Free Tool – List Registry Links (REG_LINK)

Recently I got into a very interesting discussion with my colleague Nicholas Dille on various aspects of Windows x64. One question he brought up was especially intriguing: knowing about registry redirection, it is not astonishing to find that the 32-bit version of the registry key HKLM\Software\Classes (aka HKCR) gets to be HKLM\Software\Classes\Wow6432Node. But there is also HKLM\Software\Wow6432Node\Classes!? How can there be two different Wow6432Node 32-bit keys for one 64-bit key?

It soon dawned on us that one of those two Wow6432Node keys must be a registry link to the other, meaning that the 32-bit data is actually stored in only one place as common sense dictates. But which is the original and which is the link? And what is a registry link anyway?

What Are REG_LINKs?

Registry links (internal type name: REG_LINK) seem to be one of the last great mysteries of Windows NT-based operating systems although they have been around since NT4 at least. Microsoft uses them to point the CurrentControlSet registry key to one of the actual ControlSets (typically 001 or 002). A registry link essentially is a symbolic link in the registry – one registry key pointing to another. The nice thing is that this whole pointing stuff happens completely opaquely to applications: if key A points to key B, and an application tries to access key A, it will actually see the contents of key B. The concept is simple, easy and powerful.

How to Manipulate REG_LINKs

There is only one problem: There is no officially documented way to list, create or delete REG_LINKs. The registry API simply does not have any functions for manipulating them. This makes things more difficult, but not impossible. Searching the net, I quickly found the excellent tool <a href="http://www.tenox.tc/out" target="_blank">regln</a> which comes with full source code and compiled both as 32-bit and 64-bit binaries. The source code of regln gave me the hints I needed: the internal NT API (not too well documented and hidden in ntdll.dll) contains the functions required for REG_LINK manipulation. With that information and some further research I put together a small command line program that scans the registry for REG_LINKs and lists those found along with their target: ListRegistryLinks.exe. The tool is available both in 32-bit and 64-bit versions.

Starting ListRegistryLinks.exe with the parameter -? prints the following help screen:

ListRegistryLinks by Helge Klein

Syntax:
=======

ListRegistryLinks.exe  [-v]

Description:
============

Recursively searches the registry for links (of type REG_LINK) below a given key. Each link found is displayed with its source and target keys.

The following registry hives are supported: HKLM and HKU. The option '-v' enables output of keys that could not be processed because access was denied.

Example:
========

ListRegistryLinks.exe HKLM\System

Return codes:
=============

0: Successful execution
1: The help screen was printed, maybe because of invalid command line arguments
2: An error occurred

I tried my new toy on Windows XP (32-bit) and Server 2008 (64-bit). On a 32-bit XP it found the following REG_LINKs:

"HKLM\SYSTEM\ControlSet001\Control\Print\Printers" -> "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers"
"HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current" -> "HKLM\System\CurrentControlSet\Hardware Profiles001"
"HKLM\SYSTEM\CurrentControlSet" -> "HKLM\System\ControlSet001"
"HKU\S-1-5-21-1085031214-1417001333-725345543-1003\Software\Classes" -> "HKU\S-1-5-21-1085031214-1417001333-725345543-1003_Classes"
"HKU\S-1-5-18" -> "HKU\.Default"

On a 64-bit Server 2008 it found the following REG_LINKs:

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide" -> "HKLM\COMPONENTS"
"HKLM\SOFTWARE\Wow6432Node\Classes" -> "HKLM\SOFTWARE\Classes\Wow6432Node"
"HKLM\SYSTEM\ControlSet001\Control\Print\Printers" -> "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers"
"HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current" -> "HKLM\System\CurrentControlSet\Hardware Profiles001"
"HKLM\SYSTEM\CurrentControlSet" -> "HKLM\System\ControlSet001"
"HKU\S-1-5-21-552630178-3927703868-1805318510-500\Software\Classes" -> "HKU\S-1-5-21-552630178-3927703868-1805318510-500_Classes"
"HKU\S-1-5-18" -> "HKU\.Default"

Obviously, Microsoft uses REG_LINKs in several places to store multiple configuration sets and have one key point to the currently used set. This is the case with the Control Sets and Hardware Profiles. Another thing to note is that Windows Server 2008 has an additional link (SideBySide) with regards to XP.

Returning to the original topic of this post, ListRegistryLinks proves that HKLM\SOFTWARE\Classes\Wow6432Node is the original, as surmised. HKLM\SOFTWARE\Wow6432Node\Classes is but a link to it.

For the curious: The 32-bit version of ListRegistryLinks finds the following REG_LINKs on Server 2008 x64:

"HKLM\SYSTEM\ControlSet001\Control\Print\Printers" -> "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers"
"HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current" -> "HKLM\System\CurrentControlSet\Hardware Profiles001"
"HKLM\SYSTEM\CurrentControlSet" -> "HKLM\System\ControlSet001"
"HKU\S-1-5-18" -> "HKU\.Default"

Download

ListRegistryLinks.exe can be downloaded here both in a 32-bit and a 64-bit version:

ListRegistryLinks, version 1.0, x86
ListRegistryLinks, version 1.0, x64

I have tested the tool on Windows XP (32-bit) and Server 2008 (64-bit).