detecting volatile registry keys?

How to test that a given registry key
is volatile (by handle from user mode, or by
object pointer in kernel mode)?

– pa

What are you doing that would cause you to need to make this determination?

– S


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

A legal way is to call Zw/RegSaveKey on its parent key and then reimport the
created file in a temporary key and see if it contains the key in question.
Volatile keys are in memory only and will never be saved to disk.

The old-fashioned way, creating a non-volatile subkey of the key to see if
that returns ERROR_CHILD_MUST_BE_VOLATILE, is no longer functional: since
Win2000 or XP this just creates a volatile subkey even if not specified.

Other methods that I’m aware of rely on undocumented object manager and
configuration manager structures.

//Daniel
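
The save-and-reimport check described in the message above, sketched as an added example that is not part of the original thread. It uses `reg.exe save`/`load`/`unload` in place of direct RegSaveKey/RegLoadKey calls; the function name, the temporary mount-point name and the sample path are assumptions, and it must run elevated.

```powershell
# Added illustration, not code from the thread. Run from an elevated prompt:
# saving and loading hives needs backup and restore privileges.
function Test-RegistryKeyVolatile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ParentKey,   # e.g. HKLM\SOFTWARE\ExampleVendor
        [Parameter(Mandatory)] [string] $SubKeyName   # direct child to classify
    )

    # The child must exist in the live registry, otherwise "absent from the
    # saved copy" would tell us nothing.
    & reg.exe query "$ParentKey\$SubKeyName" *> $null
    if ($LASTEXITCODE -ne 0) { throw "Key not found: $ParentKey\$SubKeyName" }

    $hive   = Join-Path $env:TEMP ("volprobe_{0}.hiv" -f [guid]::NewGuid().ToString('N'))
    $mount  = "HKLM\VolProbe_$PID"     # hypothetical temporary mount point
    $loaded = $false
    try {
        # Step 1: save the parent key (and whatever reaches disk) to a file.
        & reg.exe save $ParentKey $hive /y *> $null
        if ($LASTEXITCODE -ne 0) { throw "reg save failed for $ParentKey" }

        # Step 2: re-import the file under a temporary key.
        & reg.exe load $mount $hive *> $null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hive" }
        $loaded = $true

        # Step 3: the saved parent is the root of the mounted hive, so a child
        # that was written to the file appears directly under the mount point.
        & reg.exe query "$mount\$SubKeyName" *> $null
        return ($LASTEXITCODE -ne 0)   # absent from the file => volatile
    }
    finally {
        # Always unmount and delete the hive file plus its .LOG companions.
        if ($loaded) { & reg.exe unload $mount *> $null }
        Remove-Item -Path "$hive*" -Force -ErrorAction SilentlyContinue
    }
}

# Usage (constructed path):
# Test-RegistryKeyVolatile -ParentKey 'HKLM\SOFTWARE\ExampleVendor' -SubKeyName 'Session'
```

The save covers the whole subtree of the parent, so pass the immediate parent of the key in question; the result reflects the registry at the moment of the save.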


Skywing wrote:
> What are you doing that would cause you to need to make this determination?

Something like just-in-time replication of registry changes.
If the key is volatile, I must indicate this in the copy.

I hoped that ZwQueryObject returns different values
in PUBLIC_OBJECT_BASIC_INFORMATION.Attributes for
normal and volatile keys, but no dice.

Thank you.

Pavel


Another method I overlooked: on Vista and later you can register a callback
with CmRegisterCallbackEx. Then you can create a subkey of the key and check
for the volatile flag in the CreateOptions of the REG_CREATE_KEY_INFORMATION
structure (for RegNtPreCreateKeyEx).

For pre Win2000 you can use the ERROR/STATUS_CHILD_MUST_BE_VOLATILE method
described in my other post.

This means you can limit your hacking to XP/2003 only and possibly some
editions of Windows 2000. Call ObOpenObjectByName, the CreateOptions can be
found in the ParseContext structure returned.

//Daniel


Thank you, Daniel.
Cm callback will work if these keys are created when my driver runs,
but I hoped to find how to test keys that already existed.

–pa

Yes, create a temporary non-volatile subkey of the key that already exists
and delete that afterwards. So if the new key is volatile, the existing key
is volatile too. If the new key is non-volatile, the existing key is
non-volatile too.

It is never possible to create a non-volatile subkey of a volatile key. On
the newer (since Win2000) operating systems, when you create a subkey of a
volatile key, it becomes a volatile subkey regardless of the CreateOptions
(and does not return STATUS_CHILD_MUST_BE_VOLATILE). To play it safe, and for
compatibility with older OSes, you can check for this error status regardless.

//Daniel

There exists no stable interface to do this that I know of, aside from trying to deploy observable-side-effect hacks as Daniel suggested.

– S

Too bad. And no way to test if key is a link to another location (like
CurrentControlSet -> ControlSet001)?

Thanks,
– pa


If you register a Cm callback, by the time you receive the key name,
normally all symbolic links have been resolved to their target path. If not,
that would be new to me, but you definitely receive the target path by
calling ObQueryNameString on an object pointer.

//Daniel


Same boat for that, as far as I know, unfortunately.

– S
