RegNtPreDeleteValueKey monitoring

Hello everyone,

I’m trying to make a registry monitor using RegNt functions as shown below:

case RegNtPreDeleteKey:
    deleteKey = (PREG_DELETE_KEY_INFORMATION)Argument2;

    /* First call with a zero-length buffer only asks for the required size. */
    ntStatus = ObQueryNameString(deleteKey->Object, NULL, 0, &RetLength);

    if (ntStatus == STATUS_INFO_LENGTH_MISMATCH)
    {
        objName = (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, RetLength, '0uel');
        if (objName != NULL)
        {
            ntStatus = ObQueryNameString(deleteKey->Object, objName, RetLength, &RetLength);

            if (NT_SUCCESS(ntStatus))
            {
                /* objName is an OBJECT_NAME_INFORMATION; the key path is its Name member. */
                RtlCopyUnicodeString(&regPath, &objName->Name);
                DbgPrint("[pid:%d] deleteKey: %wZ\n", pid, &regPath);
            }

            ExFreePoolWithTag(objName, '0uel');
        }
    }

    break;

As you can see I get this case executed when I create a key value and even when I delete it.

So my question is, is it normal that this case gets executed even when I create a key value? Also, how can I monitor the creation so I can differentiate it from the deletion?

Thanks in advance.

Firstly are you talking about keys or values? It’s a bit unclear because you talk about values but the code you’ve posted relates just to keys.

Anyway, I’d suggest this is either because you’re missing a break after one of the cases in your switch statement or, more likely, you’re using regedit to test this and when you create and name a key using regedit what happens is something like:

  1. You create a key with a name such as ‘New Key #1’.
  2. You rename the key to whatever you want it to be called.
  3. Instead of renaming ‘New Key #1’ regedit actually creates a new key with your new name and deletes ‘New Key #1’.

Hence, even when you think you’re only creating a key, regedit actually does delete one behind the scenes. From memory, this aspect of regedit’s behaviour varies between different OS versions but it should be easy to determine if this is happening by looking at the names of keys that are being created and deleted.

Hey ISL,

In fact, I was talking about values but did post keys. Sorry for that. Here is the new version.

case RegNtPreDeleteValueKey:
    deleteValueKey = (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2;

    /* First call with a zero-length buffer only asks for the required size. */
    ntStatus = ObQueryNameString(deleteValueKey->Object, NULL, 0, &RetLength);

    if (ntStatus == STATUS_INFO_LENGTH_MISMATCH)
    {
        objName = (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, RetLength, '0uel');
        if (objName != NULL)
        {
            ntStatus = ObQueryNameString(deleteValueKey->Object, objName, RetLength, &RetLength);

            if (NT_SUCCESS(ntStatus))
            {
                /* The key path is objName->Name; ValueName is already a PUNICODE_STRING. */
                RtlCopyUnicodeString(&regPath, &objName->Name);
                DbgPrint("[pid:%d] delete key: %wZ valuename: %wZ\n", pid, &regPath, deleteValueKey->ValueName);
            }

            ExFreePoolWithTag(objName, '0uel');
        }
    }

    break;
}

Yes I’m doing tests with regedit, but all I get when I create a value is the execution of this statement. I think I need to monitor setvalue RegNt function too.

Thanks for your help.

Monitoring for the SetValue case as well sounds like a good idea. It might also help you test your driver more precisely if you write your own user mode app which performs specific registry operations using RegSetValueEx etc, it should only take a few minutes to create something basic.

Good luck!
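The kind of user-mode exerciser suggested above, as an added example (not code from the thread or from any poster): a PowerShell script that performs one registry operation at a time, printing a marker before each, so the driver's DbgPrint lines can be matched against a known sequence instead of regedit's internal behaviour. It uses the .NET Microsoft.Win32.Registry class, which wraps RegCreateKeyEx, RegSetValueEx, RegDeleteValue and RegDeleteKey. The RegMonTest key name and the TestValue value are constructed for the example; it assumes the driver's output is being collected with a kernel debugger or DebugView while the script runs.

```powershell
# Added example (not from the thread): user-mode exerciser for a registry
# callback driver. Each step is one Win32 registry call, so the callback
# notifications can be aligned with the "==>" markers printed here.
# Assumption: the driver's DbgPrint output is being watched in parallel.

# Constructed, unique key name under HKCU so the test never touches real data.
$keyName = 'Software\RegMonTest-' + [guid]::NewGuid().ToString('N')
$hkcu    = [Microsoft.Win32.Registry]::CurrentUser

function Step([string]$label, [scriptblock]$action) {
    # Print a marker before each operation so the kernel trace can be aligned to it.
    Write-Host ("==> {0}" -f $label)
    & $action
    Start-Sleep -Milliseconds 200   # let the debugger output separate the steps
}

Step 'RegCreateKeyEx : create key'            { $script:key = $hkcu.CreateSubKey($keyName) }
Step 'RegSetValueEx  : create value (REG_SZ)' { $key.SetValue('TestValue', 'hello', [Microsoft.Win32.RegistryValueKind]::String) }
Step 'RegSetValueEx  : overwrite same value'  { $key.SetValue('TestValue', 'world', [Microsoft.Win32.RegistryValueKind]::String) }
Step 'RegDeleteValue : delete value'          { $key.DeleteValue('TestValue') }
Step 'RegCloseKey    : close handle'          { $key.Close() }
Step 'RegDeleteKey   : delete key'            { $hkcu.DeleteSubKey($keyName) }

Write-Host "Done. Expect one create-key, two set-value, one delete-value and one delete-key notification for $keyName."
```

Because every operation is issued explicitly, a RegNtPreDeleteValueKey notification appearing anywhere other than directly after the "RegDeleteValue" marker points at the driver (for example a missing break in the switch) rather than at the tool used to generate the traffic.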

This is patently untrue since sometime in the Windows XP lifetime. Keys are currently renamed, not copied and deleted.

That wasn’t always true, but it became true a long time ago.

The myth persists, however …

Phil

Not speaking for LogRhythm
Phil Barila | Senior Software Engineer
720.881.5364 (w)
LogRhythm, Inc.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@baesystemsdetica.com
Sent: Thursday, April 23, 2015 3:47 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] RegNtPreDeleteValueKey monitoring

I did say in my post that the behaviour varies between OS versions…