Question on renaming a registry key

We are writing a registry filter that needs to redirect all calls for a particular set of registry keys to a different registry path. As such we need to rename a registry key from kernel mode. How do we do that? We are seeing a call ZwRenameKey/NtRenameKey in user mode from ntdll.dll, but it is not exported in kernel mode.

Thanks,
Preeta

Isn’t this basically what the user mode RegOverridePredefKey API does? If
so, you could write a usermode service that does the redirection.

“Preetha Sinha” wrote in message
news:xxxxx@ntfsd…
We are writing a registry filter that needs to redirect all calls for a
particular set of registry keys to a different registry path. As such we
need to rename a registry key from kernel mode. How do we do that? We are
seeing a call ZwRenameKey/NtRenameKey in user mode from ntdll.dll, but it is
not exported in kernel mode.

Thanks,
Preeta

No, that API just swaps which real key handle is passed up to the kernel when advapi32 encounters one of the HKEY_LOCAL_MACHINE (or other) predefined manifest constants.

If the OP needs to redirect deeper than the “predefined handles” (which are a purely user mode advapi32 thing), then this will not be granular enough.

Additionally, it would not catch calls to the raw system services, as done by some system DLLs.

- S

-----Original Message-----
From: Jeff Henkels
Sent: Friday, October 24, 2008 16:01
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Question on renaming a registry key

Isn’t this basically what the user mode RegOverridePredefKey API does? If
so, you could write a usermode service that does the redirection.

“Preetha Sinha” wrote in message
news:xxxxx@ntfsd…
We are writing a registry filter that needs to redirect all calls for a
particular set of registry keys to a different registry path. As such we
need to rename a registry key from kernel mode. How do we do that? We are
seeing a call ZwRenameKey/NtRenameKey in user mode from ntdll.dll, but it is
not exported in kernel mode.

Thanks,
Preeta

