I’ve got a registry callback in place on WinXP, and I want to modify the registry path during the PreDelete stage. The REG_DELETE_KEY_INFORMATION pointer that’s passed into the callback function has the path stored in the “Object” variable. To get the name, it seems you run it through ObQueryNameString and that function fills a NEW structure with the path. If I change that NEW structure, the real one is still going to be the old path, correct? Then how do I change the path in the “Object” variable, so that the kernel uses the modified path?
Thanks!
> I’ve got a registry callback in place on WinXP, and I want to modify the
> registry path during the PreDelete stage. The REG_DELETE_KEY_INFORMATION
> pointer that’s passed into the callback function has the path stored in
> the “Object” variable. To get the name, it seems you run it through
> ObQueryNameString and that function fills a NEW structure with the path.
> If I change that NEW structure, the real one is still going to be the old
> path, correct?
Correct.
> Then how do I change the path in the “Object” variable, so that the kernel
> uses the modified path?
You don't.
So it’s not possible to modify registry operations that use this Object variable? Is there any other way to accomplish this?
The point is that the PVOID Object is an opaque pointer to an object that
represents an open instance of a registry key, so by the time you are at
RegNtPreDeleteKey, vis-à-vis names, the horse has, so to speak, bolted. It seems
therefore that if some caller wants to open a certain key, you want the key to be
opened, but if the caller then wants to use the handle (object) to delete
the key, you want some other key to be deleted … I wonder what you really
seek to accomplish?
I’m simply trying to sandbox Applications by redirecting all registry operations to another hive.
Fair enough - so, you’d be wanting instead to redirect reg key open/create
and such for example?
Yes, all Open/Create/Delete/Rename/etc operations should get redirected to a new location (a prepended path). I want to implement this on HKLM, HKCU, and HKCR.
So you have this part working for open/create? If so, then doesn't delete just
come out in the wash because the open had been ‘redirected’?
I haven’t written the redirection code yet. I’m just going through the various operations first, making sure I’ll be able to modify the regkey path. It seems like quite a few operations use this “Object” object, so I’m tackling this issue before moving on.
Regarding your second comment, if the open is redirected, the program would still think that it wrote to the “non-redirected” location. If/when it did another operation, wouldn’t it still try to write to the original location (which is why I am trying to redirect all registry operations)?
If the program opens key …\A\B\C and you change the name to …\MY\A\B\C (or another
name shift as you choose), and if you always change the name the same way, the program
always sees the same, the world view is consistent, so where is the problem?
Nowhere! The PVOID Object is the registry key object. The association
between Object and name is made when Object is opened/created. Hence it is the
open/create you need to meddle about with. I wonder, did you get that working
back in December?
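The rule the reply gives, rewriting the name at open/create and always in the same way, as an added C example that is not code from this thread or from any poster; it shows only the name mapping, not the kernel callback or how the new name is handed back. The sandbox hive location is assumed, and it takes plain C strings rather than the UNICODE_STRING the callback receives.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed (not from the thread): the sandbox hive lives under this key and a
 * redirected name is simply the original kernel path appended to it. */
#define SANDBOX_PREFIX "\\REGISTRY\\MACHINE\\SOFTWARE\\SandboxHive"

/* Registry names are case-insensitive, so prefix checks must be too.
 * Returns the prefix length on match, 0 otherwise. */
static size_t prefix_len_ci(const char *s, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i]; i++)
        if (toupper((unsigned char)s[i]) != toupper((unsigned char)prefix[i]))
            return 0;
    return i;
}

/* The "prepended path" rule from the thread, applied the same way every
 * time. Returns 1 if `in` was rewritten into `out`, 0 if it is left alone
 * (already redirected, or outside HKLM/HKCU), -1 if `out` is too small.
 * HKCR needs no extra root: its kernel names live under MACHINE\SOFTWARE\
 * Classes and USER\<SID>_Classes, which the two roots below already cover. */
int redirect_registry_path(const char *in, char *out, size_t outlen)
{
    static const char *const roots[] = { "\\REGISTRY\\MACHINE\\",
                                         "\\REGISTRY\\USER\\" };
    size_t i, n = prefix_len_ci(in, SANDBOX_PREFIX);

    /* Idempotence: a name already inside the sandbox hive is final. Without
     * this, a redirected open re-entering the callback would be moved again
     * and the program's "world view" would no longer be consistent. */
    if (n && (in[n] == '\\' || in[n] == '\0'))
        return 0;
    for (i = 0; i < sizeof roots / sizeof roots[0]; i++)
        if (prefix_len_ci(in, roots[i])) {
            int w = snprintf(out, outlen, "%s%s", SANDBOX_PREFIX, in);
            return (w < 0 || (size_t)w >= outlen) ? -1 : 1;
        }
    return 0;               /* other roots (e.g. \REGISTRY\A) pass through */
}

/* Self-check helper: 1 if `in` rewrites to `want`, or is left alone when
 * `want` is NULL; 0 otherwise. */
int redirect_matches(const char *in, const char *want)
{
    char out[512];
    int r = redirect_registry_path(in, out, sizeof out);
    return want ? (r == 1 && strcmp(out, want) == 0) : (r == 0);
}
```

The same function would be applied to the name in every pre-open and pre-create notification; a delete through an object opened that way then already refers to the sandbox copy.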