troubleshooting Question

Help query values from the registry using zwqueryvaluekey

Avatar of msgolez
msgolez asked on
CSystem ProgrammingMicrosoft Legacy OS
7 Comments1 Solution3182 ViewsLast Modified:
Hello All

I'm trying to querry a value from the registry using zwqueryvaluekey from a kernel driver. In particular i'm trying to query the start value of driver. My question is, once i get the structure the contains the information, how do i compare the value of the Start key with values such as 0, 1, 2, 3 or 4.

Here is my code:

#include <ntddk.h>

VOID ReadUnload(PDRIVER_OBJECT  pDriverObject);

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING RegistryPath)
{
UNICODE_STRING uPath, uName, uResult;
ANSI_STRING aResult;
HANDLE hFolder = NULL;
OBJECT_ATTRIBUTES objAttribs;
NTSTATUS status = STATUS_SUCCESS;
ULONG dataLength = 0x80;
ULONG structLength = sizeof(KEY_VALUE_BASIC_INFORMATION) + dataLength + sizeof(UNICODE_NULL);
PKEY_VALUE_BASIC_INFORMATION pBasicValue = NULL;
PKEY_VALUE_PARTIAL_INFORMATION pPartialValue = NULL;
PKEY_VALUE_FULL_INFORMATION pFullValue = NULL;
pBasicValue = (PKEY_VALUE_BASIC_INFORMATION) ExAllocatePool(PagedPool, structLength);
pPartialValue = (PKEY_VALUE_PARTIAL_INFORMATION) ExAllocatePool(PagedPool, structLength);
pFullValue = (PKEY_VALUE_FULL_INFORMATION) ExAllocatePool(PagedPool, structLength);

RtlInitUnicodeString(&uPath, L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\ultra" );
RtlInitUnicodeString(&uName, L"Type");

InitializeObjectAttributes(&objAttribs, &uPath, OBJ_CASE_INSENSITIVE, NULL, NULL);

status = ZwOpenKey(&hFolder, KEY_READ, &objAttribs);

if(status != STATUS_SUCCESS)
{
      DbgPrint("Couldn't open key. Ending function.\n");
      return status;
}

//Try to read the value, using the PKEY_VALUE_PARTIAL_INFORMATION.
memset(pPartialValue, 0, structLength);
status = ZwQueryValueKey(hFolder, &uName, KeyValuePartialInformation, pPartialValue, structLength, &dataLength);

switch(status)
{
case STATUS_INVALID_HANDLE: //Always end up here.
      DbgPrint("ZwQueryValueKey(Partial) says the handle is bogus.\n");
      break;
case STATUS_BUFFER_OVERFLOW:
      DbgPrint("Buffer overflow error");
      //Since it failed because of insufficient storage, allocate enough.
      ExFreePool(pPartialValue);
      structLength = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + dataLength + sizeof(UNICODE_NULL);
      pPartialValue = (PKEY_VALUE_PARTIAL_INFORMATION) ExAllocatePool(PagedPool, structLength);
      status = ZwQueryValueKey(hFolder, &uName, KeyValuePartialInformation, pPartialValue, structLength, &dataLength);

      if(status != STATUS_SUCCESS)
      {
            //Just give it up.  Shouldn't get here, either.
            DbgPrint("ZwQueryValueKey(Partial): Still didn't get it."\
                        " Status: %X\n", status);
            break;
      }
      //Fall Through
case STATUS_SUCCESS:
      DbgPrint("Success");
//      my_data =  (PCANSI_STRING)pPartialValue->Data;
//  RtlAnsiStringToUnicodeString( &uResult, my_data, TRUE);
//      RtlInitUnicodeString(&uResult, pPartialValue->Data);
//      DbgPrint(pPartialValue->Data[7]);
      DbgPrint(pPartialValue->Data);
}
ExFreePool(pPartialValue);

Basically when i get pPartialValue->Data, how do i compare it to 0,1,2,3 or 4?

Thanks
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 1 Answer and 7 Comments.
Join the Community
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 7 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros