Hi there,
Can two post-operations be passed to the hooking routine from the same thread?
Like:
RegNtPreCreateKeyEx(“blabla”) (1)
--> pre-operation
RegNtPreOpenKeyEx(“aaa”) (2)
--> pre-operation
<-- post-operation of (1)
<-- post-operation of (2)
In the Cm PDF around there, Microsoft says to use ThreadId to differentiate; even so,
I’m receiving various pre-operation calls from the same thread ID, only receiving the post-op later:
236 opened key:
Handle = 00000000
Name = \REGISTRY\USER\S-1-5-21-3795014860-226989805-2600055803-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.exe
[WAITING FOR POST-OP thread=00000144]
236 opened key:
Handle = 00000000
Name = \REGISTRY\USER\S-1-5-21-3795014860-226989805-2600055803-500_CLASSES.exe
[WAITING FOR POST-OP thread=00000144]
236 opened key:
Handle = 00000000
Name = \REGISTRY\Registry\Machine\Software\Classes.exe
[WAITING FOR POST-OP thread=00000144]
(…)
236 [POST-OPERATION]
Thread = 00000144
Status = 00000000
Object = E149EDA8
If the Cm callback routine receives pre and post at random, how can I “connect” them correctly?
Thanks in advance,
Jean F.