// Registers power callback _Use_decl_annotations_ NTSTATUS PowerCallbackInitialization() { PAGED_CODE(); UNICODE_STRING name = RTL_CONSTANT_STRING(L"\\Callback\\PowerState"); OBJECT_ATTRIBUTES oa = RTL_CONSTANT_OBJECT_ATTRIBUTES(&name, OBJ_CASE_INSENSITIVE); auto status = ExCreateCallback(&g_pcp_callback_object, &oa, FALSE, TRUE); if (!NT_SUCCESS(status)) { return status; } g_pcp_registration = ExRegisterCallback( g_pcp_callback_object, PowerCallbackpCallbackRoutine, nullptr); if (!g_pcp_registration) { ObDereferenceObject(g_pcp_callback_object); g_pcp_callback_object = nullptr; return STATUS_UNSUCCESSFUL; } return status; }
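/*
 * Opens one registry key for value query and reports whether the named value
 * is a REG_DWORD of sizeof(ULONG) bytes whose first data byte equals TRUE.
 *
 * Every failure (key missing, value missing, wrong type or size, query error)
 * yields FALSE, so a missing key is treated as "flag not set".
 */
static BOOLEAN
IsShimDisableFlagSet(OBJECT_ATTRIBUTES *KeyAttributes,
                     UNICODE_STRING *ValueName)
{
    HANDLE KeyHandle;
    NTSTATUS Status;
    KEY_VALUE_PARTIAL_INFORMATION KeyInfo;
    ULONG ResultLength;

    /* Access mask 1 is KEY_QUERY_VALUE: the key is only ever read */
    Status = NtOpenKey(&KeyHandle, 1, KeyAttributes);
    if (!NT_SUCCESS(Status))
    {
        return FALSE;
    }

    /*
     * NOTE(review): sizeof(KeyInfo) holds a full DWORD only if the structure's
     * trailing padding covers the three bytes after Data[0] -- confirm for the
     * target ABI. A value that does not fit makes the query fail, which is
     * reported as "not set".
     */
    Status = NtQueryValueKey(KeyHandle,
                             ValueName,
                             KeyValuePartialInformation,
                             &KeyInfo,
                             sizeof(KeyInfo),
                             &ResultLength);

    /* The handle is closed on every path, whatever the query returned */
    NtClose(KeyHandle);

    /* KeyInfo is only inspected after a successful query */
    if ((NT_SUCCESS(Status)) &&
        (KeyInfo.Type == REG_DWORD) &&
        (KeyInfo.DataLength == sizeof(ULONG)) &&
        (KeyInfo.Data[0] == TRUE))
    {
        return TRUE;
    }

    return FALSE;
}

/*
 * Reports whether the application-compatibility (shim) infrastructure is
 * turned off, caching the answer in g_ShimsEnabled after the first call.
 *
 * Three locations under \Registry\MACHINE are consulted in order, and the
 * first one that is set disables shims:
 *   1. SafeBoot\Option              value OptionValue      (safe mode)
 *   2. Session Manager\AppCompatibility value DisableAppCompat
 *   3. Policies\...\AppCompat       value DisableEngine    (system policy)
 *
 * Each location is evaluated independently. Previously a key that could not
 * be opened skipped all remaining checks and left the cache at -1, so the
 * policy key was never read, the function returned TRUE ("disabled") and the
 * registry was queried again on every call.
 *
 * Returns TRUE when shims are disabled, FALSE when they are enabled.
 */
BOOLEAN
WINAPI
IsShimInfrastructureDisabled(VOID)
{
    UNICODE_STRING OptionKey = RTL_CONSTANT_STRING(L"\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option");
    UNICODE_STRING AppCompatKey = RTL_CONSTANT_STRING(L"\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCompatibility");
    UNICODE_STRING PolicyKey = RTL_CONSTANT_STRING(L"\\Registry\\MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppCompat");
    UNICODE_STRING OptionValue = RTL_CONSTANT_STRING(L"OptionValue");
    UNICODE_STRING DisableAppCompat = RTL_CONSTANT_STRING(L"DisableAppCompat");
    UNICODE_STRING DisableEngine = RTL_CONSTANT_STRING(L"DisableEngine");
    OBJECT_ATTRIBUTES OptionKeyAttributes = RTL_CONSTANT_OBJECT_ATTRIBUTES(&OptionKey, OBJ_CASE_INSENSITIVE);
    OBJECT_ATTRIBUTES AppCompatKeyAttributes = RTL_CONSTANT_OBJECT_ATTRIBUTES(&AppCompatKey, OBJ_CASE_INSENSITIVE);
    OBJECT_ATTRIBUTES PolicyKeyAttributes = RTL_CONSTANT_OBJECT_ATTRIBUTES(&PolicyKey, OBJ_CASE_INSENSITIVE);

    /*
     * This is a TROOLEAN, -1 means we haven't yet figured it out.
     * 0 means shims are enabled, and 1 means shims are disabled!
     */
    if (g_ShimsEnabled == -1)
    {
        /* || short-circuits, so later keys are only read when needed */
        if (IsShimDisableFlagSet(&OptionKeyAttributes, &OptionValue) ||
            IsShimDisableFlagSet(&AppCompatKeyAttributes, &DisableAppCompat) ||
            IsShimDisableFlagSet(&PolicyKeyAttributes, &DisableEngine))
        {
            /* Safe mode, engine switch or policy says so: disable shims! */
            g_ShimsEnabled = TRUE;
        }
        else
        {
            /* No keys are set, so enable shims! */
            g_ShimsEnabled = FALSE;
        }
    }

    /* Return if shims are disabled or not ("Enabled == 1" means disabled!) */
    return g_ShimsEnabled ? TRUE : FALSE;
}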
#include <ntoskrnl.h>
/* NDEBUG is defined before <debug.h>; presumably this compiles out debug prints -- confirm against debug.h */
#define NDEBUG
#include <debug.h>

/* GLOBALS *******************************************************************/

/* Starts out FALSE; whatever sets it to TRUE is not visible in this excerpt */
static BOOLEAN ApphelpCacheEnabled = FALSE;
/* NOTE(review): presumably guards the table and list below -- confirm every access takes it */
static ERESOURCE ApphelpCacheLock;
/* AVL table and list head; the names suggest keyed lookup plus age ordering -- confirm */
static RTL_AVL_TABLE ApphelpShimCache;
static LIST_ENTRY ApphelpShimCacheAge;
/* Defined elsewhere */
extern ULONG InitSafeBootMode;

/* Registry key and value named after the shim cache; how they are read or written is not shown here */
static UNICODE_STRING AppCompatCacheKey = RTL_CONSTANT_STRING(L"\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache");
/* OBJ_KERNEL_HANDLE: a handle opened with these attributes is a kernel handle, not usable from user mode */
static OBJECT_ATTRIBUTES AppCompatKeyAttributes = RTL_CONSTANT_OBJECT_ATTRIBUTES(&AppCompatCacheKey, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE);
static UNICODE_STRING AppCompatCacheValue = RTL_CONSTANT_STRING(L"AppCompatCache");

/* All-zero aggregate initializer; it must match the layout of the entry type declared elsewhere */
#define EMPTY_SHIM_ENTRY { { 0 }, { { 0 } }, 0 }
/* 0x200 == 512; presumably the cap on cached entries -- confirm it is enforced on insert */
#define MAX_SHIM_ENTRIES 0x200
/* Multi-character constant, presumably a pool tag; its characters are "SHIM" reversed */
#define TAG_SHIM 'MIHS'

/* Fallback definition for builds where no header provides it */
#ifndef INVALID_HANDLE_VALUE
#define INVALID_HANDLE_VALUE (HANDLE)(-1)
#endif

/*
 * <pshpack1.h> switches to 1-byte structure packing for the declarations that
 * follow, so they carry no compiler-inserted padding.
 * NOTE(review): the name suggests this header is stored persistently; if it is
 * read back from the registry value above, confirm the reader validates Magic
 * and every length field before trusting the contents.
 */
#include <pshpack1.h>
typedef struct SHIM_PERSISTENT_CACHE_HEADER_52 { ULONG Magic;