
Understanding a negative offset of a registry data reference to a dll file

Developer https://www.devze.com 2023-04-04 01:32 Source: web

I almost have an answer to my last question, but I need help.

The Windows Firewall Rules (Vista and up) are stored in the Registry HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

Example rule: v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|RPort=5722|App=%SystemRoot%\system32\dfsr.exe|Svc=Dfsr|Name=@FirewallAPI.dll,-32257|Desc=@FirewallAPI.dll,-32260|EmbedCtxt=@FirewallAPI.dll,-32252|Edge=FALSE|

The field I need to decode is EmbedCtxt=@FirewallAPI.dll,-32252

I think it references C:\WINDOWS\System32\FirewallAPI.dll, but I can't figure out how the number works. The file is ~400KB depending.

I tried a few variations like pretending it was an unsigned short, pretending it was not negative, pretending it was offset from the end, but they did not look right when I arrived at the location with my hex editor.

Could somebody give me their ideas? What this number might mean? I hardly know anything about DLL files. It could even be a section number for all I know.

I also tried searching the text for the expected output, but it seems it is neither byte per character, nor is it UTF-16, either that or I am doing something wrong.


Raymond covers it here. Positive numbers are resource indices. Negative numbers (once you've removed the minus sign) are resource identifiers.
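
An added example, not part of the original question or answer: a parser for the rule value quoted in the question that classifies each `@module,number` field the way the answer describes. The function names are hypothetical, and the `bundle`/`slot` arithmetic is the general Win32 string-table layout (16 strings per RT_STRING bundle), which is an assumption beyond what the answer states.

```python
import re

# Constructed sample: the rule value quoted in the question.
RULE = (r"v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|"
        r"RPort=5722|App=%SystemRoot%\system32\dfsr.exe|Svc=Dfsr|"
        r"Name=@FirewallAPI.dll,-32257|Desc=@FirewallAPI.dll,-32260|"
        r"EmbedCtxt=@FirewallAPI.dll,-32252|Edge=FALSE|")

INDIRECT = re.compile(r"^@(?P<module>[^,]+),(?P<num>-?\d+)$")


def parse_rule(rule):
    """Split a rule value into (version, [(key, value), ...])."""
    version, *fields = [f for f in rule.split("|") if f]
    pairs = []
    for field in fields:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {field!r}")
        pairs.append((key, value))  # a list keeps order and any repeated keys
    return version, pairs


def decode_indirect(value):
    """Classify '@module,number'; return None for ordinary values."""
    m = INDIRECT.match(value)
    if m is None:
        return None
    num = int(m.group("num"))
    if num >= 0:
        # Positive: a resource index, not an identifier.
        return {"module": m.group("module"), "kind": "index", "index": num}
    res_id = -num  # negative: drop the minus sign to get the identifier
    if res_id > 0xFFFF:
        raise ValueError(f"resource identifier out of range: {res_id}")
    return {"module": m.group("module"), "kind": "id", "id": res_id,
            # Assumption: string tables are stored in bundles of 16 strings.
            "bundle": (res_id >> 4) + 1, "slot": res_id & 0xF}


def indirect_fields(rule):
    """Return {key: decoded reference} for every indirect-string field."""
    _, pairs = parse_rule(rule)
    return {k: d for k, v in pairs if (d := decode_indirect(v)) is not None}
```

The number is therefore a lookup key into the module's string resources, not a byte offset, which is why seeking to it in a hex editor finds nothing meaningful.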
