ZwEnumerateKey

The ZwEnumerateKey routine returns information about the subkeys of an open registry key.

NTSTATUS 
  ZwEnumerateKey(
    IN HANDLE  KeyHandle,
    IN ULONG  Index,
    IN KEY_INFORMATION_CLASS  KeyInformationClass,
    OUT PVOID  KeyInformation,
    IN ULONG  Length,
    OUT PULONG  ResultLength
    );

Parameters

KeyHandle

Handle to the registry key whose subkeys are to be enumerated. This handle is created by a successful call to ZwCreateKey or ZwOpenKey.

Index

Specifies the zero-based index of the subkey for which the information is requested.

KeyInformationClass

Specifies a KEY_INFORMATION_CLASS value that determines the type of information to be received by the KeyInformation buffer.

KeyInformation

Pointer to a caller-allocated buffer to receive the requested data. The KeyInformationClass parameter determines the type of data provided.

Length

Specifies the size, in bytes, of the KeyInformation buffer.

ResultLength

Pointer to a variable that receives the size, in bytes, of the registry key information. If the ZwEnumerateKey routine returns STATUS_SUCCESS, callers can use the value of this variable to determine the amount of data returned. If the routine returns STATUS_BUFFER_OVERFLOW or STATUS_BUFFER_TOO_SMALL, callers can use the value of this variable to determine the size of buffer required to hold the key information.

Headers

Declared in wdm.h and ntddk.h. Include wdm.h or ntddk.h.

Return Value

ZwEnumerateKey returns STATUS_SUCCESS on success, or the appropriate error code on failure. Possible error code values include:

STATUS_BUFFER_OVERFLOW

The buffer supplied is too small, and only partial data has been written to the buffer. *ResultLength is set to the minimum size required to hold the requested information.

STATUS_BUFFER_TOO_SMALL

The buffer supplied is too small, and no data has been written to the buffer. *ResultLength is set to the minimum size required to hold the requested information.

STATUS_INVALID_PARAMETER

The KeyInformationClass parameter is not a valid KEY_INFORMATION_CLASS value.

STATUS_NO_MORE_ENTRIES

The Index value is out of range for the registry key specified by KeyHandle. For example, if a key has n subkeys, then for any value greater than n-1the routine returns STATUS_NO_MORE_ENTRIES.

Comments

The KeyHandle passed to ZwEnumerateKey must have been opened with the KEY_ENUMERATE_SUB_KEYS DesiredAccess flag set for this call to succeed. For a description of possible values for DesiredAccess, see ZwCreateKey.

The Index parameter is simply a way to select among subkeys of the key referred to by the KeyHandle. Two calls to ZwEnumerateKey with the same Index are not guaranteed to return the same result.

Callers of ZwEnumerateKey must be running at IRQL = PASSIVE_LEVEL.

See Also

KEY_BASIC_INFORMATION, KEY_FULL_INFORMATION, KEY_INFORMATION_CLASS, KEY_NODE_INFORMATION, RtlCheckRegistryKey, RtlCreateRegistryKey, RtlDeleteRegistryValue, RtlQueryRegistryValues, RtlWriteRegistryValue, ZwCreateKey, ZwEnumerateValueKey, ZwOpenKey