Windows NT Registry File (REGF)
REGF has the following file signature:
hexadecimal: 72 65 67 66
There are multiple types of REGF files:
- normal (data) file
- transaction log file
Transactional Registry (TxR)
In Vista the Transactional Registry (TxR) was introduced. TxR creates transaction log files similar to:
Where %FILE% is the name of the REGF normal (data) file, e.g. NTUSER.DAT and %GUID% a string representation of a GUID/UUID.
The REGF basically consists of a set of hive bins. These hive bins contain cells that make up a hierarchy of keys and values.