I’ve been using ObQueryNameString to get the full registry path from the Object field in the structures supplied with various registry operations in the registry callback. However, when it comes to REG_POST_CREATE_KEY_INFORMATION, it doesn’t work (crashes the system).
I came across some material stating that Object in REG_POST_CREATE_KEY_INFORMATION is a pointer to a pointer to the object (whereas in other cases it is directly a pointer to the object). Is there any way of getting information from the object in REG_POST_CREATE_KEY_INFORMATION?
Please let me know if someone knows about this.
Thank you in advance.
(P.S. I have searched for this in OSR search but didn’t find any useful information.)
You should only need to perform the ObQueryNameString() lookup for the
root object, if it exists. Otherwise you use the CompleteName from the
PreCreate information. Of course you use both if there is a RootObject
and a CompleteName.
Pete
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit: http://www.osr.com/seminars
Yes, that’s not a documentation error, the Object member is a pointer to a
pointer to the object.
//Daniel
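The two points made in the replies above (Object in the post-create structure needs one extra dereference, and the full path is the root object's name joined with CompleteName), shown as an added example that is not code from any poster in this thread. It is a user-mode model: `KEY_OBJECT`, `POST_CREATE_INFO`, `query_name` and the other names are hypothetical stand-ins for the WDK types and for ObQueryNameString, and the Status check and the rule that a CompleteName starting with a backslash is already absolute are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in types for a user-mode model; these are NOT the WDK definitions. */
typedef long STATUS_T;                              /* models NTSTATUS */
typedef struct { const char *name; } KEY_OBJECT;    /* models a key object */
typedef struct {
    const char *CompleteName;   /* name exactly as passed to the create call */
    void       *Object;         /* address of a pointer to the key object */
    STATUS_T    Status;         /* result of the create */
} POST_CREATE_INFO;

static int copy_fits(char *out, size_t cap, const char *a, const char *b) {
    int n = b ? snprintf(out, cap, "%s\\%s", a, b) : snprintf(out, cap, "%s", a);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;    /* reject truncation */
}

/* Stand-in for the name lookup a driver would do with ObQueryNameString(). */
static int query_name(const KEY_OBJECT *obj, char *out, size_t cap) {
    return (obj && obj->name) ? copy_fits(out, cap, obj->name, NULL) : -1;
}

/* Post-create: Object is a pointer to a pointer, so dereference once first. */
int name_from_post_create(const POST_CREATE_INFO *info, char *out, size_t cap) {
    if (!info || info->Status < 0 || !info->Object) return -1;
    KEY_OBJECT *key = *(KEY_OBJECT **)info->Object;
    return query_name(key, out, cap);
}

/* Pre-create: root object name (if any) joined with CompleteName. */
int compose_path(const KEY_OBJECT *root, const char *complete,
                 char *out, size_t cap) {
    char base[256];
    if (!complete) return -1;
    if (!root || complete[0] == '\\')               /* assumed already absolute */
        return copy_fits(out, cap, complete, NULL);
    if (query_name(root, base, sizeof base) != 0) return -1;
    return copy_fits(out, cap, base, complete);
}

int main(void) {
    /* Constructed sample values, not taken from the thread. */
    KEY_OBJECT key = { "\\REGISTRY\\MACHINE\\SOFTWARE\\Example" }, *slot = &key;
    POST_CREATE_INFO info = { "Example", NULL, 0 };
    char buf[128];
    info.Object = &slot;
    if (name_from_post_create(&info, buf, sizeof buf) == 0) puts(buf);
    return 0;
}
```

Passing `info.Object` straight to the name lookup, without the dereference in `name_from_post_create`, treats the pointer slot as if it were the object, which is the mistake behind the crash described in the first post.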
Sorry to jump in, but I think the OP is doing this for XP. I am assuming this based on his query “REG_PRE_CREATE_KEY_INFORMATION doesn’t give full path” some days ago, where he mentions that he is doing it for XP.
And in XP, the root object is not present. Moreover, IIRC, when I had developed a registry filter for XP a few years back, I had faced a similar problem. And there have been discussions as to how broken the callback mechanism is in Windows XP.
Regards,
Ayush
You are correct. For any pre-Vista implementation of registry filtering
I have always reverted to the non-CM method; i.e. patching the
appropriate Zwxxx APIs.
Pete
– Kernel Drivers Windows File System and Device Driver Consulting www.KernelDrivers.com 866.263.9295