My file system filter driver needs to read an unknown number of strings
from the registry at start-up.
These are in the key
\Registry\Machine\System\CurrentControlSet\Services\FileSystemFilterDriv
er\Directories.
I am trying to call ZwEnumerateValue key in a loop until this returns
STATUS_NO_MORE_ENTRIES.
How do I extract the registry data for each value into a unicode string?
Here is my code:
VOID
ReadDriverParameters (
IN PUNICODE_STRING RegistryPath
)
{
OBJECT_ATTRIBUTES attributes;
OBJECT_ATTRIBUTES oa;
HANDLE driverRegKey;
HANDLE driverParamsRegKey;
NTSTATUS status;
UNICODE_STRING subDirName;
ULONG i;
PKEY_VALUE_BASIC_INFORMATION dirInfo = NULL;
PAGED_CODE();
//Get a handle to the registry root path for our driver
InitializeObjectAttributes( &attributes,
RegistryPath,
OBJ_CASE_INSENSITIVE,
NULL,
NULL );
status = ZwOpenKey( &driverRegKey,
KEY_READ,
&attributes );
//The drivers parameters are in a sub-key named Directories
RtlInitUnicodeString( &subDirName, L"Directories" );
//Open the Directories sub-key
InitializeObjectAttributes( &oa,
&subDirName,
OBJ_CASE_INSENSITIVE,
driverRegKey, //HANDLE
NULL );
//Open the subkey and get a handle to it
status = ZwOpenKey( &driverParamsRegKey,
KEY_READ,
&oa );
if (!NT_SUCCESS( status ))
{
DbgPrint(“!!! FileSystemFilterDriver.sys – failed to open directories
registry sub-key %X\n”,status);
return;
}
//Loop through the sub-key and read all the directory names
i = 0;
while (TRUE)
{
NTSTATUS status;
ULONG nbytes;
status = ZwEnumerateValueKey(
driverParamsRegKey,
i,
KeyValueBasicInformation,
dirInfo,
sizeof(dirInfo),
&nbytes
);
if (status == STATUS_NO_MORE_ENTRIES) {
DbgPrint(“!!! FileSystemFilterDriver.sys – ReadDriverParameters -
STATUS_NO_MORE_ENTRIES\n”);
break;
}
if (status == STATUS_BUFFER_OVERFLOW) {
DbgPrint(“!!! FileSystemFilterDriver.sys – failed to read directories -
STATUS_BUFFER_OVERFLOW\n”);
i++;
continue;
}
//Store the name from DirInfo into a UNICODE_STRING
//Read the next value
i++;
}
// Close the registry handle
ZwClose(driverParamsRegKey);
}
Jonathan Oliver
WinST
BAE Systems Insyte
********************************************************************
This email and any attachments are confidential to the intended
recipient and may also be privileged. If you are not the intended
recipient please delete it from your system and notify the sender.
You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.
********************************************************************