I’m trying to figure out a way to tell if the key that was just opened is a link. I originally thought I would be able to the look at the PreInformation->CreateOptions, but I am finding that to not be correct. Basically anyone that happened to open the key with the Attributes OBJ_OPENLINK set will cause that CreateOptions to say the key is link even though it is not.
So is there a way to tell in the post information or a call that can be issued that will allow me to know that the key is an actual link. I’m trying to avoid looking for the SymbolicLinkValue in the post, as it is kind of expensive.
We couldn’t find a way to work around this. We found that the PreInformation->CreateOptions would report a key as a link even in cases where the OBJ_OPENLINK was not requested. In fact we found that if the ZwOpenKeyEx is called to open any key and the caller sets the OpenOptions to have REG_OPTION_OPEN_LINK, the post will always say the key is a link even when it is not a link.
So we worked around the issue by checking for the SymbolicLinkValue in the post and only treat the key as a link if we find the value.
I’m attaching the code we use here in case anyone needs it in the future.
if ( NT_SUCCESS( status ) )
{
UNICODE_STRING ValueName = RTL_CONSTANT_STRING( L"SymbolicLinkValue" );
status = ZwQueryValueKey(h, &ValueName, KeyValuePartialInformation,
&ValueInfo, ValueSize, &len);
if (status == STATUS_BUFFER_TOO_SMALL)
{
// we know the value exists, we just didn’t give it enough data
keyFound = TRUE;
}