Got a question regarding CmRegisterCallback and RegNtPreCreateKey/RegNtPreCreateKeyEx.
After calling CmRegisterCallback/CmRegisterCallbackEx, CallbackRoutine is called each time the registry is ‘touched’.
Now, assuming that we’re on a Vista+ OS: is RegNtPreCreateKeyEx called even if the user used CreateKey (not the *Ex version), or will it work only with the Ex version?
If it works only with the Ex version, then is it possible to modify arguments via RegNtPreCreate (without Ex)? The doc says that the REG_PRE_CREATE_KEY_INFORMATION struct has only one member, so there is no field to be updated after modification.
The next question is regarding the XP system - I understand that RegNtPreCreateKeyEx won’t be called on this OS - correct?
Is it possible to somehow modify parameters in the pre-create callback, or should I do it in a different way? If so, then how?
Sorry for the bunch of questions, and thank you, everyone!
The WDK documentation states that RegNtPreCreateKey is only called for XP
while RegNtPreCreateKeyEx is called starting with W2K3. Do you think that
the documentation is incorrect?
Bill Wandel
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, December 28, 2011 4:43 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] CmRegisterCallback question
Hello!
Got question regarding CmRegisterCallback and
RegNtPreCreateKey/RegNtPreCreateKeyEx.
After calling CmRegisterCallback/CmRegisterCallbackEx CallbackRoutine is
called each time registry is ‘touched’.
Now, assuming that we’re on vista+ os: is RegNtPreCreateKeyEx called even if
user used CreateKey (not *Ex version) or it will work only on Ex version.
If it will work only on ex version then is it possible to modify arguments
via RegNtPreCreate (without ex) - since doc says that
REG_PRE_CREATE_KEY_INFORMATION struct has only one member so there is no
field to be updated after modification.
Next question is regarding Xp system - I understand that RegNtPreCreateKeyEx
won’t be called in this os - correct?
Is it possible to somehow modify parameters in pre create callback or should
I do it in different way, if so then how?
sorry for bunch of questions and thank you for everyone!
Thank you for your quick response!
Well, I was wondering how to omit hooks, but if a guy as experienced as you says that this ‘is’ the solution, I assume that there is probably no way to omit this.
The problem seems to be with Windows XP x64, since KPP was introduced there, and even if the problem is not in KPP itself, it is a solution disallowed by Microsoft, so any hooks on x64 will end up with an UNTRUSTED pop-up.
Any ideas how to achieve it on x64 XP?
Assuming we’ve got a callback on the registry.
Is it possible to determine in the context of which thread/process my callback is working?
Can I safely assume that the callback works in the context of the thread that requested the registry operation (and then call PsGetCurrentProcess())?
If not, then is it possible (and if so, how) to determine the procId/threadId of the process/thread that requested the registry operation?