Difference between revisions of "Windows NT Registry File (REGF)"

From Forensics Wiki
Latest revision as of 10:08, 17 September 2013

Microsoft Windows NT 4 (and later) uses the Windows NT Registry File (REGF) to store system- and application-related data, e.g. configuration settings and most recently used (MRU) file lists.


MIME types

File signature

A REGF file starts with the following 4-byte signature at offset 0:

hexadecimal: 72 65 67 66

ASCII: regf

File types

There are two types of REGF files, distinguished by the file type field in the file header:

  • normal (data) file (a hive, e.g. NTUSER.DAT)
  • transaction log file (e.g. the .LOG, .LOG1 and .LOG2 files stored next to a hive)

Transactional Registry (TxR)

Windows Vista introduced the Transactional Registry (TxR). TxR creates transaction log files with names similar to:

  •  %FILE%{%GUID%}.TM.blf
  •  %FILE%{%GUID%}.TMContainer00000000000000000001.regtrans-ms
  •  %FILE%{%GUID%}.TMContainer00000000000000000002.regtrans-ms

Here %FILE% is the name of the REGF normal (data) file, e.g. NTUSER.DAT, and %GUID% is the string representation of a GUID/UUID.

TxR is similar to Transactional NTFS (TxF) and uses the Common Log File System (CLFS). The .blf and .regtrans-ms files are therefore CLFS log files rather than REGF files: they do not carry the regf signature and are not the REGF transaction log file type listed above.

Contents

A REGF file consists of a file header (the base block, which carries the regf signature) followed by a sequence of hive bins. Each hive bin holds cells, and the cells (key nodes, value keys and the lists and data blocks that link them) make up the hierarchy of keys and values.
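The following Python script is an added example, not code from this page or from the libregf project; it ties together the file signature, the file type field and the hive bin and cell layout described above. The header offsets it relies on (primary and secondary sequence numbers at offsets 4 and 8, major and minor version at 20 and 24, file type at 28, root cell offset at 36, hive bins data size at 40, and an XOR checksum of the first 508 bytes stored at offset 508), the 32-byte hive bin header and the signed cell size field are taken from the format documents listed under External Links. The hive image it parses is constructed inside the script and does not come from a real system.

```python
import struct

# Layout constants from the REGF format documents linked under External Links.
BASE_BLOCK_SIZE = 4096    # file header (base block); hive bins follow it
HBIN_HEADER_SIZE = 32     # 'hbin' signature, relative offset, size, timestamp, spare
FILE_TYPES = {0: "normal (data) file", 1: "transaction log file"}


def base_block_checksum(block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs in bytes 0..507 (stored at offset 508).
    Windows maps a result of 0 to 1 and 0xFFFFFFFF to 0xFFFFFFFE."""
    checksum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        checksum ^= dword
    if checksum == 0:
        return 1
    if checksum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return checksum


def parse_base_block(data: bytes) -> dict:
    """Check the 'regf' signature and decode the header fields a triage needs."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != b"regf":
        raise ValueError("not a REGF file: 'regf' signature missing")
    primary_seq, secondary_seq = struct.unpack_from("<II", data, 4)
    major, minor, file_type = struct.unpack_from("<III", data, 20)
    root_cell_offset, hbins_size = struct.unpack_from("<II", data, 36)
    (stored_checksum,) = struct.unpack_from("<I", data, 508)
    return {
        "primary_sequence": primary_seq,
        "secondary_sequence": secondary_seq,
        "version": (major, minor),
        "file_type": FILE_TYPES.get(file_type, f"unknown ({file_type})"),
        "root_cell_offset": root_cell_offset,  # relative to the first hive bin
        "hbins_data_size": hbins_size,
        "checksum_ok": stored_checksum == base_block_checksum(data),
        # Equal sequence numbers mean the last write completed; a mismatch means
        # the hive was caught mid-update and its transaction log still matters.
        "dirty": primary_seq != secondary_seq,
    }


def iter_cells(data: bytes, hbins_size: int):
    """Walk every hive bin and yield (absolute_offset, allocated, payload) per cell."""
    offset, end = BASE_BLOCK_SIZE, BASE_BLOCK_SIZE + hbins_size
    if end > len(data):
        raise ValueError("hive bins data size exceeds the file size")
    while offset < end:
        if data[offset:offset + 4] != b"hbin":
            raise ValueError(f"bad hbin signature at {offset:#x}")
        (bin_size,) = struct.unpack_from("<I", data, offset + 8)
        if bin_size < HBIN_HEADER_SIZE or offset + bin_size > end:
            raise ValueError(f"bad hbin size {bin_size} at {offset:#x}")
        bin_end, cell = offset + bin_size, offset + HBIN_HEADER_SIZE
        while cell + 4 <= bin_end:
            (size,) = struct.unpack_from("<i", data, cell)
            # Allocated cells have a negative size, free cells a positive one; the size
            # counts the 4-byte size field. Reject sizes that would leave the bin.
            if size == 0 or abs(size) > bin_end - cell:
                raise ValueError(f"bad cell size {size} at {cell:#x}")
            yield cell, size < 0, data[cell + 4:cell + abs(size)]
            cell += abs(size)
        offset = bin_end


def root_key_name(data: bytes) -> str:
    """Follow the header's root cell offset to the root 'nk' cell and read its name."""
    header = parse_base_block(data)
    root = BASE_BLOCK_SIZE + header["root_cell_offset"]
    cells = {off: (alloc, payload) for off, alloc, payload in iter_cells(data, header["hbins_data_size"])}
    if root not in cells or not cells[root][0] or cells[root][1][:2] != b"nk":
        raise ValueError("root cell offset does not point at an allocated 'nk' cell")
    payload = cells[root][1]
    (name_len,) = struct.unpack_from("<H", payload, 0x48)  # name length; name follows the 0x4C-byte nk header
    return payload[0x4C:0x4C + name_len].decode("latin-1")


def build_sample_hive() -> bytes:
    """Construct a minimal well-formed hive image for the demo (not from a real system)."""
    name = b"ROOT"
    nk = bytearray(0x4C + len(name))
    nk[0:2] = b"nk"
    struct.pack_into("<H", nk, 2, 0x2C)           # KEY_HIVE_ENTRY | KEY_NO_DELETE | KEY_COMP_NAME
    struct.pack_into("<H", nk, 0x48, len(name))
    nk[0x4C:] = name
    cell_size = (4 + len(nk) + 7) & ~7            # cells are 8-byte aligned
    root_cell = struct.pack("<i", -cell_size) + bytes(nk).ljust(cell_size - 4, b"\x00")
    hbin_size = 4096
    free_size = hbin_size - HBIN_HEADER_SIZE - cell_size
    free_cell = struct.pack("<i", free_size).ljust(free_size, b"\x00")
    hbin = (b"hbin" + struct.pack("<II", 0, hbin_size)).ljust(HBIN_HEADER_SIZE, b"\x00")
    base = bytearray(BASE_BLOCK_SIZE)
    base[0:4] = b"regf"
    struct.pack_into("<II", base, 4, 7, 7)        # primary == secondary: clean hive
    struct.pack_into("<III", base, 20, 1, 5, 0)   # version 1.5, file type 0 = normal file
    struct.pack_into("<I", base, 32, 1)           # file format 1 (direct memory load)
    struct.pack_into("<II", base, 36, HBIN_HEADER_SIZE, hbin_size)  # root cell offset, hbins size
    struct.pack_into("<I", base, 44, 1)           # clustering factor
    struct.pack_into("<I", base, 508, base_block_checksum(base))
    return bytes(base) + hbin + root_cell + free_cell
```

Running parse_base_block on build_sample_hive() reports a clean normal (data) file with a valid checksum, iter_cells lists one allocated 'nk' cell followed by one free cell, and root_key_name returns ROOT. A hive whose two sequence numbers differ, or whose checksum does not match, was not written out cleanly; for a forensic triage that is the cue to bring in the accompanying transaction log rather than treating the data file as authoritative. The bounds checks in iter_cells matter because a crafted hive with an oversized cell can otherwise push a naive parser past the bin boundary.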

Also See

  • Windows Registry
  • Windows 9x Registry File (CREG)

External Links

  • The Windows NT Registry File Format, by Timothy Morgan: http://www.sentinelchicken.com/research/registry_format/
  • Windows NT Registry File (REGF) format, by the libregf project: https://googledrive.com/host/0B3fBvzttpiiSSC1yUDZpb3l0UHM/Windows%20NT%20Registry%20File%20(REGF)%20format.pdf