problem: ZwQueryValueKey returns c0000034

NTDEV
1

Hi,

I have a problem with ZwQueryValueKey function,

status = ZwQueryValueKey(hkey, &valname, KeyValuePartialInformation, &value, sizeof(value), &junk);

status=c0000034;

Have someone any idea what I’m doing wrong?

Here is the peace of the code:

HANDLE hkey;

status = IoOpenDeviceRegistryKey(pdo, PLUGPLAY_REGKEY_DEVICE, KEY_READ, &hkey);

DbgPrint(“IoOpenDeviceRegistryKey:%08x\n”,status);

UNICODE_STRING valname;

RtlInitUnicodeString(&valname, L"CardNum");

DbgPrint(“ZwQueryValueKey valname = %wZ”, &valname);

KEY_VALUE_PARTIAL_INFORMATION value;

ULONG junk;

status = ZwQueryValueKey(hkey, &valname, KeyValuePartialInformation, &value, sizeof(value), &junk);

DbgPrint(“ZwQueryValueKey:%08x\n”,status);

ULONG Type = *(PULONG) value.Data;

DbgPrint(“ZwQueryValueKey:%08x\n”,Type);

ZwClose(hkey);

Thank you,

2

Even if the value was there, this code is not sufficient. Look at the
definition KEY_VALUE_PARTIAL_INFORMATION. The array of bytes at the end
(Data[1]) is not large enough to query for a ULONG.

typedef struct _KEY_VALUE_PARTIAL_INFORMATION {

ULONG TitleIndex;

ULONG Type;

ULONG DataLength;

UCHAR Data[1]; // Variable size

} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;

If you know the type is REG_DWORD, allocate a buffer of
sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(ULONG) and use that
instead of a KEY_VALUE_PARTIAL_INFORMATION structure on the stack.

d

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Andrey
Kamchatnikov
Sent: Thursday, June 21, 2007 8:22 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] problem: ZwQueryValueKey returns c0000034

Hi,

I have a problem with ZwQueryValueKey function,

status = ZwQueryValueKey(hkey, &valname, KeyValuePartialInformation,
&value, sizeof(value), &junk);

status=c0000034;

Have someone any idea what I’m doing wrong?

Here is the peace of the code:

HANDLE hkey;

status = IoOpenDeviceRegistryKey(pdo, PLUGPLAY_REGKEY_DEVICE, KEY_READ,
&hkey);

DbgPrint(“IoOpenDeviceRegistryKey:%08x\n”,status);

UNICODE_STRING valname;

RtlInitUnicodeString(&valname, L"CardNum");

DbgPrint(“ZwQueryValueKey valname = %wZ”, &valname);

KEY_VALUE_PARTIAL_INFORMATION value;

ULONG junk;

status = ZwQueryValueKey(hkey, &valname, KeyValuePartialInformation,
&value, sizeof(value), &junk);

DbgPrint(“ZwQueryValueKey:%08x\n”,status);

ULONG Type = *(PULONG) value.Data;

DbgPrint(“ZwQueryValueKey:%08x\n”,Type);

ZwClose(hkey);

Thank you,

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

3

0xC0000034 - a quick look at NTSTATUS.H translates this to
STATUS_OBJECT_NAME_NOT_FOUND.

perhaps you are not asking for what you think you are asking for.

Is “CardNum” actually under PLUGPLAY_REGKEY_DEVICE or under
PLUGPLAY_REGKEY_DRIVER?

And of course I am assuming you realize that KEY_VALUE_PARTIAL_INFORMATION
is really just the ‘header’ of a variable length datastructure you need to
pass to this routine if you are actually interested in the Data field.
Otherwise when you finally do get the correct parent key and find the
“CardNum” value, you are going to get back STATUS_BUFFER_OVERFLOW. The Type
and DataLength fields will be filled in and valid but Data will only have
the default 1 byte of what you are trying to read which is very unlikely to
be what you expect.

There are *many* examples of how to read registry data in the WDK/DDK
samples. Perhaps you might just use “Search” on *.c for ZwQueryValueKey()
to get plenty of examples of how to read the registry.

And duck because here come all of the p*ssed off RTFM answers …

-dave

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Andrey Kamchatnikov
Sent: Thursday, June 21, 2007 11:22 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] problem: ZwQueryValueKey returns c0000034

Hi,

I have a problem with ZwQueryValueKey function,

status = ZwQueryValueKey(hkey, &valname, KeyValuePartialInformation, &value,
sizeof(value), &junk);

status=c0000034;

Have someone any idea what I’m doing wrong?

Here is the peace of the code:

HANDLE hkey;

status = IoOpenDeviceRegistryKey(pdo, PLUGPLAY_REGKEY_DEVICE, KEY_READ,
&hkey);

DbgPrint(“IoOpenDeviceRegistryKey:%08x\n”,status);

UNICODE_STRING valname;

RtlInitUnicodeString(&valname, L"CardNum");

DbgPrint(“ZwQueryValueKey valname = %wZ”, &valname);

KEY_VALUE_PARTIAL_INFORMATION value;

ULONG junk;

status = ZwQueryValueKey(hkey, &valname, KeyValuePartialInformation,
&value, sizeof(value), &junk);

DbgPrint(“ZwQueryValueKey:%08x\n”,status);

ULONG Type = *(PULONG) value.Data;

DbgPrint(“ZwQueryValueKey:%08x\n”,Type);

ZwClose(hkey);

Thank you,

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer