Thursday, October 22, 2015

Registry Policy (.POL) Format

Microsoft published the format of the registry policy (Local Group Policy or backed-up Group Policy) files, but their document is not at all specific about the byte-level arrangement of the information. I did some tinkering with the .POL files and figured out everything I need to know.

A .POL file starts with the four-byte integer 0x67655250, which is the string "PReg". The file's version follows as a four-byte little-endian integer. The main body of the file consists of records for registry values to update. All text in the body appears to be UTF-16LE, so when it's storing only ASCII, there's a null byte after each character.

At the beginning of a record, there is an open bracket "[" (yes, the punctuation in the MSDN document is literal) and a null byte after it. The path to the key (folder as seen in Registry Editor) follows, also as UTF-16LE, and is terminated by a null character (two null bytes after the last real character). A literal semicolon character follows (with its own null byte, like all text in the body), and then the name of the value (name of the entry as seen in Registry Editor). Some values are special, and I don't understand them fully; see the Microsoft document.

After another semicolon character, the data type appears as a four-byte little-endian integer. Common values are 1 (string), 2 (expand string), 4 (four-byte little-endian integer), and 11 (QWORD, LE). The full list appears at line 4884 in this copy of WinNT.h.

The next semicolon-delimited field is the size of the data, again a four-byte little-endian integer. It is always present, even for types whose data are a constant size. Finally, after another semicolon character, the data appears. Numeric types are represented in binary; string types are always UTF-16LE and null-terminated (the terminator is included in the size). The record is finished off with a "]" character (plus its null byte). No null appears between the ending bracket of one record and the opening bracket of the next.
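To pin the byte layout down, here is a small parser and builder for the format as described above. This is an added example, not code from the original post or from Microsoft; the policy key, value names and values in the sample are constructed placeholders (not real Windows policy settings), and the `REG_*` numeric codes are the WinNT.h values the post cites. The parser validates every delimiter and bounds-checks the size field, since that field comes from the file and a truncated or hand-edited .POL should fail loudly rather than yield a partial record.

```python
import struct
from dataclasses import dataclass

# Value types from WinNT.h (numeric codes as given in the post).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11

MAGIC = b"PReg"  # reads as little-endian 0x67655250
SEMI, OPEN, CLOSE = (c.encode("utf-16-le") for c in ";[]")  # each is the char plus a null byte


def u16(s: str) -> bytes:
    """UTF-16LE text with the two-byte terminator the format uses for strings."""
    return s.encode("utf-16-le") + b"\x00\x00"


@dataclass
class PolRecord:
    key: str
    name: str
    reg_type: int
    data: bytes

    def decoded(self):
        """Interpret the raw data bytes according to the record's type."""
        if self.reg_type in (REG_SZ, REG_EXPAND_SZ):
            return self.data.decode("utf-16-le").rstrip("\x00")
        if self.reg_type == REG_MULTI_SZ:
            return [s for s in self.data.decode("utf-16-le").split("\x00") if s]
        if self.reg_type == REG_DWORD:
            return struct.unpack("<I", self.data)[0]
        if self.reg_type == REG_QWORD:
            return struct.unpack("<Q", self.data)[0]
        return self.data  # REG_BINARY and anything unknown: raw bytes


def build_pol(records, version: int = 1) -> bytes:
    """Serialize (key, name, type, data_bytes) tuples into a .POL image."""
    out = bytearray(MAGIC + struct.pack("<I", version))
    for key, name, reg_type, data in records:
        out += OPEN + u16(key) + SEMI + u16(name) + SEMI
        out += struct.pack("<I", reg_type) + SEMI + struct.pack("<I", len(data)) + SEMI
        out += data + CLOSE
    return bytes(out)


def _expect(buf: bytes, pos: int, token: bytes) -> int:
    """Consume a fixed delimiter or raise."""
    if buf[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}, got {buf[pos:pos + len(token)]!r}")
    return pos + len(token)


def _read_sz(buf: bytes, pos: int):
    """Read a null-terminated UTF-16LE string, scanning two bytes at a time."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError(f"unterminated string at offset {pos}")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def _read_u32(buf: bytes, pos: int):
    """Read a four-byte little-endian integer with a bounds check."""
    if pos + 4 > len(buf):
        raise ValueError(f"truncated integer at offset {pos}")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4


def parse_pol(buf: bytes):
    """Parse a .POL image into (version, [PolRecord, ...]); ValueError on malformed input."""
    if buf[:4] != MAGIC:
        raise ValueError("missing PReg signature")
    version, pos = _read_u32(buf, 4)
    records = []
    while pos < len(buf):
        pos = _expect(buf, pos, OPEN)
        key, pos = _read_sz(buf, pos)
        pos = _expect(buf, pos, SEMI)
        name, pos = _read_sz(buf, pos)
        pos = _expect(buf, pos, SEMI)
        reg_type, pos = _read_u32(buf, pos)
        pos = _expect(buf, pos, SEMI)
        size, pos = _read_u32(buf, pos)
        pos = _expect(buf, pos, SEMI)
        if pos + size > len(buf):  # size is attacker/file-controlled; never slice blindly
            raise ValueError(f"data size {size} at offset {pos} runs past end of file")
        data, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, CLOSE)
        records.append(PolRecord(key, name, reg_type, data))
    return version, records


# Constructed sample: three records under a made-up policy key (not a real Windows policy).
SAMPLE_KEY = r"Software\Policies\ExampleVendor\Audit"
SAMPLE_RECORDS = [
    (SAMPLE_KEY, "LogLevel", REG_DWORD, struct.pack("<I", 2)),
    (SAMPLE_KEY, "LogPath", REG_EXPAND_SZ, u16(r"%SystemRoot%\Logs\example.log")),
    (SAMPLE_KEY, "MaxBytes", REG_QWORD, struct.pack("<Q", 1 << 40)),
]
SAMPLE_POL = build_pol(SAMPLE_RECORDS)


def summarize(buf: bytes):
    """Return [(key, name, decoded value), ...] for a .POL image."""
    _, recs = parse_pol(buf)
    return [(r.key, r.name, r.decoded()) for r in recs]


if __name__ == "__main__":
    for key, name, value in summarize(SAMPLE_POL):
        print(f"{key}\\{name} = {value!r}")
```

Dumping `SAMPLE_POL` with a hex viewer shows exactly the layout the post describes: `50 52 65 67 01 00 00 00`, then `5B 00` for each record's opening bracket, the key with a `00` after every ASCII character and `00 00` at its end, `3B 00` delimiters, the raw little-endian type and size fields, and `5D 00` closing each record with no padding before the next `5B 00`.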
