Changing the driver is the only option. First, you can’t hook on 64-bit;
second, your hooks are probably incorrect, since almost every
implementation out there is broken. Finally, there are a lot of
registry calls, and you haven’t hit all you need; for instance, ZwSaveKey
and its friends can bypass most of what you are doing.
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“xxxxx@komodia.com” wrote in message
news:xxxxx@ntdev:
> Hi,
>
> I have a driver which protects my software’s registry entries using SSDT hooking. It hooks ZwOpenKey and ZwCreateKey and protects against changes/deletes to keys and values by changing the permissions to read-only on the protected keys.
>
> I found out that on Windows 7 32-bit, values aren’t protected. It seems that somehow the application that accesses the registry gets a handle to the key from another function which I can’t locate, and thus it’s able to delete values.
>
> I know there’s a registry filter framework, but changing my whole driver at this point is not an option. Any ideas on the unknown registry function?
>
> Thanks,
> Barak