I don't know if there is a documented way to do this, but you
can hook NtCreateKey, NtOpenKey and track handles to get your name.
Remember that NtOpenKey may be relative to other HKEY.
Regards,
Fernando Roberto da Silva.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On behalf of F Lace
Sent: Thursday, 25 August 2005 11:50
To: Windows System Software Devs Interest List
Subject: [ntdev] string representation of an HKEY
Does anyone know how to obtain the string representation of a key from
an HKEY handle, from both a driver and user mode app?
Thanks
~flace
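Added example, not code from the thread: a portable C model of the bookkeeping a NtOpenKey/NtCreateKey hook would have to keep so that a key handle can later be resolved to its full registry path, including the relative-open case Fernando points out. No real hook, HANDLE or NT API is involved; the handle values, the key names and the assumption that the hook also sees NtClose are all constructed for the example.

```c
/*
 * Added example (not from the OSR thread): the handle-to-path table a
 * NtOpenKey/NtCreateKey hook would maintain. Handle values and key
 * names below are constructed; nothing here touches the real registry.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED  64
#define MAX_PATH_LEN 512

typedef unsigned long key_handle_t;      /* stands in for HANDLE / HKEY */

struct tracked_key {
    int          in_use;
    key_handle_t handle;
    char         path[MAX_PATH_LEN];     /* full \Registry\... path */
};

static struct tracked_key g_table[MAX_TRACKED];
static key_handle_t g_next_handle = 0x100;   /* constructed handle values */

static struct tracked_key *find_entry(key_handle_t h)
{
    int i;
    for (i = 0; i < MAX_TRACKED; i++)
        if (g_table[i].in_use && g_table[i].handle == h)
            return &g_table[i];
    return NULL;
}

/* Resolve a tracked handle to its full path. Returns 0 on success, -1 when
 * the handle was never seen by the hook (for instance it was opened before
 * the hook was installed) or has already been closed. */
int handle_to_name(key_handle_t h, char *out, size_t outlen)
{
    struct tracked_key *e = find_entry(h);
    if (e == NULL || outlen == 0 || strlen(e->path) + 1 > outlen)
        return -1;
    strcpy(out, e->path);
    return 0;
}

/* What the post-call side of a NtOpenKey/NtCreateKey hook records after the
 * real call succeeded. parent == 0 means ObjectName is absolute; otherwise
 * the name is relative to parent (the RootDirectory of OBJECT_ATTRIBUTES),
 * which must already be tracked. Returns the new handle, or 0 if the open
 * cannot be tracked. */
key_handle_t track_open(key_handle_t parent, const char *name)
{
    char full[MAX_PATH_LEN];
    int i;

    if (name == NULL || name[0] == '\0')
        return 0;

    if (parent == 0) {
        if (name[0] != '\\' || strlen(name) >= sizeof full)
            return 0;                    /* absolute names start with \Registry */
        strcpy(full, name);
    } else {
        struct tracked_key *p = find_entry(parent);
        if (p == NULL)
            return 0;                    /* parent unknown: no full path possible */
        if (name[0] == '\\')
            return 0;                    /* a relative name must not start with '\' */
        if (strlen(p->path) + 1 + strlen(name) >= sizeof full)
            return 0;
        snprintf(full, sizeof full, "%s\\%s", p->path, name);
    }

    for (i = 0; i < MAX_TRACKED; i++) {
        if (!g_table[i].in_use) {
            g_table[i].in_use = 1;
            g_table[i].handle = g_next_handle++;
            strcpy(g_table[i].path, full);
            return g_table[i].handle;
        }
    }
    return 0;                            /* table full */
}

/* Hook side of NtClose: forget the handle so a reused handle value is not
 * reported with a stale name. Returns 0 if it was tracked, -1 otherwise. */
int track_close(key_handle_t h)
{
    struct tracked_key *e = find_entry(h);
    if (e == NULL)
        return -1;
    e->in_use = 0;
    e->path[0] = '\0';
    return 0;
}

int main(void)
{
    char buf[MAX_PATH_LEN];
    key_handle_t machine = track_open(0, "\\Registry\\Machine");
    key_handle_t sw      = track_open(machine, "SOFTWARE");
    key_handle_t app     = track_open(sw, "Example\\App");   /* constructed key */

    if (handle_to_name(app, buf, sizeof buf) == 0)
        printf("%lx -> %s\n", app, buf);

    track_close(app);
    if (handle_to_name(app, buf, sizeof buf) != 0)
        printf("%lx -> (closed, no longer tracked)\n", app);
    return 0;
}
```

The table makes the two failure modes of this approach visible: a handle opened before the hook was installed (or through a path the hook did not see) has no entry and cannot be resolved, and a handle value that is reused after NtClose must not be reported under its old name. A real driver would also have to key the table by process, since handle values are per-process, and would have to account for duplicated and inherited handles.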
There is almost no reason to hook anything, but this has got to be one of the
stupidest reasons ever. At least if the guy is going to do this, point him
to the CmRegisterCallback routines of current OSes.
Hooking, as has been stated in so many discussions on this group, is just a
good way to crash. Fortunately, Microsoft is making it harder and harder to
hook.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
This API would be perfect for me, but I need to do that in
Windows NT 4.0 and later. Is there some documented way to do this?
(From the DDK:)
Comments
This routine is available only on Microsoft Windows XP and later operating systems.
Thanks,
Fernando Roberto da Silva.
Nope, for that you have to hook. Just remember that once you hook, never
unhook. While Regmon did when the source was distributed, all you need is
another hooking driver to cause a disaster. Also, use extreme care with
your hooking. While the registry routines are pretty simple, some of the
other system calls require a lot of care to hook correctly. This is why we
beat up on people who hook; it is all too common to mess up the system.
Even worse, I know of hooking drivers that create an environment in which,
when the crash occurs, it is likely to be another driver that is believed to be at
fault.
If possible, either have two drivers, one for NT and 2000 and the other for
XP+, or check for the presence of the Cm routines and use them if available.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
On 8/25/05, Don Burn wrote:
> There is almost no reason to hook anything, but this has got to be one of the
> stupidest reasons ever. At least if the guy is going to do this, point him
> to the CmRegisterCallback routines of current OSes.

This seems to be usable only in kernel mode. Is there an extension of this into user mode too? Is hooking the only way to go in user mode?

> Hooking, as has been stated in so many discussions on this group, is just a
> good way to crash. Fortunately, Microsoft is making it harder and harder to
> hook.
I have not used hooking before although I have read about it. Can you elaborate on Microsoft making hooking harder? They still seem to have Detours around, so I am wondering what is Microsoft making harder.
Also, you mention hooking is a good way to crash, but if it turns out I do have to use hooking, I would appreciate knowing tips to carefully write hooks.