ZwOpenKeyEx failed when open symbolic link key

Hi,
I was writing a registry filter driver on Win 7 and encountered a very strange behavior when opening a symbolic link key (“HKLM\Software\Wow6432Node\Classes”), which is linked to the key “HKLM\Software\Classes\Wow6432Node”. I used the ZwOpenKeyEx API to open the key, and it returned STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034). However, the key did exist and regedit.exe could open it correctly. The code is listed below:

    UNICODE_STRING RegKeyName;

    RtlInitUnicodeString(&RegKeyName, L"HKLM\\Software\\Wow6432Node\\Classes");

    InitializeObjectAttributes(&RegKeyAttributes,
                               &RegKeyName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               PSecurityDescriptor);

    /* REG_OPTION_OPEN_LINK: open the symbolic link key itself */
    Status = ZwOpenKeyEx(&Key,
                         KEY_READ,
                         &RegKeyAttributes,
                         REG_OPTION_OPEN_LINK);

I also tried setting the OBJ_OPENLINK flag in RegKeyAttributes.Attributes but had no luck; the result was still the same.

Any help will be highly appreciated. Thanks!

Hi, Jason.

You should use "\Registry\Machine" instead of “HKLM”.
See the link below.

https://msdn.microsoft.com/en-us/library/ff560909.aspx

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br/en

Thanks for pointing it out. However, it was actually my typo in the previous message; the path in my code is “\Registry\Machine\Software\Wow6432Node\Classes”, not “HKLM.…”.

BTW, I also tried using the ZwOpenKey API without the REG_OPTION_OPEN_LINK flag but still got the same result (0xC0000034).

Any clue?

Thanks!

This node exists only on 64-bit systems. Do you build for a 64-bit kernel?

Yes, it’s built for Win 7 x64 target.

I have solved this issue after some debugging. It turned out that the Length field was not correct in the Unicode string “RegKeyName”, which is quite weird.

Actually, the “RegKeyName” in the above code came from the CM callback parameter (PREG_OPEN_KEY_INFORMATION)POpenInfo->CompleteName. However, the length (0xFE) of this Unicode string (CompleteName) was larger than the actual size (0x5C), which caused the key open failure.

So why was the (PREG_OPEN_KEY_INFORMATION)POpenInfo->CompleteName->Length not correct?

The CompleteName is a correct Unicode string. Either you are looking at its Length wrongly, or the Length was already damaged by you or another filter. However, CompleteName is an out parameter (for the object manager) and is used only in the post callback if REG_POST_OPERATION_INFORMATION.Status == STATUS_REPARSE. The true input key path is (RootObject, RemainingName).
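
The mismatch reported in the thread (a Length of 0xFE on a name whose text occupies 0x5C bytes) can be detected before a counted name is reused in an open call. The following is an added example, not code from any poster: a portable user-mode C illustration in which USTR, check_counted_name and make_sample are hypothetical names and the sample buffer is constructed. It assumes the bytes past the text are NUL, and treating a NUL inside Length as a mismatch is a policy choice of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Portable stand-in for the kernel UNICODE_STRING: both lengths are BYTE counts. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint16_t *Buffer;                 /* UTF-16 code units, not NUL-terminated */
} USTR;

typedef enum { NAME_OK, NAME_NO_BUFFER, NAME_ODD_LENGTH,
               NAME_OVER_MAX, NAME_NUL_INSIDE } NAME_CHECK;

/* Check a counted name; *text_bytes gets the byte count of the text before any NUL. */
NAME_CHECK check_counted_name(const USTR *s, uint16_t *text_bytes)
{
    *text_bytes = 0;
    if (s->Buffer == NULL)              return s->Length ? NAME_NO_BUFFER : NAME_OK;
    if (s->Length % sizeof(uint16_t))   return NAME_ODD_LENGTH;
    if (s->Length > s->MaximumLength)   return NAME_OVER_MAX;
    for (uint16_t i = 0; i < s->Length / 2; i++) {
        if (s->Buffer[i] == 0) {        /* Length claims more than the text holds */
            *text_bytes = (uint16_t)(i * 2);
            return NAME_NUL_INSIDE;
        }
    }
    *text_bytes = s->Length;
    return NAME_OK;
}

/* Constructed sample: widen an ASCII path into a zero-filled buffer, then set Length as claimed. */
static uint16_t g_buf[0x100 / 2];
USTR make_sample(const char *ascii, uint16_t claimed_len)
{
    USTR s = { claimed_len, (uint16_t)sizeof g_buf, g_buf };
    for (size_t i = 0; i < sizeof g_buf / 2; i++) g_buf[i] = 0;
    for (size_t i = 0; ascii[i] && i < sizeof g_buf / 2; i++) g_buf[i] = (uint8_t)ascii[i];
    return s;
}

int main(void)
{
    uint16_t n;
    USTR s = make_sample("\\Registry\\Machine\\Software\\Wow6432Node\\Classes", 0xFE);
    NAME_CHECK r = check_counted_name(&s, &n);
    printf("check=%d Length=0x%X text=0x%X\n", r, s.Length, n);
    return r == NAME_NUL_INSIDE ? 0 : 1;
}
```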