Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Reading an INI file from the kernel driver (?)

Posted on 2006-11-26
Last Modified: 2011-09-20
Hi, I've read the question/answers located here:
and in general I'm aware that in the kernel mode driver you are not allowed to use CreateFile.

But, I need to read the ini file (or registry if possible) at the system startup (when the driver loads for the first time). How is this possible, if it is :)

Thanx a lot.
P.S. I've placed the 500 points for this because I think it's worth that amount.
Question by:nepostojeci_email
LVL 48

Accepted Solution

AlexFM earned 168 total points
ID: 18014190
To read file in kernel mode see the following functions:

I don't think that there are functions for handling ini files in kernel mode.

Usually driver-related data is kept in the Registry. The following functions can be used to access Registry:
... other functions

Do you have Walter Oney's book "Programming the Microsoft Windows Driver Model"? It contains working samples for these topics. This is possibly the only drivers book which contains really working sample code, I suggest you to buy it.
If you don't have this book, make search for these functions in www.osronline.com.
LVL 48

Expert Comment

ID: 18014305
LVL 86

Assisted Solution

jkr earned 166 total points
ID: 18014664
Accessing registry keys without Win32 APIs is way different. Sysinternals had some code that demonstrated how to do this, however, that is no longer available online. The scoop is to

    NTSTATUS ntStatus;

    WCHAR awcBaseKey [] = L"\\Registry\\Machine\\SOFTWARE\\MyProduct";
    WCHAR awcDataKey [] = L"MySettingsSubKey";
    HANDLE hBaseKey = NULL;
    HANDLE hDataKey = NULL;

    ULONG ulDisposition;

    // Open the base key

    KeyName.Buffer = awcBaseKey;
    KeyName.Length = (USHORT) wcslen (awcBaseKey) * sizeof (WCHAR);

    InitializeObjectAttributes(&oa, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    ntStatus = ZwCreateKey(&hBaseKey, KEY_ALL_ACCESS, &oa, 0,  NULL, REG_OPTION_NON_VOLATILE, &ulDisposition);

    if(!NT_SUCCESS (ntStatus)) {

        // error

    __try {

        // Open the storage key

        DataKeyName.Buffer = awcDataKey;
        DataKeyName.Length = (USHORT) (wcslen (awcDataKey)) * sizeof (WCHAR);

        InitializeObjectAttributes (&oa, &DataKeyName, OBJ_CASE_INSENSITIVE, hBaseKey, NULL);

        ntStatus = ZwCreateKey (&hDataKey, KEY_ALL_ACCESS, &oa, 0, NULL, REG_OPTION_NON_VOLATILE, &ulDisposition);

        if(!NT_SUCCESS (ntStatus)) {

            // error


    } __finally {

        ZwClose (hBaseKey);

    WCHAR awcDataValue[]    = L"MySettings";


    __try {

        // Read the stored value

        ValueName.Buffer = awcDataValue;
        ValueName.Length = (USHORT) (wcslen (awcDataValue)) * sizeof (WCHAR);
        ULONG ulNeeded;

        size_t szkvi = sizeof (KEY_VALUE_PARTIAL_INFORMATION);
        pkvi = (KEY_VALUE_PARTIAL_INFORMATION*) new BYTE [szkvi];

        ZeroMemory (pkvi, sizeof (KEY_VALUE_PARTIAL_INFORMATION));
        pkvi->Type = REG_BINARY;

        // Query necessary size first
        ntStatus = ZwQueryValueKey (hDataKey, &ValueName, KeyValuePartialInformation, pkvi, (ULONG) szkvi, &ulNeeded);

        //  Not present
        if (STATUS_OBJECT_NAME_NOT_FOUND == ntStatus) {

            // error


        if (ntStatus != STATUS_BUFFER_TOO_SMALL && ntStatus != STATUS_BUFFER_OVERFLOW) {

            // error


        delete [] pkvi;
        szkvi = sizeof (KEY_VALUE_PARTIAL_INFORMATION) + ulNeeded;
        pkvi = (KEY_VALUE_PARTIAL_INFORMATION*) new BYTE [szkvi];
        ZeroMemory (pkvi, szkvi);
        pkvi->Type = REG_BINARY;

        // Finally, read value
        ntStatus = ZwQueryValueKey (hDataKey, &ValueName, KeyValuePartialInformation, pkvi, (ULONG) szkvi, &ulNeeded);

        if(!NT_SUCCESS (ntStatus)) {

            // error


    } __finally {

        delete [] pkvi;

        ZwClose (hDataKey);
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

LVL 30

Assisted Solution

Axter earned 166 total points
ID: 18014829
>>WCHAR awcBaseKey [] = L"\\Registry\\Machine\\SOFTWARE\\MyProduct";

Instead of using a string literal, you could use the path that is passed in to the DriverEntry function.
DriverEntry(IN PDRIVER_OBJECT DriverObject,
                  IN PUNICODE_STRING RegistryPath) // ***** use this value ******

This value will change according to your driver, so it makes it a little more portable.
Example reg path:

In my GetRegistrySettings function, I have a static variable that stores the RegistryPath value, so that the function can be called again from outside of DriverEntry without knowning the path value.

VOID GetRegistrySettings (IN PUNICODE_STRING RegistryPath_Input)
      OBJECT_ATTRIBUTES attributes;
      HANDLE driverRegKey;
      NTSTATUS status;
      ULONG resultLength;
      UNICODE_STRING valueName;
      UCHAR bufferPath[MAX_PATH * sizeof(WCHAR)] = {0};
      WCHAR *buffer = (WCHAR *)bufferPath;

      static UNICODE_STRING RegistryPath = {0, 0, 0}; // ****** Make sure this is STATIC *****

      if (RegistryPath_Input == NULL && RegistryPath.Buffer == NULL)
            return; //Should never reach this point unless NULL value passed first time called

      if (RegistryPath.Buffer == NULL)
            RegistryPath.Buffer = ExAllocatePoolWithTag(NonPagedPool,  (RegistryPath_Input->MaximumLength + 2) * sizeof(WCHAR), '6_H');
            if (RegistryPath.Buffer == NULL)
            RegistryPath.Length                        = RegistryPath_Input->Length;
            RegistryPath.MaximumLength            = RegistryPath_Input->MaximumLength;
            wcsncpy(RegistryPath.Buffer,RegistryPath_Input->Buffer, RegistryPath.Length      / 2 );
            RegistryPath.Buffer[RegistryPath_Input->Length / 2] = 0;

      InitializeObjectAttributes( &attributes,
            NULL );

      status = ZwOpenKey( &driverRegKey,
            &attributes );

      if (!NT_SUCCESS( status )) {

      RtlInitUnicodeString( &valueName, L"DEBUG_LOGGING_ON" );
      status = ZwQueryValueKey( driverRegKey,
            &resultLength );

      if (NT_SUCCESS( status ))
            if (((PKEY_VALUE_PARTIAL_INFORMATION) bufferPath)->Data[0] == 'Y')
                  GXHSM_DIAG_MODE_ON = TRUE;
                  RelLoggingInfo("Turning on DiagMode\n");
                  GXHSM_DIAG_MODE_ON = FALSE;
                  DbgPrintInfo("DiagMode is OFF\n");

You could easily change the above function so as to take a second argument that would specify the specific registry field to retrieve.
LVL 30

Expert Comment

ID: 18014860
I have macros that use the global GXHSM_DIAG_MODE_ON for determining if logging occurs.
#if DBG //Dbg macros only log when debug version is compiled

#define DbgPrintInfo                        DbgPrint( "%p: (%5.5i) [%s] [Info]", KeGetCurrentThread(), __LINE__, __FUNCTION__);DbgPrint

//The Release log macros always log on debug version, and only log on release when switch is turned on
#define RelLoggingErrCond                  DbgPrint( "(%5.5i) [%s] [Error Condition ~~~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint
#define RelLoggingWarn                        DbgPrint( "(%5.5i) [%s] [Warning ~~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint
#define RelLoggingInfo                        DbgPrint( "(%5.5i) [%s] [Info ~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint

#else //Release macros log only when GXHSM_DIAG_MODE_ON is set to true

#define RelLoggingErrCond                  if (GXHSM_DIAG_MODE_ON) DbgPrint( "(%5.5i) [%s] [Error Condition ~~~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint
#define RelLoggingWarn                        if (GXHSM_DIAG_MODE_ON) DbgPrint( "(%5.5i) [%s] [Warning ~~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint
#define RelLoggingInfo                        if (GXHSM_DIAG_MODE_ON) DbgPrint( "(%5.5i) [%s] [Info ~] ", __LINE__, __FUNCTION__);if (GXHSM_DIAG_MODE_ON) DbgPrint

//This macro does nothing in release mode
#define DbgPrintInfo if (1);else DbgPrint

#endif // end DBG

If you use DebugView from Sysinternals, you can easily view above logging without having to boot the machine in special mode.
With my dirver, I'm able to turn the logging on and off without having to reboot the machine.

Author Comment

ID: 18014995
Thanks a lot guys, these answers were very helpful for me.
Let me just try out these and I'll close this question.
Thanks for your help.

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Templates For Beginners Or How To Encourage The Compiler To Work For You Introduction This tutorial is targeted at the reader who is, perhaps, familiar with the basics of C++ but would prefer a little slower introduction to the more ad…
  Included as part of the C++ Standard Template Library (STL) is a collection of generic containers. Each of these containers serves a different purpose and has different pros and cons. It is often difficult to decide which container to use and …
The goal of the video will be to teach the user the difference and consequence of passing data by value vs passing data by reference in C++. An example of passing data by value as well as an example of passing data by reference will be be given. Bot…
The viewer will learn additional member functions of the vector class. Specifically, the capacity and swap member functions will be introduced.

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question