reading key value through ZwqueryValuekey

OSR_Community_User · August 14, 2006, 12:10am

Hi,
I am very new to driver developement.
I am soppose to read a registry value through the driver.
the key:seed and value:0x2348b231.(REG_SZ)
I have written the code to read the registry value but it is printing only a single character.
can anyone help me in reading the entire value.
Here is the code.It wouldbe fine if you can add the code to read the entire value.
This code has some irrelevant declarions which are not used and can be ignored

Naveen

#include <ntddk.h>
#define CMI_DEVICE_PATH L"\Registry\Machine\Software\bmc\wDsc\configuration\PROM"
#define MAX_CMI_DEVICE_NAME_LENGTH 50
typedef struct DEV_EXT
{
UNICODE_STRING SymLink;
void *pBuff;
ULONG BuffSize;
}DEV_EXT;

TopOfNTMemory()
{
NTSTATUS status;
OBJECT_ATTRIBUTES obj;
HANDLE key;
ULONG size, i, j, temp;

UNICODE_STRING name, value;
WCHAR string[20] = L"Seed";
PCM_RESOURCE_LIST resList;

PKEY_VALUE_PARTIAL_INFORMATION keyData,vpip;
ULONG PhysMemTop = 0;
size=0;
RtlInitUnicodeString(&name,L"\Registry\Machine\Software\bmc\wDsc\configuration\PROM");
DbgPrint(“Hello inside function\n”);
InitializeObjectAttributes(&obj, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);
RtlInitUnicodeString(&value, string);
status = ZwOpenKey(&key, KEY_QUERY_VALUE, &obj);

if (NT_SUCCESS(status))
{
DbgPrint(“Hello driver sucess\n”);
status = ZwQueryValueKey(key, &value, KeyValuePartialInformation, NULL, 0, &size);
if ( size == 0)
{
DbgPrint(“ZwQueryValueKey 1 failed\n”);
}
vpip = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool, size);
if (!vpip)
{
DbgPrint(“vpip 1 failed\n”);
}

status = ZwQueryValueKey(key, &value, KeyValuePartialInformation,vpip, size, &size);
if (!NT_SUCCESS(status))
{
DbgPrint(“ZWquery failed 2 failed\n”);
}
resList = (PCM_RESOURCE_LIST)vpip->Data;
DbgPrint(“value %s\n”,vpip->Data);
ExFreePool(vpip);

(VOID)ZwClose(key);

}

if (!NT_SUCCESS(status))
{
DbgPrint(“Hello driver ntfs\n”);
}

}

void myUnload(PDRIVER_OBJECT pDrvObj)
{
DbgPrint(“Hello driver unload\n”);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pStr)
{
ULONG ulStopDataTransmissionOnSuspend ;
BOOLEAN fOptionDetermined = FALSE;
ANSI_STRING Ansi;
NTSTATUS status;
UNICODE_STRING DevName;
UNICODE_STRING SymLink;
PDEVICE_OBJECT pDevObj;
DEV_EXT *pe;
PVOID handle;
PVOID buffer;
UNICODE_STRING gRegistryPath;
RTL_QUERY_REGISTRY_TABLE QueryTable[10];
RtlInitUnicodeString(&gRegistryPath,CMI_DEVICE_PATH);
RtlInitUnicodeString(&DevName, L"\device\myDev");
RtlInitUnicodeString(&SymLink, L"\??\mySymLink");
DbgPrint(“Hello new driver\n”);
TopOfNTMemory();
RtlUnicodeStringToAnsiString(&Ansi, pStr, TRUE);
DbgPrint(“Driver Path : %s”, Ansi.Buffer);
RtlFreeAnsiString(&Ansi);
pDrvObj->DriverUnload = myUnload;
return STATUS_SUCCESS;
}</ntddk.h>

Doron_Holan · August 14, 2006, 10:31am

To be robust, this
WCHAR
string[20] = L"Seed";
Should be
WCHAR string
= L"Seed";

In fact, you don’t need this at all
RtlInitUnicodeString(&value, L"Seed");

You are getting one char b/c you are printing a Unicode string as ANSI
DbgPrint(“value %s\n”,vpip->Data);
Should be
DbgPrint(“value %S\n”,vpip->Data);

Now, that is assuming the string is null terminated, if not you will
blow up.

More importantly, the reg path you are reading from (which curiously
enough you create a #define but then use the string itself later)

#define CMI_DEVICE_PATH
L"\Registry\Machine\Software\bmc\wDsc\configuration\PROM"

Is not available at boot. The software key is only loaded later in the
boot process (around the time the machine goes GUI/high resolution).

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@rediffmail.com
Sent: Sunday, August 13, 2006 9:10 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] reading key value through ZwqueryValuekey

Hi,
I am very new to driver developement.
I am soppose to read a registry value through the driver.
the key:seed and value:0x2348b231.(REG_SZ)
I have written the code to read the registry value but it is printing
only a single character.
can anyone help me in reading the entire value.
Here is the code.It wouldbe fine if you can add the code to read the
entire value.
This code has some irrelevant declarions which are not used and can be
ignored

Naveen

#include <ntddk.h>
#define CMI_DEVICE_PATH
L"\Registry\Machine\Software\bmc\wDsc\configuration\PROM"
#define MAX_CMI_DEVICE_NAME_LENGTH 50
typedef struct DEV_EXT
{
UNICODE_STRING SymLink;
void *pBuff;
ULONG BuffSize;
}DEV_EXT;

TopOfNTMemory()
{
NTSTATUS status;
OBJECT_ATTRIBUTES obj;
HANDLE key;
ULONG size, i,
j, temp;

UNICODE_STRING name, value;
WCHAR
string[20] = L"Seed";
PCM_RESOURCE_LIST resList;

PKEY_VALUE_PARTIAL_INFORMATION keyData,vpip;
ULONG
PhysMemTop = 0;
size=0;

RtlInitUnicodeString(&name,L"\Registry\Machine\Software\bmc\wDsc\c
onfiguration\PROM");
DbgPrint(“Hello inside function\n”);
InitializeObjectAttributes(&obj, &name, OBJ_CASE_INSENSITIVE,
NULL, NULL);
RtlInitUnicodeString(&value, string);
status = ZwOpenKey(&key, KEY_QUERY_VALUE, &obj);

if (NT_SUCCESS(status))
{
DbgPrint(“Hello driver sucess\n”);
status = ZwQueryValueKey(key, &value,
KeyValuePartialInformation, NULL, 0, &size);
if ( size == 0)
{
DbgPrint(“ZwQueryValueKey 1 failed\n”);
}
vpip = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,
size);
if (!vpip)
{
DbgPrint(“vpip 1 failed\n”);
}

status = ZwQueryValueKey(key, &value,
KeyValuePartialInformation,vpip, size, &size);
if (!NT_SUCCESS(status))
{
DbgPrint(“ZWquery failed 2 failed\n”);
}
resList = (PCM_RESOURCE_LIST)vpip->Data;
DbgPrint(“value %s\n”,vpip->Data);
ExFreePool(vpip);

(VOID)ZwClose(key);

}

if (!NT_SUCCESS(status))
{
DbgPrint(“Hello driver ntfs\n”);
}

}

void myUnload(PDRIVER_OBJECT pDrvObj)
{
DbgPrint(“Hello driver unload\n”);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pStr)
{
ULONG ulStopDataTransmissionOnSuspend ;
BOOLEAN fOptionDetermined = FALSE;
ANSI_STRING Ansi;
NTSTATUS status;
UNICODE_STRING DevName;
UNICODE_STRING SymLink;
PDEVICE_OBJECT pDevObj;
DEV_EXT *pe;
PVOID handle;
PVOID buffer;
UNICODE_STRING gRegistryPath;
RTL_QUERY_REGISTRY_TABLE QueryTable[10];
RtlInitUnicodeString(&gRegistryPath,CMI_DEVICE_PATH);
RtlInitUnicodeString(&DevName, L"\device\myDev");
RtlInitUnicodeString(&SymLink, L"\??\mySymLink");
DbgPrint(“Hello new driver\n”);
TopOfNTMemory();
RtlUnicodeStringToAnsiString(&Ansi, pStr, TRUE);
DbgPrint(“Driver Path : %s”, Ansi.Buffer);
RtlFreeAnsiString(&Ansi);
pDrvObj->DriverUnload = myUnload;
return STATUS_SUCCESS;
}

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer</ntddk.h>

OSR_Community_User · August 14, 2006, 10:45am

" DbgPrint(“value %s\n”,vpip->Data);
ExFreePool(vpip);"

The string is a wide char string. You are printing using %s. Try %S.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@rediffmail.com
Sent: Monday, August 14, 2006 12:10 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] reading key value through ZwqueryValuekey

Hi,
I am very new to driver developement.
I am soppose to read a registry value through the driver.
the key:seed and value:0x2348b231.(REG_SZ)
I have written the code to read the registry value but it is printing
only a single character.
can anyone help me in reading the entire value.
Here is the code.It wouldbe fine if you can add the code to read the
entire value.
This code has some irrelevant declarions which are not used and can be
ignored

Naveen

#include <ntddk.h>
#define CMI_DEVICE_PATH
L"\Registry\Machine\Software\bmc\wDsc\configuration\PROM"
#define MAX_CMI_DEVICE_NAME_LENGTH 50
typedef struct DEV_EXT
{
UNICODE_STRING SymLink;
void *pBuff;
ULONG BuffSize;
}DEV_EXT;

TopOfNTMemory()
{
NTSTATUS status;
OBJECT_ATTRIBUTES obj;
HANDLE key;
ULONG size, i,
j, temp;

UNICODE_STRING name, value;
WCHAR
string[20] = L"Seed";
PCM_RESOURCE_LIST resList;

PKEY_VALUE_PARTIAL_INFORMATION keyData,vpip;
ULONG
PhysMemTop = 0;
size=0;

RtlInitUnicodeString(&name,L"\Registry\Machine\Software\bmc\wDsc\c
onfiguration\PROM");
DbgPrint(“Hello inside function\n”);
InitializeObjectAttributes(&obj, &name, OBJ_CASE_INSENSITIVE,
NULL, NULL);
RtlInitUnicodeString(&value, string);
status = ZwOpenKey(&key, KEY_QUERY_VALUE, &obj);

if (NT_SUCCESS(status))
{
DbgPrint(“Hello driver sucess\n”);
status = ZwQueryValueKey(key, &value,
KeyValuePartialInformation, NULL, 0, &size);
if ( size == 0)
{
DbgPrint(“ZwQueryValueKey 1 failed\n”);
}
vpip = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,
size);
if (!vpip)
{
DbgPrint(“vpip 1 failed\n”);
}

status = ZwQueryValueKey(key, &value,
KeyValuePartialInformation,vpip, size, &size);
if (!NT_SUCCESS(status))
{
DbgPrint(“ZWquery failed 2 failed\n”);
}
resList = (PCM_RESOURCE_LIST)vpip->Data;
DbgPrint(“value %s\n”,vpip->Data);
ExFreePool(vpip);

(VOID)ZwClose(key);

}

if (!NT_SUCCESS(status))
{
DbgPrint(“Hello driver ntfs\n”);
}

}

void myUnload(PDRIVER_OBJECT pDrvObj)
{
DbgPrint(“Hello driver unload\n”);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pStr)
{
ULONG ulStopDataTransmissionOnSuspend ;
BOOLEAN fOptionDetermined = FALSE;
ANSI_STRING Ansi;
NTSTATUS status;
UNICODE_STRING DevName;
UNICODE_STRING SymLink;
PDEVICE_OBJECT pDevObj;
DEV_EXT *pe;
PVOID handle;
PVOID buffer;
UNICODE_STRING gRegistryPath;
RTL_QUERY_REGISTRY_TABLE QueryTable[10];
RtlInitUnicodeString(&gRegistryPath,CMI_DEVICE_PATH);
RtlInitUnicodeString(&DevName, L"\device\myDev");
RtlInitUnicodeString(&SymLink, L"\??\mySymLink");
DbgPrint(“Hello new driver\n”);
TopOfNTMemory();
RtlUnicodeStringToAnsiString(&Ansi, pStr, TRUE);
DbgPrint(“Driver Path : %s”, Ansi.Buffer);
RtlFreeAnsiString(&Ansi);
pDrvObj->DriverUnload = myUnload;
return STATUS_SUCCESS;
}

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer</ntddk.h>

OSR_Community_User · August 15, 2006, 11:50pm

Hi
Thanks a lot .It worked!!!

-Naveen

OSR_Community_User · August 16, 2006, 8:46am

Please note Doron’s comments concerning the null termination (or lack
thereof) of the returned wchar string. The safest way to deal with the
returned value is to use the length returned in size and convert the
data returned into a UNICOCE_STRING object. (%wZ will print
UNICODE_STRINGs.)

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@rediffmail.com
Sent: Tuesday, August 15, 2006 11:51 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] reading key value through ZwqueryValuekey

Hi
Thanks a lot .It worked!!!

-Naveen

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Doron_Holan · August 16, 2006, 1:40pm

AFAIK, for a REG_SZ returned by ZwQueryValueKey, it will be a NULL
terminated string. At least, I have made that assumption in the past.
I should look in the reg code to see if that is guaranteed by the API or
not.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Roddy, Mark
Sent: Wednesday, August 16, 2006 5:46 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] reading key value through ZwqueryValuekey

Please note Doron’s comments concerning the null termination (or lack
thereof) of the returned wchar string. The safest way to deal with the
returned value is to use the length returned in size and convert the
data returned into a UNICOCE_STRING object. (%wZ will print
UNICODE_STRINGs.)

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@rediffmail.com
Sent: Tuesday, August 15, 2006 11:51 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] reading key value through ZwqueryValuekey

Hi
Thanks a lot .It worked!!!

-Naveen

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Skywing · August 16, 2006, 3:16pm

Not guaranteed. A simple test program proves that it doesn’t specially null
terminate strings. Any program or driver that relies on ZwQueryValueKey
null terminating strings is buggy at best and may introduce security holes
at worst. The string is only null terminated if the program that set the
value null terminated it; this isn’t enforced by the kernel and so you
cannot trust it.

–

int __cdecl wmain(int ac, wchar_t** av)
{
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING ObjectName, CurrentUserPath, Suffix,
ValueName;
WCHAR Buf[1024];
CHAR Data [16];
UCHAR ValueBuf [
sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(Buf) ];
ULONG DataSize, ReturnLength;
HANDLE Key;
NTSTATUS Status;
PKEY_VALUE_PARTIAL_INFORMATION ValueInformation;

if (!NT_SUCCESS(RtlFormatCurrentUserKeyPath(&CurrentUserPath)))
{
return 0;
}

DataSize = sizeof(Data);

ObjectName.Buffer = Buf;
ObjectName.Length = 0;
ObjectName.MaximumLength = sizeof(Buf);

RtlFillMemory(Data, DataSize, 0xFF);

RtlInitUnicodeString(&Suffix,
L"\Test");
RtlInitUnicodeString(&ValueName,
L"StringValue");

RtlCopyUnicodeString(&ObjectName,
&CurrentUserPath);
RtlFreeUnicodeString(&CurrentUserPath);

RtlAppendUnicodeStringToString(&ObjectName,
&Suffix);

InitializeObjectAttributes(&ObjectAttributes,
&ObjectName,
OBJ_CASE_INSENSITIVE,
0,
0);

Status = NtOpenKey(&Key,
KEY_SET_VALUE | KEY_QUERY_VALUE,
&ObjectAttributes);

if (!NT_SUCCESS(Status))
{
wprintf(L"NtOpenKey failed - %x\n",
Status);
return 0;
}

Status = NtSetValueKey(Key,
&ValueName,
0,
REG_SZ,
Data,
DataSize);

if (!NT_SUCCESS(Status))
{
wprintf(L"NtSetValueKey failed - %x\n",
Status);
NtClose(Key);
return 0;
}

ValueInformation = (PKEY_VALUE_PARTIAL_INFORMATION)ValueBuf;

Status = NtQueryValueKey(Key,
&ValueName,
KeyValuePartialInformation,
ValueInformation,
sizeof(ValueBuf),
&ReturnLength);

NtClose(Key);

if (!NT_SUCCESS(Status))
{
wprintf(L"NtQueryValueKey failed - %x\n",
Status);
return 0;
}

dumphex((char*)ValueInformation->Data,
(int)ValueInformation->DataLength, -1); // or any function to do a hexdump.
return 0;
}

–

Output (assuming you create the “Test” key in HKCU for the program):

C:\Dev\CVS\TestApp\release>testapp
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff …

Easy to confirm via regedit “edit binary data” that there is no null
terminator included as well.

–
Ken Johnson (Skywing)
Windows SDK MVP

“Doron Holan” wrote in message
news:xxxxx@ntdev…
AFAIK, for a REG_SZ returned by ZwQueryValueKey, it will be a NULL
terminated string. At least, I have made that assumption in the past.
I should look in the reg code to see if that is guaranteed by the API or
not.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Roddy, Mark
Sent: Wednesday, August 16, 2006 5:46 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] reading key value through ZwqueryValuekey

Please note Doron’s comments concerning the null termination (or lack
thereof) of the returned wchar string. The safest way to deal with the
returned value is to use the length returned in size and convert the
data returned into a UNICOCE_STRING object. (%wZ will print
UNICODE_STRINGs.)

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@rediffmail.com
Sent: Tuesday, August 15, 2006 11:51 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] reading key value through ZwqueryValuekey

Hi
Thanks a lot .It worked!!!

-Naveen

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · August 16, 2006, 3:44pm

That is my experience as well. You have to pay attention to the returned
length.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Skywing
Sent: Wednesday, August 16, 2006 3:12 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] reading key value through ZwqueryValuekey

Not guaranteed. A simple test program proves that it doesn’t specially
null
terminate strings. Any program or driver that relies on ZwQueryValueKey

null terminating strings is buggy at best and may introduce security
holes
at worst. The string is only null terminated if the program that set
the
value null terminated it; this isn’t enforced by the kernel and so you
cannot trust it.

–

int __cdecl wmain(int ac, wchar_t** av)
{
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING ObjectName, CurrentUserPath, Suffix,
ValueName;
WCHAR Buf[1024];
CHAR Data [16];
UCHAR ValueBuf [
sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(Buf) ];
ULONG DataSize, ReturnLength;
HANDLE Key;
NTSTATUS Status;
PKEY_VALUE_PARTIAL_INFORMATION ValueInformation;

if (!NT_SUCCESS(RtlFormatCurrentUserKeyPath(&CurrentUserPath)))
{
return 0;
}

DataSize = sizeof(Data);

ObjectName.Buffer = Buf;
ObjectName.Length = 0;
ObjectName.MaximumLength = sizeof(Buf);

RtlFillMemory(Data, DataSize, 0xFF);

RtlInitUnicodeString(&Suffix,
L"\Test");
RtlInitUnicodeString(&ValueName,
L"StringValue");

RtlCopyUnicodeString(&ObjectName,
&CurrentUserPath);
RtlFreeUnicodeString(&CurrentUserPath);

RtlAppendUnicodeStringToString(&ObjectName,
&Suffix);

InitializeObjectAttributes(&ObjectAttributes,
&ObjectName,
OBJ_CASE_INSENSITIVE,
0,
0);

Status = NtOpenKey(&Key,
KEY_SET_VALUE | KEY_QUERY_VALUE,
&ObjectAttributes);

if (!NT_SUCCESS(Status))
{
wprintf(L"NtOpenKey failed - %x\n",
Status);
return 0;
}

Status = NtSetValueKey(Key,
&ValueName,
0,
REG_SZ,
Data,
DataSize);

if (!NT_SUCCESS(Status))
{
wprintf(L"NtSetValueKey failed - %x\n",
Status);
NtClose(Key);
return 0;
}

ValueInformation = (PKEY_VALUE_PARTIAL_INFORMATION)ValueBuf;

Status = NtQueryValueKey(Key,
&ValueName,
KeyValuePartialInformation,
ValueInformation,
sizeof(ValueBuf),
&ReturnLength);

NtClose(Key);

if (!NT_SUCCESS(Status))
{
wprintf(L"NtQueryValueKey failed - %x\n",
Status);
return 0;
}

dumphex((char*)ValueInformation->Data,
(int)ValueInformation->DataLength, -1); // or any function to do a
hexdump.
return 0;
}

–

Output (assuming you create the “Test” key in HKCU for the program):

C:\Dev\CVS\TestApp\release>testapp
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff …

Easy to confirm via regedit “edit binary data” that there is no null
terminator included as well.

–
Ken Johnson (Skywing)
Windows SDK MVP

“Doron Holan” wrote in message
news:xxxxx@ntdev…
AFAIK, for a REG_SZ returned by ZwQueryValueKey, it will be a NULL
terminated string. At least, I have made that assumption in the past.
I should look in the reg code to see if that is guaranteed by the API or
not.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Roddy, Mark
Sent: Wednesday, August 16, 2006 5:46 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] reading key value through ZwqueryValuekey

Please note Doron’s comments concerning the null termination (or lack
thereof) of the returned wchar string. The safest way to deal with the
returned value is to use the length returned in size and convert the
data returned into a UNICOCE_STRING object. (%wZ will print
UNICODE_STRINGs.)

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@rediffmail.com
Sent: Tuesday, August 15, 2006 11:51 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] reading key value through ZwqueryValuekey

Hi
Thanks a lot .It worked!!!

-Naveen

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer