Discussion:
NtQueryKey & KeyNameInformation - Get a more regular hive name ?
R.Wieser
2017-09-28 06:48:44 UTC
Hello All,

I'm retrieving/regenerating a registry path from a hKey using NtQueryKey &
KeyNameInformation. The result looks like this:

\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command

I was wondering if there is a standard way of replacing the, in this case*,
first two folder names with a bit more regular name, like HKEY_CLASSES_ROOT
or HKCU

*for the HKEY_CURRENT_USER hive that's three folders, with the last name
being variable.

As I do not really want to compare with a few hard-coded strings (any change
will bite me in the behind later on. Also, I've got no idea how to retrieve
that third folder name for HKCU) I've tried to retrieve those hive
names/prefixes by just providing a hive ID to NtQueryKey &
KeyNameInformation (so I could compare its output to the first result), but
it didn't return anything (which, as I just realized, also creates a problem
when accessing the default value in the root of such a hive ...).

tl;dr:
How do I convert NTDLL style registry-path result to a Win32 (AdvApi32)
style one ? :-)

Regards,
Rudy Wieser
JJ
2017-09-28 14:57:44 UTC
Post by R.Wieser
Hello All,
I'm retrieving/regenerating a registry path from a hKey using NtQueryKey &
\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
I was wondering if there is a standard way of replacing the, in this case*,
first two folder names with a bit more regular name, like HKEY_CLASSES_ROOT
or HKCU
*for the HKEY_CURRENT_USER hive that's three folders, with the last name
being variable.
As I do not really want to compare with a few hard-coded strings (any change
will bite me in the behind later on. Also, I've got no idea how to retrieve
that third folder name for HKCU) I've tried to retrieve those hive
names/prefixes by just providing a hive ID to NtQueryKey &
KeyNameInformation (so I could compare its output to the first result), but
it didn't return anything (which, as I just realized, also creates a problem
when accessing the default value in the root of such a hive ...).
How do I convert NTDLL style registry-path result to a Win32 (AdvApi32)
style one ? :-)
Regards,
Rudy Wieser
Try the suggested solutions on this SO question.

<https://stackoverflow.com/questions/65170/how-to-get-name-associated-with-open-handle/18792477>

I'd like to know too.
R.Wieser
2017-09-29 06:21:50 UTC
JJ,
Try the suggested solutions on this SO question. [snip link]
Thanks. I've stored the page locally, and will take a good look at it
(better than the quick one I just did). Seems also to have stuff to convert
file-handles back to paths. Could come in handy too. :-)

Regards,
Rudy Wieser
JJ
2017-09-29 09:19:46 UTC
Post by R.Wieser
Thanks. I've stored the page locally, and will take a good look at it
(better than the quick one I just did). Seems also to have stuff to convert
file-handles back to paths. Could come in handy too. :-)
I haven't actually tried those methods. AFAIK, Windows doesn't provide any
API function to convert between Win32 and native registry path. Only file
system paths.

When I see ReactOS' ADVAPI32 source code, it uses its own registry path
conversion (private) functions.

Ant
2017-09-28 22:34:12 UTC
Post by R.Wieser
I'm retrieving/regenerating a registry path from a hKey using NtQueryKey &
\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
I was wondering if there is a standard way of replacing the, in this case*,
first two folder names with a bit more regular name, like HKEY_CLASSES_ROOT
or HKCU
At the native level all you have are:
\Registry\Machine (equivalent to HKEY_LOCAL_MACHINE)
\Registry\User (equivalent to HKEY_USERS)

HKEY_CLASSES_ROOT is a merging of info from HKLM and HKCU. There is no
native equivalent.
Post by R.Wieser
*for the HKEY_CURRENT_USER hive that's three folders, with the last name
being variable.
In this case you probably need to check the SID. Have a look at
RtlFormatCurrentUserKeyPath (which is called by RtlCheckRegistryKey).
Post by R.Wieser
As I do not really want to compare with a few hard-coded strings (any change
will bite me in the behind later on. Also, I've got no idea how to retrieve
that third folder name for HKCU)
It's the user's SID, isn't it? (see above).
Post by R.Wieser
I've tried to retrieve those hive
names/prefixes by just providing a hive ID to NtQueryKey &
KeyNameInformation (so I could compare its output to the first result), but
it didn't return anything (which, as I just realized, also creates a problem
when accessing the default value in the root of such a hive ...).
User hives are called ntuser.dat. The user profile directory name can
be found here:
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ProfileList\SID\ProfileImagePath
Post by R.Wieser
How do I convert NTDLL style registry-path result to a Win32 (AdvApi32)
style one ? :-)
Not easily!
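Ant's mapping, worked through as an added C example (this is not code from the thread, nor from any Windows or ReactOS source): a pure string conversion from the path that NtQueryKey with KeyNameInformation returns to the Win32 root-key form. It assumes the caller already holds the current user's SID as a string (the thread points at RtlFormatCurrentUserKeyPath or the process token for that); the SID in the sample run is a constructed value, not a real account. \REGISTRY\MACHINE becomes HKEY_LOCAL_MACHINE, \REGISTRY\USER becomes HKEY_USERS, and \REGISTRY\USER\<current SID> becomes HKEY_CURRENT_USER. Anything else, including the HKEY_CLASSES_ROOT merge that has no native equivalent, is refused rather than half-converted, which is the behaviour you want in code that compares, logs or audits registry paths.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix test. Registry paths are case-insensitive and
 * NtQueryKey returns \REGISTRY\MACHINE in upper case while most
 * documentation writes \Registry\Machine. Stops safely at the end of s. */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

/* Convert a native registry path to Win32 root-key form.
 * user_sid: string SID of the calling user, or NULL if unknown.
 * Returns 1 and fills out[] on success; returns 0 and leaves out[]
 * untouched when the path is not under a hive that has a Win32 root
 * (e.g. there is no native HKEY_CLASSES_ROOT), or when out_len is too small. */
int native_to_win32_regpath(const char *native, const char *user_sid,
                            char *out, size_t out_len)
{
    static const char machine[] = "\\REGISTRY\\MACHINE";
    static const char user[]    = "\\REGISTRY\\USER";
    const char *root, *rest;
    int n;

    if (starts_with_ci(native, machine)) {
        root = "HKEY_LOCAL_MACHINE";
        rest = native + (sizeof machine - 1);
    } else if (starts_with_ci(native, user)) {
        root = "HKEY_USERS";
        rest = native + (sizeof user - 1);
        /* HKEY_CURRENT_USER is \REGISTRY\USER\<SID of the calling user>.
         * The SID must be a whole path component, so that ...-1001 does not
         * match ...-10010 and <SID>_Classes stays under HKEY_USERS. */
        if (user_sid && *rest == '\\' && starts_with_ci(rest + 1, user_sid)) {
            const char *after = rest + 1 + strlen(user_sid);
            if (*after == '\0' || *after == '\\') {
                root = "HKEY_CURRENT_USER";
                rest = after;
            }
        }
    } else {
        return 0;   /* not a registry path, or no Win32 root for it */
    }

    /* The hive prefix must also be a whole component: reject \REGISTRY\MACHINEX */
    if (*rest != '\0' && *rest != '\\')
        return 0;

    n = snprintf(out, out_len, "%s%s", root, rest);
    return n >= 0 && (size_t)n < out_len;
}

/* Convenience check: 1 when the conversion result equals expected;
 * with expected == NULL, 1 when the conversion is (correctly) refused. */
int conversion_matches(const char *native, const char *user_sid,
                       const char *expected)
{
    char buf[512];
    int ok = native_to_win32_regpath(native, user_sid, buf, sizeof buf);
    if (!expected)
        return !ok;
    return ok && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample SID, not a real account. */
    const char *sid = "S-1-5-21-1000000001-1000000002-1000000003-1001";
    const char *samples[] = {
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command",
        "\\REGISTRY\\USER\\S-1-5-21-1000000001-1000000002-1000000003-1001\\Software\\Classes",
        "\\REGISTRY\\USER\\S-1-5-21-1000000001-1000000002-1000000003-1001_Classes",
        "\\REGISTRY\\USER\\.DEFAULT",
        "\\REGISTRY\\MACHINEX\\Foo",
    };
    char buf[512];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (native_to_win32_regpath(samples[i], sid, buf, sizeof buf))
            printf("%s\n  -> %s\n", samples[i], buf);
        else
            printf("%s\n  -> (no Win32 equivalent, kept in native form)\n", samples[i]);
    }
    return 0;
}
```

Because the mapping is only partial, the caller should decide up front whether to display every path in native form or to convert only where a root key exists; mixing the two styles in one log or comparison is the confusion Rudy worries about later in the thread. Note also that a path under \REGISTRY\USER\<other SID> is a valid HKEY_USERS path even though it is not the current user's HKEY_CURRENT_USER.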
R.Wieser
2017-09-29 06:39:21 UTC
Hello Ant,
Post by Ant
\Registry\Machine (equivalent to HKEY_LOCAL_MACHINE)
\Registry\User (equivalent to HKEY_USERS)
Hmm ...
Post by Ant
HKEY_CLASSES_ROOT is a merging of info from HKLM and HKCU.
There is no native equivalent.
Yep, that surely complicates matters.
Post by Ant
In this case you probably need to check the SID. Have a look at
RtlFormatCurrentUserKeyPath (which is called by RtlCheckRegistryKey).
Grmbl ... Now you mention it's the SID (which I should have realized) ... I
was searching for a registry key which would hold that (third folder) string
of the current user, wholly forgetting that it could be available in the
system. And to add insult to injury, I already have an example to extract
it on file !
http://www.codeproject.com/Articles/14828/How-To-Get-Process-Owner-ID-and-Current-User-SID
Post by Ant
It's the user's SID, isn't it? (see above).
Yeah, yeah. Rub it in why don't you ... :-p :-)
Post by Ant
Post by R.Wieser
How do I convert NTDLL style registry-path result to a Win32
(AdvApi32) style one ? :-)
Not easily!
Yup. It looks like all I can do is a *partial* conversion, which makes me
wonder if doing so is a good idea to begin with ... (c|would be confusing to
have multiple styles returned).

Thanks for the explanation/heads up.

Regards,
Rudy Wieser