Hi,
I want to load my own customized registry hive using a driver at boot-time. I used to do this using KeServiceDescriptorTable and hooking to ZwLoadKey. I knew this was wrong, but it worked. Now, obviously, I’m stuck, as this doesn’t work on 64-bit Windows.
Is there any legitimate way of doing such a thing? Any alternative to ZwLoadKey that I’m overlooking?
The registry hooking might help you. See CmRegisterCallBack() and the following thread.
http://www.osronline.com/showThread.cfm?link=67144
Regards,
Bronislav Gabrhelik
Thanks for the quick reply.
CmRegisterCallBack can register a callback function to be called when any
registry operation is performed. But I don’t want to monitor an operation,
I want to actually perform the LoadKey operation, similar to what NtLoadKey
or ZwLoadKey perform.
http://www.osronline.com/showThread.cfm?link=2987
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Key/NtLoadKey.html
These cannot be used as the driver hooking doesn’t work on 64-bit Windows
(Vista and above at least).
On Mon, Dec 6, 2010 at 2:03 PM, wrote:
> The registry hooking might help you. See CmRegisterCallBack() and following
> thread.
>
> http://www.osronline.com/showThread.cfm?link=67144
>
> Regards,
> Bronislav Gabrhelik
>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
–
N. Lalit Vidyadhar Sharma
ZwLoadKey is exported function so you can call it directly:
extern "C" NTSYSAPI NTSTATUS ZwLoadKey( IN POBJECT_ATTRIBUTES TargetKey,
                                        IN POBJECT_ATTRIBUTES SourceFile );
…
ZwLoadKey( … );
I’m not sure if you can mount it at boot-time (or if it’s even safe)… but
I’d postpone it until you really need it (e.g. when your application runs),
loading the other keys before the system is ready may not be right…
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Monday, December 06, 2010 9:21 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Loading Registry hive at boot-time
Hi,
I want to load my own customized registry hive using a driver at boot-time.
I used to do this using KeServiceDescriptorTable and hooking to ZwLoadKey. I
knew this was wrong, but it worked. Now, obviously, I’m stuck, as this
doesn’t work on 64-bit Windows.
Is there any legitimate way of doing such thing? Any alternative to
ZwLoadKey that I’m overlooking?
> I want to load my own customized registry hive using a driver at boot-time. I used to do this using
> KeServiceDescriptorTable and hooking to ZwLoadKey. I knew this was wrong, but it worked.
This is not guaranteed to work.
Move your data to SYSTEM hive instead.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
Hi,
I removed the service descriptor table stuff and added the definition
NTSYSAPI NTSTATUS ZwLoadKey(IN POBJECT_ATTRIBUTES TargetKey, IN
POBJECT_ATTRIBUTES SourceFile );
And it worked on 64-bit Windows 7 (thanks Kurtin)!
> This is not guaranteed to work.
Not guaranteed because ZwLoadKey is undocumented (and can vanish due to a
patch)? Or something else?
N. Lalit Vidyadhar Sharma
aka: ‘Lalli’
lalitnv.blogspot.com
xxxxx@gmail.com