How to redirect registry key in registry callback?

Forum for discussion about kernel-mode development.
myid
Posts: 157
Joined: Sat Jun 09, 2012 2:54 am

How to redirect registry key in registry callback?

Post by myid » Tue Dec 19, 2017 2:04 pm

Hi, everyone.
How to redirect registry key in registry callback?
I use RegEdit to test; the OS environment is Win7.
For example: redirect \\REGISTRY\\MACHINE\\SOFTWARE\\1111 to \\REGISTRY\\MACHINE\\SOFTWARE\\2222. These two keys already exist.
I tried to filter RegNtPreCreateKeyEx and RegNtPreOpenKeyEx. I can catch the call, but I cannot change the result.
1. Modify CompleteName and RootObject in PreInfo: no effect.
2. Use ZwCreateKey/ZwOpenKey to operate on the redirection key with the original parameters, then modify *ResultObject (converting the handle to an object with ObReferenceObjectByHandle), GrantedAccess and *Disposition (for RegNtPreOpenKeyEx only) after the call: RegEdit cannot open the target key. No redirect effect.

Brock
Posts: 201
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA

Re: How to redirect registry key in registry callback?

Post by Brock » Wed Dec 20, 2017 8:26 am

This should help you override and redirect the operation but I haven't tested it.

http://joyasystems.com/sample-code%2FWi ... s%2Fpost.c

*see example CallbackPostNotificationOverrideError()*
Accept nothing less than STATUS_SUCCESS

myid
Posts: 157
Joined: Sat Jun 09, 2012 2:54 am

Re: How to redirect registry key in registry callback?

Post by myid » Wed Dec 20, 2017 11:15 am

Brock wrote: This should help you override and redirect the operation but I haven't tested it.

http://joyasystems.com/sample-code%2FWi ... s%2Fpost.c

*see example CallbackPostNotificationOverrideError()*
This code comes from the WDK demo code package, but it cannot work (no effect for REGEDIT).

Brock
Posts: 201
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA

Re: How to redirect registry key in registry callback?

Post by Brock » Wed Dec 20, 2017 5:58 pm

Microsoft's sample code doesn't work on Microsoft's Regedit? What do you mean it "cannot" work? Have you verified this with other registry editors/viewers?
Accept nothing less than STATUS_SUCCESS

myid
Posts: 157
Joined: Sat Jun 09, 2012 2:54 am

Re: How to redirect registry key in registry callback?

Post by myid » Thu Dec 21, 2017 7:28 am

Brock wrote: Microsoft's sample code doesn't work on Microsoft's Regedit? What do you mean it "cannot" work? Have you verified this with other registry editors/viewers?
https://github.com/Microsoft/Windows-dr ... ry/regfltr
You can test this code if you don't believe me.
