J
Jim Carlock
I am looking for references to the binary/physical structure
of Win2K registry files.
I've noticed that they all start with "regf" and then at certain
positions within each of the files there is information about
the file, tags, etc. For instance, at 0x32 there is a unicode
string within the ntuser.dat that provides the folder and name
of the registry file in case.
It appears this string ends at 0x1FB. 1FB - 32 = 1C9 which
means that the string being unicode (2 bytes per character),
and 1C9 translating to 457 decimal, which when divided by
2, translates to a maximum length of 228 characters for the
file path and name.
So then, address 0x1FC of the file is a pointer or a file size.
All the registry files pretty much seem to have "hbin" at
address 0x1000 within the file.
At address 0x1070 either $$$PROTO.HIV or the name of
the file exists. It looks like 16 bytes of information is reserved
for a filename here. The filename is stored in an ANSI format.
$$$PROTO.HIV indicates that the HIVE starts there.
I'm looking for anything that might help with such things as
unlocking the file in order to back it up programatically, read
the file, etc. I've noticed that the API calls used to read the
file are all located in the AdvApi32.dll. I have also noticed
that this particular file in turns makes calls to ntdll.dll. It appears
that the ntdll.dll as well as the advapi32.dll are the two files
I'm interested in.
And that applies only to XP/Win2K and possibly Win2003.
If anyone knows which files holds the API calls for Windows 9x,
that would be helpful in my search as well, but I'm not
currently working with Win9x machines, though I would like
the information.
Thanks to all in advance!
of Win2K registry files.
I've noticed that they all start with "regf" and then at certain
positions within each of the files there is information about
the file, tags, etc. For instance, at 0x32 there is a unicode
string within the ntuser.dat that provides the folder and name
of the registry file in case.
It appears this string ends at 0x1FB. 1FB - 32 = 1C9 which
means that the string being unicode (2 bytes per character),
and 1C9 translating to 457 decimal, which when divided by
2, translates to a maximum length of 228 characters for the
file path and name.
So then, address 0x1FC of the file is a pointer or a file size.
All the registry files pretty much seem to have "hbin" at
address 0x1000 within the file.
At address 0x1070 either $$$PROTO.HIV or the name of
the file exists. It looks like 16 bytes of information is reserved
for a filename here. The filename is stored in an ANSI format.
$$$PROTO.HIV indicates that the HIVE starts there.
I'm looking for anything that might help with such things as
unlocking the file in order to back it up programatically, read
the file, etc. I've noticed that the API calls used to read the
file are all located in the AdvApi32.dll. I have also noticed
that this particular file in turns makes calls to ntdll.dll. It appears
that the ntdll.dll as well as the advapi32.dll are the two files
I'm interested in.
And that applies only to XP/Win2K and possibly Win2003.
If anyone knows which files holds the API calls for Windows 9x,
that would be helpful in my search as well, but I'm not
currently working with Win9x machines, though I would like
the information.
Thanks to all in advance!