Internal structures of the Windows Registry
One of the best public document which talks about Registry internals is by Mark Russinovich and I will recommend same before you go ahead with this article.
https://www.microsoft.com/technet/archive/winntas/tips/winntmag/inreg.mspx?mfr=true
Make sure before proceeding ahead you go through Mark's Article.
Ok..so now as you have read that article..you know how registry is broken into blocks, bins, cells and stored in memory or disk.
Now lets see the same via Live debugger and see the same structures.....
0: kd> !reg hivelist
-------------------------------------------------------------------------------------------------------------
| HiveAddr |Stable Length|Stable Map|Volatile Length|Volatile Map|MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName
-------------------------------------------------------------------------------------------------------------
| e1008950 | 1000 | e10089b0 | 1000 | e1008aec | 0 | 0 | 0| e1014000 | <NONAME>
| e1019458 | 364000 | e1021000 | 24000 | e10195f4 | 166 | 0 | 0| e101e000 | SYSTEM
| e1392008 | b000 | e1392068 | 4000 | e13921a4 | 0 | 0 | 0| e1393000 | <NONAME>
| e2081a80 | f000 | e2081ae0 | 1000 | e2081c1c | 4 | 0 | 0| e2063000 | emRoot\System32\Config\SECURITY
| e1626a80 | 3b000 | e1626ae0 | 1000 | e1626c1c | 15 | 0 | 0| e205b000 | temRoot\System32\Config\DEFAULT
| e1484008 | 8000 | e1484068 | 0 | 00000000 | 3 | 0 | 0| e1669000 | \SystemRoot\System32\Config\SAM
| e162fa80 | 1d9a000 | e1666000 | 1d000 | e162fc1c | 255 | 0 | 0| e1ff9000 | emRoot\System32\Config\SOFTWARE
| e24cc830 | 35000 | e24cc890 | 1000 | e24cc9cc | 14 | 0 | 0| e251d000 | tings\NetworkService\ntuser.dat
| e24c81a8 | 1000 | e24c8208 | 0 | 00000000 | 1 | 0 | 0| e2523000 | \Microsoft\Windows\UsrClass.dat
| e253d798 | 35000 | e253d7f8 | 1000 | e253d934 | 14 | 0 | 0| e254c000 | ettings\LocalService\ntuser.dat
| e2551008 | 1000 | e2551068 | 0 | 00000000 | 1 | 0 | 0| e2552000 | \Microsoft\Windows\UsrClass.dat
| e24fd0c0 | 2cb000 | e2ff8000 | 2000 | e24fd25c | 159 | 0 | 0| e24f9000 | and Settings\ganand\ntuser.dat
| e302e008 | 9000 | e302e068 | 0 | 00000000 | 3 | 0 | 0| e309d000 | \Microsoft\Windows\UsrClass.dat
-------------------------------------------------------------------------------------------------------------
I dumped out the hive lists on my machine..as registry is maintained as hives and not what we see when we open regedit..thats only visual registry. we see the address of the system hive right now loaded in kernel mode as you can figure out from address.
Now we dumped the system hive
0: kd> dt nt!hhive e1019458
nt!HHIVE
+0x000 Signature : 0xbee0bee0
+0x004 GetCellRoutine : 0x8092d3ef nt!HvpGetCellMapped+0
+0x008 ReleaseCellRoutine : 0x8093db9d nt!HvpReleaseCellMapped+0
+0x00c Allocate : 0x8091f642 nt!CmpAllocate+0
+0x010 Free : 0x8091f68d nt!CmpFree+0
+0x014 FileSetSize : 0x8091e608 nt!CmpFileSetSize+0
+0x018 FileWrite : 0x8092798f nt!CmpFileWrite+0
+0x01c FileRead : 0x808f6320 nt!CmpFileRead+0
+0x020 FileFlush : 0x80927615 nt!CmpFileFlush+0
+0x024 BaseBlock : 0xe101e000 _HBASE_BLOCK
+0x028 DirtyVector : _RTL_BITMAP
+0x030 DirtyCount : 0
+0x034 DirtyAlloc : 0x364
+0x038 BaseBlockAlloc : 0x1000
+0x03c Cluster : 1
+0x040 Flat : 0 ''
+0x041 ReadOnly : 0 ''
+0x042 Log : 0x1 ''
+0x043 DirtyFlag : 0x1 ''
+0x044 HiveFlags : 0
+0x048 LogSize : 0x400
+0x04c RefreshCount : 0
+0x050 StorageTypeCount : 2
+0x054 Version : 5
+0x058 Storage : [2] _DUAL
0: kd> dt nt!cmhive e1019458
nt!CMHIVE
+0x000 Hive : _HHIVE
+0x2d0 FileHandles : [3] 0x8000031c--------------------------------------handles to the hive
+0x2dc NotifyList : _LIST_ENTRY [ 0xe139b678 - 0x0 ]
+0x2e4 HiveList : _LIST_ENTRY [ 0xe13922ec - 0xe1008c34 ]
+0x2ec HiveLock : _EX_PUSH_LOCK
+0x2f0 ViewLock : 0x89b8f1a8 _KGUARDED_MUTEX
+0x2f4 WriterLock : _EX_PUSH_LOCK
+0x2f8 FlusherLock : _EX_PUSH_LOCK
+0x2fc SecurityLock : _EX_PUSH_LOCK
+0x300 LRUViewListHead : _LIST_ENTRY [ 0xe34b4598 - 0xe359d690 ]
+0x308 PinViewListHead : _LIST_ENTRY [ 0xe1019760 - 0xe1019760 ]
+0x310 FileObject : 0x89835df8 _FILE_OBJECT--------------------address of the file object
+0x314 FileFullPath : _UNICODE_STRING "\Device\HarddiskVolume1\WINNT\system32\config\system"------------------path on disk
+0x31c FileUserName : _UNICODE_STRING ""
+0x324 MappedViews : 0xa6
+0x326 PinnedViews : 0
+0x328 UseCount : 0
+0x32c SecurityCount : 0x5b
+0x330 SecurityCacheSize : 0x60
+0x334 SecurityHitHint : 13
+0x338 SecurityCache : 0xe1391d00 _CM_KEY_SECURITY_CACHE_ENTRY
+0x33c SecurityHash : [64] _LIST_ENTRY [ 0xe1020138 - 0xe1020138 ]
+0x53c UnloadEvent : (null)
+0x540 RootKcb : (null)
+0x544 Frozen : 0 ''
+0x548 UnloadWorkItem : (null)
+0x54c GrowOnlyMode : 0 ''
+0x550 GrowOffset : 0
+0x554 KcbConvertListHead : _LIST_ENTRY [ 0xe10199ac - 0xe10199ac ]
+0x55c KnodeConvertListHead : _LIST_ENTRY [ 0xe10199b4 - 0xe10199b4 ]
+0x564 CellRemapArray : (null)
+0x568 Flags : 0
+0x56c TrustClassEntry : _LIST_ENTRY [ 0xe10199c4 - 0xe10199c4 ]
+0x574 FlushCount : 0x5a1
+0x578 CreatorOwner : (null)
Now lets go to the storage...
0: kd> dt nt!hhive e1019458 storage.
nt!HHIVE
Cannot find specified field members.
0: kd> dt nt!hhive e1019458 Storage.
nt!HHIVE
+0x050 StorageTypeCount : 2
+0x058 Storage : [2]
+0x000 Length : 0x364000
+0x004 Map : 0xe1021000 _HMAP_DIRECTORY---map directory used by configuration manager..this is equivalent to PDE in terms of memory management
+0x008 SmallDir : (null)
+0x00c Guard : 0xffffffff
+0x010 FreeDisplay : [24] _FREE_DISPLAY
+0x130 FreeSummary : 0x100a5f
+0x134 FreeBins : _LIST_ENTRY [ 0xe10195e4 - 0xe10195e4 ]---free bins for this hive
0: kd> dt 0xe1021000 _HMAP_DIRECTORY
+0x000 Directory : [1024] 0xe1022000 _HMAP_TABLE---so first we went to hive directory address and from there we figured out hive table address and from there we got block offset. In this case cell index in configuration manager is equivalent to PFN in case of memory manager.
0: kd> dt 0xe1022000 _HMAP_TABLE
+0x000 Table : [512] _HMAP_ENTRY
0: kd> dt 0xe1021000 _HMAP_ENTRY
+0x000 BlockAddress : 0xe1022000-----------------
+0x004 BinAddress : 0xe1024000---------------------------
+0x008 CmView : (null)
+0x00c MemAlloc : 0
So now we have reached to the block and inside the block we have reached to the bin….from here we will go to that cell…
Now just to prove that we are on right track..let me achieve the same via debugger ….for that we have !reg cellindex
0: kd> !reg baseblock e1019458
FileName : SYSTEM
Signature: HBASE_BLOCK_SIGNATURE
Sequence1: 1a0f
Sequence2: 1a0f
TimeStamp: 1c84fa5 ac4d292c
Major : 1
Minor : 5
Type : HFILE_TYPE_PRIMARY
Format : HBASE_FORMAT_MEMORY
RootCell : 20
Length : 364000
Cluster : 1
CheckSum : 346bbc65
0: kd> !reg cellindex e1019458 20
Map = e1021000 Type = 0 Table = 0 Block = 0 Offset = 20
MapTable = e1022000
pcell: de441024--------------this is the address of the cell
==========
Gaurav Anand
This posting is provided "AS IS" with no warranties, and confers no rights.
Comments
Anonymous
January 01, 2003
Neste artigo, Ganand fala um pouco sobre a estrutura de registro do Windows tomando como base o artigoAnonymous
January 01, 2003
PingBack from http://geeklectures.info/2008/01/05/internal-structures-of-the-windows-registry/Anonymous
September 19, 2008
Hi Gaurav , Great article thanks. Do you know what the difference is between the BlockAddress and the BinAddress values. From looking at them it seems to me that the BinAddress is either 5 or 1 more than the BlockAddress and the BlockAddress seems to be the address of the hbin. I'd be very interested if you could shed some light on this. Thanks.Anonymous
March 19, 2009
Dear Gaurav: Thanks a lot for your article. I'm looking for some advice as to what I might be doing wrong. 0: kd> !reg hivelist
| HiveAddr |Stable Length|Stable Map|Volatile Length|Volatile Map|MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName
| e28b59b8 | 1b000 | e28b5a18 | 0 | 00000000 | 7 | 0 | 0| e28c3000 | MicrosoftWindowsUsrClass.dat | e28ea008 | 426000 | e28bd000 | 3000 | e28ea144 | 167 | 0 | 0| e28b0000 | ttingsAdministratorntuser.dat | e276fb60 | 1000 | e276fbc0 | 0 | 00000000 | 1 | 0 | 0| e27de000 | MicrosoftWindowsUsrClass.dat | e287eb60 | 38000 | e287ebc0 | 1000 | e287ec9c | 15 | 0 | 0| e27d3000 | ettingsLocalServicentuser.dat | e2318b60 | 1000 | e2318bc0 | 0 | 00000000 | 1 | 0 | 0| e2319000 | MicrosoftWindowsUsrClass.dat | e2310b60 | 37000 | e2310bc0 | 1000 | e2310c9c | 14 | 0 | 0| e2312000 | tingsNetworkServicentuser.dat | e1dd3638 | 1492000 | e1dea000 | 7000 | e1dd3774 | 256 | 6 | 0| e1dd6000 | emRootSystem32ConfigSOFTWARE | e1dc3b60 | 3b000 | e1dc3bc0 | 0 | 00000000 | 15 | 0 | 0| e1dcb000 | temRootSystem32ConfigDEFAULT | e1dc5008 | c000 | e1dc5068 | 1000 | e1dc5144 | 4 | 0 | 0| e1dc6000 | emRootSystem32ConfigSECURITY | e1dc7b60 | 6000 | e1dc7bc0 | 0 | 00000000 | 2 | 0 | 0| e1dcd000 | SystemRootSystem32ConfigSAM | e13a9840 | e000 | e13a98a0 | 4000 | e13a997c | 0 | 0 | 0| e13ac000 | <NONAME> | e1024758 | 365000 | e1038000 | 22000 | e1024894 | 164 | 0 | 0| e1037000 | SYSTEM | e102f008 | 1000 | e102f068 | 1000 | e102f144 | 0 | 0 | 0| e1030000 | <NONAME>
0: kd> dt nt!hhive e1024758 Symbol nt!hhive not found. 0: kd> dt nt!cmhive e1024758 Symbol nt!cmhive not found. Please help me. My email is snowy_1207@163.com. Thanks a lot.
Anonymous
May 22, 2009
you're missing the _ dt nt!_hhive you could search for it using dt nt!*hive in my machine i get ntkrpamp!_CMHIVE ntkrpamp!_HHIVE i use a dual core processor hope this helpsAnonymous
June 26, 2009
I am looking to access HKEY_CLass_root from kernel.. Howz that possible...