Digging in : Internal structures of the Windows Registryhttp://blogs.technet.com/ganand/archive/tags/Internal+structures+of+the+Windows+Registry/default.aspxTags: Internal structures of the Windows Registryen-USCommunityServer 2.1 SP1 (Build: 61025.2)Internal structures of the Windows Registryhttp://blogs.technet.com/ganand/archive/2008/01/05/internal-structures-of-the-windows-registry.aspxSat, 05 Jan 2008 20:24:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:2713339ganand6http://blogs.technet.com/ganand/comments/2713339.aspxhttp://blogs.technet.com/ganand/commentrss.aspx?PostID=2713339<P>One of the best public document which talks about Registry internals is by Mark Russinovich and I will recommend same before you go ahead with this article. </P> <P><A href="http://www.microsoft.com/technet/archive/winntas/tips/winntmag/inreg.mspx?mfr=true">http://www.microsoft.com/technet/archive/winntas/tips/winntmag/inreg.mspx?mfr=true</A></P> <P>Make sure before proceeding ahead you go through Mark's Article.</P> <P>Ok..so now as you have read that article..you know how registry is broken into blocks,&nbsp;bins, cells&nbsp;and stored in memory or disk. </P> <P><IMG title="Cell directory and tables for regisrty" style="WIDTH: 524px; HEIGHT: 274px" height=229 alt="Cell directory and tables for regisrty" src="http://www.microsoft.com/library/media/1033/technet/images/archive/winntas/tips/winntmag/inreg02_big.gif" width=461 align=middle mce_src="http://www.microsoft.com/library/media/1033/technet/images/archive/winntas/tips/winntmag/inreg02_big.gif"></P> <P mce_keep="true">&nbsp;</P> <P>Now lets see the same via Live debugger and see the same structures.....</P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>0: kd&gt; !reg hivelist<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face=Calibri size=3>&nbsp;</FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>-------------------------------------------------------------------------------------------------------------<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>| HiveAddr |Stable Length|Stable Map|Volatile Length|Volatile Map|MappedViews|PinnedViews|U(Cnt<SPAN style="BACKGROUND: red; mso-highlight: red">)| BaseBlock | FileName</SPAN><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>-------------------------------------------------------------------------------------------------------------<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>| e1008950 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1000&nbsp; | e10089b0 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1000&nbsp;&nbsp;&nbsp; |&nbsp; e1008aec&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; 0| e1014000&nbsp; | &lt;NONAME&gt;<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri><SPAN style="BACKGROUND: lime; mso-highlight: lime">| e1019458 |&nbsp;&nbsp;&nbsp;&nbsp; 364000&nbsp; | e1021000 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 24000&nbsp;&nbsp;&nbsp; |&nbsp; e10195f4&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 166&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; 0</SPAN><SPAN style="BACKGROUND: red; mso-highlight: red">| e101e000&nbsp; | SYSTEM</SPAN><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>| e1392008 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; b000&nbsp; | e1392068 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4000&nbsp;&nbsp;&nbsp; |&nbsp; e13921a4&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; 0| e1393000&nbsp; | &lt;NONAME&gt;<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>| e2081a80 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; f000&nbsp; | e2081ae0 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1000&nbsp;&nbsp;&nbsp; |&nbsp; e2081c1c&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; 0| e2063000&nbsp; | emRoot\System32\Config\SECURITY<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>| e1626a80 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3b000&nbsp; | e1626ae0 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1000&nbsp;&nbsp;&nbsp; |&nbsp; e1626c1c&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 15&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; 0| e205b000&nbsp; | temRoot\System32\Config\DEFAULT<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>| e1484008 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8000&nbsp; | e1484068 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp; |&nbsp; 00000000&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; 0| e1669000&nbsp; | \SystemRoot\System32\Config\SAM<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>| e162fa80 |&nbsp;&nbsp;&nbsp; 1d9a000&nbsp; | e1666000 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1d000&nbsp;&nbsp;&nbsp; |&nbsp; e162fc1c&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 255&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; 0| e1ff9000&nbsp; | emRoot\System32\Config\SOFTWARE<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>| e24cc830 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 35000&nbsp; | e24cc890 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1000&nbsp;&nbsp;&nbsp; |&nbsp; e24cc9cc&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 14&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; 0| e251d000&nbsp; | tings\NetworkService\ntuser.dat<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>| e24c81a8 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1000&nbsp; | e24c8208 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp; |&nbsp; 00000000&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; 0| e2523000&nbsp; | \Microsoft\Windows\UsrClass.dat<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>| e253d798 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 35000&nbsp; | e253d7f8 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1000&nbsp;&nbsp;&nbsp; |&nbsp; e253d934&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 14&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; 0| e254c000&nbsp; | ettings\LocalService\ntuser.dat<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>| e2551008 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1000&nbsp; | e2551068 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp; |&nbsp; 00000000&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; 0| e2552000&nbsp; | \Microsoft\Windows\UsrClass.dat<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>| e24fd0c0 |&nbsp;&nbsp;&nbsp;&nbsp; 2cb000&nbsp; | e2ff8000 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2000&nbsp;&nbsp;&nbsp; |&nbsp; e24fd25c&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 159&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; 0| e24f9000&nbsp; |&nbsp; and Settings\ganand\ntuser.dat<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>| e302e008 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 9000&nbsp; | e302e068 |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp; |&nbsp; 00000000&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; 0| e309d000&nbsp; | \Microsoft\Windows\UsrClass.dat<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>-------------------------------------------------------------------------------------------------------------<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face=Calibri size=3></FONT></o:p></P>I dumped out the hive lists on my machine..as registry is maintained as hives and not what we see when we open regedit..thats only visual registry. we see the address of the system hive right now loaded in kernel mode as you can figure out from address. <P class=MsoNormal style="MARGIN: 0in 0in 0pt" mce_keep="true">&nbsp;</P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt">Now we dumped the system hive </P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>0: kd&gt; dt nt!hhive e1019458<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>nt!HHIVE<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x000 Signature&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0xbee0bee0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x004 GetCellRoutine&nbsp;&nbsp; : 0x8092d3ef&nbsp;&nbsp;&nbsp;&nbsp; nt!HvpGetCellMapped+0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x008 ReleaseCellRoutine : 0x8093db9d&nbsp;&nbsp;&nbsp;&nbsp; nt!HvpReleaseCellMapped+0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x00c Allocate&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0x8091f642&nbsp;&nbsp;&nbsp;&nbsp; nt!CmpAllocate+0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x010 Free&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0x8091f68d&nbsp;&nbsp;&nbsp;&nbsp; nt!CmpFree+0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x014 FileSetSize&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0x8091e608&nbsp;&nbsp;&nbsp;&nbsp; nt!CmpFileSetSize+0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x018 FileWrite&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0x8092798f&nbsp;&nbsp;&nbsp;&nbsp; nt!CmpFileWrite+0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x01c FileRead&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0x808f6320&nbsp;&nbsp;&nbsp;&nbsp; nt!CmpFileRead+0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x020 FileFlush&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0x80927615&nbsp;&nbsp;&nbsp;&nbsp; nt!CmpFileFlush+0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x024 BaseBlock&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0xe101e000 _HBASE_BLOCK<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x028 DirtyVector&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;: _RTL_BITMAP<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x030 DirtyCount&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x034 DirtyAlloc&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0x364<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x038 BaseBlockAlloc&nbsp;&nbsp; : 0x1000<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x03c Cluster&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x040 Flat&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0 ''<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x041 ReadOnly&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0 ''<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x042 Log&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0x1 ''<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x043 DirtyFlag&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0x1 ''<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x044 HiveFlags&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x048 LogSize&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0x400<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x04c RefreshCount&nbsp;&nbsp;&nbsp;&nbsp; : 0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x050 StorageTypeCount : 2<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x054 Version&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 5<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x058 Storage&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : [2] _DUAL<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>0: kd&gt; dt nt!cmhive e1019458<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>nt!CMHIVE<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x000 Hive&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : _HHIVE<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x2d0 FileHandles&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : [3] 0x8000031c<SPAN style="COLOR: #1f497d; mso-themecolor: dark2">--------------------------------------handles to the hive</SPAN><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x2dc NotifyList&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : _LIST_ENTRY [ 0xe139b678 - 0x0 ]<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x2e4 HiveList&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : _LIST_ENTRY [ 0xe13922ec - 0xe1008c34 ]<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x2ec HiveLock&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : _EX_PUSH_LOCK<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x2f0 ViewLock&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0x89b8f1a8 _KGUARDED_MUTEX<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x2f4 WriterLock&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : _EX_PUSH_LOCK<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x2f8 FlusherLock&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : _EX_PUSH_LOCK<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x2fc SecurityLock&nbsp;&nbsp;&nbsp;&nbsp; : _EX_PUSH_LOCK<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x300 LRUViewListHead&nbsp; : _LIST_ENTRY [ 0xe34b4598 - 0xe359d690 ]<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x308 PinViewListHead&nbsp; : _LIST_ENTRY [ 0xe1019760 - 0xe1019760 ]<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x310 FileObject&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0x89835df8 _FILE_OBJECT<SPAN style="COLOR: #1f497d; mso-themecolor: dark2">--------------------address of the file object</SPAN><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x314 FileFullPath&nbsp;&nbsp;&nbsp;&nbsp; : _UNICODE_STRING "\Device\HarddiskVolume1\WINNT\system32\config\system"<SPAN style="COLOR: #1f497d; mso-themecolor: dark2">------------------path on disk</SPAN><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x31c FileUserName&nbsp;&nbsp;&nbsp;&nbsp; : _UNICODE_STRING ""<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x324 MappedViews&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0xa6<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x326 PinnedViews&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x328 UseCount&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x32c SecurityCount&nbsp;&nbsp;&nbsp; : 0x5b<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x330 SecurityCacheSize : 0x60<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x334 SecurityHitHint&nbsp; : 13<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x338 SecurityCache&nbsp;&nbsp;&nbsp; : 0xe1391d00 _CM_KEY_SECURITY_CACHE_ENTRY<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x33c SecurityHash&nbsp;&nbsp;&nbsp;&nbsp; : [64] _LIST_ENTRY [ 0xe1020138 - 0xe1020138 ]<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x53c UnloadEvent&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : (null)<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x540 RootKcb&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : (null)<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x544 Frozen&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0 ''<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x548 UnloadWorkItem&nbsp;&nbsp; : (null)<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x54c GrowOnlyMode&nbsp;&nbsp;&nbsp;&nbsp; : 0 ''<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x550 GrowOffset&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x554 KcbConvertListHead : _LIST_ENTRY [ 0xe10199ac - 0xe10199ac ]<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x55c KnodeConvertListHead : _LIST_ENTRY [ 0xe10199b4 - 0xe10199b4 ]<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x564 CellRemapArray&nbsp;&nbsp; : (null)<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x568 Flags&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x56c TrustClassEntry&nbsp; : _LIST_ENTRY [ 0xe10199c4 - 0xe10199c4 ]<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x574 FlushCount&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0x5a1<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x578 CreatorOwner&nbsp;&nbsp;&nbsp;&nbsp; : (null)<o:p></o:p></FONT></FONT></P> <P>Now lets go to the storage...</P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>0: kd&gt; dt nt!hhive e1019458 storage.<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>nt!HHIVE<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>Cannot find specified field members.<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>0: kd&gt; dt nt!hhive e1019458 Storage.<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>nt!HHIVE<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x050 StorageTypeCount : 2<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x058 Storage&nbsp; : [2]<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; +0x000 Length&nbsp;&nbsp; : 0x364000<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <SPAN style="BACKGROUND: red; mso-highlight: red">+0x004 Map&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0xe1021000 _HMAP_DIRECTORY</SPAN><SPAN style="COLOR: #1f497d; mso-themecolor: dark2">---map directory used by configuration manager..this is equivalent to PDE in terms of memory management</SPAN><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; +0x008 SmallDir : (null)<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; +0x00c Guard&nbsp;&nbsp;&nbsp; : 0xffffffff<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; +0x010 FreeDisplay : [24] _FREE_DISPLAY<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; +0x130 FreeSummary : 0x100a5f<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <SPAN style="BACKGROUND: red; mso-highlight: red">+0x134 FreeBins : _LIST_ENTRY [ 0xe10195e4 - 0xe10195e4 ]</SPAN><SPAN style="COLOR: #1f497d; mso-themecolor: dark2">---free bins for this hive</SPAN><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face=Calibri size=3>&nbsp;</FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>0: kd&gt; dt 0xe1021000 _<SPAN style="BACKGROUND: yellow; mso-highlight: yellow">HMAP_DIRECTORY</SPAN><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x000 Directory&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : [1024] 0xe1022000 _HMAP_TABLE<SPAN style="COLOR: #1f497d; mso-themecolor: dark2">---so first we went to hive directory address and from there we figured out hive table address and from there we got block offset<SPAN style="BACKGROUND: red; mso-highlight: red">. In this case cell index in configuration manager&nbsp;is equivalent to PFN in case of memory manager.</SPAN> </SPAN><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>0: kd&gt; dt&nbsp; 0xe1022000 _<SPAN style="BACKGROUND: yellow; mso-highlight: yellow">HMAP_TABLE</SPAN><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x000 Table &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: [512] _HMAP_ENTRY<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>0: kd&gt; dt 0xe1021000 _<SPAN style="BACKGROUND: yellow; mso-highlight: yellow">HMAP_ENTRY</SPAN><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; <SPAN style="BACKGROUND: lime; mso-highlight: lime">+0x000 BlockAddress&nbsp;&nbsp;&nbsp;&nbsp; : 0xe1022000<SPAN style="COLOR: #1f497d; mso-themecolor: dark2">-----------------</SPAN><o:p></o:p></SPAN></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri><SPAN style="BACKGROUND: lime; mso-highlight: lime">&nbsp;&nbsp; +0x004 BinAddress&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0xe1024000</SPAN><SPAN style="COLOR: #1f497d; mso-themecolor: dark2">---------------------------</SPAN><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x008 CmView&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : (null)<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>&nbsp;&nbsp; +0x00c MemAlloc&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN style="COLOR: #1f497d; mso-bidi-font-family: 'Times New Roman'; mso-themecolor: dark2; mso-bidi-theme-font: minor-bidi; mso-ascii-font-family: Calibri; mso-hansi-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"><FONT size=3><FONT face=Calibri>So now we have reached to the block and inside the block we have reached to the bin….from here we will go to that cell…<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN style="COLOR: #1f497d; mso-bidi-font-family: 'Times New Roman'; mso-themecolor: dark2; mso-bidi-theme-font: minor-bidi; mso-ascii-font-family: Calibri; mso-hansi-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"><FONT size=3><FONT face=Calibri>Now just to prove that we are on right track..let me achieve the same via debugger ….for that we have !reg cellindex <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN style="COLOR: #1f497d; mso-bidi-font-family: 'Times New Roman'; mso-themecolor: dark2; mso-bidi-theme-font: minor-bidi; mso-ascii-font-family: Calibri; mso-hansi-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"><o:p><FONT face=Calibri size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>0: kd&gt; !reg baseblock e1019458<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face=Calibri size=3>&nbsp;</FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>FileName :&nbsp; SYSTEM<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>Signature:&nbsp; HBASE_BLOCK_SIGNATURE<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>Sequence1:&nbsp; 1a0f<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>Sequence2:&nbsp; 1a0f<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>TimeStamp:&nbsp; 1c84fa5 ac4d292c<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>Major&nbsp;&nbsp;&nbsp; :&nbsp; 1<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>Minor&nbsp;&nbsp;&nbsp; :&nbsp; 5<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>Type&nbsp;&nbsp;&nbsp;&nbsp; :&nbsp; HFILE_TYPE_PRIMARY<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>Format&nbsp;&nbsp; :&nbsp; HBASE_FORMAT_MEMORY<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>RootCell :&nbsp; 20<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>Length&nbsp;&nbsp; :&nbsp; 364000<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>Cluster&nbsp; :&nbsp; 1<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>CheckSum :&nbsp; 346bbc65<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>0: kd&gt; !reg cellindex e1019458 20<o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face=Calibri size=3>&nbsp;</FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN style="BACKGROUND: yellow; mso-highlight: yellow"><FONT size=3><FONT face=Calibri>Map = e1021000 Type = 0 Table = 0 Block = 0 Offset = 20<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN style="BACKGROUND: yellow; mso-highlight: yellow"><FONT size=3><FONT face=Calibri>MapTable&nbsp;&nbsp;&nbsp;&nbsp; = e1022000<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face=Calibri size=3>&nbsp;</FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>pcell:&nbsp; de441024<SPAN style="COLOR: #1f497d; mso-themecolor: dark2">--------------this is the address of the cell</SPAN></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri><SPAN style="COLOR: #1f497d; mso-themecolor: dark2"></SPAN><o:p></o:p></FONT></FONT>&nbsp;</P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>==========</FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri><o:p></o:p></FONT></FONT>&nbsp;</P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt" minmax_bound="true"><SPAN class=a minmax_bound="true"><FONT color=#008000 minmax_bound="true"><SPAN lang=EN-IN style="COLOR: black; mso-ansi-language: EN-IN" minmax_bound="true"><FONT size=3 minmax_bound="true"><FONT face=Calibri minmax_bound="true">Gaurav Anand</P> <P minmax_bound="true">This posting is provided "AS IS" with no warranties, and confers no rights.</P><o:p minmax_bound="true"></o:p></FONT></FONT></SPAN></FONT></SPAN> <P class=MsoNormal style="MARGIN: 0in 0in 0pt" mce_keep="true">&nbsp;</P><img src="http://blogs.technet.com/aggbug.aspx?PostID=2713339" width="1" height="1">Internal structures of the Windows Registry