2.2.1 Registry Policy Message Syntax
The following definitions will aid in understanding this section:
Computer-scoped Group Policy Object path:
A scoped GPO path that ends in "\Machine".
Scoped GPO path:
A GPO path that is appended with "\User" for User Policy Mode of Policy Application or "\Machine" for Computer Policy Mode.
User-scoped Group Policy Object path:
A scoped GPO path that ends in "\User".
This protocol uses remote file access to copy the file that MUST be named "<gpo path>\registry.pol", where <gpo path> is a scoped GPO path given to the protocol by the Group Policy: Core Protocol, as specified in [MS-GPOL] section 2.2.8. The message is the file itself.
The contents of the Registry.pol file read above MUST be formatted according to the following Augmented Backus-Naur Form (ABNF) description (as specified in [RFC4234]).

    PolicyFile = Header Body
    Header = Signature Version
    Signature = %x50.52.65.67
    Version = %x01
    Body = Instructions
    Instructions = Instruction / (Instructions Instruction)
    IdCharacter = %x20-5B / %x5D-7E
    ValueCharacter = SP / VCHAR
    Key = 1*IdCharacter
    Instruction = "[" KeyPath ";" Value ";" Type ";" Size ";" Data "]"
    KeyPath = Key / KeyPath "\" Key
    Value = 1*259ValueCharacter
    Type = %x01 / %x02 / %x03 / %x04 / %x05 / %x07 / %x0B
    Size = %x00-FFFF
    Data = *65535OCTET

The meanings and encoding format of the fields are as follows:
Key:
A null-terminated identifier of a record used to distinguish the record and efficiently search for it. The same Key can appear multiple times in the message. HKLM and HKCU MUST NOT be included in the identifier. If the registry.pol file is under the computer-scoped path, the root of the key MUST be HKLM; if the file is under the user-scoped path, the root of the key MUST be HKCU. The encoding format is UTF-16LE.
Value:
The null-terminated name of the column in a conceptual database record. The encoding format is UTF-16LE.
Type:
MUST be one of the following:
| Value | Meaning |
|---|---|
| 0x01 REG_SZ | Data in the Data field to be interpreted as a null-terminated Unicode string. |
| 0x02 REG_EXPAND_SZ | Data in the Data field to be interpreted as a null-terminated Unicode string that contains operating system environment variables denoted using an operating system-specific syntax. |
| 0x03 REG_BINARY | Data in the Data field to be interpreted as an octet stream. |
| 0x04 REG_DWORD | Data to be interpreted in the same fashion as a 32-bit number in little-endian format. |
| 0x05 REG_DWORD_BIG_ENDIAN | Data to be interpreted in the same fashion as a 32-bit number in big-endian format. |
| 0x07 REG_MULTI_SZ | Data in the Data field to be interpreted as a sequence of characters terminated by two null Unicode characters, and within that sequence zero or more null-terminated Unicode strings can exist. |
| 0x0B REG_QWORD | Data in the Data field to be interpreted as a 64-bit number in little-endian format. |
The Type field is represented as 32-bit little-endian.
Size:
Indicates the size, in bytes, of the Data field. MUST be in the range 0 to 65535, represented as 32-bit little-endian.
Data:
Indicates the data associated with the value. This field MUST contain the number of bytes of data indicated by the value of the Size field.
Signature:
A 32-bit identifier for all registry.pol files.
Version:
A 32-bit little-endian number.
The order of the Instruction elements is significant: two such messages that differ only in the order of the Instruction elements are not considered equivalent messages semantically. This is because message processing is sensitive to the order, as specified in Client Plug-In Details (section 3.2).<3>
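Added example, not part of the specification: a strict Python reader for the layout above that rejects input violating the stated MUSTs (Signature, Version, Type set, Size range, Data bounds, no HKLM/HKCU root in Key) and preserves Instruction order. It assumes the "[", ";" and "]" delimiters are UTF-16LE code units like Key and Value; the names `parse_pol`, `PolError` and `SAMPLE` and the sample bytes are constructed for illustration.

```python
import struct

TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD",
         5: "REG_DWORD_BIG_ENDIAN", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

class PolError(ValueError): pass  # input violates a MUST in the grammar

def _delim(buf, pos, ch):
    # Assumption: delimiters are UTF-16LE code units, like Key and Value.
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise PolError(f"expected {ch!r} at offset {pos}")
    return pos + 2
def _cstr(buf, pos):
    # Null-terminated UTF-16LE string; scan one 16-bit code unit at a time.
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise PolError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2
def _u32(buf, pos):
    if pos + 4 > len(buf):
        raise PolError("truncated 32-bit field")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def parse_pol(buf):
    """Return Instructions in file order as (key, value, type name, raw data)."""
    if buf[:4] != b"PReg" or buf[4:8] != struct.pack("<I", 1):
        raise PolError("bad Signature or Version")
    pos, out = 8, []
    while pos < len(buf):  # order is significant, so build a list, not a dict
        key, pos = _cstr(buf, _delim(buf, pos, "["))
        value, pos = _cstr(buf, _delim(buf, pos, ";"))
        rtype, pos = _u32(buf, _delim(buf, pos, ";"))
        size, pos = _u32(buf, _delim(buf, pos, ";"))
        pos = _delim(buf, pos, ";")
        if rtype not in TYPES or size > 0xFFFF or pos + size > len(buf):
            raise PolError(f"bad Type/Size for {key!r}")
        if len(value) > 259 or key.split("\\")[0].upper() in ("HKLM", "HKCU"):
            raise PolError(f"bad Key/Value for {key!r}")
        out.append((key, value, TYPES[rtype], buf[pos:pos + size]))
        pos = _delim(buf, pos + size, "]")
    return out

# Constructed sample: one REG_DWORD instruction setting Enabled = 1.
_u = lambda s: s.encode("utf-16-le")
SAMPLE = (b"PReg" + struct.pack("<I", 1)
          + _u("[Software\\Policies\\Example\0;Enabled\0;") + struct.pack("<I", 4)
          + _u(";") + struct.pack("<I", 4) + _u(";") + struct.pack("<I", 1) + _u("]"))
```

The Data bytes are returned raw; interpret them according to the Type table before comparing against an expected policy baseline.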