From 2332db552d1dfec9e14acb50fe2e9f38f71ec802 Mon Sep 17 00:00:00 2001 From: Richard Jones Date: Tue, 19 Jan 2010 15:20:36 +0000 Subject: [PATCH] hivex: Clarify some more fields. Taken from sentinelchicken.com documentation. --- hivex/hivex.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hivex/hivex.c b/hivex/hivex.c index e1df96a..7efea9a 100644 --- a/hivex/hivex.c +++ b/hivex/hivex.c @@ -196,7 +196,8 @@ struct ntreg_nk_record { int32_t seg_len; /* length (always -ve because used) */ char id[2]; /* "nk" */ uint16_t flags; - char timestamp[12]; + char timestamp[8]; + char unknown0[4]; uint32_t parent; /* offset of owner/parent */ uint32_t nr_subkeys; /* number of subkeys */ uint32_t unknown1; @@ -219,7 +220,7 @@ struct ntreg_lf_record { uint16_t nr_keys; /* number of keys in this record */ struct { uint32_t offset; /* offset of nk-record for this subkey */ - char name[4]; /* first 4 characters of subkey name */ + char hash[4]; /* hash of subkey name */ } keys[1]; } __attribute__((__packed__)); -- 1.8.3.1