Windows NT Registry File (REGF)
From Forensics Wiki
Microsoft Windows NT 4 and later use the Windows NT Registry File (REGF) format to store system and application data, e.g. configuration settings and most recently used (MRU) file lists.
MIME types
File signature
A REGF file starts with the following 4-byte signature at offset 0:
hexadecimal: 72 65 67 66
ASCII: regf
File types
There are two types of REGF files, distinguished by the file type field in the base block (the file header):
- normal (data) file
- transaction log file
Transactional Registry (TxR)
Windows Vista introduced the Transactional Registry (TxR). TxR creates transaction log files with names similar to:
- %FILE%{%GUID%}.TM.blf
- %FILE%{%GUID%}.TMContainer00000000000000000001.regtrans-ms
- %FILE%{%GUID%}.TMContainer00000000000000000002.regtrans-ms
Where %FILE% is the name of the REGF normal (data) file, e.g. NTUSER.DAT, and %GUID% is the string representation of a GUID/UUID.
TxR is the registry counterpart of Transactional NTFS (TxF); both are built on the Common Log File System (CLFS).
Contents
A REGF file consists of a base block (the file header, which carries the signature, the sequence numbers, the file type and the offset of the root key cell) followed by a sequence of hive bins. Each hive bin contains cells, and the cells (key nodes, value keys, subkey and value lists, and value data) make up the hierarchy of keys and values.
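The following Python script is an added example and not code from the Forensics Wiki page or any registry tool. It ties the sections above together: it checks the regf signature and the base block checksum, reads the file type and the two sequence numbers (a mismatch marks a hive that was being written when it was captured), walks the hive bins and their cells (a negative cell size means allocated, a positive one means free), and decodes the root key node ("nk") and its values ("vk"). The hive it parses is constructed inline as test input and is not a real registry file; the function and field names are the example's own, and the base block, hbin and cell layout it relies on is the common REGF layout rather than anything this page states.

```python
import struct

BASE_BLOCK_SIZE = 4096    # base block (file header) occupies the first 4096 bytes; cell offsets are relative to its end
HBIN_SIZE = 4096          # hive bins are sized in multiples of 4096 bytes, each starting with a 32-byte header

def base_block_checksum(block):
    """XOR of the 127 DWORDs before the checksum field at offset 508 (0 becomes 1, ~0 becomes ~0 - 1)."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)

def parse_base_block(data):
    """Verify the 'regf' signature and return the header fields a triage script cares about."""
    if data[:4] != b"regf":
        raise ValueError("missing 'regf' signature")
    seq1, seq2, _ts, major, minor, ftype, _fmt, root, hbins_size = struct.unpack_from("<IIQ6I", data, 4)
    return {"version": (major, minor), "file_type": {0: "normal", 1: "transaction log"}.get(ftype, "unknown"),
            "root_cell_offset": root, "hbins_data_size": hbins_size,
            "consistent": seq1 == seq2,      # the two sequence numbers differ while a write is in flight
            "checksum_ok": struct.unpack_from("<I", data, 508)[0] == base_block_checksum(data)}

def iter_cells(data, hbins_size):
    """Walk every hive bin and yield (file_offset, size, allocated, payload) for each cell."""
    pos, end = BASE_BLOCK_SIZE, BASE_BLOCK_SIZE + hbins_size
    while pos < end:
        hbin_off, hbin_size = struct.unpack_from("<II", data, pos + 4)
        if data[pos:pos + 4] != b"hbin" or hbin_off != pos - BASE_BLOCK_SIZE or hbin_size % HBIN_SIZE:
            raise ValueError(f"bad hbin header at {pos:#x}")
        cell = pos + 32
        while cell < pos + hbin_size:
            (size,) = struct.unpack_from("<i", data, cell)   # negative = allocated, positive = free
            n = abs(size)
            if n == 0 or n % 8 or cell + n > pos + hbin_size:
                raise ValueError(f"bad cell size {size} at {cell:#x}")
            yield cell, n, size < 0, data[cell + 4:cell + n]
            cell += n
        pos += hbin_size

def cell_payload(data, rel):
    """Payload of the allocated cell at hive-relative offset `rel`."""
    off = BASE_BLOCK_SIZE + rel
    (size,) = struct.unpack_from("<i", data, off)
    if size >= 0:
        raise ValueError(f"cell at {rel:#x} is not allocated")
    return data[off + 4:off - size]

def read_value(data, rel):
    """Decode a 'vk' cell to (name, value); REG_DWORD (type 4) is decoded, other types are returned raw."""
    p = cell_payload(data, rel)
    if p[:2] != b"vk":
        raise ValueError("expected a 'vk' cell")
    name_len, data_size, data_off, vtype, flags = struct.unpack_from("<HIIIH", p, 2)
    name = p[20:20 + name_len].decode("latin-1" if flags & 1 else "utf-16-le")
    inline = data_size & 0x80000000          # high bit set: up to 4 bytes of data live in the offset field itself
    raw = struct.pack("<I", data_off)[:data_size & 0x7FFFFFFF] if inline else cell_payload(data, data_off)[:data_size]
    return name, (struct.unpack("<I", raw)[0] if vtype == 4 else raw)

def read_key(data, rel):
    """Decode an 'nk' cell to its name plus the values reachable through its value list."""
    p = cell_payload(data, rel)
    if p[:2] != b"nk":
        raise ValueError("expected an 'nk' cell")
    flags, = struct.unpack_from("<H", p, 2)
    n_values, values_list = struct.unpack_from("<II", p, 36)
    name_len, = struct.unpack_from("<H", p, 72)
    name = p[76:76 + name_len].decode("latin-1" if flags & 0x20 else "utf-16-le")
    offsets = struct.unpack_from(f"<{n_values}I", cell_payload(data, values_list)) if n_values else ()
    return {"name": name, "values": dict(read_value(data, off) for off in offsets)}

def summarize(data):
    """Header fields, a census of cell kinds across all hive bins, and the decoded root key."""
    info = parse_base_block(data)
    census = {"nk": 0, "vk": 0, "other": 0, "free": 0}
    for _off, _n, allocated, payload in iter_cells(data, info["hbins_data_size"]):
        sig = payload[:2]
        census["free" if not allocated else sig.decode() if sig in (b"nk", b"vk") else "other"] += 1
    info["cells"] = census
    info["root"] = read_key(data, info["root_cell_offset"])
    return info

def _cell(payload, allocated=True):
    # one cell: int32 size (negative = allocated) followed by the payload, padded to 8-byte alignment
    n = (4 + len(payload) + 7) & ~7
    return struct.pack("<i", -n if allocated else n) + payload.ljust(n - 4, b"\0")

def build_sample_hive():
    """Constructed input, not a real hive: base block + one hbin with root key ROOT holding
    a REG_DWORD value Example = 42 (stored inline in the vk cell) and one free cell."""
    cells = []
    def add(payload, allocated=True):          # append a cell and return its hive-relative offset
        cells.append(_cell(payload, allocated))
        return 32 + sum(map(len, cells[:-1]))
    vk_off = add(b"vk" + struct.pack("<HIIIHH", 7, 0x80000000 | 4, 42, 4, 1, 0) + b"Example")
    list_off = add(struct.pack("<I", vk_off))
    nk_off = add(b"nk" + struct.pack("<HQ15IHH", 0x2C, 0, 0, 0xFFFFFFFF, 0, 0, 0xFFFFFFFF, 0xFFFFFFFF,
                                     1, list_off, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 14, 4, 0, 4, 0) + b"ROOT")
    add(b"\0" * (HBIN_SIZE - 32 - sum(map(len, cells)) - 4), allocated=False)   # free space filling the bin
    base = bytearray(BASE_BLOCK_SIZE)
    base[:4] = b"regf"
    struct.pack_into("<IIQ6I", base, 4, 7, 7, 0, 1, 5, 0, 1, nk_off, HBIN_SIZE)   # seq 7/7, v1.5, normal file
    struct.pack_into("<I", base, 508, base_block_checksum(base))
    return bytes(base) + b"hbin" + struct.pack("<IIQQI", 0, HBIN_SIZE, 0, 0, 0) + b"".join(cells)
```

Run against a hive copied from a disk image, summarize() flags a dirty hive (sequence numbers differ, so the transaction logs should be replayed before trusting it) and a modified header (checksum mismatch). A transaction log file (file type 1) shares the signature and base block but does not carry a complete hive bins area, so only parse_base_block() applies to it; iter_cells() is for the normal (data) file.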