Denying registry activity/invalid UNICODE_STRING

I have a filter that is allowing/denying various things.
One of the things is selected registry key creations.

The filter ‘goes by the book’ on Vista (i.e. the callback)
but uses hooks on W2K & XP.

I have a test situation where my filter returns
STATUS_ACCESS_DENIED in response to a RegCreateKeyEx()
call by some other application.

This causes the O/S to repeat the call. I’m not sure yet
what (if anything) has been changed or why this happens.

On Vista, I seem to get the same information on the
2nd call and I repeat the STATUS_ACCESS_DENIED and
everything works as expected (i.e. the app’s
RegCreateKeyEx() fails).

On W2K & XP, the 2nd call has the OpenInfo->ObjectName
UNICODE_STRING in an invalid state:
Length is good.
Buffer is good. Buffer contents are correct.
MaximumLength is zero.

If I pass this 2nd call to the O/S as-is - my filter
is just passing it on - the O/S creates the key and
returns STATUS_SUCCESS.

What are you supposed to do with an invalid
UNICODE_STRING?

Has anyone seen this sort of thing elsewhere?

(It’s possible that the UNICODE_STRING contains
stale data and the O/S is using some other mechanism
to pass the new key name. The handle value is the same
in both calls)

Thanks for your consideration,
Mickey.

MaximumLength usually does not come into play unless the contents of the
string are changed. Generally you should make sure not to change the
behavior of the operating system. If a call with a string of zero
MaximumLength normally succeeds it is not the business of your hook to
decide that the parameters are invalid.

If you are in a post operation callback you definitely have an advantage. If
the call you are monitoring succeeds you know that everything is OK. If you
have to do things before the call completes it’s your business to first
probe the user mode parameters and mimic the operating system behavior.
That is to say all sorts of applications are calling all sorts of system
services either intentionally or unintentionally with invalid parameters and
you have to make sure that nothing is going to break. BTW the email addresses
from which you sent me messages are all bouncing.

//Daniel

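An added example (not code from the thread or from either poster's filter): a minimal C sketch of the distinction Daniel draws, classifying a UNICODE_STRING as read-only (Length and Buffer usable, MaximumLength too small to write into) versus fully valid, and a hook decision that denies by key-name prefix but passes anything it cannot interpret to the OS unchanged. The UNICODE_STRING typedef, the prefix-match policy and the sample key paths are constructed stand-ins so the code builds outside the Windows kernel.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the Windows UNICODE_STRING layout so the example
 * builds off Windows: Length and MaximumLength are byte counts and Buffer
 * holds UTF-16 code units with no NUL terminator required. */
typedef uint16_t WCHAR;
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; } UNICODE_STRING;

enum us_state { US_INVALID = 0, US_READ_ONLY = 1, US_WRITABLE = 2 };
enum verdict  { PASS_THROUGH = 0, DENY = 1 };

/* What may a hook safely do with the string it was handed? Reading needs only
 * Length and Buffer; writing (appending, RtlCopyUnicodeString) additionally
 * needs MaximumLength >= Length, since MaximumLength bounds the allocation.
 * Length > MaximumLength, as on the repeated call, therefore means read-only. */
enum us_state us_classify(const UNICODE_STRING *s)
{
    if (s == NULL || s->Length % sizeof(WCHAR) != 0) return US_INVALID;
    if (s->Length != 0 && s->Buffer == NULL) return US_INVALID;
    return (s->MaximumLength >= s->Length) ? US_WRITABLE : US_READ_ONLY;
}

/* Hook decision for a key-creation request: deny only when the name is
 * readable and starts with the protected prefix; anything the hook cannot
 * interpret is passed to the OS unchanged. The compare is exact ASCII for
 * brevity; real registry names are case-insensitive. */
enum verdict filter_create_key(const UNICODE_STRING *name, const char *prefix)
{
    size_t plen = strlen(prefix), i;
    if (us_classify(name) == US_INVALID) return PASS_THROUGH;
    if (name->Length / sizeof(WCHAR) < plen) return PASS_THROUGH;
    for (i = 0; i < plen; i++)
        if (name->Buffer[i] != (WCHAR)(unsigned char)prefix[i]) return PASS_THROUGH;
    return DENY;
}

/* Build a UNICODE_STRING over a constructed ASCII key path. max_len lets the
 * caller reproduce the MaximumLength == 0 state seen on the repeated call. */
UNICODE_STRING us_from_ascii(WCHAR *buf, size_t cap, const char *src, uint16_t max_len)
{
    UNICODE_STRING s;
    size_t n = strlen(src), i;
    if (n > cap) n = cap;
    for (i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)src[i];
    s.Length = (uint16_t)(n * sizeof(WCHAR));
    s.MaximumLength = max_len;
    s.Buffer = buf;
    return s;
}
```

The string with MaximumLength 0 but a correct Length and Buffer is still readable, so the deny decision can be made from it; only code that wanted to modify it in place would have to refuse.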

Hello Daniel

I re-read the UNICODE_STRING help and my understanding of the
thing seems to be correct. I still don’t understand how
MaximumLength can ever be less than Length and the structure
still be legal.

I’m still working on it.

re your:
> If a call with a string of zero MaximumLength normally
> succeeds it is not the business of your hook to decide
> that the parameters are invalid.

I certainly agree. My hook routine is a long sequence of
checks to see if I can understand what’s going on with the
call. If I can make it all the way to the end, the routine
might return status denied otherwise it passes the entire
argument string on to the O/S ‘as is’ and returns the O/S
status to the user. I don’t generally post-process.

It was one of these checks that started this whole thing.

re the e-mail addresses: I don’t know what to say. I don’t
have any of Earthlink’s filters turned on. I hope we can
get this sorted out. Anyone should be able to send mail to
this (xxxxx@earthlink.net) address.

Mickey.
