Difference between pages "Windows NT Registry File (REGF)" and "Libregf"

From ForensicsWiki

= Windows NT Registry File (REGF) =

[[Microsoft]] [[Windows]] NT 4 (and later) uses the '''Windows NT Registry File (REGF)''' to store system- and application-related data, e.g. configurations and most recently used (MRU) file lists.

== MIME types ==

== File signature ==

REGF files start with the following file signature:

hexadecimal: 72 65 67 66

ASCII: regf

== File types ==

There are multiple types of REGF files:

* normal (data) file
* transaction log file

== Transactional Registry (TxR) ==

Windows Vista introduced the Transactional Registry (TxR). TxR creates transaction log files with names similar to:

* %FILE%{%GUID%}.TM.blf
* %FILE%{%GUID%}.TMContainer00000000000000000001.regtrans-ms
* %FILE%{%GUID%}.TMContainer00000000000000000002.regtrans-ms

where %FILE% is the name of the REGF normal (data) file, e.g. NTUSER.DAT, and %GUID% is a string representation of a GUID/UUID.

TxR is similar to [[NTFS | Transactional NTFS (TxF)]] and uses the [[Common Log File System (CLFS)]].

== Contents ==

A REGF file basically consists of a set of hive bins. These hive bins contain cells that make up the hierarchy of keys and values.

== Also See ==

* [[Windows Registry]]

== External Links ==

* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]]
* [https://googledrive.com/host/0B3fBvzttpiiSSC1yUDZpb3l0UHM/Windows%20NT%20Registry%20File%20(REGF)%20format.pdf Windows NT Registry File (REGF) format], by the [[libregf|libregf project]]

[[Category:File Formats]]

= Libregf =

{{Infobox_Software |
  name = libregf |
  maintainer = [[Joachim Metz]] |
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
  genre = {{Analysis}} |
  license = {{LGPL}} |
  website = [http://libregf.sourceforge.net libregf.sourceforge.net] |
}}

The '''libregf''' package contains a library and applications to read the [[Windows_NT_Registry_File_(REGF) | Windows NT Registry File (REGF)]] format.

== Tools ==

The '''libregf''' package contains the following tools:

* '''regfinfo''', which shows information about REGF files.
* '''regfmount''', which mounts the keys and values in a REGF file as directories and files.

== History ==

Libregf was created by [[Joachim Metz]] in 2009, while working for [http://en.hoffmannbv.nl/ Hoffmann Investigations].

== Also See ==

* [[Windows NT Registry File (REGF)]]
* [[Windows Registry]]

== External Links ==

* [http://code.google.com/p/libregf/ Project site]

Latest revision as of 10:41, 12 July 2013
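A worked example for the "File signature" and "File types" sections of the REGF page: it checks the regf signature, reads the file type (normal vs. transaction log) and reports whether the hive was closed cleanly. This is added code, not from the wiki page or from libregf; the base-block field offsets it relies on (sequence numbers at 4 and 8, version at 20 and 24, file type at 28, file name at 48, XOR-32 checksum at 508) come from public REGF format documentation and are assumed here, and the sample headers are constructed inside the block.

```python
import struct

REGF_SIGNATURE = b"regf"  # hex 72 65 67 66, see "File signature"
FILE_TYPES = {0: "normal (data) file", 1: "transaction log file"}  # see "File types"


def regf_checksum(base_block):
    """XOR-32 of the 127 little-endian dwords preceding the checksum at offset 508."""
    checksum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        checksum ^= dword
    # Windows maps the two reserved results away (assumed from public documentation).
    if checksum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return checksum or 1


def parse_regf_header(data):
    """Parse a REGF base block (first 512 bytes); raise ValueError on a bad signature."""
    if len(data) < 512 or data[:4] != REGF_SIGNATURE:
        raise ValueError("not a REGF file, signature is %r" % data[:4])
    primary_seq, secondary_seq = struct.unpack_from("<II", data, 4)
    major, minor, file_type = struct.unpack_from("<III", data, 20)
    file_name = data[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", data, 508)[0]
    return {
        "file_type": FILE_TYPES.get(file_type, "unknown (%d)" % file_type),
        "version": "%d.%d" % (major, minor),
        "file_name": file_name,
        # Unequal sequence numbers mean the last write never completed: the hive is
        # "dirty" and its transaction log file(s) still hold changes to be applied.
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored_checksum == regf_checksum(data),
    }


def build_sample_base_block(primary_seq, secondary_seq, file_type, file_name="NTUSER.DAT"):
    """Constructed sample header for the demo; not a real hive (hive bins are omitted)."""
    block = bytearray(512)
    block[0:4] = REGF_SIGNATURE
    struct.pack_into("<II", block, 4, primary_seq, secondary_seq)
    struct.pack_into("<III", block, 20, 1, 5, file_type)  # version 1.5, then file type
    encoded = file_name.encode("utf-16-le")
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, 508, regf_checksum(block))
    return bytes(block)


if __name__ == "__main__":
    print(parse_regf_header(build_sample_base_block(8, 7, 0)))  # a dirty normal hive
```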
