the .reg file format



1 introduction
the .reg file format is used by regedit, the program supplied with windows 3.x,
windows 95, and windows nt, to import and export settings from the registry.
note that i will not explain what the registry is, how it works, or what it can
be used for. there are other documents describing the registry and it's most
interesting parts all over the net - check out some of the links at the end of
this document. also, i will not provide you with information on regedit for
windows 3.x - i know that it exists, but not if it's format is in any way like
the regedit of 95/nt. besides, the registry is much less interesting on windows
3.x.

2 description
the file is formatted as plain ascii text. every line is ended with a cr/lf
combination.

2.1 header
it starts with regeditx, where x is regedit's version number - on 95/nt, it's
4, making the string regedit4.

this is also the only part of the file actually checked by regedit when it's
importing - if the file contains any formatting errors, regedit will not notify
you and simply skip the settings that contain errors.

in particular, regedit will pretty much accept anything as long as it starts
with regeditx, and ignore anything erroneous. yes, that does add up to the
microsoft stupid mistakes list.

2.2 keys
key names are exported as they are encountered, but need not be in any order.
subkeys are explicitly named. for example, if you had the key
hkey_classes_root\clsid and it's subkey
hkey_classes_root\clsid\{21ec2020-3aea-1069-a2dd-08002b30309d} (which
represents the classid of the control panel, by the way), they would be
exported as:

[hkey_classes_root\clsid]

[hkey_classes_root\clsid\{21ec2020-3aea-1069-a2dd-08002b30309d}]

for a key name to be valid, it must start with one of the root key names:
hkey_classes_root, hkey_current_user, hkey_local_machine, hkey_users,
hkey_current_config and hkey_dyn_data.

a key name may only contain printable ascii characters (that is, characters
with values from 32 through 127) and may not contain spaces, backslashes \ or
the wildcards * and ?.

every key name is followed by it's values, starting on the line directly
following it. the list of values is terminated with an empty line, and may be
empty itself.

for example:
[key-name]

[second-key-name]
"value1"=something
"value2"=something

[third-key-name]

if a key is specified which does not exist, it is created, along with any
parent keys that do not exist. for example, if the key
hkey_users\jeroen\test\subkey is specified, and only the key hkey_users\jeroen
exists, the key hkey_users\jeroen\test is also created.

note that you cannot delete keys or values - you can only add them if they
don't already exist, or modify them if they do.

2.3 values
there are three kinds of values in the registry: strings, binary values, and
dwords. they represent a collection of characters, a collection of bytes, and a
32-bit integer, respectively.

values consist of a name, enclosed in quotes "", followed by an equal sign = ,
followed by the value value (there's no other way to put it).

every key, even if created empty, contains at least one string value - this is
the value shown as (default) in regedit. to set it's value, use @ as the value
name, and omit the usual quotes around the value name.

example:
@="this is the default value."

2.3.1 strings
strings may be any size. they are represented within quotes "", and contain
normal ascii characters.

the quote " and backslash \ are also allowed in strings - however, they must be
represented as \" and \\, respectively. also, regedit can import and export all
non-ascii characters except for linefeed (or newline, ascii code 10). should a
linefeed end up in a string, regedit will export this as a real newline,
splitting the string in two lines. when reimporting this string, regedit will
only read the first line. the moral of the story: don't store linefeeds in
strings.

examples of strings:
"foo"="bar"
"foopath"="c:\\windows\\system"
"foomessage"="this/nmessage/nactually/nconsists/nof/one/nlong/nline."

2.3.2 binary values
binary values are used where strings and dwords fail. they can be used to
represent any type of data. they are represented as hex:xx,yy,zz where xx,yy
and zz are hexadecimal representations of single bytes. they may be any length.

lengthy binary values can be divided into multiple lines using the c line
separator \. for example:
"bar"=hex:48,00,00,00,01,00,00,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,\
00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,\
0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,00,00,00,00,c4,ac,01,\
00

also take note that this is only allowed with binary values. in particular, you
cannot divide strings this way. and yes, this is pretty stupid.

although i usually ignore microsoft, they recommend you shouldn't store more
than around two kilobytes of binary data at most, and i agree with them for
once.

example of binary values:
"foo"=hex:00,de,ca,de,12,34

2.3.2.1 types of binary values
along with 'regular' binary values, there are also some special types of data
which regedit represents as special binary values, like this:

"foobar"=hex(type):xx,xx,xx,xx,...

where type is a number ranging from zero to ten in the current versions of
windows, as follows:

type name
0 reg_none
1 reg_sz
2 reg_expand_sz
3 reg_binary
4 reg_dword, reg_dword_little_endian
5 reg_dword_big_endian
6 reg_link
7 reg_multi_sz
8 reg_resource_list
9 reg_full_resource_descriptor
10 reg_resource_requirements_list

2.3.2.1.1 reg_none
reg_none means 'no defined value type'. no, i don't know what it's good for -
reg_binary is already a catch-all type for everything that has no type. perhaps
it's used for values that have no contents, although i can't imagine what that
would be good for.

2.3.2.1.2 reg_sz
a null-terminated string. this is the same as the string type, represented as
bytes. for example, these definitions are equal:

"barfoo"=hex(1):41,42,43,44,00
and
"barfoo"="abcd"

see also 2.3.1, strings.

2.3.2.1.3 reg_expand_sz
a null-terminated string that contains unexpanded references to environment
variables. when an application reads this string from the registry, it can let
windows replace the references with the environment variable value.

for example, the following value

"forbaa"=hex(2):25,50,41,54,48,25,3b,53,6f,6d,65,74,68,69,6e,67,00

represents the string "%path%;something". when this string is read, the
"%path%" section can be replaced with the contents of your path variable.

2.3.2.1.4 reg_dword, reg_dword_little_endian
represents a little-endian dword (the common format of windows dwords). in
little-endian format, the most significant byte of a word is the high-order
byte. see also 2.3.3, dwords.

2.3.2.1.5 reg_dword_big_endian
represents a big-endian dword (used on macintoshes, for example). as you can
probably guess, in big-endian format, the most significant byte of a word is
the low-order byte.

2.3.2.1.6 reg_link
represents a unicode symbolic link. no, i don't know what this is, and i
probably don't want to know either.

2.3.2.1.7 reg_multi_sz
a collection of null-terminated strings, null-terminated. for example:

"farboo"=hex(7):41,42,43,44,00,45,46,47,48,00,00

represents two strings: "abcd" and "efgh".

2.3.2.1.8 reg_resource_list
a device driver resource list. another one in the category "don't know and
don't want to know."

2.3.2.1.9 reg_full_resource_descriptor
undocumented. it's probably ment for windows itself only, as device driver
stuff.

2.3.2.1.10 reg_resource_requirements_list
undocumented. it's probably ment for windows itself only, as device driver
stuff.

2.3.3. dwords
dwords are 32-bit integers represented as dword:xxxxxxxx, where x is a
hexadecimal digit. they're pretty boring, as that's all i can tell about them.

example of dword values:
"foo"=dword:00decade

3. the end
that's about it - the .reg format is pretty simple, but it does the job.
should you find any unclarities, mistakes or things you think are missing,
contact me by emailing to "j.mostert@oke.nl".

4. well, almost, we still need the links
oh yeah, here are the links i promised, listed in no particular order. they
were all valid on november 4th, 1997.

http://help.mindspring.com/technotes/96dec/registry1.htm
this is the registry page at technotes+, the site for a lot of tips and tricks
about pretty much anything technical. it contains an introduction to the
registry, and how it should be used. i recommend to read this first if you've
never even heard about this registry thing.

http://www.geocities.com/siliconvalley/pines/2857/
this is a registry page by neil mcquarry, and a nice one it is, too. it
contains a quick introduction to the registry, a brief description of .reg
files, and a detailed description of various keys of interest. recommended if
you want to get the most of the registry.

http://www.amazon.com
this is amazons home page, "earth's biggest bookstore". try their search
function to search for "windows registry" - this will provide you with more
than enough literary references. no online information, however.

http://www.windows95.com/tips
this is the tips section of windows95.com. although it doesn't contain just
registry tips, it's really worth checking out. but then again, all of
windows95.com is worth checking out. if you have windows 95/nt, be sure to
visit it.