From 201fd3bd72d5f080eb16455f35e182c266aaf64b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 3 Sep 2005 14:58:00 +0000 Subject: r9995: Add file describing the REGF file format in IDL. (used in reg_backend_nt4.c rewrite) (This used to be commit 5e1a16eda28d432b94dc933b44da3ca556f92fdf) --- source4/lib/registry/regf.idl | 154 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 154 insertions(+) create mode 100644 source4/lib/registry/regf.idl (limited to 'source4/lib/registry') diff --git a/source4/lib/registry/regf.idl b/source4/lib/registry/regf.idl new file mode 100644 index 0000000000..8bef15c79e --- /dev/null +++ b/source4/lib/registry/regf.idl @@ -0,0 +1,154 @@ +/* + Definitions for the REGF registry file format as used by + Windows NT4 and above. + + Written by Jelmer Vernooij, 2005 + + Based on two files from Samba 3: + regedit.c by Richard Sharpe + regfio.c by Jerry Carter + + Thanks to Wilco Baan Hofman for some of the info on li and ri fields. +*/ + +interface regf +{ + typedef struct { + uint32 major; + uint32 minor; + uint32 release; + uint32 build; + } regf_version; + + /* 1.3.0.1 for WinNT 4 + * 1.5.0.1 for WinXP + */ + + + /* + "regf" is obviously the abbreviation for "Registry file". "regf" is the + signature of the header-block which is always 4kb in size, although only + the first 64 bytes seem to be used and a checksum is calculated over + the first 0x200 bytes only! + */ + + typedef [public] struct { + [charset(DOS)] uint8 REGF_ID[4]; /* 'regf' */ + uint32 update_counter1; + uint32 update_counter2; + NTTIME modtime; + regf_version version; + uint32 data_offset; + uint32 last_block; + [value(1)] uint32 uk7; /* 1 */ + [charset(UTF16)] uint16 description[0x40]; + uint32 padding[83]; /* Padding */ + /* Checksum of first 0x200 bytes XOR-ed */ + uint32 chksum; + } regf_hdr; + + /* + hbin probably means hive-bin (what bin stands for I don't know) + This block is always a multiple + of 4kb in size. + */ + typedef [public] struct { + [charset(DOS)] uint8 HBIN_ID[4]; /* hbin */ + uint32 off_from_first; /* Offset from 1st hbin-Block */ + uint32 off_to_next; /* Offset to the next hbin-Block */ + uint32 unknown[2]; + NTTIME last_change; + uint32 block_size; /* Block size */ + uint8 data[block_size]; /* Filled with hbin_data blocks */ + } hbin_block; + + typedef struct { + uint32 length; + [charset(DOS)] uint8 header[2]; /* li, lh, ri, nk, vk, sk, lf or \0\0 */ + uint8 data[length-2]; + } hbin_data; + + typedef enum { + REG_ROOT_KEY = 0x20, + REG_SUB_KEY = 0x2C, + REG_SYM_LINK = 0x10 + } reg_key_type; + + /* + The nk-record can be treated as a combination of tree-record and + key-record of the win 95 registry. + */ + typedef struct { + reg_key_type type; + NTTIME last_change; + uint32 uk1; + uint32 parent_offset; + uint32 num_subkeys; + uint32 uk2; + uint32 subkeys_offset; + uint32 uk3; + uint32 num_values; + uint32 values_offset; + uint32 sk_offset; + uint32 clsnam_offset; + uint32 unk4[5]; + uint16 name_length; + uint16 clsname_length; + [charset(DOS)] uint8 key_name[name_length]; + } nk_block; + + /* sk (? Security Key ?) is the ACL of the registry. */ + typedef struct { + uint16 uk1; + uint32 prev_offset; + uint32 next_offset; + uint32 ref_cnt; + uint32 rec_size; + uint8 sec_desc[rec_size]; + } sk_block; + + typedef struct { + uint32 offset_nk; + uint32 base37; /* base37 of key name */ + } lh_hash; + + typedef struct { + uint16 key_count; + lh_hash hashes[key_count]; + } lh_block; + + typedef struct { + uint16 key_count; + uint32 offset_nk[key_count]; + } li_block; + + typedef struct { + uint16 key_count; + uint32 offset[key_count]; /* li/lh offset */ + } ri_block; + + /* The vk-record consists information to a single value (value key). */ + typedef struct { + uint16 name_length; + uint32 data_length; /* If top-bit set, offset contains the data */ + uint32 data_offset; + uint32 data_type; + uint16 flag; /* =1, has name, else no name (=Default). */ + uint16 unk1; + [charset(DOS)] uint8 data_name[name_length]; + } vk_block; + + typedef struct { + uint32 nk_off; + uint8 hash[4]; + } hash_record; + + /* + The lf-record is the counterpart to the RGKN-record (the + hash-function) + */ + typedef struct { + uint16 key_count; + hash_record hr[key_count]; /* Array of hash records, depending on key_count */ + } lf_block; +} -- cgit