ZwCreateKey returns random return value

I am writing a driver that monitors the changes made to the registry. In the RegNtPostCreateKey notification I want to check whether the key exists. To do this I tried using ZwCreateKey, ZwOpenKey and RtlCheckRegistryKey. But all these functions return random values which are not defined in NTSTATUS.H.

What might be the reason for the above problem?

Thanks in advance,
Anupam Godbole

What do you mean by “random”? Do you mean “doesn’t look like a valid NTSTATUS value”, for example 0x85e40c89? Or just not listed in ntstatus.h, but still looks like a valid status code?

Have you tried using “!error nnnnnnnn” in WinDbg (replacing nnnnnnnn with your error code, of course)? Also, NTDLL.DLL contains a message catalog for NTSTATUS codes. You can use this by calling the Win32 function FormatMessage, passing FORMAT_MESSAGE_FROM_HMODULE, and passing GetModuleByName(“NTDLL.DLL”) as the lpSource parameter. For example:

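#include <windows.h>
#include <winternl.h>   // NTSTATUS
#include <tchar.h>

BOOL GetNtStatusText(NTSTATUS Status, LPTSTR Buffer, INT MaxLength)
{
    // NTDLL.DLL is always loaded, so GetModuleHandle is sufficient here.
    HINSTANCE Ntdll = GetModuleHandle(_T("NTDLL.DLL"));
    // IGNORE_INSERTS: some messages contain %1-style inserts and no
    // argument array is supplied.
    INT Length = FormatMessage(
        FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS,
        Ntdll,
        (DWORD)Status,
        LANG_NEUTRAL,
        Buffer,
        MaxLength,
        NULL);
    if (Length == 0) {
        // lookup failed
        return FALSE;
    }

    // FormatMessage does NOT terminate the string.
    if (Length < MaxLength)
        Buffer[Length] = 0;
    else
        Buffer[MaxLength - 1] = 0;

    return TRUE;
}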

This is only usable from user-mode, of course. There are zillions of little utilities for looking up error codes; this is just a tiny little function that my fingers memorized a long time ago.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, April 26, 2007 7:08 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] ZwCreateKey returns random return value

I am writing a driver that monitors the changes made to the registry. In the RegNtPostCreateKey notification I want to check whether the key exists. To do this I tried using ZwCreateKey, ZwOpenKey and RtlCheckRegistryKey. But all these functions return random values which are not defined in NTSTATUS.H.

What might be the reason for the above problem?

Thanks in advance,
Anupam Godbole



The return value is surely not a valid NTSTATUS (e.g. 0x80879e0c). The code that I have written works fine in DriverEntry but doesn't work in the RegistryCallback routine.
DriverEntry is called in the system process context while the RegistryCallback is called in the user process context. Might that be the reason for the return of a random value?
I also checked the current IRQL; both DriverEntry and RegistryCallback are running at PASSIVE_LEVEL.
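
An added example, not code from any poster in this thread: a portable C decoder that splits a 32-bit value into the NTSTATUS fields laid out in the header comment of ntstatus.h, as one way to judge whether a value such as 0x85e40c89 or 0x80879e0c "looks like" a status code. The names nt_fields, nt_decode, nt_is_success and nt_describe are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS layout from the header comment of ntstatus.h:
 * bits 31-30 severity, bit 29 customer flag, bit 28 reserved,
 * bits 27-16 facility, bits 15-0 code. */
typedef struct {
    unsigned severity;  /* 0 success, 1 informational, 2 warning, 3 error */
    unsigned customer;  /* 1 = customer-defined, 0 = Microsoft-defined */
    unsigned reserved;
    unsigned facility;
    unsigned code;
} nt_fields;

nt_fields nt_decode(uint32_t status)
{
    nt_fields f;
    f.severity = (status >> 30) & 0x3u;
    f.customer = (status >> 29) & 0x1u;
    f.reserved = (status >> 28) & 0x1u;
    f.facility = (status >> 16) & 0xFFFu;
    f.code     = status & 0xFFFFu;
    return f;
}

/* Same test as the NT_SUCCESS() macro: top bit clear (severity 0 or 1). */
int nt_is_success(uint32_t status) { return (status >> 31) == 0; }

/* Writes a one-line breakdown into out; returns the snprintf result. */
int nt_describe(uint32_t status, char *out, size_t n)
{
    static const char *const sev[] = { "success", "informational", "warning", "error" };
    nt_fields f = nt_decode(status);
    return snprintf(out, n, "0x%08X severity=%s customer=%u facility=0x%03X code=0x%04X",
                    (unsigned)status, sev[f.severity], f.customer, f.facility, f.code);
}

int main(void)
{
    /* First value is STATUS_OBJECT_NAME_NOT_FOUND; the other two are quoted in the thread. */
    const uint32_t samples[] = { 0xC0000034u, 0x85E40C89u, 0x80879E0Cu };
    char line[96];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        nt_describe(samples[i], line, sizeof line);
        puts(line);
    }
    return 0;
}
```

The decoded facility can then be compared against the FACILITY_* definitions in ntstatus.h; a facility that matches none of them is a hint that the value was never a status code.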