Registry changes made at system start time disappear

Hello,

I have a driver that starts at SERVICE_SYSTEM_START (1) with a group of
“Base” and a tag value that puts it first in the Base group.

At the point that the driver loads, only the HKLM\SYSTEM portion of the
registry is available. I need to modify other portions of the registry so
I first load the remaining hives (not all of them, just the ones I need). I
determine the paths of the on-disk hives and the keys upon which to mount
them by enumerating HKLM\SYSTEM\CurrentControlSet\Control\hivelist. Each
hive is loaded by calling ZwLoadKey().

After these steps I can query and modify the registry without any errors. I
then unload the hives by calling ZwUnloadKey() on each one and the system
continues to boot. A brief instant later the system reloads the hives and
the GUI comes up (If I don’t unload the hives, the system crashes when it
gets to this step).

Everything is perfect for read-only operations, but all of my sets, creates
and deletes, which all returned STATUS_SUCCESS, are missing once the system
finishes booting. I tried calling ZwFlushKey() after each update and that
didn’t change things. I also tried using ZwLoadKey2() instead of
ZwLoadKey() and specifying the REG_NO_LAZY_FLUSH flag, but again, the
results were the same.

Is there some other magic flag (or syscall) that I’m missing or is it the
time at which I’m trying to do this that’s causing the problem?

Any insight would be great!

Thanks,
Jeff

Here is my insight, which I suspect you are not going to like: don’t do
this.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jeff B
Sent: Wednesday, July 13, 2005 4:15 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Registry changes made at system start time disappear


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

I almost put “please don’t say not to try to do this” in my first post :)

I really don’t have any choice – I need to modify registry values before
the system comes up, that is the #1 requirement of the whole driver… Is
there any actual technical reason why this shouldn’t be done? I realize
it’s not “good form” but certainly there must be some way to pull this off?

Thanks,
Jeff

“Roddy, Mark” wrote in message news:xxxxx@ntdev…
Here is my insight, which I suspect you are not going to like: don’t do
this.

Jeff,

you wrote on Thursday, July 14, 2005, 04:18:10:

JB> I really don’t have any choice – I need to modify registry values before
JB> the system comes up, that is the #1 requirement of the whole driver…

How early in the boot process do these changes really have to be made?
What about trying to do this from a native application (autochk like),
this at least runs before the Win32 subsystem.


Ralf.

As is so common on this list, you have a proposed solution to a problem
that you haven’t revealed, and you want us to tell you how to make it work.
As is almost always the case, your proposed solution is fragile (at best)
or unworkable.

If you told us the problem, we could probably assist you in finding a
solution that isn’t so fragile/unworkable.

Phil

Philip D. Barila
Seagate Technology LLC
(720) 684-1842

“Jeff B” dustries.com>
Sent by: bounce-213991-643 xxxxx@lists.osr.com
07/13/2005 08:18 PM
To: “Windows System Software Devs Interest List”
Subject: Re:[ntdev] Registry changes made at system start time disappear
Please respond to “Windows System Software Devs Interest List” com>
