How to get the full key path in the registry callback functions on Windows XP?

I implemented a file system filter driver based on the registry callback
mechanism provided by MS.

For example, I filter some “RegDeleteValueKey” operations according to the
specific key path and name I am interested in. I do this like the following:

    NTSTATUS RegistryCallback( IN PVOID CallbackContext, IN PVOID Argument1,
                               IN PVOID Argument2 )
    {
        REG_NOTIFY_CLASS Type;
        PVOID pContext = CallbackContext;

        /* Argument1 carries the notification class, Argument2 the matching
           REG_XXX_KEY_INFORMATION structure. */
        Type = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
        switch( Type )
        {
        case RegNtPreDeleteValueKey:
            {
                PREG_DELETE_VALUE_KEY_INFORMATION pDeleteValue =
                    (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2;
                UNICODE_STRING TargetRegistryName;

                RtlInitUnicodeString(&TargetRegistryName, g_wRegPath);
                /* Case-insensitive compare; ValueName holds only the value
                   name, so this matches under any key. */
                if ( 0 == RtlCompareUnicodeString(pDeleteValue->ValueName,
                                                  &TargetRegistryName, TRUE) )
                {
                    return STATUS_ACCESS_DENIED;   /* block the delete */
                }
            }
            break;
        default:
            break;
        }
        return STATUS_SUCCESS;
    }

I found that pDeleteValue->ValueName is only the key name, not including the
path. How do I get the full key path? What is inside pDeleteValue->Object?

Thanks!

You need to use ObQueryNameString() on the value of pDelete->Object to
get the full path.

You need to be aware that ObQueryNameString() is undocumented. It has
the following prototype:

    NTSTATUS NTAPI ObQueryNameString(void *Object, PUNICODE_STRING Name,
                                     ULONG MaximumLength, PULONG ActualLength);

There may be a more legitimate way of doing the same thing, but I am
unaware of it.

Also, you need to be aware of the potential for crashing your machine
when using this interface. For details search the archive of this
forum.

Cheers,

Douglas.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Holk Leng
Sent: 10 August 2004 09:52
To: Windows File Systems Devs Interest List
Subject: [ntfsd] how to get full key path in the registry callback
functions on Windows XP?

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@neverfailgroup.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Use ObQueryNameString(pDeleteValue->Object,…)

- Vitaly
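The check both replies point toward, as an added example that is not code from the thread: query the key object's name with the size-then-fill pattern, then deny the delete only when the key path and the value name both match. This is a user-mode model in portable C; `query_name`, `key_object` and the `ST_*` codes are hypothetical stand-ins for ObQueryNameString, the registry key object and the NTSTATUS values, and the sample paths are constructed (key object names come back in kernel form, such as `\REGISTRY\MACHINE\...`).

```c
/* User-mode model (added example). The stand-in imitates only the sizing
 * contract of ObQueryNameString; in a driver, call the real routine and
 * allocate from pool instead of malloc. All names here are hypothetical. */
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define ST_OK        0
#define ST_TOO_SMALL 1   /* models STATUS_INFO_LENGTH_MISMATCH */
#define ST_DENY      2   /* models STATUS_ACCESS_DENIED */

/* Constructed sample: the "object" is a struct carrying its full path. */
typedef struct { const char *full_path; } key_object;

/* Stand-in: reports the needed size, fills the buffer only if it fits. */
static int query_name(const key_object *obj, char *buf, size_t len, size_t *need)
{
    *need = strlen(obj->full_path) + 1;
    if (len < *need) return ST_TOO_SMALL;
    memcpy(buf, obj->full_path, *need);
    return ST_OK;
}

/* Pre-delete check: deny only when key path AND value name both match. */
int pre_delete_value(const key_object *obj, const char *value_name,
                     const char *guard_key, const char *guard_value)
{
    size_t need = 0;
    char *path;
    int status = ST_OK;

    /* First call with a zero-length buffer only learns the required size. */
    if (query_name(obj, NULL, 0, &need) != ST_TOO_SMALL)
        return ST_OK;                 /* no name available: nothing to match */
    path = malloc(need);
    if (path == NULL)
        return ST_OK;                 /* policy choice here: fail open */
    /* The second call can still fail, so its status is checked as well. */
    if (query_name(obj, path, need, &need) == ST_OK &&
        strcasecmp(path, guard_key) == 0 &&
        strcasecmp(value_name, guard_value) == 0)
        status = ST_DENY;
    free(path);
    return status;
}
```

Whether the allocation-failure path should allow or deny the operation depends on what the filter protects; the model allows it so that memory pressure does not block unrelated registry writes.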
