Free Tool - List Registry Links (REG_LINK)

Recently I got into a very interesting discussion with my colleague Nicholas Dille on various aspects of Windows x64. One question he brought up was especially intriguing: knowing about registry redirection, it is not astonishing to find that the 32-bit version of the registry key HKLM\Software\Classes (aka HKCR) gets to be HKLM\Software\Classes\Wow6432Node. But there is also HKLM\Software\Wow6432Node\Classes!? How can there be two different Wow6432Node 32-bit keys for one 64-bit key?

It soon dawned on us that one of those two Wow6432Node keys must be a registry link to the other, meaning that the 32-bit data is actually stored in only one place as common sense dictates. But which is the original and which is the link? And what is a registry link anyway?

Registry links (internal type name: REG_LINK) seem to be one of the last great mysteries of Windows NT-based operating systems, although they have been around since NT4 at least. Microsoft uses them to point the CurrentControlSet registry key to one of the actual ControlSets (typically 001 or 002). A registry link is essentially a symbolic link in the registry: one registry key pointing to another. The nice thing is that the redirection is completely transparent to applications: if key A points to key B, and an application tries to access key A, it will actually see the contents of key B. The concept is simple, easy and powerful.

There is only one problem: There is no officially documented way to list, create or delete REG_LINKs. The registry API simply does not have any functions for manipulating them. This makes things more difficult, but not impossible. Searching the net, I quickly found the excellent tool regln which comes with full source code and compiled both as 32-bit and 64-bit binaries. The source code of regln gave me the hints I needed: the internal NT API (not too well documented and hidden in ntdll.dll) contains the functions required for REG_LINK manipulation. With that information and some further research I put together a small command line program that scans the registry for REG_LINKs and lists those found along with their target: ListRegistryLinks.exe. The tool is available both in 32-bit and 64-bit versions.

Starting ListRegistryLinks.exe with the parameter -? prints the following help screen:

ListRegistryLinks by Helge Klein

Syntax:
=======

ListRegistryLinks.exe  [-v]

Description:
============

Recursively searches the registry for links (of type REG_LINK) below a given key. Each link found is displayed with its source and target keys.

The following registry hives are supported: HKLM and HKU. The option '-v' enables output of keys that could not be processed because access was denied.

Example:
========

ListRegistryLinks.exe HKLM\System

Return codes:
=============

0: Successful execution
1: The help screen was printed, maybe because of invalid command line arguments
2: An error occurred

I tried my new toy on Windows XP (32-bit) and Server 2008 (64-bit). On a 32-bit XP it found the following REG_LINKs:

"HKLM\SYSTEM\ControlSet001\Control\Print\Printers" -> "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers"
"HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current" -> "HKLM\System\CurrentControlSet\Hardware Profiles001"
"HKLM\SYSTEM\CurrentControlSet" -> "HKLM\System\ControlSet001"
"HKU\S-1-5-21-1085031214-1417001333-725345543-1003\Software\Classes" -> "HKU\S-1-5-21-1085031214-1417001333-725345543-1003_Classes"
"HKU\S-1-5-18" -> "HKU\.Default"

On a 64-bit Server 2008 it found the following REG_LINKs:

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide" -> "HKLM\COMPONENTS"
"HKLM\SOFTWARE\Wow6432Node\Classes" -> "HKLM\SOFTWARE\Classes\Wow6432Node"
"HKLM\SYSTEM\ControlSet001\Control\Print\Printers" -> "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers"
"HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current" -> "HKLM\System\CurrentControlSet\Hardware Profiles001"
"HKLM\SYSTEM\CurrentControlSet" -> "HKLM\System\ControlSet001"
"HKU\S-1-5-21-552630178-3927703868-1805318510-500\Software\Classes" -> "HKU\S-1-5-21-552630178-3927703868-1805318510-500_Classes"
"HKU\S-1-5-18" -> "HKU\.Default"

Obviously, Microsoft uses REG_LINKs in several places to store multiple configuration sets and have one key point to the currently used set. This is the case with the Control Sets and Hardware Profiles. Another thing to note is that Windows Server 2008 has an additional link (SideBySide) compared to XP.

Returning to the original topic of this post, ListRegistryLinks proves that HKLM\SOFTWARE\Classes\Wow6432Node is the original, as surmised. HKLM\SOFTWARE\Wow6432Node\Classes is but a link to it.
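The listing can also be used as a link table to work out where a given key path really ends up, including chains where one link's target passes through another link. The following is an added example, not part of ListRegistryLinks or the original post; the function names `parse_links` and `resolve` are hypothetical, and the table is copied from the 64-bit Server 2008 output above:

```python
import re

# Link table copied from the 64-bit Server 2008 listing on this page
# (the per-user HKU\<SID>\Software\Classes entry is left out for brevity).
LISTING = r'''
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide" -> "HKLM\COMPONENTS"
"HKLM\SOFTWARE\Wow6432Node\Classes" -> "HKLM\SOFTWARE\Classes\Wow6432Node"
"HKLM\SYSTEM\ControlSet001\Control\Print\Printers" -> "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers"
"HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current" -> "HKLM\System\CurrentControlSet\Hardware Profiles001"
"HKLM\SYSTEM\CurrentControlSet" -> "HKLM\System\ControlSet001"
"HKU\S-1-5-18" -> "HKU\.Default"
'''

LINE_RE = re.compile(r'^"([^"]+)" -> "([^"]+)"$')

def parse_links(text):
    """Return {casefolded source key: target key} from ListRegistryLinks output."""
    links = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Registry key names are case-insensitive, so normalise the lookup key.
            links[m.group(1).casefold()] = m.group(2)
    return links

def resolve(path, links, max_hops=16):
    """Follow links until no prefix of the path is a link.

    Returns (final path, list of link keys that were traversed)."""
    hops = []
    while True:
        parts = path.split("\\")
        # Test each prefix from the hive downwards, as a path walk would.
        for i in range(1, len(parts) + 1):
            prefix = "\\".join(parts[:i])
            target = links.get(prefix.casefold())
            if target is not None:
                if len(hops) >= max_hops:
                    raise ValueError("too many link hops (possible loop): " + path)
                hops.append(prefix)
                path = "\\".join([target] + parts[i:])
                break
        else:
            return path, hops
```

Resolving `HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software` with this table takes three hops, because the target of the Hardware Profiles link itself runs through the CurrentControlSet link.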

For the curious: The 32-bit version of ListRegistryLinks finds the following REG_LINKs on Server 2008 x64:

"HKLM\SYSTEM\ControlSet001\Control\Print\Printers" -> "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers"
"HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current" -> "HKLM\System\CurrentControlSet\Hardware Profiles001"
"HKLM\SYSTEM\CurrentControlSet" -> "HKLM\System\ControlSet001"
"HKU\S-1-5-18" -> "HKU\.Default"

Download

ListRegistryLinks.exe can be downloaded here both in a 32-bit and a 64-bit version:

ListRegistryLinks, version 1.0, x86
ListRegistryLinks, version 1.0, x64

I have tested the tool on Windows XP (32-bit) and Server 2008 (64-bit).
