Internal structures of the Windows Registry

  • Article

One of the best public document which talks about Registry internals is by Mark Russinovich and I will recommend same before you go ahead with this article.

https://www.microsoft.com/technet/archive/winntas/tips/winntmag/inreg.mspx?mfr=true

Make sure before proceeding ahead you go through Mark's Article.

Ok..so now as you have read that article..you know how registry is broken into blocks, bins, cells and stored in memory or disk.

Cell directory and tables for regisrty

 

Now lets see the same via Live debugger and see the same structures.....

0: kd> !reg hivelist

 

-------------------------------------------------------------------------------------------------------------

| HiveAddr |Stable Length|Stable Map|Volatile Length|Volatile Map|MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName

-------------------------------------------------------------------------------------------------------------

| e1008950 | 1000 | e10089b0 | 1000 | e1008aec | 0 | 0 | 0| e1014000 | <NONAME>

| e1019458 | 364000 | e1021000 | 24000 | e10195f4 | 166 | 0 | 0| e101e000 | SYSTEM

| e1392008 | b000 | e1392068 | 4000 | e13921a4 | 0 | 0 | 0| e1393000 | <NONAME>

| e2081a80 | f000 | e2081ae0 | 1000 | e2081c1c | 4 | 0 | 0| e2063000 | emRoot\System32\Config\SECURITY

| e1626a80 | 3b000 | e1626ae0 | 1000 | e1626c1c | 15 | 0 | 0| e205b000 | temRoot\System32\Config\DEFAULT

| e1484008 | 8000 | e1484068 | 0 | 00000000 | 3 | 0 | 0| e1669000 | \SystemRoot\System32\Config\SAM

| e162fa80 | 1d9a000 | e1666000 | 1d000 | e162fc1c | 255 | 0 | 0| e1ff9000 | emRoot\System32\Config\SOFTWARE

| e24cc830 | 35000 | e24cc890 | 1000 | e24cc9cc | 14 | 0 | 0| e251d000 | tings\NetworkService\ntuser.dat

| e24c81a8 | 1000 | e24c8208 | 0 | 00000000 | 1 | 0 | 0| e2523000 | \Microsoft\Windows\UsrClass.dat

| e253d798 | 35000 | e253d7f8 | 1000 | e253d934 | 14 | 0 | 0| e254c000 | ettings\LocalService\ntuser.dat

| e2551008 | 1000 | e2551068 | 0 | 00000000 | 1 | 0 | 0| e2552000 | \Microsoft\Windows\UsrClass.dat

| e24fd0c0 | 2cb000 | e2ff8000 | 2000 | e24fd25c | 159 | 0 | 0| e24f9000 | and Settings\ganand\ntuser.dat

| e302e008 | 9000 | e302e068 | 0 | 00000000 | 3 | 0 | 0| e309d000 | \Microsoft\Windows\UsrClass.dat

-------------------------------------------------------------------------------------------------------------

I dumped out the hive lists on my machine..as registry is maintained as hives and not what we see when we open regedit..thats only visual registry. we see the address of the system hive right now loaded in kernel mode as you can figure out from address.

 

Now we dumped the system hive

0: kd> dt nt!hhive e1019458

nt!HHIVE

   +0x000 Signature : 0xbee0bee0

   +0x004 GetCellRoutine : 0x8092d3ef nt!HvpGetCellMapped+0

   +0x008 ReleaseCellRoutine : 0x8093db9d nt!HvpReleaseCellMapped+0

   +0x00c Allocate : 0x8091f642 nt!CmpAllocate+0

   +0x010 Free : 0x8091f68d nt!CmpFree+0

   +0x014 FileSetSize : 0x8091e608 nt!CmpFileSetSize+0

   +0x018 FileWrite : 0x8092798f nt!CmpFileWrite+0

   +0x01c FileRead : 0x808f6320 nt!CmpFileRead+0

   +0x020 FileFlush : 0x80927615 nt!CmpFileFlush+0

   +0x024 BaseBlock : 0xe101e000 _HBASE_BLOCK

   +0x028 DirtyVector : _RTL_BITMAP

   +0x030 DirtyCount : 0

   +0x034 DirtyAlloc : 0x364

   +0x038 BaseBlockAlloc : 0x1000

   +0x03c Cluster : 1

   +0x040 Flat : 0 ''

   +0x041 ReadOnly : 0 ''

   +0x042 Log : 0x1 ''

   +0x043 DirtyFlag : 0x1 ''

   +0x044 HiveFlags : 0

   +0x048 LogSize : 0x400

   +0x04c RefreshCount : 0

   +0x050 StorageTypeCount : 2

   +0x054 Version : 5

   +0x058 Storage : [2] _DUAL

0: kd> dt nt!cmhive e1019458

nt!CMHIVE

   +0x000 Hive : _HHIVE

   +0x2d0 FileHandles : [3] 0x8000031c--------------------------------------handles to the hive

   +0x2dc NotifyList : _LIST_ENTRY [ 0xe139b678 - 0x0 ]

   +0x2e4 HiveList : _LIST_ENTRY [ 0xe13922ec - 0xe1008c34 ]

   +0x2ec HiveLock : _EX_PUSH_LOCK

   +0x2f0 ViewLock : 0x89b8f1a8 _KGUARDED_MUTEX

   +0x2f4 WriterLock : _EX_PUSH_LOCK

   +0x2f8 FlusherLock : _EX_PUSH_LOCK

   +0x2fc SecurityLock : _EX_PUSH_LOCK

   +0x300 LRUViewListHead : _LIST_ENTRY [ 0xe34b4598 - 0xe359d690 ]

   +0x308 PinViewListHead : _LIST_ENTRY [ 0xe1019760 - 0xe1019760 ]

   +0x310 FileObject : 0x89835df8 _FILE_OBJECT--------------------address of the file object

   +0x314 FileFullPath : _UNICODE_STRING "\Device\HarddiskVolume1\WINNT\system32\config\system"------------------path on disk

   +0x31c FileUserName : _UNICODE_STRING ""

   +0x324 MappedViews : 0xa6

   +0x326 PinnedViews : 0

   +0x328 UseCount : 0

   +0x32c SecurityCount : 0x5b

   +0x330 SecurityCacheSize : 0x60

   +0x334 SecurityHitHint : 13

   +0x338 SecurityCache : 0xe1391d00 _CM_KEY_SECURITY_CACHE_ENTRY

   +0x33c SecurityHash : [64] _LIST_ENTRY [ 0xe1020138 - 0xe1020138 ]

   +0x53c UnloadEvent : (null)

   +0x540 RootKcb : (null)

   +0x544 Frozen : 0 ''

   +0x548 UnloadWorkItem : (null)

   +0x54c GrowOnlyMode : 0 ''

   +0x550 GrowOffset : 0

   +0x554 KcbConvertListHead : _LIST_ENTRY [ 0xe10199ac - 0xe10199ac ]

   +0x55c KnodeConvertListHead : _LIST_ENTRY [ 0xe10199b4 - 0xe10199b4 ]

   +0x564 CellRemapArray : (null)

   +0x568 Flags : 0

   +0x56c TrustClassEntry : _LIST_ENTRY [ 0xe10199c4 - 0xe10199c4 ]

   +0x574 FlushCount : 0x5a1

   +0x578 CreatorOwner : (null)

Now lets go to the storage...

0: kd> dt nt!hhive e1019458 storage.

nt!HHIVE

Cannot find specified field members.

0: kd> dt nt!hhive e1019458 Storage.

nt!HHIVE

   +0x050 StorageTypeCount : 2

   +0x058 Storage : [2]

      +0x000 Length : 0x364000

      +0x004 Map : 0xe1021000 _HMAP_DIRECTORY---map directory used by configuration manager..this is equivalent to PDE in terms of memory management

      +0x008 SmallDir : (null)

      +0x00c Guard : 0xffffffff

      +0x010 FreeDisplay : [24] _FREE_DISPLAY

      +0x130 FreeSummary : 0x100a5f

      +0x134 FreeBins : _LIST_ENTRY [ 0xe10195e4 - 0xe10195e4 ]---free bins for this hive

 

0: kd> dt 0xe1021000 _HMAP_DIRECTORY

   +0x000 Directory : [1024] 0xe1022000 _HMAP_TABLE---so first we went to hive directory address and from there we figured out hive table address and from there we got block offset. In this case cell index in configuration manager is equivalent to PFN in case of memory manager.

0: kd> dt 0xe1022000 _HMAP_TABLE

   +0x000 Table : [512] _HMAP_ENTRY

0: kd> dt 0xe1021000 _HMAP_ENTRY

   +0x000 BlockAddress : 0xe1022000-----------------

   +0x004 BinAddress : 0xe1024000---------------------------

   +0x008 CmView : (null)

   +0x00c MemAlloc : 0

So now we have reached to the block and inside the block we have reached to the bin….from here we will go to that cell…

Now just to prove that we are on right track..let me achieve the same via debugger ….for that we have !reg cellindex

0: kd> !reg baseblock e1019458

 

FileName : SYSTEM

Signature: HBASE_BLOCK_SIGNATURE

Sequence1: 1a0f

Sequence2: 1a0f

TimeStamp: 1c84fa5 ac4d292c

Major : 1

Minor : 5

Type : HFILE_TYPE_PRIMARY

Format : HBASE_FORMAT_MEMORY

RootCell : 20

Length : 364000

Cluster : 1

CheckSum : 346bbc65

0: kd> !reg cellindex e1019458 20

 

Map = e1021000 Type = 0 Table = 0 Block = 0 Offset = 20

MapTable = e1022000

 

pcell: de441024--------------this is the address of the cell

 

==========

 

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.