Struct BaseBlock 

pub struct BaseBlock {

    pub primary_sequence: u32,
    pub secondary_sequence: u32,
    pub last_written: u64,
    pub major_version: u32,
    pub minor_version: u32,
    pub file_type: u32,
    pub format: u32,
    pub root_cell_offset: u32,
    pub hive_bins_data_size: u32,
    pub clustering_factor: u32,
    pub file_name: [u8; 64],
    pub rm_id: [u8; 16],
    pub log_id: [u8; 16],
    pub flags: u32,
    pub tm_id: [u8; 16],
    pub guid_signature: u32,
    pub last_reorganize_time: u64,
    pub reserved1: Vec<u8>,
    pub checksum: u32,
}

REGF base block header (first 512 bytes of the 4096-byte header block).

Reference: research/regf-binary-format-specification.md Section 1.1

Fields

primary_sequence: u32

Incremented on each write; must match secondary if hive was properly synced.

secondary_sequence: u32

Updated after successful write; mismatch = dirty hive.

last_written: u64

FILETIME (UTC). Not updated as of Windows 8.1.

major_version: u32

Always 1 for all known Windows versions.

minor_version: u32

0-2 (NT 3.x), 3 (NT 4.0), 5 (XP+), 6 (Win10+ differencing).

file_type: u32

0 = primary, 1 = transaction log, 2 = alternate (Win2000 SYSTEM.ALT).

format: u32

Always 1 (direct memory load).

root_cell_offset: u32

Offset to root key node cell, relative to hive bins data start.

hive_bins_data_size: u32

Total size of all hive bins in bytes.

clustering_factor: u32

Logical sector size / 512. Typically 1 or 8.

file_name: [u8; 64]

Internal hive path, UTF-16LE, 64 bytes. May contain remnant data.

rm_id: [u8; 16]

Resource Manager GUID (Vista+). Null if CLFS not used.

log_id: [u8; 16]

Log GUID. Usually same as rm_id.

flags: u32

Bit mask: 0x1 = pending txns, 0x2 = differencing hive.

tm_id: [u8; 16]

Transaction Manager GUID.

guid_signature: u32

“rmtm” signature validating GUID fields are present.

last_reorganize_time: u64

FILETIME of latest hive reorganization (Win8+).

reserved1: Vec<u8>

Reserved (332 bytes = 83 DWORDs).

checksum: u32

XOR-32 checksum of first 508 bytes (offsets 0x000-0x1FB).

Implementations

impl BaseBlock

pub const SIZE: usize = 4096

Size of the base block in the file (always 4096 bytes).

pub fn validate_checksum(header_bytes: &[u8]) -> bool

Validate the XOR-32 checksum.

Algorithm: XOR all 127 u32 LE words from offsets 0x000-0x1FB. Special cases: result 0 becomes 1, result 0xFFFFFFFF becomes 0xFFFFFFFE.

pub fn compute_checksum(header_bytes: &[u8]) -> u32

Compute the XOR-32 checksum over the first 508 bytes.

pub fn is_clean(&self) -> bool

Check if primary and secondary sequence numbers match (clean hive).

pub fn file_name_string(&self) -> String

Decode the internal file name from UTF-16LE.

Trait Implementations

impl BinRead for BaseBlock

type Args = ()

The type used for the args parameter of read_args() and read_options().

fn read_options<R: Read + Seek>( __binrw_generated_var_reader: &mut R, __binrw_generated_var_options: &ReadOptions, __binrw_generated_var_arguments: Self::Args, ) -> BinResult<Self>

Read Self from the reader using the given ReadOptions and arguments.

fn read<R>(reader: &mut R) -> Result<Self, Error>

where R: Read + Seek, Self::Args: Default,

Read Self from the reader using default arguments.

fn read_args<R>(reader: &mut R, args: Self::Args) -> Result<Self, Error>

where R: Read + Seek,

Read Self from the reader using the given arguments.

fn after_parse<R>( &mut self, _: &mut R, _: &ReadOptions, _: Self::Args, ) -> Result<(), Error>

where R: Read + Seek,

Runs any post-processing steps required to finalize construction of the object.

impl Clone for BaseBlock

fn clone(&self) -> BaseBlock

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for BaseBlock

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.