source/lib/registry/regf.idl

   1 /*
   2  Definitions for the REGF registry file format as used by
   3  Windows NT4 and above.
   4
   5  Written by Jelmer Vernooij, 2005
   6
   7  Based on two files from Samba 3:
   8         regedit.c by Richard Sharpe
   9     regfio.c by Jerry Carter
  10
  11  Thanks to Wilco Baan Hofman for some of the info on li and ri fields.
  12 */
  13
  14 interface regf
  15 {
  16         typedef struct {
  17                 uint32 major;
  18                 uint32 minor;
  19                 uint32 release;
  20                 uint32 build;
  21         } regf_version;
  22
  23         /* 1.3.0.1 for WinNT 4
  24          * 1.5.0.1 for WinXP
  25          */
  26
  27
  28         /*
  29                 "regf" is obviously the abbreviation for "Registry file". "regf" is the
  30                 signature of the header-block which is always 4kb in size, although only
  31                 the first 64 bytes seem to be used and a checksum is calculated over
  32                 the first 0x200 bytes only!
  33          */
  34
  35         typedef [public] struct {
  36                 [charset(DOS)] uint8 REGF_ID[4];     /* 'regf' */
  37                 uint32 update_counter1;
  38                 uint32 update_counter2;
  39                 NTTIME modtime;
  40                 regf_version version;
  41                 uint32 data_offset;
  42                 uint32 last_block;
  43                 [value(1)] uint32 uk7;                  /* 1 */
  44                 [charset(UTF16)] uint16 description[0x40];
  45                 uint32 padding[83];                                     /* Padding */
  46                 /* Checksum of first 0x200 bytes XOR-ed */
  47                 uint32 chksum;
  48         } regf_hdr;
  49
  50         /*
  51                 hbin probably means hive-bin (what bin stands for I don't know)
  52                 This block is always a multiple
  53                 of 4kb in size.
  54      */
  55         typedef [public] struct {
  56                 [charset(DOS)] uint8 HBIN_ID[4]; /* hbin */
  57                 uint32 off_from_first; /* Offset from 1st hbin-Block */
  58                 uint32 off_to_next;        /* Offset to the next hbin-Block */
  59                 uint32 unknown[2];
  60                 NTTIME last_change;
  61                 uint32 block_size;         /* Block size */
  62                 uint8 data[block_size]; /* Filled with hbin_data blocks */
  63         } hbin_block;
  64
  65         typedef struct {
  66                 uint32 length;
  67                 [charset(DOS)] uint8 header[2]; /* li, lh, ri, nk, vk, sk, lf or \0\0 */
  68                 uint8 data[length-2];
  69         } hbin_data;
  70
  71         typedef enum {
  72                 REG_ROOT_KEY = 0x20,
  73                 REG_SUB_KEY = 0x2C,
  74                 REG_SYM_LINK = 0x10
  75         } reg_key_type;
  76
  77         /*
  78       The nk-record can be treated as a combination of tree-record and
  79       key-record of the win 95 registry.
  80         */
  81         typedef struct {
  82                 reg_key_type type;
  83                 NTTIME last_change;
  84                 uint32 uk1;
  85                 uint32 parent_offset;
  86                 uint32 num_subkeys;
  87                 uint32 uk2;
  88                 uint32 subkeys_offset;
  89                 uint32 uk3;
  90                 uint32 num_values;
  91                 uint32 values_offset;
  92                 uint32 sk_offset;
  93                 uint32 clsnam_offset;
  94                 uint32 unk4[5];
  95                 uint16 name_length;
  96                 uint16 clsname_length;
  97                 [charset(DOS)] uint8 key_name[name_length];
  98         } nk_block;
  99
 100         /* sk (? Security Key ?) is the ACL of the registry. */
 101         typedef struct {
 102                 uint16 uk1;
 103                 uint32 prev_offset;
 104                 uint32 next_offset;
 105                 uint32 ref_cnt;
 106                 uint32 rec_size;
 107                 uint8 sec_desc[rec_size];
 108         } sk_block;
 109
 110         typedef struct {
 111                         uint32 offset_nk;
 112                         uint32 base37; /* base37 of key name */
 113         } lh_hash;
 114
 115         typedef struct {
 116                 uint16 key_count;
 117                 lh_hash hashes[key_count];
 118         } lh_block;
 119
 120         typedef struct {
 121                 uint16 key_count;
 122                 uint32 offset_nk[key_count];
 123         } li_block;
 124
 125         typedef struct {
 126                 uint16 key_count;
 127                 uint32 offset[key_count]; /* li/lh offset */
 128         } ri_block;
 129
 130         /* The vk-record consists information to a single value (value key). */
 131         typedef struct {
 132                 uint16 name_length;
 133                 uint32 data_length;    /* If top-bit set, offset contains the data */
 134                 uint32 data_offset;
 135                 uint32 data_type;
 136                 uint16 flag;        /* =1, has name, else no name (=Default). */
 137                 uint16 unk1;
 138                 [charset(DOS)] uint8 data_name[name_length];
 139         } vk_block;
 140
 141         typedef struct {
 142                 uint32 nk_off;
 143                 uint8 hash[4];
 144         } hash_record;
 145
 146         /*
 147       The lf-record is the counterpart to the RGKN-record (the
 148       hash-function)
 149         */
 150         typedef struct {
 151                 uint16 key_count;
 152                 hash_record hr[key_count];  /* Array of hash records, depending on key_count */
 153         } lf_block;
 154 }