Hi,
We are facing a problem with RtlQueryRegistryValues. The function (RtlQueryRegistryValues) returns the registry value as NULL, but the same function is working fine with REG_DWORD.
Please let us know what is wrong with the code.
/*************/
paramTable[0].QueryRoutine = NULL;
paramTable[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
paramTable[0].Name = L"\\Logon User Name";
paramTable[0].EntryContext = &PCName;
paramTable[0].DefaultType = REG_SZ;
paramTable[0].DefaultData = L"";
paramTable[0].DefaultLength = 0;
paramTable[1].QueryRoutine = NULL;
paramTable[1].Flags = 0;
paramTable[1].Name = NULL;
paramTable[1].EntryContext = NULL;
status = RtlQueryRegistryValues(RTL_REGISTRY_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer", &paramTable[0], NULL, NULL);
/***************/
Thanks and Regards,
Srinivasa Raghavan.
Try
status = RtlQueryRegistryValues(RTL_REGISTRY_USER,
    L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer", paramTable, NULL,
    NULL);
See declaration of RtlQueryRegistryValues.
Andrey Gunko
soft Xpansion Ukraine Ltd.
Programmer
Powered by eKnow-how
Artjoma St. 118B … 83048 Donetsk … Tel/Fax: +38 062 3818874 …
Internet: [www.soft-xpansion.com]
Thanks Andrey, but both the declarations produce the same result,
Note: The aim is to get the current logged-on user name from “\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Logon User Name”.
{
status = RtlQueryRegistryValues(RTL_REGISTRY_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer", paramTable, NULL, NULL);
(and)
status = RtlQueryRegistryValues(RTL_REGISTRY_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer", &paramTable[0], NULL, NULL);
}.
The function RtlQueryRegistryValues() is working fine now for REG_SZ after removing the slash in paramTable[0].Name.
Modified the below code:
changed paramTable[0].Name = L"\\FileFindBandHook";
to paramTable[0].Name = L"FileFindBandHook";
RtlQueryRegistryValues() returns “empty”, with the Length and the MaximumLength of the string being 0 & 2 respectively. This is happening only if I mention “Logon User Name” in paramTable[0].Name. And the same function RtlQueryRegistryValues() is working fine with other strings (i.e. the paramTable[0].Name = L"FileFindBandHook" string).
I need to know how to overcome this situation, or whether there is any other method or path to achieve the same. We have been having this issue for a long time. Any information is highly appreciated. Thanks a lot.
Thanks and Regards,
Srinivasa Raghavan.
A slash before a value name makes no sense and the suggestion of Gunko only
induces ambiguous coding. My guess is that you are not calling this in the
context of a user process that HKCU maps to another hive in which “Logon
user name” is not available. Anyway, you are only querying one value, why
not use ZwQueryValue instead ?
/Daniel
Thank you very much Daniel!
The function ZwQueryValueKey() is working fine for HKLM, but the same is not working for HKCU. I am getting the errors STATUS_OBJECT_NAME_INVALID and STATUS_OBJECT_NAME_NOT_FOUND while opening the registry itself (HKCU) using ZwOpenKey().
Is there any other way to map HKEY_CURRENT_USER (HKCU) like the one for HKLM (which is mapped to “\Registry\Machine\”)?
Note: I am getting the currently logged-in username if I access the registry in HKLM (i.e. “\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\”).
Please let me know where I am going wrong with the code.
Here below is the code:
{
#define SECURE_LAYER_USER_PATH_M L"\\HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
    RtlInitUnicodeString(&GetUsrFile, SECURE_LAYER_USER_PATH_M);
    /* Initializing the object attributes */
    InitializeObjectAttributes(&GetUsrAttr, &GetUsrFile, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    /* Call to open the Registry key */
    status = ZwOpenKey(&GetUsrHandle, KEY_QUERY_VALUE, &GetUsrAttr);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("Inside Open Key Err User Name %x", status);
        // Error Opening Key
        RtlStringCbPrintfW(ErrorMsg, ERROR_MSG_SIZE, ERROR_MSG_FORMAT, L"Error Opening Key");
    }
}
Thanks and Regards,
Srinivasa Raghavan.
I would not rely on HKCU in the driver. For instance, it is not accessible
from system thread context, or from the service’s thread context if the service
had not called RegLoadCurrentUser.
Why are you using HKCU in the driver?
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
Thanks for the information,
The intention is to log the currently logged-in user name to a log file from the minifilter.
Thanks and Regards,
Srinivasa Raghavan
Which logged-in user? The person at the keyboard and mouse? The 500 people
connected via terminal services? This is not MS-DOS. In any case, knowing
the user at the keyboard doesn’t mean the IRP you have seen was sent on
their behalf.
Why do this? If you’re a minifilter, then only the users who access some
files are interesting to you. Log their SIDs, or pass them to the user-mode
service via inverted call, so it will log their domain\username combinations.
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
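Added example, not code from any poster in this thread: portable user-mode C that formats a binary SID (the value the replies suggest logging) as text and builds the `\Registry\User\<SID>\...` path that a per-user hive has in the kernel namespace, which is why a path beginning with `\HKEY_CURRENT_USER` cannot be opened with ZwOpenKey. The function names and the sample SID are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Binary SID layout: revision (1 byte), sub-authority count (1 byte),
   identifier authority (6 bytes, big-endian), then count x 4-byte
   little-endian sub-authorities. Returns 0, or -1 on malformed input or a
   short buffer. Authorities >= 2^32 (shown in hex by Windows) are rejected. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t cap)
{
    if (len < 8 || sid[0] != 1 || sid[1] > 15) return -1;
    size_t count = sid[1];
    if (len < 8 + 4 * count) return -1;

    uint64_t auth = 0;
    for (int i = 2; i < 8; i++) auth = (auth << 8) | sid[i];
    if (auth > 0xFFFFFFFFULL) return -1;

    int n = snprintf(out, cap, "S-%u-%llu", (unsigned)sid[0],
                     (unsigned long long)auth);
    if (n < 0 || (size_t)n >= cap) return -1;
    size_t used = (size_t)n;

    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = sid + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        n = snprintf(out + used, cap - used, "-%u", (unsigned)sub);
        if (n < 0 || (size_t)n >= cap - used) return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Kernel-namespace path of a subkey inside one user's hive. */
int user_key_path(const uint8_t *sid, size_t len, const char *subkey,
                  char *out, size_t cap)
{
    char text[192]; /* large enough for 15 sub-authorities */
    if (sid_to_string(sid, len, text, sizeof text) != 0) return -1;
    int n = snprintf(out, cap, "\\Registry\\User\\%s\\%s", text, subkey);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Constructed sample SID S-1-5-21-1-2-3-1001 (not a real account). */
static const uint8_t SAMPLE_SID[] = {
    1, 5, 0, 0, 0, 0, 0, 5,
    21, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 0xE9, 0x03, 0, 0
};
```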