Internal structures of the Windows Registry

Geek Lectures - Things geeks should know about » Blog Archive » Internal structures of the Windows Registry

Sat, 05 Jan 2008 21:28:39 GMT

PingBack from http://geeklectures.info/2008/01/05/internal-structures-of-the-windows-registry/

Entenda um pouco mais sobre a estrutura interna do Registro do Windows

Blog do Anderson Thiago (a.k.a Anderson T) — Sat, 05 Jan 2008 22:25:32 GMT

Neste artigo, Ganand fala um pouco sobre a estrutura de registro do Windows tomando como base o artigo

re: Internal structures of the Windows Registry

PeterN — Fri, 19 Sep 2008 12:30:39 GMT

Hi Gaurav ,

Great article thanks.

Do you know what the difference is between the BlockAddress and the BinAddress values. From looking at them it seems to me that the BinAddress is either 5 or 1 more than the BlockAddress and the BlockAddress seems to be the address of the hbin.

I'd be very interested if you could shed some light on this. Thanks.

re: Internal structures of the Windows Registry

kelly — Thu, 19 Mar 2009 11:53:04 GMT

Dear Gaurav:

Thanks a lot for your article.

I'm looking for some advice as to what I might be doing wrong.

0: kd> !reg hivelist

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

| e28b59b8 | 1b000 | e28b5a18 | 0 | 00000000 | 7 | 0 | 0| e28c3000 | \Microsoft\Windows\UsrClass.dat

| e28ea008 | 426000 | e28bd000 | 3000 | e28ea144 | 167 | 0 | 0| e28b0000 | ttings\Administrator\ntuser.dat

| e276fb60 | 1000 | e276fbc0 | 0 | 00000000 | 1 | 0 | 0| e27de000 | \Microsoft\Windows\UsrClass.dat

| e287eb60 | 38000 | e287ebc0 | 1000 | e287ec9c | 15 | 0 | 0| e27d3000 | ettings\LocalService\ntuser.dat

| e2318b60 | 1000 | e2318bc0 | 0 | 00000000 | 1 | 0 | 0| e2319000 | \Microsoft\Windows\UsrClass.dat

| e2310b60 | 37000 | e2310bc0 | 1000 | e2310c9c | 14 | 0 | 0| e2312000 | tings\NetworkService\ntuser.dat

| e1dd3638 | 1492000 | e1dea000 | 7000 | e1dd3774 | 256 | 6 | 0| e1dd6000 | emRoot\System32\Config\SOFTWARE

| e1dc3b60 | 3b000 | e1dc3bc0 | 0 | 00000000 | 15 | 0 | 0| e1dcb000 | temRoot\System32\Config\DEFAULT

| e1dc5008 | c000 | e1dc5068 | 1000 | e1dc5144 | 4 | 0 | 0| e1dc6000 | emRoot\System32\Config\SECURITY

| e1dc7b60 | 6000 | e1dc7bc0 | 0 | 00000000 | 2 | 0 | 0| e1dcd000 | \SystemRoot\System32\Config\SAM

| e13a9840 | e000 | e13a98a0 | 4000 | e13a997c | 0 | 0 | 0| e13ac000 | <NONAME>

| e1024758 | 365000 | e1038000 | 22000 | e1024894 | 164 | 0 | 0| e1037000 | SYSTEM

| e102f008 | 1000 | e102f068 | 1000 | e102f144 | 0 | 0 | 0| e1030000 | <NONAME>

-------------------------------------------------------------------------------------------------------------

0: kd> dt nt!hhive e1024758

Symbol nt!hhive not found.

0: kd> dt nt!cmhive e1024758

Symbol nt!cmhive not found.

Please help me. My email is snowy_1207@163.com.

Thanks a lot.

re: Internal structures of the Windows Registry

Artur Carvalho — Fri, 22 May 2009 13:16:35 GMT

you're missing the _

dt nt!_hhive

you could search for it using dt nt!*hive

in my machine i get

ntkrpamp!_CMHIVE

ntkrpamp!_HHIVE

i use a dual core processor

hope this helps

re: Internal structures of the Windows Registry

SP — Fri, 26 Jun 2009 16:05:54 GMT

I am looking to access HKEY_CLass_root from kernel.. Howz that possible...