Difference between revisions of "Windows NT Registry File (REGF)"

From ForensicsWiki

Revision as of 03:32, 12 November 2010

Microsoft Windows NT 4 (and later) uses the Windows NT Registry File (REGF) format to store system- and application-related data, e.g. configurations and most recently used (MRU) files.

MIME types

File signature

REGF has the following file signature:

hexadecimal: 72 65 67 66

ASCII: regf

File types

There are multiple types of REGF files:

  • normal (data) file
  • transaction log file

Windows Vista introduced the Transactional Registry (TxR), which adds the following transaction log files:

  • %FILE%{%GUID%}.TM.blf
  • %FILE%{%GUID%}.TMContainer00000000000000000001.regtrans-ms
  • %FILE%{%GUID%}.TMContainer00000000000000000002.regtrans-ms

Contents

A REGF file consists of a file header followed by a set of hive bins. The hive bins contain cells, and the cells make up the hierarchy of keys and values.
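The following Python parser is an added example (not part of the wiki page) that ties the file signature, the file types and the hive bin/cell layout described above together. It assumes the publicly documented REGF base block layout, which this page does not spell out: the "regf" signature at offset 0, primary and secondary sequence numbers at offsets 4 and 8, the file type at 28 (0 = normal, 1 = transaction log), the root cell offset at 36, the hive bins data size at 40, an XOR checksum over the first 508 bytes at offset 508, and "hbin" blocks starting at offset 4096 whose cells carry a signed size (negative when allocated). The sample hive is constructed inline.

```python
import struct
from functools import reduce

REGF_SIGNATURE = b"regf"
HBIN_SIGNATURE = b"hbin"
BASE_BLOCK_SIZE = 4096  # the base block (file header) occupies the first 4096 bytes

def header_checksum(data):
    """XOR of the first 508 bytes of the base block read as 127 uint32 values (assumed layout)."""
    return reduce(lambda a, b: a ^ b, (v for (v,) in struct.iter_unpack("<I", data[:508])), 0)

def parse_regf_header(data):
    """Parse the REGF base block; raise ValueError if the 'regf' signature is missing."""
    if data[:4] != REGF_SIGNATURE:
        raise ValueError("not a REGF file, signature is %r" % data[:4])
    primary_seq, secondary_seq = struct.unpack_from("<II", data, 4)
    file_type, _format, root_offset, hbins_size = struct.unpack_from("<IIII", data, 28)
    (stored_checksum,) = struct.unpack_from("<I", data, 508)
    return {
        "file_type": {0: "normal (data) file", 1: "transaction log file"}.get(file_type, file_type),
        "root_cell_offset": root_offset,  # relative to the start of the hive bins
        "hbins_size": hbins_size,
        # Unequal sequence numbers: the hive was not flushed cleanly, so the transaction log may hold changes.
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored_checksum == header_checksum(data),
    }

def walk_cells(data):
    """Yield (hbin_offset, cell_offset, cell_size, allocated) for every cell in every hive bin."""
    pos, end = BASE_BLOCK_SIZE, BASE_BLOCK_SIZE + parse_regf_header(data)["hbins_size"]
    while pos + 32 <= end and data[pos:pos + 4] == HBIN_SIGNATURE:
        (hbin_size,) = struct.unpack_from("<I", data, pos + 8)
        if hbin_size < 32:
            break  # corrupt bin header: stop instead of looping forever
        cell = pos + 32  # cells start right after the 32-byte hbin header
        while cell + 4 <= pos + hbin_size and (size := struct.unpack_from("<i", data, cell)[0]):
            yield pos, cell, abs(size), size < 0  # negative size means the cell is allocated
            cell += abs(size)
        pos += hbin_size

def build_sample_hive(dirty=False):
    """Constructed sample: a base block plus one 4096-byte bin with one allocated and one free cell."""
    base = bytearray(BASE_BLOCK_SIZE)
    base[:4] = REGF_SIGNATURE
    struct.pack_into("<II", base, 4, 2, 1 if dirty else 2)  # primary / secondary sequence numbers
    struct.pack_into("<IIII", base, 28, 0, 1, 32, 4096)  # file type, format, root cell, hive bins size
    struct.pack_into("<I", base, 508, header_checksum(base))
    hbin = HBIN_SIGNATURE + struct.pack("<II", 0, 4096) + bytes(20)  # bin header: signature, offset, size
    cells = struct.pack("<i", -16) + b"A" * 12 + struct.pack("<i", 4048) + bytes(4044)
    return bytes(base) + hbin + cells
```

A mismatch between the two sequence numbers or a failed header checksum is what a forensic tool checks before trusting a hive on its own; in the first case the .LOG or .regtrans-ms files listed above still need to be applied.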

See also

  • Windows Registry