Hi,
I am hooking registry calls similar to the way regmon does. I hook the basic
registry calls. Recently I made some changes to the way I monitor values in my
driver. What I do now is when a call to NtSetValueKey is caught I create a
key in some private registry “bush”. To create it with the “proper” security
attributes I ObDereference the registry key handle, and then I call
ObGetObjectSecurity to get the SECURITY_DESCRIPTOR of the registry key.
Then, I use this security descriptor to create my own private key and value
(in the call to CreateObjectAttributes macro).
Everything seems simple enough, but when I reboot after running my driver
the OS bugchecks with code 0xC0000218 (unable to load hive). If I use a null
security descriptor then everything is OK.
Did anyone encounter a similar problem? In the MSDN after searching for this
bugcheck code I only got a (see -
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q104203 ) about
installation of a SCSI driver, but it is not related to my problem. Does anyone
have any suggestions?
G.
“For those who bear the instruments of war - and we are among them,
Some in practice,
Some by a hug of approval -
Are sucked, mumbling “necessity” and “vengeance”,
Into the domain of war crimes.”
Nathan Alterman, 1948