RegNtKeyHandleClose question

I am trying to write a registry filter driver for XP using the registry
callback mechanism. When I intercept the RegNtKeyHandleClose call, I
want to find out the handle it closes. According to MSDN, this callback
function passes back the structure REG_KEY_HANDLE_CLOSE_INFORMATION as
the parameter, and the first member (Object) of the structure is a
pointer to a pointer to the registry key object being closed. So, I
dereference the first pointer, which should give me the pointer to the
registry key object. However, I found that the pointer value is the same
for all RegNtKeyHandleClose calls.

What did I miss here? Is there a better way to track this information?

My ultimate goal is to be able to match registry objects opened (using
RegNtPostOpenKey or RegNtPostCreateKey) to those being closed (through
RegNtKeyHandleClose).

Thanks,

Hao

I did some more debugging, and I believe that the MSDN documentation on
RegNtKeyHandleClose call
(http://msdn2.microsoft.com/en-us/library/aa491584.aspx) is incorrect.
The first parameter Object of the structure is a POINTER to a registry
object, NOT a POINTER to a POINTER to a registry object. I hope someone
from Microsoft can confirm this.

Thanks,

Hao


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Hao Wang
Sent: Friday, March 23, 2007 11:30 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] RegNtKeyHandleClose question



Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
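As an added illustration of the bookkeeping the question is after (this is a user-mode model written for this page, not code from the thread or from the WDK): the callback records the key object pointer delivered by a successful RegNtPostOpenKey/RegNtPostCreateKey and matches it against the Object member delivered at RegNtKeyHandleClose, treating that member as a pointer to the key object itself rather than dereferencing it. The struct names, the notify-class enum and the status constant are stand-ins modelled on the member names used in the thread, not the real WDK definitions; the "key objects" are the addresses of static integers.

```c
/* Constructed user-mode model of matching registry key objects between
 * post-open/create and handle-close notifications. Types and enum values
 * are stand-ins, NOT the WDK's REG_NOTIFY_CLASS / REG_*_INFORMATION. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS 0L
#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)

typedef enum {
    ModelRegNtPostCreateKey,
    ModelRegNtPostOpenKey,
    ModelRegNtKeyHandleClose
} MODEL_NOTIFY_CLASS;

/* Post-open/create: Object is the key object, Status the open result. */
typedef struct { void *Object; NTSTATUS Status; } MODEL_POST_OPEN_INFO;
/* Handle close: Object is a pointer to the key object (PVOID), as the
 * thread found, not a pointer to a pointer. */
typedef struct { void *Object; } MODEL_HANDLE_CLOSE_INFO;

#define MAX_TRACKED 64
typedef struct { void *Object; int OpenCount; } TRACK_ENTRY;
typedef struct { TRACK_ENTRY Entries[MAX_TRACKED]; int UnmatchedCloses; } TRACK_TABLE;

/* Linear scan; Object == NULL marks a free slot. */
static TRACK_ENTRY *FindEntry(TRACK_TABLE *t, void *obj) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (t->Entries[i].Object == obj) return &t->Entries[i];
    return NULL;
}

/* Returns 0 on success, -1 on a NULL object or a full table. */
static int TrackOpen(TRACK_TABLE *t, void *obj) {
    if (obj == NULL) return -1;
    TRACK_ENTRY *e = FindEntry(t, obj);
    if (e) { e->OpenCount++; return 0; }      /* same object seen again */
    e = FindEntry(t, NULL);
    if (!e) return -1;
    e->Object = obj; e->OpenCount = 1;
    return 0;
}

/* A close for an object we never saw opened (e.g. opened before the
 * callback was registered) is counted, not treated as an error path. */
static int TrackClose(TRACK_TABLE *t, void *obj) {
    TRACK_ENTRY *e = FindEntry(t, obj);
    if (!e || obj == NULL) { t->UnmatchedCloses++; return -1; }
    if (--e->OpenCount == 0) e->Object = NULL;
    return 0;
}

/* Shaped like an EX_CALLBACK_FUNCTION: (Context, Argument1, Argument2). */
NTSTATUS ModelRegistryCallback(void *Context, MODEL_NOTIFY_CLASS cls, void *Argument2) {
    TRACK_TABLE *t = (TRACK_TABLE *)Context;
    switch (cls) {
    case ModelRegNtPostCreateKey:
    case ModelRegNtPostOpenKey: {
        MODEL_POST_OPEN_INFO *info = (MODEL_POST_OPEN_INFO *)Argument2;
        if (info->Status == STATUS_SUCCESS)   /* only a successful open yields an object */
            TrackOpen(t, info->Object);
        break;
    }
    case ModelRegNtKeyHandleClose: {
        MODEL_HANDLE_CLOSE_INFO *info = (MODEL_HANDLE_CLOSE_INFO *)Argument2;
        TrackClose(t, info->Object);          /* use Object as-is, do not dereference */
        break;
    }
    }
    return STATUS_SUCCESS;                    /* a tracker never blocks the operation */
}

int TrackedCount(const TRACK_TABLE *t) {
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++) if (t->Entries[i].Object) n++;
    return n;
}

/* Constructed scenario: one failed open, open A, create B, close A,
 * close of an object C that was never tracked. Returns objects still open. */
int RunScenario(TRACK_TABLE *t) {
    static int keyA, keyB, keyC;              /* addresses stand in for key objects */
    MODEL_POST_OPEN_INFO failed  = { NULL,  STATUS_OBJECT_NAME_NOT_FOUND };
    MODEL_POST_OPEN_INFO openA   = { &keyA, STATUS_SUCCESS };
    MODEL_POST_OPEN_INFO createB = { &keyB, STATUS_SUCCESS };
    MODEL_HANDLE_CLOSE_INFO closeA = { &keyA };
    MODEL_HANDLE_CLOSE_INFO closeC = { &keyC };
    memset(t, 0, sizeof *t);
    ModelRegistryCallback(t, ModelRegNtPostOpenKey,   &failed);
    ModelRegistryCallback(t, ModelRegNtPostOpenKey,   &openA);
    ModelRegistryCallback(t, ModelRegNtPostCreateKey, &createB);
    ModelRegistryCallback(t, ModelRegNtKeyHandleClose, &closeA);
    ModelRegistryCallback(t, ModelRegNtKeyHandleClose, &closeC);
    return TrackedCount(t);
}

int main(void) {
    TRACK_TABLE tbl;
    int open = RunScenario(&tbl);
    printf("still open: %d, unmatched closes: %d\n", open, tbl.UnmatchedCloses);
    return 0;
}
```

The model keeps a per-object open count rather than a simple set because, in a real driver, a close may arrive for an object that was opened before the callback was registered, and the same object may be referenced by more than one handle; both cases are handled here without failing the operation.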

You seem to be correct. You could submit feedback to Microsoft from the WDK
page. I’ve always found Microsoft responsive and appreciative to
constructive documentation feedback.

Good luck!
Lyndon

“Hao Wang” wrote in message news:xxxxx@ntdev…
