The ZwCreateKey call has an optional input parameter, a pointer to a Unicode string, called ‘Class’. Does anyone know the purpose, use and possible strings for this parameter?
MSDN has the following info:
Class [in, optional]
Pointer to a Unicode string that contains the key’s object class. This information is used by the configuration manager.
Further, this information can be received through KEY_FULL_INFORMATION but once again the explanation in MSDN isn’t helpful:
Class
A string of Unicode characters naming the class of the key.
I intercepted a registry key create/open call in a driver to check when the Class parameter is not NULL. Here is one such intercept. I’m still at a loss on its purpose and use.
1: kd> dt CreateOpenKeyInfo
Local var @ 0xfffff880099ba2e0 Type _REG_CREATE_KEY_INFORMATION*
0xfffff880099ba670
   +0x000 CompleteName : 0xfffff880099ba960 _UNICODE_STRING "System\CurrentControlSet\Services\Tcpip\Parameters"
   +0x008 RootObject : 0xfffff8a00229ca20 Void
   +0x010 ObjectType : 0xfffffa800226ef30 Void
   +0x018 CreateOptions : 0
   +0x020 Class : 0xfffff880099ba660 _UNICODE_STRING "Class"
   +0x028 SecurityDescriptor : (null)
   +0x030 SecurityQualityOfService : (null)
   +0x038 DesiredAccess : 0x20019
   +0x03c GrantedAccess : 0
   +0x040 Disposition : 0xfffff880099baa70 -> 0
   +0x048 ResultObject : 0xfffff880099ba838 -> (null)
   +0x050 CallContext : (null)
   +0x058 RootObjectContext : 0xfffff8a0028d1990 Void
   +0x060 Transaction : (null)
   +0x068 Reserved : 0x00000000`00000001 Void
Thanks in advance.
Vinod Mamtani