Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Sept/Oct 2019 Issue of The NT Insider available

Download PDF here:

It’s a particularly BIG issue, too: 40 pages of technical goodness, ranging from WDF to Minifilters. Check it out.
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

I need help to understand the following code in scanner MS sample minifilter

parsaparsa Member Posts: 4

I am seeing the following code in the scanner minifilter sample code converting array of UCHAR to PWCHAR and finding the number of strings as shown below. Is this correct code. H

----------------- snip -------------------
ch = (PWCHAR)(valueBuffer->Data);

count = 0;

//  Count how many strings are in the multi string

while (*ch != '\0') {

    ch = ch + wcslen( ch ) + 1;

------------------------ end --------------------------
Here is the declaration of variable for your reference.



ULONG TitleIndex;
ULONG DataLength;
(DataLength) UCHAR Data[1]; // Variable size

My question is how the finding of the number of strings will work when the input is multi string in UCHAR format. For example say this is the input "Abc Def". When i checked "Abc Def" sample input "wcslen" is showing 16 in the first iteration inside the loop. I want to understand how 16 comes here.


  • Jeremy_HurrenJeremy_Hurren Member - All Emails Posts: 14
    edited September 24

    String data is stored in wide-characters in the kernel. So your "Abc Def" string is actually stored in bytes as 7 wide characters (14 bytes) plus a wide character null terminator for a total of 16 bytes. The KEY_VALUE_PARTIAL_INFORMATION structure just uses a placeholder byte in the structure and dynamically fills whatever buffer is available to be filled. The only thing I would change about the sample code would be to change the while loop to compare to a wide-character literal L'\0', but that's just because I'm picky, ha ha.

  • parsaparsa Member Posts: 4

    Thanks for clarification.

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,172

    Any time I see MULTI_SZ parsing in a driver I cringe...Just want to point out that this code is inherently unsafe in that the Registry does not guarantee that string values are:

    1. Properly NULL terminated.

    2. A multiple of sizeof(WCHAR)

    So, you can make this code go off a cliff by putting some arbitrary, non-NULL terminated junk in the MULTI_SZ value.

    The value being read here is under a somewhat restrictive ACL so you could say that makes it "safe" for the sample. It wouldn't take much to fix but I'd be careful about duplicating this code as is elsewhere.


Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Writing WDF Drivers 21 Oct 2019 OSR Seminar Space & ONLINE
Internals & Software Drivers 18 Nov 2019 Dulles, VA
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 27 Apr 2020 OSR Seminar Space & ONLINE