How to load an offline registry hive in kernel mode (like RegLoadKey, RegLoadAppKey i

Hello,

In our kernel mode driver, we need to load an offline registry hive file so we can extract information from its keys. In user mode, we would use RegLoadKey() or RegLoadAppKey(). I’ve found the Rtl and Zw functions that permit access to registries, but I cannot find the equivalent for mounting/dismounting an offline registry hive so we can examine it. Once it has been mounted, then we can use the Rtl and Zw functions to extract data from it. Is this possible in kernel mode? If so, can you please tell me where I can find information?

Thank you for your help,

Mike

ZwLoadKey?

Hi Dmitriy,

Thank you for replying! Is ZwLoadKey an undocumented function? I didn’t see it at MSDN. :frowning: From what I have found on the Internet, it seems like it is what I need… But, we have a commercial product and are forbidden from using undocumented functions… :frowning: There must be a way to do this in kernel mode since we are dealing with registries. I looked at ZwOpenFile, but it only deals with registry keys, not registry files. I would appreciate any more ideas! :slight_smile:

Mike

Hi Dmitriy,

Thank you for the information about ZwLoadKey() and its history! Since ZwLoadKey and ZwLoadKey2 are the only functions that I can find that load an offline registry hive and Win32 functions actually use them to accomplish this task, AND another person noted that ZwLoadKey has been static for a long time, I think that it is safe for us to use it. From what I have read, it is a perfect fit for what we need to do… If we discover that MS removes it in the future, we can explore other alternatives. I really don’t want to have to build a bridge if I can safely walk on water!!! :stuck_out_tongue:

Thanks for the help!

Mike

If you care about undocumented DDIs, why not implement your logic in a user-mode
app and build a communication mechanism between the app and the driver? I think this
is not complex.

2011/3/4

> Hi Dmitriy,
>
> Thank you for the information about ZwLoadKey() and its history! Since
> ZwLoadKey and ZwLoadKey2 are the only functions that I can find that load an
> offline registry hive and Win32 functions actually use them to accomplish
> this task, AND another person noted that ZwLoadKey has been static for a
> long time, I think that it is safe for us to use it. From what I have read,
> it is a perfect fit for what we need to do… If we discover that MS
> removes it in the future, we can explore other alternatives. I really don’t
> want to have to build a bridge if I can safely walk on water!!! :stuck_out_tongue:
>
> Thanks for the help!
>
> Mike
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
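The reply above proposes keeping the hive handling in user mode and letting the driver talk to that app. As an added example (not code from the thread or from any poster), the following PowerShell shows the user-mode half of that design: it mounts an offline hive with the documented `reg.exe load`, reads values through the registry provider, and always unloads the hive, even on error. The function names, the mount-point naming scheme and the evidence path in the usage comment are all assumptions made for this example.

```powershell
# Added example, not from the thread: user-mode loading of an offline hive.
# Requires an elevated token, because reg.exe load/unload use
# SeRestorePrivilege/SeBackupPrivilege.
#Requires -RunAsAdministrator

function Mount-OfflineHive {
    param(
        [Parameter(Mandatory)][string]$HivePath,   # a hive file copied out of an image or backup
        [string]$MountName = 'OfflineHive_' + [guid]::NewGuid().ToString('N')  # assumed naming scheme
    )
    if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive file not found: $HivePath" }
    # The mount point under HKLM must not already exist; a random suffix avoids collisions.
    $out = & reg.exe load "HKLM\$MountName" $HivePath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reg load failed: $out" }
    return $MountName
}

function Dismount-OfflineHive {
    param([Parameter(Mandatory)][string]$MountName)
    # Unload is refused while any handle into the hive is still open, so drop
    # lingering provider handles before asking the kernel to unload it.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    $out = & reg.exe unload "HKLM\$MountName" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reg unload failed: $out" }
}

function Get-OfflineHiveValues {
    param(
        [Parameter(Mandatory)][string]$HivePath,
        [Parameter(Mandatory)][string]$SubKey      # key path relative to the hive root
    )
    $mount = Mount-OfflineHive -HivePath $HivePath
    try {
        $key = "HKLM:\$mount\$SubKey"
        if (-not (Test-Path -LiteralPath $key)) { return @{} }
        $props = Get-ItemProperty -LiteralPath $key
        $result = @{}
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider's own bookkeeping properties; keep only hive values.
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                $result[$p.Name] = $p.Value
            }
        }
        return $result
    }
    finally {
        # Runs on success and on error alike, so the hive never stays mounted.
        Dismount-OfflineHive -MountName $mount
    }
}

# Usage (constructed path): read the version block of an offline SOFTWARE hive.
# Get-OfflineHiveValues -HivePath 'D:\evidence\Windows\System32\config\SOFTWARE' `
#     -SubKey 'Microsoft\Windows NT\CurrentVersion'
```

The try/finally around the read is the part worth copying: a hive left mounted under HKLM keeps the file locked and stays visible to every process on the box until reboot, and the unload itself fails if any handle into the mounted subtree is still open, which is why handles are released before `reg.exe unload` is called.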