ZwQueryKey/ZwEnumerateKey return status as -1073741816

Hi,

I am facing a problem querying/enumerating registry keys. I get a return
status code of -1073741816 and a ResultLength of 0. I could not find
help about the status code -1073741816. The same behavior happens for
the registry path of the driver object (DriverEntry 2nd argument).

Am I wrong in some basic concept?

Please see my below mentioned code.

UNICODE_STRING acpiRegPath;
OBJECT_ATTRIBUTES oa;
HANDLE hkey = NULL;
PKEY_FULL_INFORMATION fip = NULL;
ULONG size, size1;
NTSTATUS status;

RtlInitUnicodeString(&acpiRegPath, L"\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\RSDT");
InitializeObjectAttributes(&oa, &acpiRegPath, OBJ_CASE_INSENSITIVE, NULL, NULL);

status = ZwOpenKey(&hkey, KEY_READ, &oa);
if (NT_SUCCESS(status)) {
    status = ZwQueryKey(&hkey, KeyFullInformation, NULL, 0, &size); //Returns size=0, status= -1073741816
    status = ZwEnumerateKey(&hkey, 0, KeyFullInformation, NULL, 0, &size); //Returns size=0, status= -1073741816
    if (size > 0) {
        fip = (PKEY_FULL_INFORMATION)ExAllocatePool(PagedPool, size);
        RtlZeroMemory(fip, size);
        status = ZwEnumerateKey(&hkey, 0, KeyFullInformation, fip, size, &size1);
    }
}
ZwClose(hkey);

Please guide.

Thanks,

Aparna

Aparna,

I’m a little confused here. In your ZwQueryKey call, why is your third
parameter set to NULL? The DDK states this third parameter as follows:

Second, in your code, the second parameter is KeyFullInformation. Did
you set this up correctly?
The DDK states about this parameter:



I believe you need to review the documentation.

M.

> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

In your ZwEnumerateKey call, the DDK states the 4th parameter is an OUT
also. Once again, you’ve set this to NULL. The function is
prototyped as:

NTSTATUS
ZwEnumerateKey(
    IN HANDLE KeyHandle,
    IN ULONG Index,
    IN KEY_INFORMATION_CLASS KeyInformationClass,
    OUT PVOID KeyInformation,
    IN ULONG Length,
    OUT PULONG ResultLength
    );

M.

MM wrote:

> Aparna,
>
> I’m a little confused here. In your ZwQueryKey call, why is your third
> parameter set to NULL? The DDK states this third parameter as follows:
>
> Second, in your code, the second parameter is KeyFullInformation. Did
> you set this up correctly?
> The DDK states about this parameter:
>
> KeyInformationClass
> Specifies a KEY_INFORMATION_CLASS value that
> determines the type of information returned in the KeyInformation
> buffer.
>
> I believe you need to review the documentation.
>
> M.

Status is STATUS_INVALID_HANDLE, you have an additional ‘&’ in ZwQueryKey
and ZwEnumerateKey calls.

Apart from this there are some other bugs, as for example assuming
ExAllocatePool will be successful.

Thanks,
mK


> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Aparna Argade
> Sent: Friday, March 24, 2006 11:41
> To: Windows System Software Devs Interest List
> Subject: [ntdev] ZwQueryKey/ZwEnumerateKey return status as -1073741816


Hi again,

It was my silly mistake to pass &hkey instead of hkey to ZwQueryKey/
ZwEnumerateKey. Compiler should not have accepted my earlier code.

Anyway, now I have another question.

The KEY_BASIC_INFORMATION contains Name as not null-terminated Unicode
characters. If I want to use Name to open that key then I need null
terminated Unicode string. What is the smart way to handle Name
parameter?

Regards,

Aparna


> From: Aparna Argade
> Sent: Friday, March 24, 2006 4:11 PM
> To: ‘xxxxx@lists.osr.com’
> Subject: ZwQueryKey/ZwEnumerateKey return status as -1073741816


Why do you need a NULL terminated string? ZwQueryValueKey takes a PUNICODE_STRING. A UNICODE_STRING’s buffer does not need to be NULL, you just need to set the MaximumLength and Length fields properly during initialization.

d


> From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Aparna Argade
> Sent: Friday, March 24, 2006 4:45 AM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] ZwQueryKey/ZwEnumerateKey return status as -1073741816
>
> Hi again,
> It was my silly mistake to pass &hkey instead of hkey to ZwQueryKey/ ZwEnumerateKey. Compiler should not have accepted my earlier code.
> Anyway, now I have another question.
> The KEY_BASIC_INFORMATION contains Name as not null-terminated Unicode characters. If I want to use Name to open that key then I need null terminated Unicode string. What is the smart way to handle Name parameter?
> Regards,
> Aparna
>
> From: Aparna Argade
> Sent: Friday, March 24, 2006 4:11 PM
> To: ‘xxxxx@lists.osr.com’
> Subject: ZwQueryKey/ZwEnumerateKey return status as -1073741816


Aparna Argade wrote:

> Hi again,
>
> It was my silly mistake to pass &hkey instead of hkey to ZwQueryKey/
> ZwEnumerateKey. Compiler should not have accepted my earlier code.

HANDLE is defined as PVOID. A void* argument will silently accept any
pointer, even a void** or a void***. That’s why the user-mode include
files define HANDLE as a pointer to an incomplete structure.

When you print status codes, always use %08x instead of %d. All kernel
status codes are hex. In your case, you could have done this in a
calculator by figuring out 2^32 - 1073741816 and displaying the result
in hex. You would have got C0000008, which ntstatus.h would have told
you is STATUS_INVALID_HANDLE, as was pointed out.

> Anyway, now I have another question.
>
> The KEY_BASIC_INFORMATION contains Name as not null-terminated Unicode
> characters. If I want to use Name to open that key then I need null
> terminated Unicode string.

No, you don’t. You need a UNICODE_STRING, which is counted, not
zero-terminated.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
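
The conversion described in the reply above, as an added example (not code from any poster in this thread): it parses a status in whichever form it was logged and splits it into the NTSTATUS fields. The names `ntstatus_fields`, `parse_logged_status` and `status_is_success` are made up for this illustration, and it is plain user-mode C rather than driver code.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* NTSTATUS bit layout: 31-30 severity, 29 customer flag, 27-16 facility, 15-0 code. */
typedef struct {
    uint32_t raw;       /* the pattern that %08x prints */
    unsigned severity;  /* 0 success, 1 informational, 2 warning, 3 error */
    unsigned customer;
    unsigned facility;
    unsigned code;
} ntstatus_fields;

/* Parse a status as it appears in a log: "-1073741816" (%d), "3221225480" (%u)
   or "0xC0000008" (%x). Returns 0, or -1 if the text is not a 32-bit value. */
int parse_logged_status(const char *text, ntstatus_fields *out)
{
    char *end;
    long long v;

    errno = 0;
    v = strtoll(text, &end, 0);
    if (errno != 0 || end == text || *end != '\0')
        return -1;
    if (v < INT32_MIN || v > (long long)UINT32_MAX)
        return -1;
    out->raw = (uint32_t)v;  /* a negative %d value wraps to its 32-bit pattern */
    out->severity = out->raw >> 30;
    out->customer = (out->raw >> 29) & 1u;
    out->facility = (out->raw >> 16) & 0x0FFFu;
    out->code = out->raw & 0xFFFFu;
    return 0;
}

/* Same test as NT_SUCCESS: non-negative when read as a signed 32-bit value. */
int status_is_success(const ntstatus_fields *f)
{
    return (f->raw & 0x80000000u) == 0;
}

int main(void)
{
    ntstatus_fields f;
    if (parse_logged_status("-1073741816", &f) != 0)  /* value from the original post */
        return 1;
    printf("0x%08X severity=%u facility=0x%X code=0x%X success=%d\n",
           (unsigned)f.raw, f.severity, f.facility, f.code, status_is_success(&f));
    return 0;
}
```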

>help about the status code= -1073741816. The same behavior happens for

0xc0000008 - STATUS_INVALID_HANDLE

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> characters. If I want to use Name to open that key then I need null
> terminated Unicode string.

No, you will not. You will need OBJECT_ATTRIBUTES and the usual non-null
terminated UNICODE_STRING within it.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
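
An added example, not from any poster in this thread, of the point the replies above make about counted strings: it describes the key name in place from NameLength, validates that length against the size actually returned, and shows how far a terminator scan runs on the same buffer. `COUNTED_STRING` and `BASIC_INFO` are local stand-ins assumed to mirror the layout of UNICODE_STRING and KEY_BASIC_INFORMATION, the function names are made up, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Stand-ins assumed to mirror the WDK layout; NameLength is in bytes, Name has no terminator. */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } COUNTED_STRING;
typedef struct { int64_t LastWriteTime; uint32_t TitleIndex;
                 uint32_t NameLength; uint16_t Name[1]; } BASIC_INFO;
#define NAME_OFFSET offsetof(BASIC_INFO, Name)

/* Describe the name in place; `returned` plays the role of ResultLength. */
int name_from_basic_info(BASIC_INFO *info, size_t returned, COUNTED_STRING *out)
{
    if (returned < NAME_OFFSET || info->NameLength > returned - NAME_OFFSET)
        return -1;  /* name would extend past the data returned */
    if (info->NameLength > UINT16_MAX || (info->NameLength & 1u))
        return -1;  /* Length is a 16-bit byte count of whole WCHARs */
    out->Buffer = (uint16_t *)((unsigned char *)info + NAME_OFFSET);
    out->Length = out->MaximumLength = (uint16_t)info->NameLength;
    return 0;
}

/* What a terminator-based routine does: walk to a zero WCHAR or the limit. */
size_t chars_until_nul(const uint16_t *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != 0) n++;
    return n;
}

/* Constructed sample: "RSDT" followed by stale non-zero bytes. */
static union { BASIC_INFO info; unsigned char bytes[64]; } sample;
#define SAMPLE_ROOM ((sizeof sample.bytes - NAME_OFFSET) / 2)  /* WCHARs after header */
size_t make_sample(void)  /* returns the simulated ResultLength */
{
    static const uint16_t name[] = { 'R', 'S', 'D', 'T' };
    memset(sample.bytes, 0x41, sizeof sample.bytes);
    sample.info.NameLength = (uint32_t)sizeof name;
    memcpy(sample.bytes + NAME_OFFSET, name, sizeof name);
    return NAME_OFFSET + sizeof name;
}

int main(void)
{
    COUNTED_STRING us;
    if (name_from_basic_info(&sample.info, make_sample(), &us) != 0) return 1;
    printf("counted: %u, NUL scan: %zu\n", us.Length / 2u, chars_until_nul(us.Buffer, SAMPLE_ROOM));
    return 0;
}
```

In a driver the resulting counted string would be placed in OBJECT_ATTRIBUTES, as the last reply says, with no copy and no terminator appended.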