Registry Internal Structure

Searching for information about the innards of the Registry returns a whole lot of pages talking about the hives, keys, and values. But I want to go deeper: what makes the Registry actually tick?

 

After a bit of Google-fu, I was only able to come up with a handful of pages that actually talk about the internal structures of the Registry db files. After reviewing them, it quickly became apparent that they all pointed to the same source – Tim Morgan of Virtual Security Research (VSR) (http://www.vsecurity.com/). The important documents are:

http://sentinelchicken.com/data/TheWindowsNTRegistryFileFormat.pdf

http://sentinelchicken.com/data/RecoveringDeletedDataFromTheWindowsRegistry_DFRWS.pdf

http://sentinelchicken.com/data/RecoveringDeletedDataFromTheWindowsRegistry_DFRWS-Slides.pdf

 

More to follow…