The Windows NT∗ Registry File Format
Version 0.4

Timothy D. Morgan
tim-registry(α)sentinelchicken.org

June 9, 2009

Abstract

The Windows registry serves as a primary storage location for system configurations and other information. Numerous third-party commercial and open source tools have been released to interpret and manipulate registry hives, but a comprehensive description of the registry's data structures seems to be missing from the public domain. This document attempts to shed light on the details of the registry format and will be updated as more information is made available.

1 Introduction

The Windows registry stores a wide variety of information, including core system configurations, user-specific configuration, information on installed applications, and user credentials. Little information has been published by Microsoft related to the specifics of how registry information is organized into data structures on disk. Fortunately, various open source developers have worked to understand and publish these technical details in order to write software compatible with Microsoft's registry format. However, these sources are by and large incomplete and fragmented, making tool implementation difficult and tedious at best. Here we attempt to combine the available public information, along with additional knowledge gleaned from testing, to provide a comprehensive reference on Windows NT-based registry data structures. This should be considered a living document and will be updated as new information becomes available. Please contact the author with any errata or new information pertaining to data structure specifics.

∗ Throughout this paper, note that Windows, Microsoft, Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Vista, and Windows Server are registered trademarks of Microsoft Corporation.
2 Previous Work

Registry internal structures have been outlined by Mark Russinovich [15] and David Probert [14], which provide a good overview of how Windows interacts with registry components. Further detailed work has been published by unknown authors in [3] and [2], which lays the groundwork for a detailed understanding of registry data structures. Numerous open source tools provide access to NT registry internals [12, 16, 18, 20] and have expanded on the public's knowledge of technical specifics.

3 Registry Structure Overview

Here, we briefly provide an overview of the internal data structures of the registry. Later sections provide additional details about specific groups of data structures. Finally, a reference on the specific layout of each structure may be found in Appendix A.

The Windows registry is organized in a tree structure and is analogous to a filesystem. For instance, registry values are similar to files in a filesystem as they store name and type information for discrete portions of raw data. Registry keys are closely analogous to filesystem directories, acting as parent nodes for both subkeys and values. Finally, individual registry files (or "hives") are presented to users in Windows under a set of virtual top-level keys in much the same way that multiple filesystems in UNIX¹ are mounted under the same root directory.

The internal structure of Windows registry hives does, however, differ a great deal from typical filesystems. One major difference is that keys reference values differently than subkeys, whereas most filesystems reference both using the same structures. Additionally, due to the type of storage (a binary file), the allocation of storage for data structures is done in a way that minimizes fragmentation and linear space utilization.

¹ UNIX is a registered trademark of the Open Group.