Difference between revisions of "Windows NT Registry File (REGF)"

From Forensics Wiki

Revision as of 02:35, 12 November 2010

Microsoft Windows NT 4 (and later) uses the Windows NT Registry File (REGF) to store system- and application-related data, e.g. configurations and most recently used (MRU) files.

MIME types

File signature

REGF has the following file signature:

hexadecimal: 72 65 67 66

ASCII: regf

File types

There are multiple types of REGF files:

  • normal (data) file
  • transaction log file

Windows Vista introduced the Transactional Registry (TxR). TxR creates transaction log files with names similar to:

  • %FILE%{%GUID%}.TM.blf
  • %FILE%{%GUID%}.TMContainer00000000000000000001.regtrans-ms
  • %FILE%{%GUID%}.TMContainer00000000000000000002.regtrans-ms

TxR is similar to Transactional NTFS (TxF) and uses the Common Log File System (CLFS).
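
An added example (not part of the original wiki page): a Python triage helper that checks the regf signature and separates the file types listed above. The file type field at header offset 28 (0 = normal, 1 = transaction log) is an assumption drawn from public REGF format documentation rather than from this page, and the file names, GUID and header bytes are constructed samples.

```python
import re
import struct

REGF_SIGNATURE = b"regf"  # hexadecimal 72 65 67 66, as stated on the page

# Assumption (not from this page): the header stores a 32-bit little-endian
# file type at offset 28, where 0 = normal file and 1 = transaction log.
FILE_TYPE_OFFSET = 28
FILE_TYPES = {0: "normal (data) file", 1: "transaction log file"}

# TxR names from the page: %FILE%{%GUID%}.TM.blf and
# %FILE%{%GUID%}.TMContainer<digits>.regtrans-ms
TXR_NAME = re.compile(
    r"^(?P<hive>.+)\{[0-9A-Fa-f-]{36}\}"
    r"\.(?:TM\.blf|TMContainer\d+\.regtrans-ms)$"
)


def classify(name, data):
    """Label one file from its name and its leading bytes."""
    match = TXR_NAME.match(name)
    if match:
        return "TxR log for " + match.group("hive")
    if data[:4] != REGF_SIGNATURE:
        return "not REGF"
    if len(data) < FILE_TYPE_OFFSET + 4:
        return "REGF, truncated header"
    (file_type,) = struct.unpack_from("<I", data, FILE_TYPE_OFFSET)
    return "REGF " + FILE_TYPES.get(file_type, "unknown type %d" % file_type)


def sample_header(file_type):
    """Constructed sample: signature, zero padding, then the file type."""
    return REGF_SIGNATURE + b"\x00" * 24 + struct.pack("<I", file_type)


if __name__ == "__main__":
    guid = "{6cced2f1-6e01-11de-8bed-001e0bcd1824}"  # constructed GUID
    samples = [
        ("NTUSER.DAT", sample_header(0)),
        ("NTUSER.DAT.LOG", sample_header(1)),
        ("NTUSER.DAT" + guid + ".TM.blf", b""),
        ("notes.txt", b"hello"),
    ]
    for name, data in samples:
        print(name, "->", classify(name, data))
```

TxR files are matched by name before the signature check because the page identifies them by their naming pattern only.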

Contents

A REGF file consists of a set of hive bins. These hive bins contain cells that make up a hierarchy of keys and values.

See also