Hi, I am modifying registry calls through the RFM. I am currently working on RegNtPreOpenKeyEx, modifying the call and then calling ZwCreateKey. Following the stack frames I did not find any recursion. How does the RFM know not to call my handler function once again?
Regards,
Dmitry
I meant: ZwOpenKey. But this does not matter the flow is the same for all ZwXXX calls regarding registry manipulations.
Hi!
How does the RFM know not to call my handler function once again?
Before calling the callback, the configuration manager inserts the thread in
a list which indicates that the thread is in a callback.
When, you issue any registry call, the configuration manager finds the
thread in its list and knows that the registry function was called from a
callback.
So, basically the configuration manager performs the following before
calling the callback:
SomeInternalCmFunction (Some paramater)
{
If (thread present in list)
{
Don’t call callbacks;
}
Else
{
Insert thread in list;
Call callbacks;
}
}
Regards,
Ayush Gupta
Slight mistake…
Just adding a sentence… 
SomeInternalCmFunction (Some paramater)
{
If (thread present in list)
{
Don’t call callbacks;
}
Else
{
Insert thread in list;
Call callbacks;
REMOVE THREAD FROM LIST. // 
}
}
Regards,
Ayush Gupta
Thanks a lot for a rapid reply. Now the vague issue is clarified.
Dmitry.