一、Windows NT 下注册表键值导出格式:
REGEDIT4
"dword"=dword:00000980
"string"="Tips"
@="default value"
[HKEY_LOCAL_MACHINE/SOFTWARE/Test]
"dword"=dword:00000980
"string"="Tips"
@="default value"
Tips:
1、导出文件开头是REGEDIT4
2、@表示默认值
3、只支持REG_SZ,REG_DWORD,REG_BINARY
二、Windows xp下的导出格式
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE/SOFTWARE/Test]
"string"="中国this is a string"
"binary"=hex:00,11,ff,ed,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,aa,aa,aa,aa,bc,cc,ca,
ef,af,ea,bc,ee,ab,ce,af,ff,af,ff,ff,ff,fe,ee,ee,ab,20
"dword"=dword:00002098
"multi_sz"=hex(7):74,00,6f,00,64,00,61,00,79,00,20,00,69,00,73,00,20,00,6d,00,
6f,00,6e,00,64,00,61,00,79,00,00,00,74,00,68,00,65,00,20,00,6d,00,6f,00,6e,
00,6b,00,65,00,79,00,20,00,61,00,6e,00,64,00,20,00,64,00,75,00,63,00,6b,00,
20,00,67,00,6f,00,74,00,6f,00,20,00,73,00,68,00,6f,00,6f,00,6c,00,20,00,74,
00,6f,00,67,00,65,00,74,00,68,00,65,00,72,00,00,00,00,00
"expand_sz"=hex(2):45,00,78,00,70,00,61,00,6e,00,64,00,20,00,73,00,74,00,72,00,
69,00,6e,00,67,00,3a,00,20,00,25,00,49,00,53,00,53,00,43,00,50,00,61,00,74,
00,68,00,25,00,00,00
@="default"
Tips:
1、导出文件头 Windows Registry Editor Version 5.00
2、@表示默认值
3、支持REG_SZ,REG_DWORD,REG_BINARY,REG_MULTI_SZ,REG_EXPAND_SZ格式
4、REG_SZ的导出内容为可见字符
5、REG_BINARY导出格式以hex:开头,后跟导出字节的16进制表示
6、REG_MULTI_SZ,REG_EXPAND_SZ导出值格式为 hex(REG_MULTI_SZ/RGE_EXPAND_SZ):开头,后跟导出字节的16进制表示。REG_MULTI_SZ为2,REG_EXPAND_SZ为7。
7、REG_MULTI_SZ可以连接多个字符串,字符串之间以/0x00,最后以两个/0x00结束。 注意:如果使用Regedit.exe导出,则字符是unicode编码的。 但是,使用RegQueryValueEX获得的值是多字节编码的,汉字占两个字节,ascii字符使用1个字节。
5、REG_BINARY导出格式以hex:开头,后跟导出字节的16进制表示
6、REG_MULTI_SZ,REG_EXPAND_SZ导出值格式为 hex(REG_MULTI_SZ/RGE_EXPAND_SZ):开头,后跟导出字节的16进制表示。REG_MULTI_SZ为2,REG_EXPAND_SZ为7。
7、REG_MULTI_SZ可以连接多个字符串,字符串之间以/0x00,最后以两个/0x00结束。 注意:如果使用Regedit.exe导出,则字符是unicode编码的。 但是,使用RegQueryValueEX获得的值是多字节编码的,汉字占两个字节,ascii字符使用1个字节。
8、REG_EXPAND_SZ,似乎和REG_SZ没太大差距,通过RegQueryValueEX读取的值为原值,需要通过ExpandEnvironmentStrings进行扩展,下面引用MSDN的一段话
Platform SDK: Application Compatibility Guide
Call ExpandEnvironmentStrings Before Reading REG_EXPAND_SZ
Your application should call ExpandEnvironmentStrings before attempting to read the value of a REG_EXPAND_SZ registry data type. The REG_EXPAND_SZ is a null-terminated string that contains references to environment variables
In the following
, the string "%SystemRoot%" is replaced by the actual location of the directory containing the Windows NT system files:File : REG_EXPAND_SZ : %SystemRoot% ile.exe