Difference between pages "Windows NT Registry File (REGF)" and "File:7-bb9320-VendorPlate.jpg"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
Line 1: Line 1:
[[Microsoft]] [[Windows]] NT 4 (and later) uses the '''Windows NT Registry File (REGF)''' to store system and application related data, e.g. configurations, most recently used (MRU) files.
== MIME types ==
== File signature ==
REGF has the following file signature:
hexadecimal: 72 65 67 66
ASCII: regf
== File types ==
There are multiple types of REGF files:
* normal (data) file
* transaction log file
== Transactional Registry (TxR) ==
In Vista the Transactional Registry (TxR) was introduced. TxR creates transaction log files similar to:
* %FILE%{%GUID%}.TM.blf
* %FILE%{%GUID%}.TMContainer00000000000000000001.regtrans-ms
* %FILE%{%GUID%}.TMContainer00000000000000000002.regtrans-ms
Where %FILE% is the name of the REGF normal (data) file, e.g. NTUSER.DAT and %GUID% a string representation of a GUID/UUID.
TxR is similar to [[NTFS | Transactional NTFS (TxF)]] and uses the [[Common Log File System (CLFS)]].
== Contents ==
The REGF basically consists of a set of hive bins. These hive bins contain cells that make up a hierarchy of keys and values.
== Also See ==
* [[Windows Registry]]
* [[Windows 9x Registry File (CREG)]]
== External Links ==
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]]
* [https://googledrive.com/host/0B3fBvzttpiiSSC1yUDZpb3l0UHM/Windows%20NT%20Registry%20File%20(REGF)%20format.pdf Windows NT Registry File (REGF) format], by the [[libregf|libregf project]]
[[Category:File Formats]]

Latest revision as of 13:30, 30 October 2013