NT registry filesystem for linux

This is a file system driver for linux, which understands the NT registry file format. With it, you can take registry files from NT, e.g., SAM, SECURITY, etc., and mount them on linux. Currently, it's read-only, though I may add read-write capability in the future.

Usage

To install, untar the source and compile it. See below for kernel version info. Once it's built, you can use it like any other filesystem. E.g.,

[root@prof /root]# cd ~tas/src/ntreg
[root@prof ntreg]# insmod ntreg.o
[root@prof ntreg]# cd ../../syskeyreg/5-aftersyskey/
[root@prof 5-aftersyskey]# ls
AppEvent.Evt  SECURITY      SecEvent.Evt  default.LOG  software.LOG  system.LOG
SAM           SECURITY.LOG  SysEvent.Evt  default.sav  software.sav  system.sav
SAM.LOG       SYSTEM.ALT    default       software     system        userdiff
[root@prof 5-aftersyskey]# mount -t ntreg -o loop SAM /mnt/reg
[root@prof 5-aftersyskey]# cd /mnt/reg
[root@prof reg]# ls
SAM
[root@prof reg]# cd SAM
[root@prof SAM]# ls
C  Domains  RXACT
[root@prof SAM]# cd Domains
[root@prof Domains]# ls
Account  Builtin  Unnamed-Value
[root@prof Domains]# cd Account
[root@prof Account]# ls
Aliases  F  Groups  Users  V
[root@prof Account]# hexl F
00000000: 0200 0100 b800 1400 a04c bd31 d1fd be01  .........L.1....
00000010: 0d00 0000 0000 0000 0080 a60a ffde ffff  ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0080  ................
00000030: 00cc 1dcf fbff ffff 00cc 1dcf fbff ffff  ................
00000040: 0000 0000 0000 0000 ea03 0000 0000 0000  ................
00000050: 0000 0800 0000 4e00 0100 0000 0300 0000  ......N.........
00000060: 0100 0000 0100 0100 0100 0000 3800 0000  ............8...
00000070: 170e b1ca 5add 1a15 d352 07c5 7a64 0904  ....Z....R..zd..
00000080: df9e 1dda 0d0b fed1 2029 a8d2 1301 9a02  ........ )......
00000090: 1d4b 4682 533f 80ae 636f c819 8f2e 2e56  .KF.S?..co.....V
000000a0: 0000 0000 0000 0000                      ........
[root@prof Account]#

Limitations

It's read-only.
It doesn't make any attempt to get the file times correct.
I've had problems with mounting over loop when the registry file is actually on an NTFS partition. There are (or were) bugs in the NTFS driver related to block mapping that caused this. I currently always copy the registry file to an ext2 partition before mounting it.

Kernel versions

It was written against 2.2.x, and that's where I run it most of the time. It does build against 2.3.x, but with a warning. The warning needs to be fixed, but I'm fairly sure it's ok for now. It hasn't been widely used, yet, but it's been very stable for me. I haven't had any oopsen, for months. Of course, YMMV.

Acknowledgements

I figured out some of the registry file format myself, but lots of details were provided by Petter Nordahl-Hagen. Also, there's a document of unknown authorship which describes details of the various registry types. It is included in the tarball.

The code for implementing the filesystem in linux is based upon the ntfs driver, written by Martin von Loewis, et al.

Feedback

If you have question/problems/etc., let me know.

Todd Sabin