BOOLEAN SampSetUpgradeFlag( ) /*++ Routine Description: This routine sets SAM upgrade flag is set. The upgrade flag is: HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\lsa UpgradeSam = REG_DWORD 1 and the value will be deleted. Arguments: Return Value: TRUE - The flag was set FALSE - The flag was not set or the value was not present --*/ { NTSTATUS NtStatus; UNICODE_STRING KeyName; OBJECT_ATTRIBUTES ObjectAttributes; HANDLE KeyHandle; UCHAR Buffer[100]; PKEY_VALUE_PARTIAL_INFORMATION KeyValueInformation = (PKEY_VALUE_PARTIAL_INFORMATION) Buffer; ULONG KeyValueLength = 100; ULONG ResultLength; PULONG UpgradeFlag; // // Open the Lsa key in the registry // RtlInitUnicodeString( &KeyName, SAMP_LSA_KEY_NAME ); InitializeObjectAttributes( &ObjectAttributes, &KeyName, OBJ_CASE_INSENSITIVE, 0, NULL ); NtStatus = NtOpenKey( &KeyHandle, KEY_SET_VALUE, &ObjectAttributes ); if (!NT_SUCCESS(NtStatus)) { return(FALSE); } // // Query the Notification Packages value // RtlInitUnicodeString( &KeyName, L"UpgradeSam" ); NtStatus = NtDeleteValueKey( KeyHandle, &KeyName ); NtClose(KeyHandle); }
void DeleteValueTest(void) { OBJECT_ATTRIBUTES ObjectAttributes; UNICODE_STRING KeyName = RTL_CONSTANT_STRING(L"\\Registry\\Machine\\Software\\testkey"); UNICODE_STRING ValueName = RTL_CONSTANT_STRING(L"TestValue"); HANDLE KeyHandle; NTSTATUS Status; dprintf("Open key '\\Registry\\Machine\\Software\\testkey':\n"); InitializeObjectAttributes(&ObjectAttributes, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL); Status=NtOpenKey(&KeyHandle, MAXIMUM_ALLOWED, &ObjectAttributes); dprintf(" Status = %lx\n", Status); if (!NT_SUCCESS(Status)) return; dprintf("Delete value:\n"); Status = NtDeleteValueKey(KeyHandle, &ValueName); dprintf(" Status = %lx\n", Status); dprintf("Close key:\n"); Status = NtClose(KeyHandle); dprintf(" Status = %lx\n", Status); }
NTSTATUS NTAPI RtlApplyRXact( PRXACT_CONTEXT Context) { UNICODE_STRING ValueName; NTSTATUS Status; /* Temporarily safe the current transaction in the 'Log' key value */ RtlInitUnicodeString(&ValueName, L"Log"); Status = ZwSetValueKey(Context->KeyHandle, &ValueName, 0, REG_BINARY, Context->Data, Context->Data->CurrentSize); if (!NT_SUCCESS(Status)) { return Status; } /* Flush the key */ Status = NtFlushKey(Context->KeyHandle); if (!NT_SUCCESS(Status)) { NtDeleteValueKey(Context->KeyHandle, &ValueName); return Status; } /* Now commit the transaction */ Status = RXactpCommit(Context); if (!NT_SUCCESS(Status)) { NtDeleteValueKey(Context->KeyHandle, &ValueName); return Status; } /* Delete the 'Log' key value */ Status = NtDeleteValueKey(Context->KeyHandle, &ValueName); ASSERT(NT_SUCCESS(Status)); /* Reset the transaction */ Status = RtlAbortRXact(Context); ASSERT(NT_SUCCESS(Status)); return STATUS_SUCCESS; }
NTSTATUS SampRegDeleteValue(IN HANDLE KeyHandle, IN LPCWSTR ValueName) { UNICODE_STRING Name; RtlInitUnicodeString(&Name, ValueName); return NtDeleteValueKey(KeyHandle, &Name); }
/* registry link delete test */ void test7(void) { HANDLE hKey; OBJECT_ATTRIBUTES ObjectAttributes; UNICODE_STRING KeyName,ValueName; NTSTATUS Status; dprintf("Open link key\n"); dprintf(" Key: \\Registry\\Machine\\SOFTWARE\\Test\n"); RtlRosInitUnicodeStringFromLiteral(&KeyName, L"\\Registry\\Machine\\SOFTWARE\\Test"); InitializeObjectAttributes(&ObjectAttributes, &KeyName, OBJ_CASE_INSENSITIVE | OBJ_OPENIF | OBJ_OPENLINK, NULL, NULL); Status = NtCreateKey(&hKey, KEY_ALL_ACCESS, &ObjectAttributes, 0, NULL, REG_OPTION_VOLATILE | REG_OPTION_OPEN_LINK, NULL); dprintf(" NtCreateKey() called (Status %lx)\n",Status); if (!NT_SUCCESS(Status)) { dprintf("Could not open the link key. Please run the link create test first!\n"); return; } dprintf("Delete link value\n"); RtlRosInitUnicodeStringFromLiteral(&ValueName, L"SymbolicLinkValue"); Status = NtDeleteValueKey(hKey, &ValueName); dprintf(" NtDeleteValueKey() called (Status %lx)\n",Status); dprintf("Delete link key\n"); Status=NtDeleteKey(hKey); dprintf(" NtDeleteKey() called (Status %lx)\n",Status); dprintf("Close link key\n"); NtClose(hKey); }
static VOID WriteCurrentUserRun( _In_ BOOLEAN Present, _In_ BOOLEAN StartHidden ) { HANDLE keyHandle; if (CurrentUserRunPresent == Present && (!Present || CurrentUserRunStartHidden == StartHidden)) return; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_WRITE, PH_KEY_CURRENT_USER, &CurrentUserRunKeyName, 0 ))) { UNICODE_STRING valueName; RtlInitUnicodeString(&valueName, L"Process Hacker 2"); if (Present) { PPH_STRING value; value = PH_AUTO(PhConcatStrings(3, L"\"", PhApplicationFileName->Buffer, L"\"")); if (StartHidden) value = PhaConcatStrings2(value->Buffer, L" -hide"); NtSetValueKey(keyHandle, &valueName, 0, REG_SZ, value->Buffer, (ULONG)value->Length + 2); } else { NtDeleteValueKey(keyHandle, &valueName); } NtClose(keyHandle); } }
NTSTATUS NTAPI RtlInitializeRXact( HANDLE RootDirectory, BOOLEAN Commit, PRXACT_CONTEXT *OutContext) { NTSTATUS Status, TmpStatus; PRXACT_CONTEXT Context; PKEY_VALUE_FULL_INFORMATION KeyValueInformation; KEY_VALUE_BASIC_INFORMATION KeyValueBasicInfo; UNICODE_STRING ValueName; UNICODE_STRING KeyName; OBJECT_ATTRIBUTES ObjectAttributes; RXACT_INFO TransactionInfo; ULONG Disposition; ULONG ValueType; ULONG ValueDataLength; ULONG Length; HANDLE KeyHandle; /* Open or create the 'RXACT' key in the root directory */ RtlInitUnicodeString(&KeyName, L"RXACT"); InitializeObjectAttributes(&ObjectAttributes, &KeyName, OBJ_CASE_INSENSITIVE | OBJ_OPENIF, RootDirectory, NULL); Status = ZwCreateKey(&KeyHandle, KEY_READ | KEY_WRITE | DELETE, &ObjectAttributes, 0, NULL, 0, &Disposition); if (!NT_SUCCESS(Status)) { return Status; } /* Allocate a new context */ Context = RtlAllocateHeap(RtlGetProcessHeap(), 0, sizeof(*Context)); *OutContext = Context; if (Context == NULL) { TmpStatus = ZwDeleteKey(KeyHandle); ASSERT(NT_SUCCESS(TmpStatus)); TmpStatus = NtClose(KeyHandle); ASSERT(NT_SUCCESS(TmpStatus)); return STATUS_NO_MEMORY; } /* Initialize the context */ RXactInitializeContext(Context, RootDirectory, KeyHandle); /* Check if we created a new key */ if (Disposition == REG_CREATED_NEW_KEY) { /* The key is new, set the default value */ TransactionInfo.Revision = 1; RtlInitUnicodeString(&ValueName, NULL); Status = ZwSetValueKey(KeyHandle, &ValueName, 0, REG_NONE, &TransactionInfo, sizeof(TransactionInfo)); if (!NT_SUCCESS(Status)) { TmpStatus = ZwDeleteKey(KeyHandle); ASSERT(NT_SUCCESS(TmpStatus)); TmpStatus = NtClose(KeyHandle); ASSERT(NT_SUCCESS(TmpStatus)); RtlFreeHeap(RtlGetProcessHeap(), 0, *OutContext); return Status; } return STATUS_RXACT_STATE_CREATED; } else { /* The key exited, get the default key value */ ValueDataLength = sizeof(TransactionInfo); Status = RtlpNtQueryValueKey(KeyHandle, &ValueType, &TransactionInfo, &ValueDataLength, 0); if (!NT_SUCCESS(Status)) { TmpStatus = NtClose(KeyHandle); ASSERT(NT_SUCCESS(TmpStatus)); RtlFreeHeap(RtlGetProcessHeap(), 0, Context); return Status; } /* Check if the value date is valid */ if ((ValueDataLength != sizeof(TransactionInfo)) || (TransactionInfo.Revision != 1)) { TmpStatus = NtClose(KeyHandle); ASSERT(NT_SUCCESS(TmpStatus)); RtlFreeHeap(RtlGetProcessHeap(), 0, Context); return STATUS_UNKNOWN_REVISION; } /* Query the 'Log' key value */ RtlInitUnicodeString(&ValueName, L"Log"); Status = ZwQueryValueKey(KeyHandle, &ValueName, KeyValueBasicInformation, &KeyValueBasicInfo, sizeof(KeyValueBasicInfo), &Length); if (!NT_SUCCESS(Status)) { /* There is no 'Log', so we are done */ return STATUS_SUCCESS; } /* Check if the caller asked to commit the current state */ if (!Commit) { /* We have a log, that must be committed first! */ return STATUS_RXACT_COMMIT_NECESSARY; } /* Query the size of the 'Log' key value */ Status = ZwQueryValueKey(KeyHandle, &ValueName, KeyValueFullInformation, NULL, 0, &Length); if (Status != STATUS_BUFFER_TOO_SMALL) { return Status; } /* Allocate a buffer for the key value information */ KeyValueInformation = RtlAllocateHeap(RtlGetProcessHeap(), 0, Length); if (KeyValueInformation == NULL) { return STATUS_NO_MEMORY; } /* Query the 'Log' key value */ Status = ZwQueryValueKey(KeyHandle, &ValueName, KeyValueFullInformation, KeyValueInformation, Length, &Length); if (!NT_SUCCESS(Status)) { RtlFreeHeap(RtlGetProcessHeap(), 0, KeyValueInformation); RtlFreeHeap(RtlGetProcessHeap(), 0, Context); return Status; } /* Set the Data pointer to the key value data */ Context->Data = (PRXACT_DATA)((PUCHAR)KeyValueInformation + KeyValueInformation->DataOffset); /* This is an old log, don't use handles when committing! */ Context->CanUseHandles = FALSE; /* Commit the data */ Status = RXactpCommit(Context); if (!NT_SUCCESS(Status)) { RtlFreeHeap(RtlGetProcessHeap(), 0, KeyValueInformation); RtlFreeHeap(RtlGetProcessHeap(), 0, Context); return Status; } /* Delete the old key */ Status = NtDeleteValueKey(KeyHandle, &ValueName); ASSERT(NT_SUCCESS(Status)); /* Set the data member to the allocated buffer, so it will get freed */ Context->Data = (PRXACT_DATA)KeyValueInformation; /* Abort the old transaction */ Status = RtlAbortRXact(Context); ASSERT(NT_SUCCESS(Status)); return Status; } }
BOOLEAN IopInitializeDeviceInstanceKey( IN HANDLE KeyHandle, IN PUNICODE_STRING KeyName, IN OUT PVOID WorkName ) /*++ Routine Description: This routine is a callback function for IopApplyFunctionToSubKeys. It is called for each subkey under HKLM\System\Enum\BusKey\DeviceKey. Arguments: KeyHandle - Supplies a handle to this key. KeyName - Supplies the name of this key. WorkName - points to the unicodestring which describes the path up to this key. Returns: TRUE to continue the enumeration. FALSE to abort it. --*/ { UNICODE_STRING unicodeName, serviceName; PKEY_VALUE_FULL_INFORMATION keyValueInformation; NTSTATUS status; BOOLEAN duplicate = FALSE; ULONG foundAtEnum, deviceFlags, instance, tmpValue1, tmpValue2; USHORT length; PUNICODE_STRING pUnicode; // // Get the "Problem" value entry to determine what we need to do with // the device instance key. // deviceFlags = 0; status = IopGetRegistryValue ( KeyHandle, REGSTR_VALUE_PROBLEM, &keyValueInformation ); if (NT_SUCCESS(status)) { if ((keyValueInformation->Type == REG_DWORD) && (keyValueInformation->DataLength >= sizeof(ULONG))) { deviceFlags = *(PULONG)KEY_VALUE_DATA(keyValueInformation); } ExFreePool(keyValueInformation); } if (deviceFlags == CM_PROB_MOVED) { // // If the device instance was moved, we simply delete the key. // The key will be deleted once the caller close the open handle. // NtDeleteKey(KeyHandle); return TRUE; } // // The device instance key exists. We need to propagate the ConfigFlag // to problem and StatusFlags // deviceFlags = 0; status = IopGetRegistryValue(KeyHandle, REGSTR_VALUE_CONFIG_FLAGS, &keyValueInformation); if (NT_SUCCESS(status)) { if ((keyValueInformation->Type == REG_DWORD) && (keyValueInformation->DataLength >= sizeof(ULONG))) { deviceFlags = *(PULONG)KEY_VALUE_DATA(keyValueInformation); } ExFreePool(keyValueInformation); } if (deviceFlags & CONFIGFLAG_REINSTALL) { tmpValue1 = CM_PROB_REINSTALL; // Problem tmpValue2 = DN_HAS_PROBLEM; // StatusFlags } else { tmpValue1 = tmpValue2 = 0; } PiWstrToUnicodeString(&unicodeName, REGSTR_VALUE_PROBLEM); NtSetValueKey(KeyHandle, &unicodeName, TITLE_INDEX_VALUE, REG_DWORD, &tmpValue1, sizeof(tmpValue1) ); PiWstrToUnicodeString(&unicodeName, REGSTR_VALUE_STATUSFLAGS); NtSetValueKey(KeyHandle, &unicodeName, TITLE_INDEX_VALUE, REG_DWORD, &tmpValue2, sizeof(tmpValue2) ); // // Get the "DuplicateOf" value entry to determine if the device instance // should be registered. If the device instance is duplicate, We don't // add it to its service key's enum branch. // status = IopGetRegistryValue ( KeyHandle, REGSTR_VALUE_DUPLICATEOF, &keyValueInformation ); if (NT_SUCCESS(status)) { if ((keyValueInformation->Type == REG_SZ) && (keyValueInformation->DataLength > 0)) { duplicate = TRUE; } ExFreePool(keyValueInformation); } if (!duplicate) { // // Combine WorkName and KeyName to form device instance path // and register this device instance by // constructing new value entry for ServiceKeyName\Enum key. // i.e., <Number> = <PathToSystemEnumBranch> // pUnicode = (PUNICODE_STRING)WorkName; length = pUnicode->Length; // Save WorkName if (pUnicode->Buffer[pUnicode->Length / sizeof(WCHAR) - 1] != OBJ_NAME_PATH_SEPARATOR) { pUnicode->Buffer[pUnicode->Length / sizeof(WCHAR)] = OBJ_NAME_PATH_SEPARATOR; pUnicode->Length += 2; } RtlAppendStringToString((PSTRING)pUnicode, (PSTRING)KeyName); PpDeviceRegistration(pUnicode, TRUE); pUnicode->Length = length; // Restore WorkName } // // Get the "Service=" value entry from KeyHandle // keyValueInformation = NULL; serviceName.Length = 0; status = IopGetRegistryValue ( KeyHandle, REGSTR_VALUE_SERVICE, &keyValueInformation ); if (NT_SUCCESS(status)) { // // Append the new instance to its corresponding // Service\Name\Enum. // if ((keyValueInformation->Type == REG_SZ) && (keyValueInformation->DataLength != 0)) { // // Set up ServiceKeyName unicode string // IopRegistryDataToUnicodeString( &serviceName, (PWSTR)KEY_VALUE_DATA(keyValueInformation), keyValueInformation->DataLength ); } // // Do not Free keyValueInformation // } // // The Pnp mgr set FoundAtEnum to 0 for everything under system\ccs\enum. // For the stuff under Root we need to set them to 1 except if their // CsConfigFlags was set to CSCONFIGFLAG_DO_NOT_CREATE. // foundAtEnum = 1; status = RtlUnicodeStringToInteger(KeyName, 10, &instance); if (NT_SUCCESS(status)) { if (serviceName.Length != 0) { status = IopGetDeviceInstanceCsConfigFlags( &serviceName, instance, &deviceFlags ); if (NT_SUCCESS(status) && (deviceFlags & CSCONFIGFLAG_DO_NOT_CREATE)) { foundAtEnum = 0; } } } if (keyValueInformation) { ExFreePool(keyValueInformation); } PiWstrToUnicodeString(&unicodeName, REGSTR_VALUE_FOUNDATENUM); NtSetValueKey(KeyHandle, &unicodeName, TITLE_INDEX_VALUE, REG_DWORD, &foundAtEnum, sizeof(foundAtEnum) ); // // Clean up "NtLogicalDevicePaths=" and "NtPhysicalDevicePaths=" of this key // PiWstrToUnicodeString(&unicodeName, REGSTR_VALUE_NT_PHYSICAL_DEVICE_PATHS); NtDeleteValueKey(KeyHandle, &unicodeName); PiWstrToUnicodeString(&unicodeName, REGSTR_VALUE_NT_LOGICAL_DEVICE_PATHS); NtDeleteValueKey(KeyHandle, &unicodeName); return TRUE; }
VOID PhpAdvancedPageSave( _In_ HWND hwndDlg ) { ULONG sampleCount; SetSettingForDlgItemCheck(hwndDlg, IDC_ENABLEWARNINGS, L"EnableWarnings"); SetSettingForDlgItemCheckRestartRequired(hwndDlg, IDC_ENABLEKERNELMODEDRIVER, L"EnableKph"); SetSettingForDlgItemCheck(hwndDlg, IDC_HIDEUNNAMEDHANDLES, L"HideUnnamedHandles"); SetSettingForDlgItemCheckRestartRequired(hwndDlg, IDC_ENABLESTAGE2, L"EnableStage2"); SetSettingForDlgItemCheckRestartRequired(hwndDlg, IDC_ENABLENETWORKRESOLVE, L"EnableNetworkResolve"); SetSettingForDlgItemCheck(hwndDlg, IDC_PROPAGATECPUUSAGE, L"PropagateCpuUsage"); SetSettingForDlgItemCheck(hwndDlg, IDC_ENABLEINSTANTTOOLTIPS, L"EnableInstantTooltips"); if (WindowsVersion >= WINDOWS_7) SetSettingForDlgItemCheckRestartRequired(hwndDlg, IDC_ENABLECYCLECPUUSAGE, L"EnableCycleCpuUsage"); sampleCount = GetDlgItemInt(hwndDlg, IDC_SAMPLECOUNT, NULL, FALSE); SetSettingForDlgItemCheckRestartRequired(hwndDlg, IDC_SAMPLECOUNTAUTOMATIC, L"SampleCountAutomatic"); if (sampleCount == 0) sampleCount = 1; if (sampleCount != PhGetIntegerSetting(L"SampleCount")) RestartRequired = TRUE; PhSetIntegerSetting(L"SampleCount", sampleCount); // Replace Task Manager if (IsWindowEnabled(GetDlgItem(hwndDlg, IDC_REPLACETASKMANAGER))) { NTSTATUS status; HANDLE taskmgrKeyHandle; BOOLEAN replaceTaskMgr; UNICODE_STRING valueName; replaceTaskMgr = Button_GetCheck(GetDlgItem(hwndDlg, IDC_REPLACETASKMANAGER)) == BST_CHECKED; if (OldReplaceTaskMgr != replaceTaskMgr) { // We should have created the key back in PhpAdvancedPageLoad, which is why // we're opening the key here. if (NT_SUCCESS(PhOpenKey( &taskmgrKeyHandle, KEY_WRITE, PH_KEY_LOCAL_MACHINE, &TaskMgrImageOptionsKeyName, 0 ))) { RtlInitUnicodeString(&valueName, L"Debugger"); if (replaceTaskMgr) { PPH_STRING quotedFileName; quotedFileName = PH_AUTO(PhConcatStrings(3, L"\"", PhApplicationFileName->Buffer, L"\"")); status = NtSetValueKey(taskmgrKeyHandle, &valueName, 0, REG_SZ, quotedFileName->Buffer, (ULONG)quotedFileName->Length + 2); } else { status = NtDeleteValueKey(taskmgrKeyHandle, &valueName); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to replace Task Manager", status, 0); NtClose(taskmgrKeyHandle); } } } }
static VOID RemoveAppCompatEntry( _In_ HANDLE ParentKey ) { static PH_STRINGREF keyName = PH_STRINGREF_INIT(L"ProcessHacker.exe"); ULONG bufferLength; KEY_FULL_INFORMATION fullInfo; memset(&fullInfo, 0, sizeof(KEY_FULL_INFORMATION)); if (!NT_SUCCESS(NtQueryKey( ParentKey, KeyFullInformation, &fullInfo, sizeof(KEY_FULL_INFORMATION), &bufferLength ))) { return; } for (ULONG i = 0; i < fullInfo.Values; i++) { PPH_STRING value; PKEY_VALUE_FULL_INFORMATION buffer; bufferLength = sizeof(KEY_VALUE_FULL_INFORMATION); buffer = PhAllocate(bufferLength); memset(buffer, 0, bufferLength); if (NT_SUCCESS(NtEnumerateValueKey( ParentKey, i, KeyValueFullInformation, buffer, bufferLength, &bufferLength ))) { PhFree(buffer); break; } //bufferLength = bufferLength; buffer = PhReAllocate(buffer, bufferLength); memset(buffer, 0, bufferLength); if (!NT_SUCCESS(NtEnumerateValueKey( ParentKey, i, KeyValueFullInformation, buffer, bufferLength, &bufferLength ))) { PhFree(buffer); break; } if (value = PhCreateStringEx(buffer->Name, buffer->NameLength)) { UNICODE_STRING us; PhStringRefToUnicodeString(&value->sr, &us); if (PhEndsWithStringRef(&value->sr, &keyName, TRUE)) { NtDeleteValueKey(ParentKey, &us); } PhDereferenceObject(value); } PhFree(buffer); } }