Reading an INI file from the kernel driver (?)

Posted on 2006-11-26
Last Modified: 2011-09-20
Hi, I've read the question/answers located here:
and in general I'm aware that in the kernel mode driver you are not allowed to use CreateFile.

But, I need to read the ini file (or registry if possible) at the system startup (when the driver loads for the first time). How is this possible, if it is :)

Thanx a lot.
P.S. I've placed the 500 points for this because I think it's worth that amount.
Question by:nepostojeci_email
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 48

Accepted Solution

AlexFM earned 168 total points
ID: 18014190
To read file in kernel mode see the following functions:

I don't think that there are functions for handling ini files in kernel mode.

Usually driver-related data is kept in the Registry. The following functions can be used to access Registry:
... other functions

Do you have Walter Oney's book "Programming the Microsoft Windows Driver Model"? It contains working samples for these topics. This is possibly the only drivers book which contains really working sample code, I suggest you to buy it.
If you don't have this book, make search for these functions in
LVL 48

Expert Comment

ID: 18014305
LVL 86

Assisted Solution

jkr earned 166 total points
ID: 18014664
Accessing registry keys without Win32 APIs is way different. Sysinternals had some code that demonstrated how to do this, however, that is no longer available online. The scoop is to

    NTSTATUS ntStatus;

    WCHAR awcBaseKey [] = L"\\Registry\\Machine\\SOFTWARE\\MyProduct";
    WCHAR awcDataKey [] = L"MySettingsSubKey";
    HANDLE hBaseKey = NULL;
    HANDLE hDataKey = NULL;

    ULONG ulDisposition;

    // Open the base key

    KeyName.Buffer = awcBaseKey;
    KeyName.Length = (USHORT) wcslen (awcBaseKey) * sizeof (WCHAR);

    InitializeObjectAttributes(&oa, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    ntStatus = ZwCreateKey(&hBaseKey, KEY_ALL_ACCESS, &oa, 0,  NULL, REG_OPTION_NON_VOLATILE, &ulDisposition);

    if(!NT_SUCCESS (ntStatus)) {

        // error

    __try {

        // Open the storage key

        DataKeyName.Buffer = awcDataKey;
        DataKeyName.Length = (USHORT) (wcslen (awcDataKey)) * sizeof (WCHAR);

        InitializeObjectAttributes (&oa, &DataKeyName, OBJ_CASE_INSENSITIVE, hBaseKey, NULL);

        ntStatus = ZwCreateKey (&hDataKey, KEY_ALL_ACCESS, &oa, 0, NULL, REG_OPTION_NON_VOLATILE, &ulDisposition);

        if(!NT_SUCCESS (ntStatus)) {

            // error


    } __finally {

        ZwClose (hBaseKey);

    WCHAR awcDataValue[]    = L"MySettings";


    __try {

        // Read the stored value

        ValueName.Buffer = awcDataValue;
        ValueName.Length = (USHORT) (wcslen (awcDataValue)) * sizeof (WCHAR);
        ULONG ulNeeded;

        size_t szkvi = sizeof (KEY_VALUE_PARTIAL_INFORMATION);
        pkvi = (KEY_VALUE_PARTIAL_INFORMATION*) new BYTE [szkvi];

        ZeroMemory (pkvi, sizeof (KEY_VALUE_PARTIAL_INFORMATION));
        pkvi->Type = REG_BINARY;

        // Query necessary size first
        ntStatus = ZwQueryValueKey (hDataKey, &ValueName, KeyValuePartialInformation, pkvi, (ULONG) szkvi, &ulNeeded);

        //  Not present
        if (STATUS_OBJECT_NAME_NOT_FOUND == ntStatus) {

            // error


        if (ntStatus != STATUS_BUFFER_TOO_SMALL && ntStatus != STATUS_BUFFER_OVERFLOW) {

            // error


        delete [] pkvi;
        szkvi = sizeof (KEY_VALUE_PARTIAL_INFORMATION) + ulNeeded;
        pkvi = (KEY_VALUE_PARTIAL_INFORMATION*) new BYTE [szkvi];
        ZeroMemory (pkvi, szkvi);
        pkvi->Type = REG_BINARY;

        // Finally, read value
        ntStatus = ZwQueryValueKey (hDataKey, &ValueName, KeyValuePartialInformation, pkvi, (ULONG) szkvi, &ulNeeded);

        if(!NT_SUCCESS (ntStatus)) {

            // error


    } __finally {

        delete [] pkvi;

        ZwClose (hDataKey);
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 30

Assisted Solution

Axter earned 166 total points
ID: 18014829
>>WCHAR awcBaseKey [] = L"\\Registry\\Machine\\SOFTWARE\\MyProduct";

Instead of using a string literal, you could use the path that is passed in to the DriverEntry function.
DriverEntry(IN PDRIVER_OBJECT DriverObject,
                  IN PUNICODE_STRING RegistryPath) // ***** use this value ******

This value will change according to your driver, so it makes it a little more portable.
Example reg path:

In my GetRegistrySettings function, I have a static variable that stores the RegistryPath value, so that the function can be called again from outside of DriverEntry without knowning the path value.

VOID GetRegistrySettings (IN PUNICODE_STRING RegistryPath_Input)
      OBJECT_ATTRIBUTES attributes;
      HANDLE driverRegKey;
      NTSTATUS status;
      ULONG resultLength;
      UNICODE_STRING valueName;
      UCHAR bufferPath[MAX_PATH * sizeof(WCHAR)] = {0};
      WCHAR *buffer = (WCHAR *)bufferPath;

      static UNICODE_STRING RegistryPath = {0, 0, 0}; // ****** Make sure this is STATIC *****

      if (RegistryPath_Input == NULL && RegistryPath.Buffer == NULL)
            return; //Should never reach this point unless NULL value passed first time called

      if (RegistryPath.Buffer == NULL)
            RegistryPath.Buffer = ExAllocatePoolWithTag(NonPagedPool,  (RegistryPath_Input->MaximumLength + 2) * sizeof(WCHAR), '6_H');
            if (RegistryPath.Buffer == NULL)
            RegistryPath.Length                        = RegistryPath_Input->Length;
            RegistryPath.MaximumLength            = RegistryPath_Input->MaximumLength;
            wcsncpy(RegistryPath.Buffer,RegistryPath_Input->Buffer, RegistryPath.Length      / 2 );
            RegistryPath.Buffer[RegistryPath_Input->Length / 2] = 0;

      InitializeObjectAttributes( &attributes,
            NULL );

      status = ZwOpenKey( &driverRegKey,
            &attributes );

      if (!NT_SUCCESS( status )) {

      RtlInitUnicodeString( &valueName, L"DEBUG_LOGGING_ON" );
      status = ZwQueryValueKey( driverRegKey,
            &resultLength );

      if (NT_SUCCESS( status ))
            if (((PKEY_VALUE_PARTIAL_INFORMATION) bufferPath)->Data[0] == 'Y')
                  GXHSM_DIAG_MODE_ON = TRUE;
                  RelLoggingInfo("Turning on DiagMode\n");
                  GXHSM_DIAG_MODE_ON = FALSE;
                  DbgPrintInfo("DiagMode is OFF\n");

You could easily change the above function so as to take a second argument that would specify the specific registry field to retrieve.
LVL 30

Expert Comment

ID: 18014860
I have macros that use the global GXHSM_DIAG_MODE_ON for determining if logging occurs.
#if DBG //Dbg macros only log when debug version is compiled

#define DbgPrintInfo                        DbgPrint( "%p: (%5.5i) [%s] [Info]", KeGetCurrentThread(), __LINE__, __FUNCTION__);DbgPrint

//The Release log macros always log on debug version, and only log on release when switch is turned on
#define RelLoggingErrCond                  DbgPrint( "(%5.5i) [%s] [Error Condition ~~~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint
#define RelLoggingWarn                        DbgPrint( "(%5.5i) [%s] [Warning ~~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint
#define RelLoggingInfo                        DbgPrint( "(%5.5i) [%s] [Info ~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint

#else //Release macros log only when GXHSM_DIAG_MODE_ON is set to true

#define RelLoggingErrCond                  if (GXHSM_DIAG_MODE_ON) DbgPrint( "(%5.5i) [%s] [Error Condition ~~~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint
#define RelLoggingWarn                        if (GXHSM_DIAG_MODE_ON) DbgPrint( "(%5.5i) [%s] [Warning ~~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint
#define RelLoggingInfo                        if (GXHSM_DIAG_MODE_ON) DbgPrint( "(%5.5i) [%s] [Info ~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint

//This macro does nothing in release mode
#define DbgPrintInfo if (1);else DbgPrint

#endif // end DBG

If you use DebugView from Sysinternals, you can easily view above logging without having to boot the machine in special mode.
With my dirver, I'm able to turn the logging on and off without having to reboot the machine.

Author Comment

ID: 18014995
Thanks a lot guys, these answers were very helpful for me.
Let me just try out these and I'll close this question.
Thanks for your help.

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Errors will happen. It is a fact of life for the programmer. How and when errors are detected have a great impact on quality and cost of a product. It is better to detect errors at compile time, when possible and practical. Errors that make their wa…
  Included as part of the C++ Standard Template Library (STL) is a collection of generic containers. Each of these containers serves a different purpose and has different pros and cons. It is often difficult to decide which container to use and …
The viewer will be introduced to the technique of using vectors in C++. The video will cover how to define a vector, store values in the vector and retrieve data from the values stored in the vector.
The viewer will be introduced to the member functions push_back and pop_back of the vector class. The video will teach the difference between the two as well as how to use each one along with its functionality.

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question