Windows NT Registry File (REGF)
REGF has the following file signature (the first four bytes of the file):
hexadecimal: 72 65 67 66 (ASCII "regf")
There are multiple types of REGF files:
- primary file (other names: normal file, data file)
- transaction log file
- external file
- backup file
Primary files, external files (created with the RegSaveKey() routine), and backup files share exactly the same format.
Transactional Registry (TxR)
Windows Vista introduced the Transactional Registry (TxR). TxR creates transaction log files with names similar to:
Where %FILE% is the name of the REGF primary (data) file, e.g. NTUSER.DAT, and %GUID% is a string representation of a GUID/UUID.
A REGF file consists of a base block followed by a set of hive bins. These hive bins contain cells that make up the hierarchy of keys and values.
The on-disk format itself contains several artifacts:
- last written timestamp of a registry key;
- access bits of a registry key (starting from Windows 8 and Windows Server 2012);
- last written timestamp of a base block in a hive (before Windows 8.1 and Windows Server 2012 R2);
- last reorganized timestamp (starting from Windows 8 and Windows Server 2012).
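As an added example (not code from the wiki page or from any registry library), the Python below parses the 512-byte REGF base block of a hive: it checks the "regf" signature, decodes the last written timestamp, distinguishes primary files from transaction log files, and reports two integrity indicators an examiner wants before trusting the hive: whether the primary and secondary sequence numbers match (unequal numbers mean the last write never completed and the transaction log must be replayed) and whether the stored XOR checksum is valid. The field offsets follow the publicly documented base block layout; the sample block is constructed inline and its values are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 512
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILE_TYPES = {0: "primary", 1: "transaction log"}  # base block "file type" field

def filetime_to_datetime(ticks):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def base_block_checksum(block):
    """XOR of the 127 little-endian uint32 words in the first 508 bytes."""
    xor = 0
    for (word,) in struct.iter_unpack("<I", block[:508]):
        xor ^= word
    # Two values are reserved: 0 is stored as 1, 0xFFFFFFFF as 0xFFFFFFFE.
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(xor, xor)

def parse_base_block(block):
    """Parse the REGF base block and report integrity indicators."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("missing 'regf' signature")
    (primary_seq, secondary_seq, last_written, major, minor, file_type,
     _file_format, root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", block, 4)
    stored = struct.unpack_from("<I", block, 508)[0]
    name = block[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "file_type": FILE_TYPES.get(file_type, "unknown"),
        "version": (major, minor),
        "last_written": filetime_to_datetime(last_written),
        "root_cell_offset": root_cell,  # relative to the hive bins data at file offset 4096
        "hive_bins_data_size": hbins_size,
        "file_name": name,
        # Unequal sequence numbers: the last write did not complete, so the
        # transaction log must be replayed before the hive contents are trusted.
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored == base_block_checksum(block),
    }

def build_sample_base_block(secondary_seq=7):
    """Construct a minimal, made-up primary-file base block for the demo."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    ticks = (datetime(2020, 1, 1, tzinfo=timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    # primary seq 7, secondary seq, last written, version 1.5, type 0 (primary),
    # format 1, root cell offset 0x20, hive bins data size 0x1000
    struct.pack_into("<IIQIIIIII", block, 4, 7, secondary_seq, ticks, 1, 5, 0, 1, 0x20, 0x1000)
    block[48:68] = "ntuser.dat".encode("utf-16-le")
    struct.pack_into("<I", block, 508, base_block_checksum(block))
    return bytes(block)
```

Calling build_sample_base_block(secondary_seq=8) yields a block whose sequence numbers disagree, which parse_base_block flags as dirty.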