I need a document that describes format of microsoft windows registry hive file format. The only thing I was able to find is this one

http://www.sentinelchicken.com/data/TheWindowsNTRegistryFileFormat.pdf

But it has nothing in common with the real registry file format. Most of the things described there don't work at all. For example, "Relative offset of next hive bin" is 0 in most of my local files. The pointer to the start of the last hbin in the file points to the middle of an hbin. I understand that Microsoft doesn't document this; however, I know that people are writing parsers for registry files, so I think there should be one? Does anybody know of a better document?

Thanks in advance.

axe
  • What is the practical programming problem you are having? – Raymond Chen Apr 30 '12 at 21:32
  • I'm having a practical problem parsing registry files. Of course I could ask a programming question, even bring an example that doesn't work, but the answer to my question is pointing to a particular line in documentation. So why not just ask for docs? Programming is not only coding. – axe May 02 '12 at 09:38
  • The registry file format is not documented and is different on different versions of Windows (and is therefore not stable). The correct interface is the registry API. If this is for forensic purposes, you can make a copy of the hive and mount it. – Raymond Chen May 02 '12 at 13:11
  • Yes, you are right. This is for forensic purposes, but if I mount it then I wouldn't be able to restore orphans. Operating system is Windows XP. – axe May 02 '12 at 14:05
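The two checks the question stumbles over (how to get from one hbin to the next, and what the base block pointers mean) can be sanity-checked directly on a file. The following is an added example, not code from the question or any of the linked documents; it encodes the regf layout as commonly reverse-engineered (base block at offset 0 with the checksum at 0x1FC, hive bins data starting at file offset 4096, each hbin header carrying its own relative offset and its size, signed cell sizes with negative meaning allocated) and builds a constructed sample hive inline so it runs offline. Those offsets and the checksum remapping rule are assumptions to verify against hivex or libregf sources.

```python
import struct

HBIN_BASE = 4096  # hive bins data starts right after the 4096-byte base block

def base_block_checksum(base):
    """XOR of the 127 little-endian uint32 words that precede the checksum field at 0x1FC."""
    chk = 0
    for w in struct.unpack_from("<127I", base, 0):
        chk ^= w
    # reserved results are remapped so the stored field is never 0 or 0xFFFFFFFF (assumed rule)
    return 0xFFFFFFFE if chk == 0xFFFFFFFF else (1 if chk == 0 else chk)

def build_sample_hive():
    """Constructed sample hive: base block plus two hbins, each holding one allocated 'nk' cell."""
    bins = b""
    for size in (4096, 8192):
        hdr = b"hbin" + struct.pack("<II", len(bins), size) + bytes(20)  # own offset, size, reserved
        cell = struct.pack("<i", -(size - 32)) + b"nk" + bytes(size - 38)  # negative size = allocated
        bins += hdr + cell
    base = bytearray(HBIN_BASE)
    base[0:4] = b"regf"
    # seq1, seq2, timestamp, major, minor, type, format, root cell offset, hive bins size, cluster
    struct.pack_into("<IIQIIIIIII", base, 4, 1, 1, 0, 1, 3, 0, 1, 32, len(bins), 1)
    struct.pack_into("<I", base, 508, base_block_checksum(base))
    return bytes(base) + bins

def parse_hive(data):
    """Validate the base block, walk every hbin by its size field, and locate the root cell."""
    base = data[:HBIN_BASE]
    if base[:4] != b"regf":
        raise ValueError("not a regf hive")
    seq1, seq2 = struct.unpack_from("<II", base, 4)
    major, minor = struct.unpack_from("<II", base, 20)
    root_off, bins_size = struct.unpack_from("<II", base, 36)
    stored = struct.unpack_from("<I", base, 508)[0]
    bins, pos = [], HBIN_BASE
    while pos < HBIN_BASE + bins_size:
        if data[pos:pos + 4] != b"hbin":
            raise ValueError(f"bad hbin signature at {pos:#x}")
        rel, size = struct.unpack_from("<II", data, pos + 4)
        # the header gives this hbin's own offset and size; the next hbin is reached by adding size
        if rel != pos - HBIN_BASE or size < 32 or size % 4096:
            raise ValueError(f"inconsistent hbin header at {pos:#x}")
        bins.append((pos, size))
        pos += size
    root = HBIN_BASE + root_off
    cell_size = struct.unpack_from("<i", data, root)[0]
    return {"version": (major, minor), "dirty": seq1 != seq2,  # dirty: interrupted write, .LOG pending
            "checksum_ok": stored == base_block_checksum(base), "hbins": bins,
            "root_allocated": cell_size < 0, "root_signature": bytes(data[root + 4:root + 6])}
```

Running `parse_hive` over a real hive that reports `dirty` or a failed checksum is the cue to apply the transaction log before trusting any cell, which matters for the orphan recovery mentioned above.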

2 Answers

I'd advise you just to download hivex. It is widely used and battle-tested against real Windows hives.

However you can look in the lib/tools hivex subdirectory which contains some scripts I wrote to reverse engineer the format originally, as well as references to the documentation I used.

Rich

I am looking for something similar. Here is what I have found so far (except the article you mentioned):
Manipulate Registry Hive files from C#
hivex - Windows Registry "hive" extraction library

Edit
http://files.volatileminds.net/winreg.txt This link is less precise but, to me, more understandable than your document.

Edit 2
Article describing various registry parsing programs libhivex: Windows Registry hive extractor library

mirh
IvanH
  • Thanks for sharing it. I'll post anything I find related to reg format here as well. – axe May 02 '12 at 09:38