I need to match the path of a registry hive with a file on disk to
determine if they are one and the same. I am currently doing this via
the entries in hivelist, e.g.:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\WINDOWS\system32\config\system
I then loop through QueryDosDevice with drive letters a to z which
matches the above perfectly when not using dynamic disks, but for the
above entries I get identifiers like:
\Device\HarddiskDmVolumes\MachineNameDg0\Volume1
instead. I believe that the function NtQuerySymbolicLinkObject is
supposed to be able to resolve this, but it appears to be deprecated
“[This function may be altered or unavailable in the future.]” so I’m
reluctant to use it in a product which will likely have a long life.
Is there a better way to resolve the registry hive location, given an
identifier like ‘\REGISTRY\MACHINE\SYSTEM’?
Thanks
James