How to access HKCR,HKCU Registry key by ZwOpenKey?

Hi, All

Is it possible to access the HKEY_CURRENT_USER and HKEY_CLASSES_ROOT
registry keys from Kernel mode using ZwCreateKey/ZwOpenKey? And how to do
it? Many Thanks.

Chong

Not the same way as in user mode.
HKEY_CURRENT_USER is \Registry\User\S-ID,
where S-ID is the user GUID, which you have to find out by yourself (tokens etc.).

HKEY_CLASSES_ROOT is more complicated; it is actually a merge of
\Registry\Machine\Software\Classes and \Registry\User\S-ID\Software\Classes.
This merge is done in user mode by Windows, so in kernel mode this key does
not exist.

Regards,
Max

----- Original Message -----
From: “Chong”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Wednesday, February 23, 2005 10:25 PM
Subject: [ntdev] How to access HKCR,HKCU Registry key by ZwOpenKey?

> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@secureol.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

You can only do it in the context of a known user-mode thread (or roll
your own using SIDs like Max suggested, but there are pitfalls there,
especially on domain member machines). So have a user-mode app/service
call an IOCTL into the driver and open it in your IOCTL handler. This
only works reliably if you’re the top driver on the stack, so always
create your own device object to use just for this kind of purpose (and
other API purposes, usually).

…/ray..

Please remove “.spamblock” from my email address if you need to contact
me outside the newsgroup.

The second is \Registry\Machine\Software\Classes.

The first is a bit strange. What user is current for a kernel module?
Services can run under different users, and there can be lots of different
desktops on Terminal Server. Many services run in a context where HKCU is
just not mounted at all.

Also note the time when this registry hive starts to be available: very late.
It is mounted by SMSS, possibly after AUTOCHK.

So it is a good idea for any driver to never touch any registry hive except
the SYSTEM hive.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

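The two replies above (Max's mapping of HKCU to \Registry\User\<SID> and the HKCR merge, and Maxim's point that the user hive may simply not be mounted when a driver runs) can be checked from the user-mode side. The following PowerShell is an added example, not code from the thread or from any of the posters: it resolves the NT-native paths a driver would have to hand to ZwOpenKey, lists which user hives are actually loaded under HKEY_USERS, and reduces the HKCR merge to the lookup order Windows applies. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; no elevation is needed.

```powershell
# Added example (not from the thread): the user-mode view of what a kernel-mode
# ZwOpenKey caller can and cannot open. Assumes Windows PowerShell 5.1 / PowerShell 7.

function Get-NtRegistryPaths {
    # HKCU is nothing more than \Registry\User\<SID of the caller's token>;
    # HKLM is \Registry\Machine. Both are plain object-manager paths.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    [pscustomobject]@{
        Sid         = $sid
        HkcuNtPath  = "\Registry\User\$sid"
        HklmNtPath  = '\Registry\Machine'
        # True only once this user's hive has been loaded (interactive logon);
        # a boot-start driver, or a service with no logged-on user, finds nothing.
        HkcuLoaded  = Test-Path "Registry::HKEY_USERS\$sid"
        # HKCR is not a hive at all; it is a user-mode view over these two keys,
        # the per-user one taking precedence.
        HkcrSources = @("\Registry\User\$sid\Software\Classes",
                        '\Registry\Machine\Software\Classes')
    }
}

function Get-LoadedUserHives {
    # Each subkey of HKEY_USERS is a user hive SMSS/winlogon has mounted
    # (the *_Classes entries are the per-user Software\Classes hives, UsrClass.dat).
    Get-ChildItem 'Registry::HKEY_USERS' | Select-Object -ExpandProperty PSChildName
}

function Resolve-HkcrKey {
    # The merge Windows performs for HKCR, reduced to key lookup: a per-user
    # Software\Classes key shadows the machine key of the same name. (The real
    # view also merges the values and subkeys of both keys.)
    param([Parameter(Mandatory)][string]$SubKey)   # e.g. '.txt' or 'txtfile\shell\open\command'
    foreach ($hive in 'HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE') {
        $path = "Registry::$hive\Software\Classes\$SubKey"
        if (Test-Path -LiteralPath $path) {
            return [pscustomobject]@{ SubKey = $SubKey; Source = $hive; Path = $path }
        }
    }
    return $null   # present in neither key: HKCR\<SubKey> does not exist anywhere
}

Get-NtRegistryPaths | Format-List
Get-LoadedUserHives
Resolve-HkcrKey '.txt'
```

Run it from a service account (for example under psexec -s) and HkcuLoaded comes back false while Get-LoadedUserHives still lists the interactive users' SIDs: that is the situation a driver is in, which is why the thread's advice is to get the SID from the caller's token or to let a user-mode helper do the lookup.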

The driver is usually provided with some user-mode software, which can do
all HKCU reads for it and provide it with the same info in the IOCTL input buffer.

Also, there is nothing which prevents you from using SID-named subkeys in
your driver's Service\Parameters key and keeping all information there. Also a good
way. The driver can access the caller's SID in
Parameters.Create.SecurityContext in the MJ_CREATE path.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Ray Trent”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Friday, February 25, 2005 12:44 AM
Subject: Re:[ntdev] How to access HKCR,HKCU Registry key by ZwOpenKey?


Maxim S. Shatskih wrote:

> The driver is usually provided with some user-mode software, which can do
> all HKCU reads for it and provide it with the same info in IOCTL input buffer.

This is certainly true too, especially if your use of the registry isn’t
too complicated. Since you have to write a user-mode app to send the
IOCTL anyway, it’s often easier to just have it send the settings
(assuming there aren’t too many, and they don’t vary from platform to
platform too much).

We found it advantageous (for OEM configurability reasons) to have the
user portion of the registry be a mirror of the HKLM “defaults” section.
If you have an architecture like this, it’s better for maintainability
to have all the code in one place, which needs to be the kernel since
the defaults get read by the driver during boot, while the user settings
only can be loaded once the user is logged in (and active… Fast User
Switching throws wrenches in all of this). Bleah.

> Also there is nothing which prevents you from using SID-named subkeys in
> your driver Service\Parameters key, and keep all information there. Also a good
> way. The driver can access the caller’s SID in
> Parameters.Create.SecurityContext in the MJ_CREATE path.

Having gone down that path, yes, it’s technically possible to do this,
but there are a bunch of corner cases that behave in, shall we say,
unexpected ways. The most common of these is a domain-member laptop
that’s currently not connected to the domain. The mirroring of the
registry between the domain controller and the local cached version
introduces several “complications” (read: horrible hair-pulling,
impossible-to-debug nightmares :) ) that turn out to be avoided if you
just open HKCU in the context of a user thread.

…/ray..

Please remove “.spamblock” from my email address if you need to contact
me outside the newsgroup.
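Maxim's second reply and Ray's response describe one pattern from two sides: a user-mode helper reads HKCU in the correct user context and hands the values to the driver, and the driver keeps per-user state in SID-named subkeys under its own Service\Parameters key, which lives in the SYSTEM hive and is therefore available to ZwOpenKey at any time. The following PowerShell is an added example, not code from the thread or from any of the posters, showing the user-mode half of that arrangement. The service name ExampleDrv, the HKCU key Software\ExampleVendor\ExampleDrv and the value names LogLevel and Timeout are hypothetical; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the key-creation step must run elevated because the Services key is writable only by Administrators and SYSTEM by default.

```powershell
# Added example (not from the thread): per-user driver settings kept as
# SID-named subkeys under the driver's Parameters key, filled in by a helper
# running in the user's own session. ExampleDrv, ExampleVendor, LogLevel and
# Timeout are hypothetical names.

$ServiceName = 'ExampleDrv'                                   # hypothetical
$ParamsKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
$UserPrefKey = 'HKCU:\Software\ExampleVendor\ExampleDrv'      # hypothetical
$SyncedNames = 'LogLevel', 'Timeout'                          # values the driver consumes

function New-PerUserParametersKey {
    # Run elevated (installer, or the service at logon). Grants the one user
    # write access to its own subkey only; Parameters itself keeps the default
    # Administrators/SYSTEM-only write ACL, so a user can neither change the
    # driver's machine-wide defaults nor another user's settings.
    param([Parameter(Mandatory)][string]$Sid)
    $userKey = Join-Path $ParamsKey $Sid
    if (-not (Test-Path $userKey)) {
        New-Item -Path $userKey -Force | Out-Null
        $acl  = Get-Acl -Path $userKey
        $who  = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $who, 'ReadKey, SetValue, CreateSubKey', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $userKey -AclObject $acl
    }
    return $userKey
}

function Sync-UserSettingsToDriver {
    # Run in the user's own session, unelevated: HKCU is read in the right
    # user context, which is exactly the step the driver cannot do reliably.
    $sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $userKey = Join-Path $ParamsKey $sid
    if (-not (Test-Path $userKey)) { throw "No per-user key for $sid; the elevated setup step has not run" }
    $copied = @{}
    foreach ($name in $SyncedNames) {
        $item = Get-ItemProperty -Path $UserPrefKey -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            Set-ItemProperty -Path $userKey -Name $name -Value $item.$name
            $copied[$name] = $item.$name
        }
    }
    return $copied
}

function Get-EffectiveDriverSetting {
    # Mirrors the lookup the driver would do from kernel mode with the SID it
    # took from the caller's token: the SID subkey first, then the machine-wide
    # default stored directly under Parameters.
    param([Parameter(Mandatory)][string]$Sid, [Parameter(Mandatory)][string]$Name)
    foreach ($key in (Join-Path $ParamsKey $Sid), $ParamsKey) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# Typical sequence: elevated setup once per user, then the unelevated helper at logon.
# $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
# New-PerUserParametersKey -Sid $me
# Sync-UserSettingsToDriver
# Get-EffectiveDriverSetting -Sid $me -Name 'LogLevel'
```

Because the user is deliberately granted SetValue on its own subkey, the driver has to treat everything it reads from there as untrusted input: check types and ranges, and never let a per-user value select a path, a buffer size or a privilege the machine-wide defaults would not allow. The domain-member pitfalls Ray describes are about the SID-to-profile mapping itself, so an installer that records the SID at logon (when the token is known to be right) sidesteps most of them.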