Hi,
I was writing a registry filter driver in Win 7 and encountered a very strange behavior when opening symbolic link key(“HKLM\Software\Wow6432Node\Classes”), which linked to key “HKLM\Software\Classes\Wow6432Node”. I used ZwOpenKeyEx API to open the key, it returned STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034). However, the key did exist and regedit.exe could open it correctly. The code was listed below:
Thanks for point it out. However, it’s actually my typo in the previous message, the path in my code is “\Registry\Machine\Software\Wow6432Node\Classes”, not “HKLM.…”.
BTW, I also tried use ZwOpenKey API without REG_OPTION_OPEN_LINK flag but still have the same result (0xC0000034).
I have solved this issue after some debugging. It turned out to be the Length field was not correct in the unicode string “RegKeyName”, which is quite wield.
Actually the “RegKeyName” in above code came from CM callback parameter (PREG_OPEN_KEY_INFORMATION)POpenInfo->CompleteName. However, the length(0xFE) of this Unicode string(CompleteName) was larger than the actual size (0x5C), which caused the key open failure issue.
So why was the (PREG_OPEN_KEY_INFORMATION)POpenInfo->CompleteName->Length not correct?
the CompleteName is correct unicode string. or you wrong look on it Length, or Length already was damaged by you or another filter. however CompleteName is out parameter (for object manager) and used only in post callback if REG_POST_OPERATION_INFORMATION.Status == STATUS_REPARSE true input key pat is (RootObject, RemainingName)