Free Tool - List Registry Links (REG_LINK)

Recently I got into a very interesting discussion with my colleague Nicholas Dille on various aspects of Windows x64. One question he brought up was especially intriguing: knowing about registry redirection, it is not astonishing to find that the 32-bit version of the registry key HKLM\Software\Classes (aka HKCR) gets to be HKLM\Software\Classes\Wow6432Node. But there is also HKLM\Software\Wow6432Node\Classes!? How can there be two different Wow6432Node 32-bit keys for one 64-bit key?

It soon dawned on us that one of those two Wow6432Node keys must be a registry link to the other, meaning that the 32-bit data is actually stored in only one place as common sense dictates. But which is the original and which is the link? And what is a registry link anyway?

Registry links (internal type name: REG_LINK) seem to be one of the last great mysteries of Windows NT-based operating systems although they have been around since NT4 at least. Microsoft uses them to point the CurrentControlSet registry key to one of the actual ControlSets (typically 001 or 002). A registry link essentially is a symbolic link in the registry - one registry key pointing to another. The nice thing is that this whole pointing stuff happens completely opaquely to applications: if key A points to key B, and an application tries to access key A, it will actually see the contents of key B. The concept is simple, easy and powerful.

There is only one problem: There is no officially documented way to list, create or delete REG_LINKs. The registry API simply does not have any functions for manipulating them. This makes things more difficult, but not impossible. Searching the net, I quickly found the excellent tool regln which comes with full source code and compiled both as 32-bit and 64-bit binaries. The source code of regln gave me the hints I needed: the internal NT API (not too well documented and hidden in ntdll.dll) contains the functions required for REG_LINK manipulation. With that information and some further research I put together a small command line program that scans the registry for REG_LINKs and lists those found along with their target: ListRegistryLinks.exe. The tool is available both in 32-bit and 64-bit versions.

Starting ListRegistryLinks.exe with the parameter -? prints the following help screen:

ListRegistryLinks by Helge Klein

Syntax:
=======

ListRegistryLinks.exe  [-v]

Description:
============

Recursively searches the registry for links (of type REG_LINK) below a given key. Each link found is displayed with its source and target keys.

The following registry hives are supported: HKLM and HKU. The option '-v' enables output of keys that could not be processed because access was denied.

Example:
========

ListRegistryLinks.exe HKLM\System

Return codes:
=============

0: Successful execution
1: The help screen was printed, maybe because of invalid command line arguments
2: An error occurred

I tried my new toy on Windows XP (32-bit) and Server 2008 (64-bit). On a 32-bit XP it found the following REG_LINKs:

"HKLM\SYSTEM\ControlSet001\Control\Print\Printers" -> "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers"
"HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current" -> "HKLM\System\CurrentControlSet\Hardware Profiles001"
"HKLM\SYSTEM\CurrentControlSet" -> "HKLM\System\ControlSet001"
"HKU\S-1-5-21-1085031214-1417001333-725345543-1003\Software\Classes" -> "HKU\S-1-5-21-1085031214-1417001333-725345543-1003_Classes"
"HKU\S-1-5-18" -> "HKU\.Default"

On a 64-bit Server 2008 it found the following REG_LINKs:

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide" -> "HKLM\COMPONENTS"
"HKLM\SOFTWARE\Wow6432Node\Classes" -> "HKLM\SOFTWARE\Classes\Wow6432Node"
"HKLM\SYSTEM\ControlSet001\Control\Print\Printers" -> "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers"
"HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current" -> "HKLM\System\CurrentControlSet\Hardware Profiles001"
"HKLM\SYSTEM\CurrentControlSet" -> "HKLM\System\ControlSet001"
"HKU\S-1-5-21-552630178-3927703868-1805318510-500\Software\Classes" -> "HKU\S-1-5-21-552630178-3927703868-1805318510-500_Classes"
"HKU\S-1-5-18" -> "HKU\.Default"

Obviously, Microsoft uses REG_LINKs in several places to store multiple configuration sets and have one key point to the currently used set. This is the case with the Control Sets and Hardware Profiles. Another thing to note is that Windows Server 2008 has an additional link (SideBySide) with regards to XP.

Returning to the original topic of this post, ListRegistryLinks proves that HKLM\SOFTWARE\Classes\Wow6432Node is the original, as surmised. HKLM\SOFTWARE\Wow6432Node\Classes is but a link to it.

For the curious: The 32-bit version of ListRegistryLinks finds the following REG_LINKs on Server 2008 x64:

"HKLM\SYSTEM\ControlSet001\Control\Print\Printers" -> "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers"
"HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current" -> "HKLM\System\CurrentControlSet\Hardware Profiles001"
"HKLM\SYSTEM\CurrentControlSet" -> "HKLM\System\ControlSet001"
"HKU\S-1-5-18" -> "HKU\.Default"

Download

ListRegistryLinks.exe can be downloaded here both in a 32-bit and a 64-bit version:

ListRegistryLinks, version 1.0, x86
ListRegistryLinks, version 1.0, x64

I have tested the tool on Windows XP (32-bit) and Server 2008 (64-bit).

Free ToolLinkRedirectionRegistryX64

Comments

Related Posts

DiskLED - A Flexible Hard Disk and General System Activity Indicator System Tray Applet

DiskLED - A Flexible Hard Disk and General System Activity Indicator System Tray Applet
What do you do when your computer reacts sluggishly to even the simplest commands? You probably look at its hard disk LED to determine if the disk is busy, because if it is, the only thing that really helps is waiting (apart from buying a faster disk or SSD). Problem solved - if you are sitting right next to the machine. But what if you are using a protocol like RDP or ICA to connect to a remote computer or VM? No HDD LED, no quick and simple way to check for hard drive activity. This has been bugging me enough to write a software replacement: DiskLED.
Helge's Tools

Windows x64 Part 7: File System & Registry Redirection, Registry Reflection

This is the seventh part of a mini-series on Windows x64, focusing on behind the scene changes in the operating system. In the last article I explained that mixed 32-/64-bit processes are not allowed and how that rule affects both administrators and script-writers. In this context I mentioned the strangely named directory SysWOW64. Today I am going to explain what it is used for by starting with redirection.
64-Bit Windows (x64)

Latest Posts

Scripted WordPress to Hugo Migration

Scripted WordPress to Hugo Migration
After having published in WordPress for almost 20 years, it was time for a change. This site is now rendered by Hugo, a static website generator built for Markdown content hosted in a Git repository. The migration from WordPress (HTML) to Hugo (Markdown) was far from trivial. Since I couldn’t find any tool for the job, I developed my own set of migration scripts that fully automate the migration process. You can find them on GitHub along with extensive documentation.
Website