Filtering registry values

Context:

Registry callback for RegNtSetValueKey (wxp) or RegNtPreSetValueKey (wnet+)

You get:

typedef struct _REG_SET_VALUE_KEY_INFORMATION {
PVOID Object;
PUNICODE_STRING ValueName;
ULONG TitleIndex;
ULONG Type;
PVOID Data;
ULONG DataSize;
} REG_SET_VALUE_KEY_INFORMATION, *PREG_SET_VALUE_KEY_INFORMATION;

Where:

Members
Object
Pointer to the registry key object for the key whose value entry is
about to be changed.

How do I convert a “pointer to the registry key object” to the “key
handle” needed by:

NTSTATUS
ZwQueryValueKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
OUT PVOID KeyValueInformation,
IN ULONG Length,
OUT PULONG ResultLength
);

The mechanism for getting a handle via ZwOpenKey needs a path. All I’ve
got is a key name.

Regards,
Mickey.

Well you might take a look at ObOpenObjectByPointer.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Mickey Lane” wrote in message news:xxxxx@ntfsd…

AFAIK translation between object and handle is one way: handle -> object. You
could, with performance considerations, perhaps do ObOpenObjectByPointer …
ZwClose?

“Mickey Lane” wrote in message news:xxxxx@ntfsd…

That works perfectly!

Well, sort of. It’s in the ntifs headers and the other registry
filtering stuff (i.e. CmRegisterCallback) is in the ntddk headers. I had
separate source files based on the two different headers since they
can’t coexist. I like to avoid copying prototypes into my code.

I’ll get over it though.

Thanks,
Mickey.

Don Burn wrote:

Well you might take a look at ObOpenObjectByPointer.

Picking up a thread from a couple of weeks ago…

I asked about converting a “pointer to a registry key object” to a “key
handle”

and Don Burn answered:

Well you might take a look at ObOpenObjectByPointer.

That worked great. I used the handle to open the value and get the
contents for my filter operation. I went on to other things.

During some regression testing, I now find in the log:

*** ZwQueryValueKey failed
NtStatus = 0x8061AA47
Handle = 0x80000EC0
Value name = Level 1 Value
Buffer pointer = 0x8665EC18
Buffer size in bytes = 1000
Buffer[0] = 0x00000000
ResultLength = 0

Two questions. What in the heck is an NTSTATUS of 0x8061AA47? I can’t
find anything even close. Second, is a HANDLE with the msb set legit?

Regards,
Mickey.

I believe that a handle with that bit set means that
it is a kernel mode handle.

No idea on the ntstatus though…

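As an added example (not from the thread or from any of its posters), the two values in the failure log above can be decoded in plain C against the documented NTSTATUS bit layout and the 32-bit kernel-handle mask; the constants 0x8061AA47 and 0x80000EC0 are taken from the log, and the function and field names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS bit layout (ntdef.h): Sev(31..30) C(29) N(28) Facility(27..16) Code(15..0).
 * Severity: 0 success, 1 informational, 2 warning, 3 error. */
typedef struct {
    unsigned severity, customer, reserved, facility, code;
} nt_status_fields;

nt_status_fields decode_ntstatus(uint32_t status)
{
    nt_status_fields f;
    f.severity = (status >> 30) & 0x3;
    f.customer = (status >> 29) & 0x1;   /* 1 = vendor-defined range */
    f.reserved = (status >> 28) & 0x1;   /* must be 0 for a well-formed status */
    f.facility = (status >> 16) & 0xFFF;
    f.code     = status & 0xFFFF;
    return f;
}

/* NT_SUCCESS() as the DDK defines it: only severity 0 and 1 are non-negative,
 * so a warning-severity status fails this check just like an error does. */
int nt_success(uint32_t status)
{
    return (int32_t)status >= 0;
}

/* On 32-bit Windows a handle created with OBJ_KERNEL_HANDLE carries
 * KERNEL_HANDLE_MASK (0x80000000); the high bit alone does not make it bogus. */
int is_kernel_handle32(uint32_t handle)
{
    return (handle & 0x80000000u) != 0;
}

int main(void)
{
    /* Both values are taken from the ZwQueryValueKey failure log in the thread. */
    uint32_t status = 0x8061AA47u, handle = 0x80000EC0u;
    static const char *sev[] = { "success", "informational", "warning", "error" };
    nt_status_fields f = decode_ntstatus(status);

    printf("NTSTATUS 0x%08X: severity=%s customer=%u reserved=%u facility=0x%03X code=0x%04X\n",
           status, sev[f.severity], f.customer, f.reserved, f.facility, f.code);
    printf("NT_SUCCESS: %s\n", nt_success(status) ? "yes" : "no");
    printf("HANDLE 0x%08X: %s\n", handle,
           is_kernel_handle32(handle) ? "kernel handle (high bit set)" : "high bit clear");
    return 0;
}
```

Decoded, the status is a warning-severity, Microsoft-range value with facility 0x61 and code 0xAA47, which neither poster could match to a documented status; the thread leaves its origin open, while the handle value is consistent with a kernel handle.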