Difference between pages "Windows NT Registry File (REGF)" and "File:7-bb9320-VendorPlate.jpg"

From ForensicsWiki
[[Microsoft]] [[Windows]] NT 4 (and later) uses the '''Windows NT Registry File (REGF)''' to store system- and application-related data, e.g. configurations and most recently used (MRU) files.
 
  
== MIME types ==
 
 
== File signature ==
 
 
REGF has the following file signature:
 
 
hexadecimal: 72 65 67 66
 
 
ASCII: regf
 
 
== File types ==
 
There are multiple types of REGF files:
 
* normal (data) file
 
* transaction log file
 
 
== Transactional Registry (TxR) ==
 
Windows Vista introduced the Transactional Registry (TxR). TxR creates transaction log files with names similar to:
 
* %FILE%{%GUID%}.TM.blf
 
* %FILE%{%GUID%}.TMContainer00000000000000000001.regtrans-ms
 
* %FILE%{%GUID%}.TMContainer00000000000000000002.regtrans-ms
 
 
Here %FILE% is the name of the REGF normal (data) file, e.g. NTUSER.DAT, and %GUID% is a string representation of a GUID/UUID.
 
 
TxR is similar to [[NTFS | Transactional NTFS (TxF)]] and uses the [[Common Log File System (CLFS)]].
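
The following is an added example, not part of the original wiki page or of any project it links to: a triage helper that checks the REGF file signature and groups TxR log files with the hive they belong to, using the naming scheme listed above. The function names are hypothetical, the GUID is assumed to be in the usual 36-character hyphenated form, and the sample listing is constructed.

```python
import re
from collections import defaultdict

REGF_SIGNATURE = bytes.fromhex("72 65 67 66")  # ASCII "regf", as given above

# %FILE%{%GUID%}.TM.blf  or  %FILE%{%GUID%}.TMContainer<digits>.regtrans-ms
# Assumption: the GUID is in the usual 8-4-4-4-12 hyphenated hex form.
TXR_NAME = re.compile(
    r"^(?P<file>.+)\{(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}\."
    r"(?:(?P<blf>TM\.blf)|TMContainer(?P<num>\d+)\.regtrans-ms)$",
    re.IGNORECASE,  # Windows file names are case-insensitive
)

def has_regf_signature(data: bytes) -> bool:
    """True if the buffer starts with the 4-byte REGF signature."""
    return data[:4] == REGF_SIGNATURE

def parse_txr_name(name: str):
    """Return (hive name, guid, kind, container number), or None if not a TxR log name."""
    m = TXR_NAME.match(name)
    if not m:
        return None
    guid = m.group("guid").lower()
    if m.group("blf"):
        return m.group("file"), guid, "blf", None
    return m.group("file"), guid, "container", int(m.group("num"))

def group_txr_files(names):
    """Group TxR logs by hive; also list hives whose data file is absent from names."""
    groups = defaultdict(list)
    for name in names:
        parsed = parse_txr_name(name)
        if parsed:
            groups[parsed[0]].append(name)
    present = {n.casefold() for n in names}
    orphans = sorted(h for h in groups if h.casefold() not in present)
    return dict(groups), orphans

if __name__ == "__main__":
    g = "{11111111-2222-3333-4444-555555555555}"  # constructed GUID
    listing = [  # constructed directory listing
        "NTUSER.DAT", "NTUSER.DAT" + g + ".TM.blf",
        "NTUSER.DAT" + g + ".TMContainer00000000000000000001.regtrans-ms",
        "UsrClass.dat" + g + ".TMContainer00000000000000000002.regtrans-ms",
    ]
    print(group_txr_files(listing))
    print(has_regf_signature(b"regf" + bytes(508)))  # constructed buffer
```
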
 
 
== Contents ==
 
 
The REGF basically consists of a set of hive bins. These hive bins contain cells that make up a hierarchy of keys and values.
 
 
== Also See ==
 
 
* [[Windows Registry]]
 
* [[Windows 9x Registry File (CREG)]]
 
 
== External Links ==
 
 
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]]
 
* [https://googledrive.com/host/0B3fBvzttpiiSSC1yUDZpb3l0UHM/Windows%20NT%20Registry%20File%20(REGF)%20format.pdf Windows NT Registry File (REGF) format], by the [[libregf|libregf project]]
 
 
[[Category:File Formats]]
 

Latest revision as of 12:30, 30 October 2013