ZwQueryKey

The ZwQueryKey routine provides data about the class of a key, and the number and sizes of its subkeys.

NTSTATUS 
  ZwQueryKey(
    IN HANDLE  KeyHandle,
    IN KEY_INFORMATION_CLASS  KeyInformationClass,
    OUT PVOID  KeyInformation,
    IN ULONG  Length,
    OUT PULONG  ResultLength
    );

Parameters

KeyHandle

Handle to the registry key to be queried. This handle is created by a successful call to ZwCreateKey or ZwOpenKey.

KeyInformationClass

Specifies a KEY_INFORMATION_CLASS value that determines the type of information returned in the KeyInformation buffer.

KeyInformation

Pointer to a caller-allocated buffer to receive the requested data.

Length

Specifies the size, in bytes, of the KeyInformation buffer.

ResultLength

Pointer to a variable that receives the size, in bytes, of the key information. If the ZwQueryKey routine returns STATUS_SUCCESS, callers can use the value of this variable to determine the amount of data returned. If the routine returns STATUS_BUFFER_OVERFLOW or STATUS_BUFFER_TOO_SMALL, callers can use the value of this variable to determine the size of buffer required to hold the key information.

Headers

Declared in wdm.h and ntddk.h. Include wdm.h or ntddk.h.

Return Value

ZwQueryKey returns STATUS_SUCCESS on success, or the appropriate error code on failure. Possible error code values include:

STATUS_BUFFER_OVERFLOW

The buffer supplied is too small, and only partial data has been written to the buffer. *ResultLength is set to the minimum size required to hold the requested information.

STATUS_BUFFER_TOO_SMALL

The buffer supplied is too small, and no data has been written to the buffer. *ResultLength is set to the minimum size required to hold the requested information.

STATUS_INVALID_PARAMETER

The KeyInformationClass parameter is not a valid KEY_INFORMATION_CLASS value.

Comments

The KeyHandle handle passed to ZwQueryKey must have been opened with the KEY_QUERY_KEY DesiredAccess flag set for this call to succeed. For a description of possible values for DesiredAccess, see ZwCreateKey.

ZwQueryKey returns information about the size of the value entries, the number of subkeys, and the length of their names that its caller can use to allocate buffers for registry data.

For example, a successful caller of ZwQueryKey might allocate a buffer for a subkey, call ZwEnumerateKey to get the name of the subkey, and pass that name to an RtlXxxRegistry routine.

Callers of ZwQueryKey must be running at IRQL = PASSIVE_LEVEL.

See Also

KEY_BASIC_INFORMATION, KEY_FULL_INFORMATION, KEY_INFORMATION_CLASS, KEY_NODE_INFORMATION, ZwClose, ZwEnumerateKey, ZwOpenKey