About ZwDeleteKey fail

allen_zhang · October 20, 2009, 8:30pm

Hi All,

I am trying to delete the registry sub key in my driver with ZwDeleteKey, but it is giving me STATUS_CANNOT_DELETE error.
I open it success by KEY_ALL_ACCRESS.

It seems that it is not deleting the key. Is there any reason?

the follow is my code,

NTSTATUS status;
UNICODE_STRING regPath;
HANDLE hKey;
OBJECT_ATTRIBUTES objAttributes;

RtlInitUnicodeString(&regPath, L"\REGISTRY\Machine\SYSTEM\ControlSet002\Enum\XXXX\YYYY");
InitializeObjectAttributes(&objAttributes, &regPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwOpenKey(&hKey, KEY_ALL_ACCESS, &objAttributes);
KdPrint((“Open key for delete return(%X)\n”, status));
if(NT_SUCCESS(status))
{
status = ZwDeleteKey(hKey);
KdPrint((" ********** Delete key(%X)\n", status));
ZwClose(hKey);
}

Thanks & Regards,
Allen

allen_zhang · October 20, 2009, 8:34pm

An important detail,
There is no sub key under the “SYSTEM\ControlSet002\Enum\XXXX\YYYY”.

Best Regards,
Allen

Tim_Roberts · October 20, 2009, 8:46pm

xxxxx@sina.com wrote:

I am trying to delete the registry sub key in my driver with ZwDeleteKey, but it is giving me STATUS_CANNOT_DELETE error.
I open it success by KEY_ALL_ACCRESS.

It seems that it is not deleting the key. Is there any reason?

the follow is my code,

NTSTATUS status;
UNICODE_STRING regPath;
HANDLE hKey;
OBJECT_ATTRIBUTES objAttributes;

RtlInitUnicodeString(&regPath, L"\REGISTRY\Machine\SYSTEM\ControlSet002\Enum\XXXX\YYYY");
InitializeObjectAttributes(&objAttributes, &regPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwOpenKey(&hKey, KEY_ALL_ACCESS, &objAttributes);
KdPrint((“Open key for delete return(%X)\n”, status));
if(NT_SUCCESS(status))
{
status = ZwDeleteKey(hKey);
KdPrint((" ********** Delete key(%X)\n", status));
ZwClose(hKey);
}

Which operating system is this? The Enum keys are owned by a special
SID on Vista and beyond. In addition, there’s nothing in here that
can’t also be done from user mode.

However, what you’re doing is a bad idea, anyway. The Device Manager
gets confused when Enum keys disappear. And you should never hardcode a
ControlSet number – always use CurrentControlSet.

WHY are you trying to delete an Enum key?

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

allen_zhang · October 20, 2009, 8:57pm

Thanks for you answer,

Sorry, My os is Windows XP SP3.

I have test my code, It is correct for the most,
I want to remove it because that the driver is removed by device manager,

Best Regards,
Allen

Doron_Holan · October 20, 2009, 9:41pm

Doesn’t matter if it is test code, the enum key does not belong to you. Let the OS cleanup its state

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@sina.com
Sent: Tuesday, October 20, 2009 5:57 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] About ZwDeleteKey fail

Thanks for you answer,

Sorry, My os is Windows XP SP3.

I have test my code, It is correct for the most,
I want to remove it because that the driver is removed by device manager,

Best Regards,
Allen

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

allen_zhang · October 23, 2009, 4:53pm

Doron Holan,
Thanks for your help.

It will be remain when we removed the driver by device manager, What’s the reason?
For the other keys we can delete it by regedit(Of course, We must be add the ‘full control popedom’ to the sub key) or by icesword.

Best Regards,
Allen

Doron_Holan · October 23, 2009, 4:58pm

It is an OS abstraction, the OS can choose to keep it if it wishes. The reasons behind keeping or deleting the devnode change from release to release

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@sina.com
Sent: Friday, October 23, 2009 1:55 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] About ZwDeleteKey fail

Doron Holan,
Thanks for your help.

It will be remain when we removed the driver by device manager, What’s the reason?
For the other keys we can delete it by regedit(Of course, We must be add the ‘full control popedom’ to the sub key) or by icesword.

Best Regards,
Allen

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Tim_Roberts · October 23, 2009, 5:02pm

xxxxx@sina.com wrote:

It will be remain when we removed the driver by device manager, What’s the reason?
For the other keys we can delete it by regedit(Of course, We must be add the ‘full control popedom’ to the sub key) or by icesword.

Because it doesn’t hurt anything to leave it in there, and it improves
the user experience the next time they plugin.

Please remember that real customers never need this kind of registry
cleaning. This is only useful in a testing situation, and in that case
you’re better off using an image or a system restore point anyway.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

allen_zhang · October 23, 2009, 5:17pm

Tim Roberts

Thanks for your help,
I see, Thanks a lot of!

Best Regards,

Allen