Mangled Registry handles

Vladimir_Chtchetkine-2 · March 10, 2009, 7:22pm

This one makes me curious… In my registry hook (no Cm, old plain hook) I see handles to the registry keys coming mangled: the handle that I see for (at least) ZwClose comes ORed with 0x2, simething like 0x192 instead of 0x190. I wander what does this mean and also can I just clear that bit before I pass that I/O down to the actual ZwXxx handler, or I should preserve it as something meaningful fo Zw handler?

Ken_Johnson · March 10, 2009, 7:31pm

The two low order bits of an EX HANDLE are reserved as tag bits and aren’t part of the “real” handle value.

See the comments about OBJ_HANDLE_TAGBITS in ntdef.h in the WDK.

You should not clear tag bits willy-nilly before passing them down as a general rule. However, if you are performing tracking on a per-HANDLE basis, then you need to shift off the tag bits to uniquely identify a HANDLE in a lookup table you maintain, though.

S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, March 10, 2009 4:22 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Mangled Registry handles

This one makes me curious… In my registry hook (no Cm, old plain hook) I see handles to the registry keys coming mangled: the handle that I see for (at least) ZwClose comes ORed with 0x2, simething like 0x192 instead of 0x190. I wander what does this mean and also can I just clear that bit before I pass that I/O down to the actual ZwXxx handler, or I should preserve it as something meaningful fo Zw handler?

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · March 12, 2009, 5:26pm

The kernel ignores 2 junior bits in the handles

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntfsd…
> This one makes me curious… In my registry hook (no Cm, old plain hook) I see handles to the registry keys coming mangled: the handle that I see for (at least) ZwClose comes ORed with 0x2, simething like 0x192 instead of 0x190. I wander what does this mean and also can I just clear that bit before I pass that I/O down to the actual ZwXxx handler, or I should preserve it as something meaningful fo Zw handler?
>