print out ZwQueryValueKey parameters with DbgPrint

Hi all,

I need to print out with DbgPrint the parameters of ZwQueryValueKey(hkey, &valname, KeyValuePartialInformation, &value,
sizeof(value), &junk);

Could someone please help me to print it out (especially I need value parameter).

Thanks,

Andrey

You’re new at this, I’m guessing. This isn’t really what this list is
for, but I’ll cut you a break and give you a jumpstart. I’m assuming
that you are a little overwhelmed by all the Registry nomenclature. If
you’re confused by KdPrint, the syntax of which is almost identical to
printf(), you’re on your own and need to drop back to step 1 before
writing a driver; it will be a disaster.

Relevant documentation:

WDK: ZwQueryValueKey

struct KEY_VALUE_PARTIAL_INFORMATION
{
    ULONG TitleIndex;
    ULONG Type;
    ULONG DataLength;
    UCHAR Data[1];
};

The WDK has a lot of structures that have something along the lines of
“UCHAR Data[1]; // Variable size” for a last member. As the comment
indicates, it is used to specify, by convention only, a structure with a
variable sized last member. In the case of
KEY_VALUE_PARTIAL_INFORMATION, Data contains the actual registry data
that is read. Its size is stored in DataLength. The reason that it is
variable is that the size will vary depending on the value of Type, and
for some values of Type, the data itself. For the most part, there are
really only three to five types that probably have a use in a
KdPrint(): REG_DWORD, REG_SZ, REG_MULTI_SZ, and, depending on what
you’re doing, REG_BINARY. REG_DWORD means that the data is a four byte,
little endian integer (conventionally treated as unsigned). REG_SZ
means that the data is a NULL terminated UNICODE string (not a
UNICODE_STRING, but rather of the type L"This is a test"). REG_MULTI_SZ
is an array of REG_SZ’s, terminated with an additional NULL (L"\0").
REG_EXPAND_SZ means that, in theory, the data contains environment
variables that need to be expanded. In practice, this convention is
totally unreliable, and in a KdPrint in the kernel is best ignored, even
if it is accurate. Although not generally terribly useful, the nice
thing about implementing a routine to handle REG_BINARY is that you can
use it to display any type with very little additional effort; the
downside is that REG_BINARY values tend to be long enough to be useless
to dump, and values treated as REG_BINARY suffer the same usability
problem.

The others fall into one of three categories. The first is types
that aren’t really used commonly (most of them I have never seen used):

REG_DWORD_LITTLE_ENDIAN

REG_DWORD_BIG_ENDIAN

These are both to my knowledge essentially non-existent. That being
said, they are both very easy to implement, so you might as well.

The second are complex aggregate types that encapsulate resource
requirements. While not exactly cardinal types, this is basically the
registry’s original purpose. Unless you have specific interest in any
of these, just ignore them:

REG_RESOURCE_LIST

REG_RESOURCE_REQUIREMENTS_LIST

REG_FULL_RESOURCE_DESCRIPTOR

The last category is for the undocumented. Just ignore it.

REG_LINK

The general usage pattern for these types of structures is something
like this:

unsigned char * buffer = NULL;
KEY_VALUE_PARTIAL_INFORMATION * value = NULL;
ULONG sizeOfBuffer = 0;

// First call with no buffer: it fails, but sizeOfBuffer comes back with
// the number of bytes needed. STATUS_BUFFER_TOO_SMALL means the buffer
// could not even hold the fixed part; STATUS_BUFFER_OVERFLOW means it
// held the fixed part but not the data. Handle both.
NTSTATUS RC = ZwQueryValueKey(handle, valueName, KeyValuePartialInformation,
                              NULL, 0, & sizeOfBuffer);

if (RC == STATUS_BUFFER_TOO_SMALL || RC == STATUS_BUFFER_OVERFLOW)
{
    buffer = (unsigned char *) ExAllocatePool(NonPagedPool, sizeOfBuffer);

    if (buffer)
    {
        RC = ZwQueryValueKey(handle, valueName, KeyValuePartialInformation,
                             (PVOID) buffer, sizeOfBuffer, & sizeOfBuffer);

        if (NT_SUCCESS(RC))
        {
            value = (KEY_VALUE_PARTIAL_INFORMATION *) buffer;

            ////
            //// THIS IS ONE EXAMPLE FOR THE CASE OF REG_DWORD.
            //// (KdPrint takes its printf-style arguments in double parentheses.)
            ////
            if (value->Type == REG_DWORD && value->DataLength == sizeof(ULONG))
                KdPrint(("value.Data: 0x%.08X (%u)\n",
                         * (ULONG *) & value->Data[0], * (ULONG *) & value->Data[0]));
            else
                .
                .
                .
        }

        ExFreePool(buffer);   // the allocation above is ours to release
    }
}

So, that’s what it all boils down to. The other cases (REG_SZ), etc.
all work like REG_DWORD.

Please note that while I have done this more times than I can count,
none of the above is actual code, so I wouldn’t advise cutting and
pasting.

Hope this helps,

mm
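As an added example that is not part of mm's reply or of any WDK sample, the following is portable user-mode C that walks a KEY_VALUE_PARTIAL_INFORMATION buffer by Type the way a KdPrint helper in a driver would, but with the two checks the sketch above leaves out: DataLength is compared against the bytes actually returned before Data[] is touched, and REG_SZ / REG_MULTI_SZ are bounded by DataLength rather than by a NUL that the hive may not contain. The struct, type codes and function names (kvpi_format, fmt_sample, the SAMPLE_* buffers) are all defined locally; the sample values are constructed for the example, and vsnprintf stands in for RtlStringCbPrintfA / KdPrint.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Registry type codes, as in winnt.h. */
enum { REG_SZ = 1, REG_EXPAND_SZ = 2, REG_BINARY = 3, REG_DWORD = 4, REG_MULTI_SZ = 7 };

/* Same layout as the WDK struct. WCHAR is 16-bit on Windows, so the string
 * cases read uint16_t units rather than the host's wchar_t. */
typedef struct {
    uint32_t TitleIndex;
    uint32_t Type;
    uint32_t DataLength;
    uint8_t  Data[1];               /* variable size: DataLength bytes follow */
} KEY_VALUE_PARTIAL_INFORMATION;
#define KVPI_HDR offsetof(KEY_VALUE_PARTIAL_INFORMATION, Data)

/* Bounded printf-style append into one line; in a driver this is where
 * RtlStringCbPrintfA would build the line for a single KdPrint. */
static void emit(char *out, size_t outlen, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    if (*pos + 1 >= outlen) return;
    va_start(ap, fmt);
    int n = vsnprintf(out + *pos, outlen - *pos, fmt, ap);
    va_end(ap);
    if (n < 0) return;
    *pos += ((size_t)n < outlen - *pos) ? (size_t)n : outlen - *pos - 1;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Print at most n UTF-16LE units as ASCII ('?' otherwise), stopping at NUL.
 * n derives from DataLength, so a REG_SZ stored without its terminator
 * cannot make the printer read past the buffer. */
static void emit_utf16(const uint8_t *p, size_t n, char *out, size_t outlen, size_t *pos)
{
    for (size_t i = 0; i < n; i++) {
        uint16_t c = rd16(p + 2 * i);
        if (c == 0) break;
        emit(out, outlen, pos, "%c", (c >= 0x20 && c < 0x7f) ? (int)c : '?');
    }
}

/* Render a KEY_VALUE_PARTIAL_INFORMATION occupying buflen bytes.
 * Returns 0 on success, -1 if the buffer is malformed for its Type. */
int kvpi_format(const void *buf, size_t buflen, char *out, size_t outlen)
{
    const KEY_VALUE_PARTIAL_INFORMATION *v = buf;
    size_t pos = 0;
    out[0] = '\0';
    /* DataLength is hive data, not something the caller set: validate it
     * against the bytes actually returned before touching Data[]. */
    if (buflen < KVPI_HDR || v->DataLength > buflen - KVPI_HDR) return -1;
    const uint8_t *d = v->Data;
    size_t n = v->DataLength;

    switch (v->Type) {
    case REG_DWORD: {
        if (n != 4) return -1;                 /* wrong length: corrupt value */
        uint32_t x = (uint32_t)d[0] | (uint32_t)d[1] << 8 | (uint32_t)d[2] << 16 | (uint32_t)d[3] << 24;
        emit(out, outlen, &pos, "REG_DWORD 0x%08X (%u)", x, x);
        break;
    }
    case REG_SZ:
    case REG_EXPAND_SZ:                        /* shown verbatim, no expansion */
        emit(out, outlen, &pos, "REG_SZ \"");
        emit_utf16(d, n / 2, out, outlen, &pos);
        emit(out, outlen, &pos, "\"");
        break;
    case REG_MULTI_SZ: {                       /* NUL-separated, ended by an empty string */
        size_t i = 0, units = n / 2, count = 0;
        emit(out, outlen, &pos, "REG_MULTI_SZ {");
        while (i < units && rd16(d + 2 * i) != 0) {
            size_t len = 0;
            while (i + len < units && rd16(d + 2 * (i + len)) != 0) len++;
            emit(out, outlen, &pos, count++ ? ", \"" : "\"");
            emit_utf16(d + 2 * i, len, out, outlen, &pos);
            emit(out, outlen, &pos, "\"");
            i += len + 1;
        }
        emit(out, outlen, &pos, "}");
        break;
    }
    default:                                   /* REG_BINARY and the rest: capped hex dump */
        emit(out, outlen, &pos, "type %u, %u bytes:", (unsigned)v->Type, (unsigned)v->DataLength);
        for (size_t i = 0; i < n && i < 16; i++) emit(out, outlen, &pos, " %02x", d[i]);
        if (n > 16) emit(out, outlen, &pos, " ...");
        break;
    }
    return 0;
}

/* Constructed samples standing in for what ZwQueryValueKey would return. */
typedef union { uint32_t align; uint8_t bytes[128]; } kvpi_buf;
static kvpi_buf g_buf;
static char g_out[128];
const uint8_t SAMPLE_DWORD[4]    = { 0x39, 0x30, 0x00, 0x00 };                   /* 12345, little-endian */
const uint8_t SAMPLE_SZ_NONUL[6] = { 'a', 0, 'b', 0, 'c', 0 };                   /* REG_SZ missing its NUL */
const uint8_t SAMPLE_MULTI[12]   = { 'x', 0, 0, 0, 'y', 0, 'z', 0, 0, 0, 0, 0 }; /* L"x\0yz\0\0" */
const uint8_t SAMPLE_BLOB[20]    = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 };

/* Build a value of the given type in g_buf and format it; NULL if rejected. */
const char *fmt_sample(uint32_t type, const void *data, uint32_t len)
{
    KEY_VALUE_PARTIAL_INFORMATION *v = (KEY_VALUE_PARTIAL_INFORMATION *)g_buf.bytes;
    v->TitleIndex = 0; v->Type = type; v->DataLength = len;
    memcpy(v->Data, data, len);
    return kvpi_format(g_buf.bytes, KVPI_HDR + len, g_out, sizeof g_out) == 0 ? g_out : NULL;
}

int main(void)
{
    printf("%s\n", fmt_sample(REG_DWORD, SAMPLE_DWORD, 4));
    printf("%s\n", fmt_sample(REG_SZ, SAMPLE_SZ_NONUL, 6));
    printf("%s\n", fmt_sample(REG_MULTI_SZ, SAMPLE_MULTI, 12));
    printf("%s\n", fmt_sample(REG_BINARY, SAMPLE_BLOB, 20));
    printf("%s\n", fmt_sample(REG_DWORD, SAMPLE_DWORD, 3) ? "accepted" : "rejected 3-byte REG_DWORD");
    return 0;
}
```

In a driver the same switch sits after the second ZwQueryValueKey call, with the returned ResultLength as buflen; the check against DataLength matters because the buffer was sized from the first call's ResultLength and the value can change between the two calls. The 16-byte cap on the hex dump is a readability choice for the debugger, not a limit of the format.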


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Andrey
Kamchatnikov
Sent: Thursday, June 21, 2007 03:14
To: Windows System Software Devs Interest List
Subject: [ntdev] print out ZwQueryValueKey parameters with DbgPrint



Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer