source4/lib/registry/regf.idl

   1 /*
   2  Definitions for the REGF registry file format as used by
   3  Windows NT4 and above.
   4
   5    Copyright (C) 2005 Jelmer Vernooij, jelmer@samba.org
   6    Copyright (C) 2006 Wilco Baan Hofman, wilco@baanhofman.nl
   7
   8  Based on two files from Samba 3:
   9         regedit.c by Richard Sharpe
  10     regfio.c by Jerry Carter
  11
  12 */
  13
  14 interface regf
  15 {
  16         const int REGF_OFFSET_NONE = 0xffffffff;
  17
  18         /*
  19          * Registry version number
  20          * 1.2.0.1 for WinNT 3.51
  21          * 1.3.0.1 for WinNT 4
  22          * 1.5.0.1 for WinXP
  23          */
  24
  25         [noprint] struct regf_version {
  26                 [value(1)] uint32 major;
  27                 [value(3)] uint32 minor;
  28                 [value(0)] uint32 release;
  29                 [value(1)] uint32 build;
  30         };
  31
  32         /*
  33                 "regf" is obviously the abbreviation for "Registry file". "regf" is the
  34                 signature of the header-block which is always 4kb in size, although only
  35                 the first 64 bytes seem to be used and a checksum is calculated over
  36                 the first 0x200 bytes only!
  37          */
  38
  39         [public,noprint] struct regf_hdr {
  40                 [charset(DOS)] uint8 REGF_ID[4];     /* 'regf' */
  41                 uint32 update_counter1;
  42                 uint32 update_counter2;
  43                 NTTIME modtime;
  44                 regf_version version;
  45                 uint32 data_offset;
  46                 uint32 last_block;
  47                 [value(1)] uint32 uk7;                  /* 1 */
  48                 [charset(UTF16)] uint16 description[0x20];
  49                 uint32 padding[99];                                     /* Padding */
  50                 /* Checksum of first 0x200 bytes XOR-ed */
  51                 uint32 chksum;
  52         };
  53
  54         /*
  55                 hbin probably means hive-bin (i.e. hive-container)
  56                 This block is always a multiple
  57                 of 4kb in size.
  58      */
  59         [public,noprint] struct hbin_block {
  60                 [charset(DOS)] uint8 HBIN_ID[4]; /* hbin */
  61                 uint32 offset_from_first; /* Offset from 1st hbin-Block */
  62                 uint32 offset_to_next;    /* Offset to the next hbin-Block */
  63                 uint32 unknown[2];
  64                 NTTIME last_change;
  65                 uint32 block_size;         /* Block size (including the header!) */
  66                 uint8 data[offset_to_next-0x20];
  67                 /* data is filled with:
  68                         uint32 length;
  69                                 Negative if in use, positive otherwise
  70                                 Always a multiple of 8
  71                         uint8_t data[length];
  72                                 Free space marker if 0xffffffff
  73              */
  74         };
  75
  76         [noprint] enum reg_key_type {
  77                 REG_ROOT_KEY = 0x20,
  78                 REG_SUB_KEY  = 0x2C,
  79                 REG_SYM_LINK = 0x10
  80         };
  81
  82         /*
  83       The nk-record can be treated as a combination of tree-record and
  84       key-record of the win 95 registry.
  85         */
  86         [public,noprint] struct nk_block {
  87                 [charset(DOS)] uint8 header[2];
  88                 reg_key_type type;
  89                 NTTIME last_change;
  90                 uint32 uk1;
  91                 uint32 parent_offset;
  92                 uint32 num_subkeys;
  93                 uint32 uk2;
  94                 uint32 subkeys_offset;
  95                 uint32 unknown_offset;
  96                 uint32 num_values;
  97                 uint32 values_offset; /* Points to a list of offsets of vk-records */
  98                 uint32 sk_offset;
  99                 uint32 clsname_offset;
 100                 uint32 unk3[5];
 101                 [value(strlen(key_name))] uint16 name_length;
 102                 uint16 clsname_length;
 103                 [charset(DOS)] uint8 key_name[name_length];
 104         };
 105
 106         /* sk (? Security Key ?) is the ACL of the registry. */
 107         [noprint,public] struct sk_block {
 108                 [charset(DOS)] uint8 header[2];
 109                 uint16 tag;
 110                 uint32 prev_offset;
 111                 uint32 next_offset;
 112                 uint32 ref_cnt;
 113                 uint32 rec_size;
 114                 uint8 sec_desc[rec_size];
 115         };
 116
 117         [noprint] struct lh_hash {
 118                         uint32 nk_offset;
 119                         uint32 base37; /* base37 of key name */
 120         };
 121
 122         /* Subkey listing with hash of first 4 characters */
 123         [public,noprint] struct lh_block {
 124                 [charset(DOS)] uint8 header[2];
 125                 uint16 key_count;
 126                 lh_hash hr[key_count];
 127         };
 128
 129         [public,noprint] struct li_block {
 130                 [charset(DOS)] uint8 header[2];
 131                 uint16 key_count;
 132                 uint32 nk_offset[key_count];
 133         };
 134
 135         [public,noprint] struct ri_block {
 136                 [charset(DOS)] uint8 header[2];
 137                 uint16 key_count;
 138                 uint32 offset[key_count]; /* li/lh offset */
 139         };
 140
 141         /* The vk-record consists information to a single value (value key). */
 142         [public,noprint] struct vk_block {
 143                 [charset(DOS)] uint8 header[2];
 144                 [value(strlen(data_name))] uint16 name_length;
 145                 uint32 data_length;    /* If top-bit set, offset contains the data */
 146                 uint32 data_offset;
 147                 uint32 data_type;
 148                 uint16 flag;        /* =1, has name, else no name (=Default). */
 149                 uint16 unk1;
 150                 [charset(DOS)] uint8 data_name[name_length];
 151         };
 152
 153         [noprint] struct hash_record {
 154                 uint32 nk_offset;
 155                 [charset(DOS)] uint8 hash[4];
 156         };
 157
 158         /*
 159       The lf-record is the counterpart to the RGKN-record (the
 160       hash-function)
 161         */
 162         [public,noprint] struct lf_block {
 163                 [charset(DOS)] uint8 header[2];
 164                 uint16 key_count;
 165                 hash_record hr[key_count];  /* Array of hash records, depending on key_count */
 166         };
 167 }