When are registry callback object pointers invalid?

Hi,

I’m currently writing a kernel mode filter driver to monitor registry activity (using CmRegisterCallback/CmRegisterCallbackEx) and am after some advice on interpreting the ‘REG_POST_OPERATION_INFORMATION’ structure, specifically within the context of handling a ‘RegNtPostCreateKeyEx’ event.

I can successfully process the ‘Object’ member using ‘ObQueryNameString’ to give me the name of the created key (which is what I’m after); however, in some instances the ‘Status’ member is not equal to ‘STATUS_SUCCESS’, which according to the Microsoft documentation (link below) means that the Object pointer is invalid.

http://msdn.microsoft.com/en-gb/library/windows/hardware/ff548191(v=vs.85).aspx

Checking the ‘Status’ member before using the ‘Object’ pointer is enough for me to avoid the BSOD. However, when the object pointer is invalid I’m obviously unable to obtain the name of the key that has been created, which is a problem.

The Microsoft documentation isn’t clear about why these Object pointers are sometimes invalid or under which circumstances this happens, and I’d like to know which key creation events I’m going to miss because of this. Can anybody shed any light on this?

Apologies if this is a daft question, I’m new to driver writing and could really use a steer in the right direction!

Thanks

>Checking the ‘Status’ member before using the ‘Object’ pointer is enough for me to
>avoid the BSOD. However, when the object pointer is invalid I’m obviously
>unable to obtain the name of the key that has been created which is a
>problem.

If the operation failed, why do you expect a key to be created? Or do you actually see a key created while NT_SUCCESS(Status) is TRUE but not equal to STATUS_SUCCESS?

//Daniel

Thanks for the quick reply.

I’m assuming that a key has been created because I’ve received a callback. Might this not be the case? If another application or driver tries to create a key and fails should I still expect to receive a post create key event?

After re-reading the documentation I think you’ve pointed me in the right direction. Looking at the XP version of the structure (REG_POST_CREATE_KEY_INFORMATION), MSDN says that the structure ‘contains the result of an ATTEMPT to create a registry key’ which must mean that the events I’m seeing are simply failed attempts to create registry keys.

Thanks again.
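The handling the thread arrives at, as an added example that is not code from either poster: a post-create handler that dereferences Object only when Status is exactly STATUS_SUCCESS, and otherwise falls back to the name the caller asked for, which the pre-notification structure still holds (the PreInformation member of REG_POST_OPERATION_INFORMATION, Vista and later), so a failed attempt is logged with its status rather than lost, and NT_SUCCESS is shown alongside to make Daniel's distinction concrete. The kernel types are reduced to user-mode models carrying only the members used, and KeyObjectModel, NameSource and resolve_key_name are assumed names standing in for ObQueryNameString and the driver's own logging, so the file builds and runs with an ordinary C compiler.

```c
#include <stdio.h>
#include <wchar.h>
/* Simplified user-mode models of the kernel types: only the members this example needs,
 * not the real ntddk.h layouts (assumption). The status values are the documented ones. */
typedef int NTSTATUS;                                           /* 32-bit, like Windows LONG */
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000)
#define STATUS_OBJECT_NAME_COLLISION ((NTSTATUS)0xC0000035)      /* key already exists */
#define NT_SUCCESS(s)                ((s) >= 0)
typedef struct { unsigned short Length; const wchar_t *Buffer; } UNICODE_STRING;  /* Length in bytes */
typedef struct { void *RootObject; UNICODE_STRING *CompleteName; } REG_CREATE_KEY_INFORMATION;
typedef struct { void *Object; NTSTATUS Status; void *PreInformation; } REG_POST_OPERATION_INFORMATION;
typedef struct { const wchar_t *FullName; } KeyObjectModel;    /* what ObQueryNameString resolves */
typedef enum { NAME_FROM_OBJECT, NAME_FROM_PREINFO, NAME_UNAVAILABLE } NameSource;

/* The check the thread converges on: dereference Object only when Status is exactly STATUS_SUCCESS;
 * a failed attempt still carries the requested name in PreInformation (Vista and later), so it is
 * logged with its failure status instead of being dropped. */
NameSource resolve_key_name(const REG_POST_OPERATION_INFORMATION *post, wchar_t *out, size_t cap)
{
    if (post->Status == STATUS_SUCCESS && post->Object != NULL) {
        const KeyObjectModel *key = post->Object;
        wcsncpy(out, key->FullName, cap - 1); out[cap - 1] = L'\0';
        return NAME_FROM_OBJECT;
    }
    const REG_CREATE_KEY_INFORMATION *pre = post->PreInformation;   /* CompleteName may be relative to RootObject */
    if (pre != NULL && pre->CompleteName != NULL) {
        size_t n = pre->CompleteName->Length / sizeof(wchar_t);
        if (n > cap - 1) n = cap - 1;
        wcsncpy(out, pre->CompleteName->Buffer, n); out[n] = L'\0';
        return NAME_FROM_PREINFO;
    }
    out[0] = L'\0'; return NAME_UNAVAILABLE;   /* pre-Vista structure: a failed attempt cannot be named */
}

int main(void)
{   /* Constructed events: a successful create, then a collision reported with pre-info. */
    KeyObjectModel created = { L"\\REGISTRY\\MACHINE\\SOFTWARE\\Example\\Created" };
    wchar_t wanted[] = L"\\REGISTRY\\MACHINE\\SOFTWARE\\Example\\Existing", buf[256];
    UNICODE_STRING name = { (unsigned short)(wcslen(wanted) * sizeof(wchar_t)), wanted };
    REG_CREATE_KEY_INFORMATION pre = { NULL, &name };
    REG_POST_OPERATION_INFORMATION ev[] = { { &created, STATUS_SUCCESS, &pre },
                                            { NULL, STATUS_OBJECT_NAME_COLLISION, &pre } };
    for (int i = 0; i < 2; i++) {
        int src = resolve_key_name(&ev[i], buf, 256);
        printf("status=0x%08lX nt_success=%d source=%d name=%ls\n",
               (unsigned long)(unsigned)ev[i].Status, NT_SUCCESS(ev[i].Status), src, buf);
    }
    return 0;
}
```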