Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

A question on registry callbacks

Don_Burn_1Don_Burn_1 Member Posts: 4,311
I am doing some work for a client, and realized that registry callbacks
have a limitation that I wonder if there is a way around. Since you get
the object pointer to the registry key, is there any way to determine if
a particular operation is part of a transaction? For instance:


ZwOpenKey(&h, ... )
ZwOpenKeyTransacted(&ht, ...
ZwDeleteKey( h, Key1 );
ZwDeleteKey( ht, Key2 );
ZwRollBackTransaction(...

Is there any way for the above to know that the ZwDeleteKey of Key2 was
canceled? Or in other words if I want to do an operation based on the
callback how do I know to enlist my operation into the transaction for
one ZwDeleteKey but not the other?


Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

Comments

  • Daniel_TerhellDaniel_Terhell Member Posts: 1,349
    The REG_CREATE_KEY_INFORMATION notification class will reveal a possibly
    related transaction object.You can track subsequent operations on the same
    registry object to see if they are associated with that transaction (or
    perform operations yourself).

    //Daniel



    "Don Burn" wrote in message news:xxxxx@ntdev...
    >I am doing some work for a client, and realized that registry callbacks
    >have a limitation that I wonder if there is a way around. Since you get
    >the object pointer to the registry key, is there any way to determine if a
    >particular operation is part of a transaction? For instance:
    >
    >
    > ZwOpenKey(&h, ... )
    > ZwOpenKeyTransacted(&ht, ...
    > ZwDeleteKey( h, Key1 );
    > ZwDeleteKey( ht, Key2 );
    > ZwRollBackTransaction(...
    >
    > Is there any way for the above to know that the ZwDeleteKey of Key2 was
    > canceled? Or in other words if I want to do an operation based on the
    > callback how do I know to enlist my operation into the transaction for one
    > ZwDeleteKey but not the other?
    >
    >
    > Don Burn
    > Windows Filesystem and Driver Consulting
    > Website: http://www.windrvr.com
    > Blog: http://msmvps.com/blogs/WinDrvr
    >
    >
    >
    >
    >
  • Don_Burn_1Don_Burn_1 Member Posts: 4,311
    Daniel,

    How can I track subsequent operations to know if they are part of
    the transaction? The callbacks for the operations other than Create and
    Open do not indicate an associated transaction, and there is nothing
    stopping a situation like I showed where there are two handles to one
    key object one that is for the transaction and one that is not.


    Don Burn
    Windows Filesystem and Driver Consulting
    Website: http://www.windrvr.com
    Blog: http://msmvps.com/blogs/WinDrvr




    "xxxxx@resplendence.com" <xxxxx@resplendence.com> wrote in message
    news:xxxxx@ntdev:

    > The REG_CREATE_KEY_INFORMATION notification class will reveal a possibly
    > related transaction object.You can track subsequent operations on the same
    > registry object to see if they are associated with that transaction (or
    > perform operations yourself).
    >
    > //Daniel
    >
    >
    >
    > "Don Burn" <xxxxx@acm.org> wrote in message news:xxxxx@ntdev...
    > >I am doing some work for a client, and realized that registry callbacks
    > >have a limitation that I wonder if there is a way around. Since you get
    > >the object pointer to the registry key, is there any way to determine if a
    > >particular operation is part of a transaction? For instance:
    > >
    > >
    > > ZwOpenKey(&h, ... )
    > > ZwOpenKeyTransacted(&ht, ...
    > > ZwDeleteKey( h, Key1 );
    > > ZwDeleteKey( ht, Key2 );
    > > ZwRollBackTransaction(...
    > >
    > > Is there any way for the above to know that the ZwDeleteKey of Key2 was
    > > canceled? Or in other words if I want to do an operation based on the
    > > callback how do I know to enlist my operation into the transaction for one
    > > ZwDeleteKey but not the other?
    > >
    > >
    > > Don Burn
    > > Windows Filesystem and Driver Consulting
    > > Website: http://www.windrvr.com
    > > Blog: http://msmvps.com/blogs/WinDrvr
    > >
    > >
    > >
    > >
    > >
  • Daniel_TerhellDaniel_Terhell Member Posts: 1,349
    In a filesystem, subsequent opens to the same file will create handles to
    different file objects. Are you sure the registry does not work the same way
    and and registry key objects do not represent opened keys only, so that the
    second open will create a handle to a different registry key object even
    though it has the same path ? Because I am talking to you I am starting to
    doubt now and will look this up.

    //Daniel



    "Don Burn" wrote in message news:xxxxx@ntdev...
    > Daniel,
    >
    > How can I track subsequent operations to know if they are part of the
    > transaction? The callbacks for the operations other than Create and Open
    > do not indicate an associated transaction, and there is nothing stopping a
    > situation like I showed where there are two handles to one key object one
    > that is for the transaction and one that is not.
    >
    >
    > Don Burn
    > Windows Filesystem and Driver Consulting
    > Website: http://www.windrvr.com
    > Blog: http://msmvps.com/blogs/WinDrvr
    >
    >
    >
    >
    > "xxxxx@resplendence.com" wrote in message
    > news:xxxxx@ntdev:
    >
    >> The REG_CREATE_KEY_INFORMATION notification class will reveal a possibly
    >> related transaction object.You can track subsequent operations on the
    >> same
    >> registry object to see if they are associated with that transaction (or
    >> perform operations yourself).
    >>
    >> //Daniel
    >>
    >>
    >>
    >> "Don Burn" wrote in message news:xxxxx@ntdev...
    >> >I am doing some work for a client, and realized that registry callbacks
    >> >have a limitation that I wonder if there is a way around. Since you get
    >> >the object pointer to the registry key, is there any way to determine if
    >> >a
    >> >particular operation is part of a transaction? For instance:
    >> >
    >> >
    >> > ZwOpenKey(&h, ... )
    >> > ZwOpenKeyTransacted(&ht, ...
    >> > ZwDeleteKey( h, Key1 );
    >> > ZwDeleteKey( ht, Key2 );
    >> > ZwRollBackTransaction(...
    >> >
    >> > Is there any way for the above to know that the ZwDeleteKey of Key2 was
    >> > canceled? Or in other words if I want to do an operation based on the
    >> > callback how do I know to enlist my operation into the transaction for
    >> > one
    >> > ZwDeleteKey but not the other?
    >> >
    >> >
    >> > Don Burn
    >> > Windows Filesystem and Driver Consulting
    >> > Website: http://www.windrvr.com
    >> > Blog: http://msmvps.com/blogs/WinDrvr
    >> >
    >> >
    >> >
    >> >
    >> >
    >
    >
  • Daniel_TerhellDaniel_Terhell Member Posts: 1,349
    So it looks I was correct. You will need to duplicate a handle in order to
    get a second handle to the same registry object. In your example h and ht
    become two different handles to two different registry key objects even
    though the paths are the same so you can track operations by registry key
    object.

    //Daniel



    wrote in message news:xxxxx@ntdev...
    > In a filesystem, subsequent opens to the same file will create handles to
    > different file objects. Are you sure the registry does not work the same
    > way and and registry key objects do not represent opened keys only, so
    > that the second open will create a handle to a different registry key
    > object even though it has the same path ? Because I am talking to you I am
    > starting to doubt now and will look this up.
    >
    > //Daniel
    >
    >
    >
    > "Don Burn" wrote in message news:xxxxx@ntdev...
    >> Daniel,
    >>
    >> How can I track subsequent operations to know if they are part of the
    >> transaction? The callbacks for the operations other than Create and Open
    >> do not indicate an associated transaction, and there is nothing stopping
    >> a situation like I showed where there are two handles to one key object
    >> one that is for the transaction and one that is not.
    >>
    >>
    >> Don Burn
    >> Windows Filesystem and Driver Consulting
    >> Website: http://www.windrvr.com
    >> Blog: http://msmvps.com/blogs/WinDrvr
    >>
    >>
    >>
    >>
    >> "xxxxx@resplendence.com" wrote in message
    >> news:xxxxx@ntdev:
    >>
    >>> The REG_CREATE_KEY_INFORMATION notification class will reveal a possibly
    >>> related transaction object.You can track subsequent operations on the
    >>> same
    >>> registry object to see if they are associated with that transaction (or
    >>> perform operations yourself).
    >>>
    >>> //Daniel
    >>>
    >>>
    >>>
    >>> "Don Burn" wrote in message news:xxxxx@ntdev...
    >>> >I am doing some work for a client, and realized that registry callbacks
    >>> >have a limitation that I wonder if there is a way around. Since you
    >>> >get
    >>> >the object pointer to the registry key, is there any way to determine
    >>> >if a
    >>> >particular operation is part of a transaction? For instance:
    >>> >
    >>> >
    >>> > ZwOpenKey(&h, ... )
    >>> > ZwOpenKeyTransacted(&ht, ...
    >>> > ZwDeleteKey( h, Key1 );
    >>> > ZwDeleteKey( ht, Key2 );
    >>> > ZwRollBackTransaction(...
    >>> >
    >>> > Is there any way for the above to know that the ZwDeleteKey of Key2
    >>> > was
    >>> > canceled? Or in other words if I want to do an operation based on the
    >>> > callback how do I know to enlist my operation into the transaction for
    >>> > one
    >>> > ZwDeleteKey but not the other?
    >>> >
    >>> >
    >>> > Don Burn
    >>> > Windows Filesystem and Driver Consulting
    >>> > Website: http://www.windrvr.com
    >>> > Blog: http://msmvps.com/blogs/WinDrvr
    >>> >
    >>> >
    >>> >
    >>> >
    >>> >
    >>
    >>
    >
    >
    >
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Developing Minifilters 29 July 2019 OSR Seminar Space
Writing WDF Drivers 23 Sept 2019 OSR Seminar Space
Kernel Debugging 21 Oct 2019 OSR Seminar Space
Internals & Software Drivers 18 Nov 2019 Dulles, VA