Hello, I found very interesting behaviour in my driver. I have this code:
// Absolute path of the key to open (backslashes escaped in the C literal)
RtlInitUnicodeString(&usRegPath, L"\\Registry\\Machine\\SAM");
ob.Length = sizeof(OBJECT_ATTRIBUTES);
ob.ObjectName = &usRegPath;
ob.RootDirectory = NULL;
ob.SecurityQualityOfService = NULL;
ob.SecurityDescriptor = NULL;
ob.Attributes = OBJ_CASE_INSENSITIVE;
status = ZwOpenKey(&hKey, KEY_ALL_ACCESS, &ob);
…
status = ZwQueryKey(hKey, KeyBasicInformation, KeyInformation, Length, &resultLength);
and as a result I get CMI-CreateHive in the Name section. When I enter !handle in WinDbg on hKey, I see that the name there is the one that I expect. Has anyone had this problem, and is there a way to get the information with the original name?