Reading an INI file from the kernel driver (?)

Posted on 2006-11-26
Last Modified: 2011-09-20
Hi, I've read the question/answers located here:
and in general I'm aware that in the kernel mode driver you are not allowed to use CreateFile.

But, I need to read the ini file (or registry if possible) at the system startup (when the driver loads for the first time). How is this possible, if it is :)

Thanx a lot.
P.S. I've placed the 500 points for this because I think it's worth that amount.
Question by:nepostojeci_email
LVL 48

Accepted Solution

AlexFM earned 168 total points
ID: 18014190
To read file in kernel mode see the following functions:

I don't think that there are functions for handling ini files in kernel mode.

Usually driver-related data is kept in the Registry. The following functions can be used to access Registry:
... other functions

Do you have Walter Oney's book "Programming the Microsoft Windows Driver Model"? It contains working samples for these topics. This is possibly the only drivers book which contains really working sample code, I suggest you to buy it.
If you don't have this book, make search for these functions in
LVL 48

Expert Comment

ID: 18014305
LVL 86

Assisted Solution

jkr earned 166 total points
ID: 18014664
Accessing registry keys without Win32 APIs is way different. Sysinternals had some code that demonstrated how to do this, however, that is no longer available online. The scoop is to

    NTSTATUS ntStatus;

    WCHAR awcBaseKey [] = L"\\Registry\\Machine\\SOFTWARE\\MyProduct";
    WCHAR awcDataKey [] = L"MySettingsSubKey";
    HANDLE hBaseKey = NULL;
    HANDLE hDataKey = NULL;

    ULONG ulDisposition;

    // Open the base key

    KeyName.Buffer = awcBaseKey;
    KeyName.Length = (USHORT) wcslen (awcBaseKey) * sizeof (WCHAR);

    InitializeObjectAttributes(&oa, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    ntStatus = ZwCreateKey(&hBaseKey, KEY_ALL_ACCESS, &oa, 0,  NULL, REG_OPTION_NON_VOLATILE, &ulDisposition);

    if(!NT_SUCCESS (ntStatus)) {

        // error

    __try {

        // Open the storage key

        DataKeyName.Buffer = awcDataKey;
        DataKeyName.Length = (USHORT) (wcslen (awcDataKey)) * sizeof (WCHAR);

        InitializeObjectAttributes (&oa, &DataKeyName, OBJ_CASE_INSENSITIVE, hBaseKey, NULL);

        ntStatus = ZwCreateKey (&hDataKey, KEY_ALL_ACCESS, &oa, 0, NULL, REG_OPTION_NON_VOLATILE, &ulDisposition);

        if(!NT_SUCCESS (ntStatus)) {

            // error


    } __finally {

        ZwClose (hBaseKey);

    WCHAR awcDataValue[]    = L"MySettings";


    __try {

        // Read the stored value

        ValueName.Buffer = awcDataValue;
        ValueName.Length = (USHORT) (wcslen (awcDataValue)) * sizeof (WCHAR);
        ULONG ulNeeded;

        size_t szkvi = sizeof (KEY_VALUE_PARTIAL_INFORMATION);
        pkvi = (KEY_VALUE_PARTIAL_INFORMATION*) new BYTE [szkvi];

        ZeroMemory (pkvi, sizeof (KEY_VALUE_PARTIAL_INFORMATION));
        pkvi->Type = REG_BINARY;

        // Query necessary size first
        ntStatus = ZwQueryValueKey (hDataKey, &ValueName, KeyValuePartialInformation, pkvi, (ULONG) szkvi, &ulNeeded);

        //  Not present
        if (STATUS_OBJECT_NAME_NOT_FOUND == ntStatus) {

            // error


        if (ntStatus != STATUS_BUFFER_TOO_SMALL && ntStatus != STATUS_BUFFER_OVERFLOW) {

            // error


        delete [] pkvi;
        szkvi = sizeof (KEY_VALUE_PARTIAL_INFORMATION) + ulNeeded;
        pkvi = (KEY_VALUE_PARTIAL_INFORMATION*) new BYTE [szkvi];
        ZeroMemory (pkvi, szkvi);
        pkvi->Type = REG_BINARY;

        // Finally, read value
        ntStatus = ZwQueryValueKey (hDataKey, &ValueName, KeyValuePartialInformation, pkvi, (ULONG) szkvi, &ulNeeded);

        if(!NT_SUCCESS (ntStatus)) {

            // error


    } __finally {

        delete [] pkvi;

        ZwClose (hDataKey);
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

LVL 30

Assisted Solution

Axter earned 166 total points
ID: 18014829
>>WCHAR awcBaseKey [] = L"\\Registry\\Machine\\SOFTWARE\\MyProduct";

Instead of using a string literal, you could use the path that is passed in to the DriverEntry function.
DriverEntry(IN PDRIVER_OBJECT DriverObject,
                  IN PUNICODE_STRING RegistryPath) // ***** use this value ******

This value will change according to your driver, so it makes it a little more portable.
Example reg path:

In my GetRegistrySettings function, I have a static variable that stores the RegistryPath value, so that the function can be called again from outside of DriverEntry without knowning the path value.

VOID GetRegistrySettings (IN PUNICODE_STRING RegistryPath_Input)
      OBJECT_ATTRIBUTES attributes;
      HANDLE driverRegKey;
      NTSTATUS status;
      ULONG resultLength;
      UNICODE_STRING valueName;
      UCHAR bufferPath[MAX_PATH * sizeof(WCHAR)] = {0};
      WCHAR *buffer = (WCHAR *)bufferPath;

      static UNICODE_STRING RegistryPath = {0, 0, 0}; // ****** Make sure this is STATIC *****

      if (RegistryPath_Input == NULL && RegistryPath.Buffer == NULL)
            return; //Should never reach this point unless NULL value passed first time called

      if (RegistryPath.Buffer == NULL)
            RegistryPath.Buffer = ExAllocatePoolWithTag(NonPagedPool,  (RegistryPath_Input->MaximumLength + 2) * sizeof(WCHAR), '6_H');
            if (RegistryPath.Buffer == NULL)
            RegistryPath.Length                        = RegistryPath_Input->Length;
            RegistryPath.MaximumLength            = RegistryPath_Input->MaximumLength;
            wcsncpy(RegistryPath.Buffer,RegistryPath_Input->Buffer, RegistryPath.Length      / 2 );
            RegistryPath.Buffer[RegistryPath_Input->Length / 2] = 0;

      InitializeObjectAttributes( &attributes,
            NULL );

      status = ZwOpenKey( &driverRegKey,
            &attributes );

      if (!NT_SUCCESS( status )) {

      RtlInitUnicodeString( &valueName, L"DEBUG_LOGGING_ON" );
      status = ZwQueryValueKey( driverRegKey,
            &resultLength );

      if (NT_SUCCESS( status ))
            if (((PKEY_VALUE_PARTIAL_INFORMATION) bufferPath)->Data[0] == 'Y')
                  GXHSM_DIAG_MODE_ON = TRUE;
                  RelLoggingInfo("Turning on DiagMode\n");
                  GXHSM_DIAG_MODE_ON = FALSE;
                  DbgPrintInfo("DiagMode is OFF\n");

You could easily change the above function so as to take a second argument that would specify the specific registry field to retrieve.
LVL 30

Expert Comment

ID: 18014860
I have macros that use the global GXHSM_DIAG_MODE_ON for determining if logging occurs.
#if DBG //Dbg macros only log when debug version is compiled

#define DbgPrintInfo                        DbgPrint( "%p: (%5.5i) [%s] [Info]", KeGetCurrentThread(), __LINE__, __FUNCTION__);DbgPrint

//The Release log macros always log on debug version, and only log on release when switch is turned on
#define RelLoggingErrCond                  DbgPrint( "(%5.5i) [%s] [Error Condition ~~~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint
#define RelLoggingWarn                        DbgPrint( "(%5.5i) [%s] [Warning ~~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint
#define RelLoggingInfo                        DbgPrint( "(%5.5i) [%s] [Info ~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint

#else //Release macros log only when GXHSM_DIAG_MODE_ON is set to true

#define RelLoggingErrCond                  if (GXHSM_DIAG_MODE_ON) DbgPrint( "(%5.5i) [%s] [Error Condition ~~~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint
#define RelLoggingWarn                        if (GXHSM_DIAG_MODE_ON) DbgPrint( "(%5.5i) [%s] [Warning ~~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint
#define RelLoggingInfo                        if (GXHSM_DIAG_MODE_ON) DbgPrint( "(%5.5i) [%s] [Info ~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint

//This macro does nothing in release mode
#define DbgPrintInfo if (1);else DbgPrint

#endif // end DBG

If you use DebugView from Sysinternals, you can easily view above logging without having to boot the machine in special mode.
With my dirver, I'm able to turn the logging on and off without having to reboot the machine.

Author Comment

ID: 18014995
Thanks a lot guys, these answers were very helpful for me.
Let me just try out these and I'll close this question.
Thanks for your help.

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Often, when implementing a feature, you won't know how certain events should be handled at the point where they occur and you'd rather defer to the user of your function or class. For example, a XML parser will extract a tag from the source code, wh…
Introduction This article is a continuation of the C/C++ Visual Studio Express debugger series. Part 1 provided a quick start guide in using the debugger. Part 2 focused on additional topics in breakpoints. As your assignments become a little more …
The goal of the video will be to teach the user the concept of local variables and scope. An example of a locally defined variable will be given as well as an explanation of what scope is in C++. The local variable and concept of scope will be relat…
The goal of the video will be to teach the user the difference and consequence of passing data by value vs passing data by reference in C++. An example of passing data by value as well as an example of passing data by reference will be be given. Bot…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now