 for WinNT 3.51
	 * 1.3.0.1 for WinNT 4
	 * 1.5.0.1 for WinXP
	 *
	 * The [value(...)] attributes pin the version that is written out
	 * to 1.3.0.1, i.e. the WinNT 4 value.
	 */
	[noprint] struct regf_version {
		[value(1)] uint32 major;
		[value(3)] uint32 minor;
		[value(0)] uint32 release;
		[value(1)] uint32 build;
	};

	/*
	 * "regf" is obviously the abbreviation for "Registry file". "regf" is the
	 * signature of the header block, which is always 4kb in size, although only
	 * the first 64 bytes seem to be used and the checksum is calculated over
	 * the first 0x200 bytes only!
	 *
	 * The header is the only part of the file with an integrity check; a reader
	 * should verify REGF_ID and chksum before trusting any offset taken from it.
	 */
	[public,noprint] struct regf_hdr {
		[charset(DOS)] uint8 REGF_ID[4];	/* 'regf' signature */
		uint32 update_counter1;
		uint32 update_counter2;			/* NOTE(review): presumably paired with update_counter1 to spot an interrupted write — confirm against the reader */
		NTTIME modtime;
		regf_version version;
		uint32 data_offset;			/* NOTE(review): semantics not established here; treat as untrusted file data and range-check before use */
		uint32 last_block;
		[value(1)] uint32 uk7;			/* unknown, always written as 1 */
		[charset(UTF16)] uint16 description[0x40];
		uint32 padding[83];			/* Padding */
		/*
		 * Checksum of the first 0x200 bytes, XOR-ed together.
		 * This detects corruption only: an XOR over the header is trivial to
		 * recompute, so a matching chksum says nothing about who wrote the file.
		 */
		uint32 chksum;
	};

	/*
	 * hbin probably means hive-bin (i.e. hive container).
	 * This block is always a multiple of 4kb in size.
	 */
	[public,noprint] struct hbin_block {
		[charset(DOS)] uint8 HBIN_ID[4];	/* 'hbin' signature */
		uint32 offset_from_first;		/* Offset from the 1st hbin block */
		uint32 offset_to_next;			/* Offset to the next hbin block; also sizes data[] below */
		uint32 unknown[2];
		NTTIME last_change;
		uint32 block_size;			/* Block size (including the header!) */
		/*
		 * NOTE(review): the length of data[] is computed from offset_to_next,
		 * a value read straight from the file. A parser must check that
		 * offset_to_next is at least 0x20 (else the subtraction underflows)
		 * and that the block fits in the remaining file before using it.
		 */
		uint8 data[offset_to_next-0x20];
		/*
		 * data is filled with a sequence of cells:
		 *   uint32 length;	Negative if in use, positive otherwise.
		 *			Always a multiple of 8.
		 *   uint8_t data[length];
		 * Free-space marker if 0xffffffff.
		 * Cell lengths are likewise untrusted and must stay inside data[].
		 */
	};

	/* Key type tag carried in nk_block.type. */
	[base_type(uint16),noprint] enum reg_key_type {
		REG_ROOT_KEY = 0x20,
		REG_SUB_KEY = 0x2C,
		REG_SYM_LINK = 0x10
	};

	/*
	 * The nk-record can be treated as a combination of tree-record and
	 * key-record of the win 95 registry.
	 *
	 * Every *_offset field below is file data; compare it with
	 * REGF_OFFSET_NONE and range-check it before dereferencing.
	 */
	[public,noprint] struct nk_block {
		[charset(DOS)] uint8 header[2];		/* 2-byte record signature ("nk") */
		reg_key_type type;
		NTTIME last_change;
		uint32 uk1;
		uint32 parent_offset;			/* Offset of the parent nk record */
		uint32 num_subkeys;
		uint32 uk2;
		uint32 subkeys_offset;			/* Offset of the subkey list (lf/lh/li/ri record) */
		uint32 unknown_offset;
		uint32 num_values;
		uint32 values_offset;			/* Points to a list of offsets of vk-records */
		uint32 sk_offset;			/* Offset of the sk (security) record */
		uint32 clsname_offset;
		uint32 unk3[5];
		/*
		 * name_length sizes key_name[] and is written from strlen(key_name) on
		 * push; on pull it comes from the file and must not exceed the cell.
		 */
		[value(strlen(key_name))] uint16 name_length;
		uint16 clsname_length;
		[charset(DOS)] uint8 key_name[name_length];
	};

	/*
	 * sk (? Security Key ?) is the ACL of the registry.
	 * rec_size sizes sec_desc[] and is file data: bound it against the
	 * enclosing cell before reading the security descriptor, and validate
	 * the descriptor itself separately — its embedded offsets are untrusted too.
	 */
	[noprint,public] struct sk_block {
		[charset(DOS)] uint8 header[2];		/* 2-byte record signature ("sk") */
		uint16 tag;
		uint32 prev_offset;			/* NOTE(review): presumably links sk records in a list — a walker should guard against cycles */
		uint32 next_offset;
		uint32 ref_cnt;				/* Number of nk records sharing this descriptor */
		uint32 rec_size;			/* Size of sec_desc[] */
		uint8 sec_desc[rec_size];		/* Self-relative security descriptor bytes (not parsed here) */
	};

	/* One entry of an lh_block. */
	[noprint] struct lh_hash {
		uint32 nk_offset;			/* Offset of the subkey's nk record */
		uint32 base37;				/* base37 hash of the key name */
	};

	/*
	 * Subkey listing with a hash per entry (see lh_hash).
	 * key_count sizes hr[] and is file data; keep it within the cell.
	 */
	[public,noprint] struct lh_block {
		[charset(DOS)] uint8 header[2];		/* 2-byte record signature ("lh") */
		uint16 key_count;
		lh_hash hr[key_count];
	};

	/* Subkey listing without hashes: plain nk offsets. */
	[public,noprint] struct li_block {
		[charset(DOS)] uint8 header[2];		/* 2-byte record signature ("li") */
		uint16 key_count;
		uint32 nk_offset[key_count];
	};

	/*
	 * Indirect subkey listing: each entry points at an li or lh record.
	 * A reader following ri -> li/lh -> nk should cap the nesting depth
	 * and reject an entry that points back at an already-visited record.
	 */
	[public,noprint] struct ri_block {
		[charset(DOS)] uint8 header[2];		/* 2-byte record signature ("ri") */
		uint16 key_count;
		uint32 offset[key_count];		/* li/lh offset */
	};

	/* The vk-record holds the information for a single value (value key). */
	[public,noprint] struct vk_block {
		[charset(DOS)] uint8 header[2];		/* 2-byte record signature ("vk") */
		[value(strlen(data_name))] uint16 name_length;	/* Sizes data_name[]; untrusted on pull */
		/*
		 * If the top bit is set, data_offset holds the data itself rather than
		 * an offset; the remaining bits then must not exceed sizeof(data_offset).
		 * Otherwise the length and the offset both need range-checking.
		 */
		uint32 data_length;			/* If top-bit set, offset contains the data */
		uint32 data_offset;
		uint32 data_type;
		uint16 flag;				/* =1, has name, else no name (=Default). */
		uint16 unk1;
		[charset(DOS)] uint8 data_name[name_length];
	};

	/* One entry of an lf_block. */
	[noprint] struct hash_record {
		uint32 nk_offset;			/* Offset of the subkey's nk record */
		[charset(DOS)] uint8 hash[4];		/* charset(DOS): character data (start of the key name), not a numeric hash */
	};

	/*
	 * The lf-record is the counterpart to the RGKN-record (the
	 * hash-function).
	 * key_count sizes hr[] and is file data; keep it within the cell.
	 */
	[public,noprint] struct lf_block {
		[charset(DOS)] uint8 header[2];		/* 2-byte record signature ("lf") */
		uint16 key_count;
		hash_record hr[key_count];		/* Array of hash records, depending on key_count */
	};
}