registry\\Registry\\Machine\\SOFTWARE\\ path is not accessible in NT Application

akhilvsuku · January 6, 2024, 5:19pm

am writing a simple program that will update _LogApp _section in _\Registry\Machine\SOFTWARE\ _path. It is an NT Application and it runs before the startup.
_
void NtProcessStartup(IN PPEB peb)
{
// it is important to declare all variables at the beginning

NTSTATUS status;


wchar_t* commands = (wchar_t*)L"MyKeyEntry";
UNICODE_STRING keyPath;
UNICODE_STRING valueName;

status = RtlWriteRegistryValue(L"\\Registry\\Machine\\SOFTWARE\\",
    L"LogApp", L"Status", REG_MULTI_SZ,
    L"Debug", 5 * sizeof(wchar_t));

NtTerminateProcess(NtCurrentProcess(), 0);

}
_
This program is working as expected when giving the relative path \Registry\Machine\System but not working for \Registry\Machine\SOFTWARE.

I am suspect NT Application which I am running doesn’t have the access to the reg path \Registry\Machine\SOFTWARE\. How can I update \Registry\Machine\SOFTWARE\.

Dejan_Maksimovic · January 6, 2024, 6:06pm

What does “before startup” mean? IIRC, Software hive is not loaded as early
as the System hive, so that may be the reason.
You can confirm by running the app when the desktop is loaded with the
exact same paths.

MBond2 · January 6, 2024, 11:34pm

IIRC some parts of the registry are loaded more than once as part of the boot sequence. This will be a huge job no matter what

Tim_Roberts · January 7, 2024, 1:26am

Right. The HLKM\System hive is mounted first thing, so the boot sequence can find the components it needs. The HKLM\Software hive isn’t loaded until much later in boot.