The Windows Registry Adventure #5: The regf file format
Posted by Mateusz Jurczyk, Google Project Zero As previously mentioned in the second installment of the blog post series ( "A brief history of the feature" ), the binary format used to encode registry hives from Windows NT 3.1 up to the modern Windows 11 is called regf. In a way, it is quite special, because it represents a registry subtree simultaneously on disk and in memory, as opposed to most other common file formats. Documents, images, videos, etc. are generally designed to store data efficiently on disk, and they are subsequently parsed to and from different in-memory representations whenever [...]