--- /dev/null
+/*
+ Definitions for the REGF registry file format as used by
+ Windows NT4 and above.
+
+ Written by Jelmer Vernooij, 2005
+
+ Based on two files from Samba 3:
+ regedit.c by Richard Sharpe
+ regfio.c by Jerry Carter
+
+ Thanks to Wilco Baan Hofman for some of the info on li and ri fields.
+*/
+
+interface regf
+{
+ typedef struct {
+ uint32 major;
+ uint32 minor;
+ uint32 release;
+ uint32 build;
+ } regf_version;
+
+ /* 1.3.0.1 for WinNT 4
+ * 1.5.0.1 for WinXP
+ */
+
+
+ /*
+ "regf" is obviously the abbreviation for "Registry file". "regf" is the
+ signature of the header-block which is always 4kb in size, although only
+ the first 64 bytes seem to be used and a checksum is calculated over
+ the first 0x200 bytes only!
+ */
+
+ typedef [public] struct {
+ [charset(DOS)] uint8 REGF_ID[4]; /* 'regf' */
+ uint32 update_counter1;
+ uint32 update_counter2;
+ NTTIME modtime;
+ regf_version version;
+ uint32 data_offset;
+ uint32 last_block;
+ [value(1)] uint32 uk7; /* 1 */
+ [charset(UTF16)] uint16 description[0x40];
+ uint32 padding[83]; /* Padding */
+ /* Checksum of first 0x200 bytes XOR-ed */
+ uint32 chksum;
+ } regf_hdr;
+
+ /*
+ hbin probably means hive-bin (what bin stands for I don't know)
+ This block is always a multiple
+ of 4kb in size.
+ */
+ typedef [public] struct {
+ [charset(DOS)] uint8 HBIN_ID[4]; /* hbin */
+ uint32 off_from_first; /* Offset from 1st hbin-Block */
+ uint32 off_to_next; /* Offset to the next hbin-Block */
+ uint32 unknown[2];
+ NTTIME last_change;
+ uint32 block_size; /* Block size */
+ uint8 data[block_size]; /* Filled with hbin_data blocks */
+ } hbin_block;
+
+ typedef struct {
+ uint32 length;
+ [charset(DOS)] uint8 header[2]; /* li, lh, ri, nk, vk, sk, lf or \0\0 */
+ uint8 data[length-2];
+ } hbin_data;
+
+ typedef enum {
+ REG_ROOT_KEY = 0x20,
+ REG_SUB_KEY = 0x2C,
+ REG_SYM_LINK = 0x10
+ } reg_key_type;
+
+ /*
+ The nk-record can be treated as a combination of tree-record and
+ key-record of the win 95 registry.
+ */
+ typedef struct {
+ reg_key_type type;
+ NTTIME last_change;
+ uint32 uk1;
+ uint32 parent_offset;
+ uint32 num_subkeys;
+ uint32 uk2;
+ uint32 subkeys_offset;
+ uint32 uk3;
+ uint32 num_values;
+ uint32 values_offset;
+ uint32 sk_offset;
+ uint32 clsnam_offset;
+ uint32 unk4[5];
+ uint16 name_length;
+ uint16 clsname_length;
+ [charset(DOS)] uint8 key_name[name_length];
+ } nk_block;
+
+ /* sk (? Security Key ?) is the ACL of the registry. */
+ typedef struct {
+ uint16 uk1;
+ uint32 prev_offset;
+ uint32 next_offset;
+ uint32 ref_cnt;
+ uint32 rec_size;
+ uint8 sec_desc[rec_size];
+ } sk_block;
+
+ typedef struct {
+ uint32 offset_nk;
+ uint32 base37; /* base37 of key name */
+ } lh_hash;
+
+ typedef struct {
+ uint16 key_count;
+ lh_hash hashes[key_count];
+ } lh_block;
+
+ typedef struct {
+ uint16 key_count;
+ uint32 offset_nk[key_count];
+ } li_block;
+
+ typedef struct {
+ uint16 key_count;
+ uint32 offset[key_count]; /* li/lh offset */
+ } ri_block;
+
+ /* The vk-record consists information to a single value (value key). */
+ typedef struct {
+ uint16 name_length;
+ uint32 data_length; /* If top-bit set, offset contains the data */
+ uint32 data_offset;
+ uint32 data_type;
+ uint16 flag; /* =1, has name, else no name (=Default). */
+ uint16 unk1;
+ [charset(DOS)] uint8 data_name[name_length];
+ } vk_block;
+
+ typedef struct {
+ uint32 nk_off;
+ uint8 hash[4];
+ } hash_record;
+
+ /*
+ The lf-record is the counterpart to the RGKN-record (the
+ hash-function)
+ */
+ typedef struct {
+ uint16 key_count;
+ hash_record hr[key_count]; /* Array of hash records, depending on key_count */
+ } lf_block;
+}
git.samba.org / samba.git / commitdiff