Creating Registry Hive under HKLM

Hi All,
I tried to create a registry hive under \Registry\Machine by using the following code:
{
OBJECT_ATTRIBUTES ObjectAttributes;
OBJECT_ATTRIBUTES ObjectAttributes2;
UNICODE_STRING FileName = {0};
UNICODE_STRING HKLM = {0};
NTSTATUS ntStatus;

RtlInitUnicodeString(&FileName, L"\\??\\C:\\THKLM.reg");
InitializeObjectAttributes( &ObjectAttributes, &FileName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE , NULL, NULL );

RtlInitUnicodeString(&uniHKLM, L"\\REGISTRY\\MACHINE");
InitializeObjectAttributes( &ObjectAttributes2, &HKLM,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE , NULL, NULL );

AdjustPrivilege(SE_RESTORE_PRIVILEGE, TRUE);
AdjustPrivilege(SE_BACKUP_PRIVILEGE, TRUE);
ntStatus = ZwLoadKey(&ObjectAttributes2, &ObjectAttributes);
}

AdjustPrivilege is the same function which is provided in the OSR article at
http://www.osronline.com/article.cfm?article=23

I have used the undocumented ZwLoadKey and have adjusted privileges too, but after running this I am getting error -1073741790 or 0xC0000022.

Can anyone guide me what I am doing wrong here?

You are using an undocumented function call, so this may stop working at any
time. Consider doing this in user mode instead.

> RtlInitUnicodeString(&FileName, L"\\??\\C:\\THKLM.reg");

You cannot import text (.reg) registry files with this function, only binary
registry hive files created with the SaveKey* routines.

> RtlInitUnicodeString(&uniHKLM, L"\\REGISTRY\\MACHINE");
> InitializeObjectAttributes( &ObjectAttributes2, &HKLM, OBJ_CASE_INSENSITIVE
> | OBJ_KERNEL_HANDLE , NULL, NULL );

Note that you have not shown us where you declared uniHKLM and that you are
not assigning that string to ObjectAttributes2.

//Daniel


> RtlInitUnicodeString(&FileName, L"\\??\\C:\\THKLM.reg");

Is that a file that has been created by exporting from regedit?
Because RegLoadKey or NtLoadKey can only map registry hives.

L.
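Daniel's and L.'s point, that RegLoadKey/NtLoadKey only map a binary hive and not a text .reg export, as an added example in C that is not code from the thread: a check that sniffs a candidate file before it is handed to the loader. It assumes the documented layout of the 512-byte "regf" base block (signature, primary/secondary sequence numbers, and the XOR checksum in the last DWORD) and the UTF-16LE BOM header regedit writes for a .reg export; the sample bytes are constructed inline and the function and constant names are this example's own.

```c
/* Added example, not from the thread: classify a file before NtLoadKey/RegLoadKey.
 * Only a binary hive (512-byte "regf" base block with a valid checksum) is accepted;
 * regedit's text exports are rejected. Sample inputs are constructed below. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define REGF_BASE_BLOCK 512

enum hive_kind { HK_UNKNOWN = 0, HK_REGF_HIVE, HK_REGF_BAD_CHECKSUM, HK_TEXT_REG };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Base-block checksum: XOR of the first 508 bytes as 127 little-endian DWORDs;
 * the two reserved results are remapped the way the kernel does it. */
uint32_t regf_checksum(const uint8_t *b)
{
    uint32_t x = 0;
    for (size_t off = 0; off < 0x1FC; off += 4)
        x ^= rd32(b + off);
    if (x == 0xFFFFFFFFu) x = 0xFFFFFFFEu;
    if (x == 0) x = 1;
    return x;
}

/* Primary and secondary sequence numbers differ when the last write never
 * completed, i.e. the hive still needs its transaction log replayed. */
int regf_is_dirty(const uint8_t *b)
{
    return rd32(b + 0x04) != rd32(b + 0x08);
}

enum hive_kind classify_hive_file(const uint8_t *buf, size_t len)
{
    /* regedit 5 export: UTF-16LE BOM, then "Windows Registry Editor Version 5.00" */
    static const uint8_t utf16_hdr[] = { 0xFF, 0xFE, 'W',0, 'i',0, 'n',0, 'd',0, 'o',0, 'w',0, 's',0 };
    if (len >= sizeof utf16_hdr && memcmp(buf, utf16_hdr, sizeof utf16_hdr) == 0)
        return HK_TEXT_REG;
    if (len >= 8 && memcmp(buf, "REGEDIT4", 8) == 0)          /* older ANSI export */
        return HK_TEXT_REG;
    if (len < REGF_BASE_BLOCK || memcmp(buf, "regf", 4) != 0)
        return HK_UNKNOWN;
    if (rd32(buf + 0x1FC) != regf_checksum(buf))
        return HK_REGF_BAD_CHECKSUM;
    return HK_REGF_HIVE;
}

/* Constructed sample: a minimal, self-consistent base block for a hive named THKLM. */
const uint8_t *sample_hive(void)
{
    static uint8_t b[REGF_BASE_BLOCK];
    memset(b, 0, sizeof b);
    memcpy(b, "regf", 4);
    wr32(b + 0x04, 1);        /* primary sequence number */
    wr32(b + 0x08, 1);        /* secondary sequence number: equal, so cleanly written */
    wr32(b + 0x14, 1);        /* major version */
    wr32(b + 0x18, 5);        /* minor version */
    wr32(b + 0x1C, 0);        /* file type: primary hive file */
    wr32(b + 0x20, 1);        /* file format: direct memory load */
    wr32(b + 0x24, 0x20);     /* root cell offset, relative to the first hbin */
    wr32(b + 0x28, 0x1000);   /* size of the hive bins data */
    wr32(b + 0x2C, 1);        /* clustering factor */
    const char *name = "THKLM";                       /* UTF-16LE file name at 0x30 */
    for (size_t i = 0; name[i]; i++) b[0x30 + 2 * i] = (uint8_t)name[i];
    wr32(b + 0x1FC, regf_checksum(b));
    return b;
}

enum hive_kind check_sample_hive(void)
{
    return classify_hive_file(sample_hive(), REGF_BASE_BLOCK);
}

enum hive_kind check_sample_tampered(void)
{
    uint8_t b[REGF_BASE_BLOCK];
    memcpy(b, sample_hive(), sizeof b);
    b[0x24] ^= 0x01;          /* nudge the root cell offset: stored checksum no longer matches */
    return classify_hive_file(b, sizeof b);
}

/* Constructed sample: what regedit writes for a .reg export (UTF-16LE with BOM). */
enum hive_kind check_sample_text_reg(void)
{
    static const char ascii[] = "Windows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\THKLM]\r\n";
    uint8_t b[2 + 2 * sizeof ascii];
    size_t n = 0;
    b[n++] = 0xFF; b[n++] = 0xFE;
    for (size_t i = 0; ascii[i]; i++) { b[n++] = (uint8_t)ascii[i]; b[n++] = 0; }
    return classify_hive_file(b, n);
}

enum hive_kind check_sample_garbage(void)
{
    static const uint8_t junk[] = "MZ\x90\x00\x03";   /* a PE header is not a hive either */
    return classify_hive_file(junk, sizeof junk);
}

int main(void)
{
    printf("hive=%d tampered=%d text_reg=%d garbage=%d dirty=%d\n",
           check_sample_hive(), check_sample_tampered(), check_sample_text_reg(),
           check_sample_garbage(), regf_is_dirty(sample_hive()));
    return 0;
}
```

To use it on a real file, read its first 512 bytes and call classify_hive_file(); HK_TEXT_REG is the case Daniel suspects from the .reg extension, and a bad checksum or a dirty hive is worth refusing up front rather than letting the kernel's hive parser discover it.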

This file is not exported from the registry. And if you look at the RegLoadKey documentation, it clearly says: "If the file does not exist, a file is created with the specified name." I have tried this myself from user mode and it is working perfectly in user mode. I am just having the problem in kernel mode, and it is a requirement of the project.
~Eris

>This file not exported from registry.

The file extension suggested this to be a text file.

> If the file does not exist, a file is created with the specified name.

That is documentation for RegLoadKey not for ZwLoadKey. I expect this to be
the luxury that the API layer provides.

//Daniel


Daniel is correct; the creation of the file is a user-space item
only. Also, there were changes in how things worked (slight, but
depending on what you are doing, significant) between XP and later OSes.
So even if you find documentation on the web for the call from one of
the sites that attempts to document undocumented calls, it is likely to
be wrong!

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Did you look up that error code? You may be surprised to learn that most
of us have not memorized nterr.h in its entirety, and it is an expected
courtesy that you would at least give us the text of the error message.

What problem are you trying to solve that you think the creation of an
entire hive (as opposed to just a new key) is going to solve?

Since ZwLoadKey is undocumented, why do you think that using it will
create a new hive?

So I suspect that the first thing you are doing wrong is trying to create
a new hive, and the second thing you are doing wrong is using an
undocumented call to do it. At the next level, I suspect that trying to
read a key from a nonexistent hive is a problem; at the user API level
there are different calls to read a key and write a key.
joe


And you are absolutely certain, beyond a shadow of a doubt, that the
undocumented NtLoadKey has the identical semantics of RegLoadKey? And
what kind of project has a requirement of using an undocumented function
for its success?
joe


0xC0000022 is STATUS_ACCESS_DENIED. I would suspect that you might not have the privilege. Yes, I know you call AdjustPrivilege, but could you check that it actually succeeds? Because to enable a privilege, it must be granted first. Therefore, calling the above code in a normal user context will just fail.
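The check this reply asks for, as an added example in Win32 C that is not code from the thread: the user-mode route Daniel and Don recommend, enabling SeRestorePrivilege and SeBackupPrivilege and then loading the hive under a new HKLM subkey. The rule that is easy to miss is isolated in classify_adjust(): AdjustTokenPrivileges returns TRUE and sets ERROR_NOT_ALL_ASSIGNED when the privilege is not in the token at all, which is exactly the "must be granted first" case. The hive path C:\THKLM.hiv, the subkey name THKLM, an elevated process, and all helper names are this example's own assumptions.

```c
/* Added example, not from the thread: user-mode privilege enable plus RegLoadKey,
 * with the success check this reply asks for. Path, subkey and helper names are
 * assumptions made for the example. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif
#ifndef ERROR_NOT_ALL_ASSIGNED
#define ERROR_NOT_ALL_ASSIGNED 1300L      /* winerror.h value, so the rule below builds anywhere */
#endif

enum priv_result { PRIV_ENABLED, PRIV_NOT_HELD, PRIV_API_FAILED };

/* The decision rule, platform-independent: api_returned_true is the BOOL from
 * AdjustTokenPrivileges, last_error is GetLastError() read right after it. */
enum priv_result classify_adjust(int api_returned_true, long last_error)
{
    if (!api_returned_true) return PRIV_API_FAILED;
    if (last_error == ERROR_NOT_ALL_ASSIGNED) return PRIV_NOT_HELD;   /* TRUE, but not granted */
    return PRIV_ENABLED;
}

#ifdef _WIN32
/* Enable one privilege on the current process token and report whether the
 * kernel actually turned it on. */
enum priv_result enable_privilege(const wchar_t *name)
{
    HANDLE tok;
    TOKEN_PRIVILEGES tp;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tok))
        return PRIV_API_FAILED;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValueW(NULL, name, &tp.Privileges[0].Luid)) {
        CloseHandle(tok);
        return PRIV_API_FAILED;
    }
    BOOL ok = AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL);
    DWORD err = GetLastError();       /* must be read even when ok is TRUE */
    CloseHandle(tok);
    return classify_adjust(ok != 0, (long)err);
}

/* Load a hive file as HKLM\<subkey> (a new subkey, not HKLM itself), open it, unload it. */
LONG load_touch_unload(const wchar_t *subkey, const wchar_t *hive_path)
{
    LONG rc = RegLoadKeyW(HKEY_LOCAL_MACHINE, subkey, hive_path);
    if (rc != ERROR_SUCCESS) return rc;
    HKEY h;
    rc = RegOpenKeyExW(HKEY_LOCAL_MACHINE, subkey, 0, KEY_READ, &h);
    if (rc == ERROR_SUCCESS) RegCloseKey(h);      /* unload fails while handles stay open */
    return RegUnLoadKeyW(HKEY_LOCAL_MACHINE, subkey);
}

int main(void)
{
    /* Assumed: elevated process, and C:\THKLM.hiv is a real hive (e.g. from reg save). */
    enum priv_result r = enable_privilege(L"SeRestorePrivilege");
    enum priv_result b = enable_privilege(L"SeBackupPrivilege");
    if (r != PRIV_ENABLED || b != PRIV_ENABLED) {
        fprintf(stderr, "privileges not enabled (restore=%d, backup=%d)\n", (int)r, (int)b);
        return 1;
    }
    LONG rc = load_touch_unload(L"THKLM", L"C:\\THKLM.hiv");
    printf("RegLoadKey/RegUnLoadKey: %ld (0 = ERROR_SUCCESS, 1314 = ERROR_PRIVILEGE_NOT_HELD)\n", rc);
    return rc == ERROR_SUCCESS ? 0 : 1;
}
#endif
```

Run from a non-elevated prompt, enable_privilege() reports PRIV_NOT_HELD for both privileges and the program stops before touching the registry; that is the condition the reply above describes, surfaced explicitly instead of as an opaque failure from the load call.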

> 0xC0000022 is STATUS_ACCESS_DENIED. I would suspect that you might not have the privilege.

This should be STATUS_PRIVILEGE_NOT_HELD


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
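The decode joe asks for, and the pair of codes the last two replies disagree about, as an added example in C that is not code from the thread: it turns the -1073741790 the OP printed back into 0xC0000022, splits the NTSTATUS bit fields, and maps the statuses that matter here to the Win32 errors RegLoadKey would report in user mode. The constants are from ntstatus.h and winerror.h; the helper names are this example's own.

```c
/* Added example, not from the thread: decode an NTSTATUS and relate the kernel
 * code to the Win32 error RegLoadKey reports in user mode. Constants are from
 * ntstatus.h / winerror.h; helper names are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct ntstatus_fields {
    unsigned severity;   /* bits 31..30: 0 success, 1 informational, 2 warning, 3 error */
    unsigned customer;   /* bit 29: vendor-defined status */
    unsigned nt_bit;     /* bit 28: set once the status is wrapped into an HRESULT */
    unsigned facility;   /* bits 27..16 */
    unsigned code;       /* bits 15..0 */
};

struct ntstatus_fields ntstatus_split(uint32_t s)
{
    struct ntstatus_fields f;
    f.severity = (s >> 30) & 0x3u;
    f.customer = (s >> 29) & 0x1u;
    f.nt_bit   = (s >> 28) & 0x1u;
    f.facility = (s >> 16) & 0xFFFu;
    f.code     =  s        & 0xFFFFu;
    return f;
}

/* printf("%d", status) turns 0xC0000022 into -1073741790; this undoes that. */
uint32_t ntstatus_from_signed(long printed)
{
    return (uint32_t)(int32_t)printed;
}

/* NT_SUCCESS(): true for success and informational codes, false for warnings and errors. */
int nt_success(uint32_t s)
{
    return (int32_t)s >= 0;
}

/* HRESULT_FROM_NT(): the same status once a user-mode COM layer has wrapped it. */
uint32_t hresult_from_nt(uint32_t s)
{
    return s | 0x10000000u;   /* FACILITY_NT_BIT */
}

struct known_status { uint32_t status; const char *name; long win32; };

/* win32 is the RtlNtStatusToDosError() mapping, i.e. the value RegLoadKey returns. */
static const struct known_status known[] = {
    { 0x00000000u, "STATUS_SUCCESS",               0    },  /* ERROR_SUCCESS */
    { 0xC0000008u, "STATUS_INVALID_HANDLE",        6    },  /* ERROR_INVALID_HANDLE */
    { 0xC000000Du, "STATUS_INVALID_PARAMETER",     87   },  /* ERROR_INVALID_PARAMETER */
    { 0xC0000022u, "STATUS_ACCESS_DENIED",         5    },  /* ERROR_ACCESS_DENIED */
    { 0xC0000034u, "STATUS_OBJECT_NAME_NOT_FOUND", 2    },  /* ERROR_FILE_NOT_FOUND */
    { 0xC0000035u, "STATUS_OBJECT_NAME_COLLISION", 183  },  /* ERROR_ALREADY_EXISTS */
    { 0xC0000061u, "STATUS_PRIVILEGE_NOT_HELD",    1314 },  /* ERROR_PRIVILEGE_NOT_HELD */
};

const char *ntstatus_name(uint32_t s)
{
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (known[i].status == s) return known[i].name;
    return "(not in table)";
}

long ntstatus_to_win32(uint32_t s)
{
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (known[i].status == s) return known[i].win32;
    return -1;
}

const char *severity_name(unsigned sev)
{
    static const char *names[] = { "success", "informational", "warning", "error" };
    return names[sev & 0x3u];
}

void describe(long printed)
{
    uint32_t s = ntstatus_from_signed(printed);
    struct ntstatus_fields f = ntstatus_split(s);
    printf("%ld = 0x%08X %s: %s, facility 0x%03X, code 0x%04X, NT_SUCCESS=%d, win32=%ld, HRESULT=0x%08X\n",
           printed, (unsigned)s, ntstatus_name(s), severity_name(f.severity),
           f.facility, f.code, nt_success(s), ntstatus_to_win32(s), (unsigned)hresult_from_nt(s));
}

int main(void)
{
    describe(-1073741790L);   /* what the OP got: STATUS_ACCESS_DENIED */
    describe(-1073741727L);   /* what a missing privilege gives: STATUS_PRIVILEGE_NOT_HELD */
    return 0;
}
```

The two rows the thread cares about sit next to each other in the table: a token that lacks the privilege produces STATUS_PRIVILEGE_NOT_HELD (ERROR_PRIVILEGE_NOT_HELD, 1314, in user mode), while STATUS_ACCESS_DENIED (ERROR_ACCESS_DENIED, 5) is what an object access check returns, so the code the OP printed points at the file or key being opened rather than at the privilege adjustment.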