BOOLEAN
SampSetUpgradeFlag(
)
/*++
Routine Description:
This routine sets SAM upgrade flag is set. The upgrade
flag is:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\lsa
UpgradeSam = REG_DWORD 1
and the value will be deleted.
Arguments:
Return Value:
TRUE - The flag was set
FALSE - The flag was not set or the value was not present
--*/
{
NTSTATUS NtStatus;
UNICODE_STRING KeyName;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE KeyHandle;
UCHAR Buffer[100];
PKEY_VALUE_PARTIAL_INFORMATION KeyValueInformation = (PKEY_VALUE_PARTIAL_INFORMATION) Buffer;
ULONG KeyValueLength = 100;
ULONG ResultLength;
PULONG UpgradeFlag;
//
// Open the Lsa key in the registry
//
RtlInitUnicodeString(
&KeyName,
SAMP_LSA_KEY_NAME
);
InitializeObjectAttributes(
&ObjectAttributes,
&KeyName,
OBJ_CASE_INSENSITIVE,
0,
NULL
);
NtStatus = NtOpenKey(
&KeyHandle,
KEY_SET_VALUE,
&ObjectAttributes
);
if (!NT_SUCCESS(NtStatus)) {
return(FALSE);
}
//
// Query the Notification Packages value
//
RtlInitUnicodeString(
&KeyName,
L"UpgradeSam"
);
NtStatus = NtDeleteValueKey(
KeyHandle,
&KeyName
);
NtClose(KeyHandle);
}
void DeleteValueTest(void)
{
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING KeyName = RTL_CONSTANT_STRING(L"\\Registry\\Machine\\Software\\testkey");
UNICODE_STRING ValueName = RTL_CONSTANT_STRING(L"TestValue");
HANDLE KeyHandle;
NTSTATUS Status;
dprintf("Open key '\\Registry\\Machine\\Software\\testkey':\n");
InitializeObjectAttributes(&ObjectAttributes,
&KeyName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
Status=NtOpenKey(&KeyHandle,
MAXIMUM_ALLOWED,
&ObjectAttributes);
dprintf(" Status = %lx\n", Status);
if (!NT_SUCCESS(Status))
return;
dprintf("Delete value:\n");
Status = NtDeleteValueKey(KeyHandle,
&ValueName);
dprintf(" Status = %lx\n", Status);
dprintf("Close key:\n");
Status = NtClose(KeyHandle);
dprintf(" Status = %lx\n", Status);
}
NTSTATUS
NTAPI
RtlApplyRXact(
PRXACT_CONTEXT Context)
{
UNICODE_STRING ValueName;
NTSTATUS Status;
/* Temporarily safe the current transaction in the 'Log' key value */
RtlInitUnicodeString(&ValueName, L"Log");
Status = ZwSetValueKey(Context->KeyHandle,
&ValueName,
0,
REG_BINARY,
Context->Data,
Context->Data->CurrentSize);
if (!NT_SUCCESS(Status))
{
return Status;
}
/* Flush the key */
Status = NtFlushKey(Context->KeyHandle);
if (!NT_SUCCESS(Status))
{
NtDeleteValueKey(Context->KeyHandle, &ValueName);
return Status;
}
/* Now commit the transaction */
Status = RXactpCommit(Context);
if (!NT_SUCCESS(Status))
{
NtDeleteValueKey(Context->KeyHandle, &ValueName);
return Status;
}
/* Delete the 'Log' key value */
Status = NtDeleteValueKey(Context->KeyHandle, &ValueName);
ASSERT(NT_SUCCESS(Status));
/* Reset the transaction */
Status = RtlAbortRXact(Context);
ASSERT(NT_SUCCESS(Status));
return STATUS_SUCCESS;
}
NTSTATUS
SampRegDeleteValue(IN HANDLE KeyHandle,
IN LPCWSTR ValueName)
{
UNICODE_STRING Name;
RtlInitUnicodeString(&Name,
ValueName);
return NtDeleteValueKey(KeyHandle,
&Name);
}
/* registry link delete test */
void test7(void)
{
HANDLE hKey;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING KeyName,ValueName;
NTSTATUS Status;
dprintf("Open link key\n");
dprintf(" Key: \\Registry\\Machine\\SOFTWARE\\Test\n");
RtlRosInitUnicodeStringFromLiteral(&KeyName, L"\\Registry\\Machine\\SOFTWARE\\Test");
InitializeObjectAttributes(&ObjectAttributes,
&KeyName,
OBJ_CASE_INSENSITIVE | OBJ_OPENIF | OBJ_OPENLINK,
NULL,
NULL);
Status = NtCreateKey(&hKey,
KEY_ALL_ACCESS,
&ObjectAttributes,
0,
NULL,
REG_OPTION_VOLATILE | REG_OPTION_OPEN_LINK,
NULL);
dprintf(" NtCreateKey() called (Status %lx)\n",Status);
if (!NT_SUCCESS(Status))
{
dprintf("Could not open the link key. Please run the link create test first!\n");
return;
}
dprintf("Delete link value\n");
RtlRosInitUnicodeStringFromLiteral(&ValueName, L"SymbolicLinkValue");
Status = NtDeleteValueKey(hKey,
&ValueName);
dprintf(" NtDeleteValueKey() called (Status %lx)\n",Status);
dprintf("Delete link key\n");
Status=NtDeleteKey(hKey);
dprintf(" NtDeleteKey() called (Status %lx)\n",Status);
dprintf("Close link key\n");
NtClose(hKey);
}
static VOID WriteCurrentUserRun(
_In_ BOOLEAN Present,
_In_ BOOLEAN StartHidden
)
{
HANDLE keyHandle;
if (CurrentUserRunPresent == Present && (!Present || CurrentUserRunStartHidden == StartHidden))
return;
if (NT_SUCCESS(PhOpenKey(
&keyHandle,
KEY_WRITE,
PH_KEY_CURRENT_USER,
&CurrentUserRunKeyName,
0
)))
{
UNICODE_STRING valueName;
RtlInitUnicodeString(&valueName, L"Process Hacker 2");
if (Present)
{
PPH_STRING value;
value = PH_AUTO(PhConcatStrings(3, L"\"", PhApplicationFileName->Buffer, L"\""));
if (StartHidden)
value = PhaConcatStrings2(value->Buffer, L" -hide");
NtSetValueKey(keyHandle, &valueName, 0, REG_SZ, value->Buffer, (ULONG)value->Length + 2);
}
else
{
NtDeleteValueKey(keyHandle, &valueName);
}
NtClose(keyHandle);
}
}
NTSTATUS
NTAPI
RtlInitializeRXact(
HANDLE RootDirectory,
BOOLEAN Commit,
PRXACT_CONTEXT *OutContext)
{
NTSTATUS Status, TmpStatus;
PRXACT_CONTEXT Context;
PKEY_VALUE_FULL_INFORMATION KeyValueInformation;
KEY_VALUE_BASIC_INFORMATION KeyValueBasicInfo;
UNICODE_STRING ValueName;
UNICODE_STRING KeyName;
OBJECT_ATTRIBUTES ObjectAttributes;
RXACT_INFO TransactionInfo;
ULONG Disposition;
ULONG ValueType;
ULONG ValueDataLength;
ULONG Length;
HANDLE KeyHandle;
/* Open or create the 'RXACT' key in the root directory */
RtlInitUnicodeString(&KeyName, L"RXACT");
InitializeObjectAttributes(&ObjectAttributes,
&KeyName,
OBJ_CASE_INSENSITIVE | OBJ_OPENIF,
RootDirectory,
NULL);
Status = ZwCreateKey(&KeyHandle,
KEY_READ | KEY_WRITE | DELETE,
&ObjectAttributes,
0,
NULL,
0,
&Disposition);
if (!NT_SUCCESS(Status))
{
return Status;
}
/* Allocate a new context */
Context = RtlAllocateHeap(RtlGetProcessHeap(), 0, sizeof(*Context));
*OutContext = Context;
if (Context == NULL)
{
TmpStatus = ZwDeleteKey(KeyHandle);
ASSERT(NT_SUCCESS(TmpStatus));
TmpStatus = NtClose(KeyHandle);
ASSERT(NT_SUCCESS(TmpStatus));
return STATUS_NO_MEMORY;
}
/* Initialize the context */
RXactInitializeContext(Context, RootDirectory, KeyHandle);
/* Check if we created a new key */
if (Disposition == REG_CREATED_NEW_KEY)
{
/* The key is new, set the default value */
TransactionInfo.Revision = 1;
RtlInitUnicodeString(&ValueName, NULL);
Status = ZwSetValueKey(KeyHandle,
&ValueName,
0,
REG_NONE,
&TransactionInfo,
sizeof(TransactionInfo));
if (!NT_SUCCESS(Status))
{
TmpStatus = ZwDeleteKey(KeyHandle);
ASSERT(NT_SUCCESS(TmpStatus));
TmpStatus = NtClose(KeyHandle);
ASSERT(NT_SUCCESS(TmpStatus));
RtlFreeHeap(RtlGetProcessHeap(), 0, *OutContext);
return Status;
}
return STATUS_RXACT_STATE_CREATED;
}
else
{
/* The key exited, get the default key value */
ValueDataLength = sizeof(TransactionInfo);
Status = RtlpNtQueryValueKey(KeyHandle,
&ValueType,
&TransactionInfo,
&ValueDataLength,
0);
if (!NT_SUCCESS(Status))
{
TmpStatus = NtClose(KeyHandle);
ASSERT(NT_SUCCESS(TmpStatus));
RtlFreeHeap(RtlGetProcessHeap(), 0, Context);
return Status;
}
/* Check if the value date is valid */
if ((ValueDataLength != sizeof(TransactionInfo)) ||
(TransactionInfo.Revision != 1))
{
TmpStatus = NtClose(KeyHandle);
ASSERT(NT_SUCCESS(TmpStatus));
RtlFreeHeap(RtlGetProcessHeap(), 0, Context);
return STATUS_UNKNOWN_REVISION;
}
/* Query the 'Log' key value */
RtlInitUnicodeString(&ValueName, L"Log");
Status = ZwQueryValueKey(KeyHandle,
&ValueName,
KeyValueBasicInformation,
&KeyValueBasicInfo,
sizeof(KeyValueBasicInfo),
&Length);
if (!NT_SUCCESS(Status))
{
/* There is no 'Log', so we are done */
return STATUS_SUCCESS;
}
/* Check if the caller asked to commit the current state */
if (!Commit)
{
/* We have a log, that must be committed first! */
return STATUS_RXACT_COMMIT_NECESSARY;
}
/* Query the size of the 'Log' key value */
Status = ZwQueryValueKey(KeyHandle,
&ValueName,
KeyValueFullInformation,
NULL,
0,
&Length);
if (Status != STATUS_BUFFER_TOO_SMALL)
{
return Status;
}
/* Allocate a buffer for the key value information */
KeyValueInformation = RtlAllocateHeap(RtlGetProcessHeap(), 0, Length);
if (KeyValueInformation == NULL)
{
return STATUS_NO_MEMORY;
}
/* Query the 'Log' key value */
Status = ZwQueryValueKey(KeyHandle,
&ValueName,
KeyValueFullInformation,
KeyValueInformation,
Length,
&Length);
if (!NT_SUCCESS(Status))
{
RtlFreeHeap(RtlGetProcessHeap(), 0, KeyValueInformation);
RtlFreeHeap(RtlGetProcessHeap(), 0, Context);
return Status;
}
/* Set the Data pointer to the key value data */
Context->Data = (PRXACT_DATA)((PUCHAR)KeyValueInformation +
KeyValueInformation->DataOffset);
/* This is an old log, don't use handles when committing! */
Context->CanUseHandles = FALSE;
/* Commit the data */
Status = RXactpCommit(Context);
if (!NT_SUCCESS(Status))
{
RtlFreeHeap(RtlGetProcessHeap(), 0, KeyValueInformation);
RtlFreeHeap(RtlGetProcessHeap(), 0, Context);
return Status;
}
/* Delete the old key */
Status = NtDeleteValueKey(KeyHandle, &ValueName);
ASSERT(NT_SUCCESS(Status));
/* Set the data member to the allocated buffer, so it will get freed */
Context->Data = (PRXACT_DATA)KeyValueInformation;
/* Abort the old transaction */
Status = RtlAbortRXact(Context);
ASSERT(NT_SUCCESS(Status));
return Status;
}
}
BOOLEAN
IopInitializeDeviceInstanceKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING KeyName,
IN OUT PVOID WorkName
)
/*++
Routine Description:
This routine is a callback function for IopApplyFunctionToSubKeys.
It is called for each subkey under HKLM\System\Enum\BusKey\DeviceKey.
Arguments:
KeyHandle - Supplies a handle to this key.
KeyName - Supplies the name of this key.
WorkName - points to the unicodestring which describes the path up to
this key.
Returns:
TRUE to continue the enumeration.
FALSE to abort it.
--*/
{
UNICODE_STRING unicodeName, serviceName;
PKEY_VALUE_FULL_INFORMATION keyValueInformation;
NTSTATUS status;
BOOLEAN duplicate = FALSE;
ULONG foundAtEnum, deviceFlags, instance, tmpValue1, tmpValue2;
USHORT length;
PUNICODE_STRING pUnicode;
//
// Get the "Problem" value entry to determine what we need to do with
// the device instance key.
//
deviceFlags = 0;
status = IopGetRegistryValue ( KeyHandle,
REGSTR_VALUE_PROBLEM,
&keyValueInformation
);
if (NT_SUCCESS(status)) {
if ((keyValueInformation->Type == REG_DWORD) &&
(keyValueInformation->DataLength >= sizeof(ULONG))) {
deviceFlags = *(PULONG)KEY_VALUE_DATA(keyValueInformation);
}
ExFreePool(keyValueInformation);
}
if (deviceFlags == CM_PROB_MOVED) {
//
// If the device instance was moved, we simply delete the key.
// The key will be deleted once the caller close the open handle.
//
NtDeleteKey(KeyHandle);
return TRUE;
}
//
// The device instance key exists. We need to propagate the ConfigFlag
// to problem and StatusFlags
//
deviceFlags = 0;
status = IopGetRegistryValue(KeyHandle,
REGSTR_VALUE_CONFIG_FLAGS,
&keyValueInformation);
if (NT_SUCCESS(status)) {
if ((keyValueInformation->Type == REG_DWORD) &&
(keyValueInformation->DataLength >= sizeof(ULONG))) {
deviceFlags = *(PULONG)KEY_VALUE_DATA(keyValueInformation);
}
ExFreePool(keyValueInformation);
}
if (deviceFlags & CONFIGFLAG_REINSTALL) {
tmpValue1 = CM_PROB_REINSTALL; // Problem
tmpValue2 = DN_HAS_PROBLEM; // StatusFlags
} else {
tmpValue1 = tmpValue2 = 0;
}
PiWstrToUnicodeString(&unicodeName, REGSTR_VALUE_PROBLEM);
NtSetValueKey(KeyHandle,
&unicodeName,
TITLE_INDEX_VALUE,
REG_DWORD,
&tmpValue1,
sizeof(tmpValue1)
);
PiWstrToUnicodeString(&unicodeName, REGSTR_VALUE_STATUSFLAGS);
NtSetValueKey(KeyHandle,
&unicodeName,
TITLE_INDEX_VALUE,
REG_DWORD,
&tmpValue2,
sizeof(tmpValue2)
);
//
// Get the "DuplicateOf" value entry to determine if the device instance
// should be registered. If the device instance is duplicate, We don't
// add it to its service key's enum branch.
//
status = IopGetRegistryValue ( KeyHandle,
REGSTR_VALUE_DUPLICATEOF,
&keyValueInformation
);
if (NT_SUCCESS(status)) {
if ((keyValueInformation->Type == REG_SZ) &&
(keyValueInformation->DataLength > 0)) {
duplicate = TRUE;
}
ExFreePool(keyValueInformation);
}
if (!duplicate) {
//
// Combine WorkName and KeyName to form device instance path
// and register this device instance by
// constructing new value entry for ServiceKeyName\Enum key.
// i.e., <Number> = <PathToSystemEnumBranch>
//
pUnicode = (PUNICODE_STRING)WorkName;
length = pUnicode->Length; // Save WorkName
if (pUnicode->Buffer[pUnicode->Length / sizeof(WCHAR) - 1] != OBJ_NAME_PATH_SEPARATOR) {
pUnicode->Buffer[pUnicode->Length / sizeof(WCHAR)] = OBJ_NAME_PATH_SEPARATOR;
pUnicode->Length += 2;
}
RtlAppendStringToString((PSTRING)pUnicode, (PSTRING)KeyName);
PpDeviceRegistration(pUnicode, TRUE);
pUnicode->Length = length; // Restore WorkName
}
//
// Get the "Service=" value entry from KeyHandle
//
keyValueInformation = NULL;
serviceName.Length = 0;
status = IopGetRegistryValue ( KeyHandle,
REGSTR_VALUE_SERVICE,
&keyValueInformation
);
if (NT_SUCCESS(status)) {
//
// Append the new instance to its corresponding
// Service\Name\Enum.
//
if ((keyValueInformation->Type == REG_SZ) &&
(keyValueInformation->DataLength != 0)) {
//
// Set up ServiceKeyName unicode string
//
IopRegistryDataToUnicodeString(
&serviceName,
(PWSTR)KEY_VALUE_DATA(keyValueInformation),
keyValueInformation->DataLength
);
}
//
// Do not Free keyValueInformation
//
}
//
// The Pnp mgr set FoundAtEnum to 0 for everything under system\ccs\enum.
// For the stuff under Root we need to set them to 1 except if their
// CsConfigFlags was set to CSCONFIGFLAG_DO_NOT_CREATE.
//
foundAtEnum = 1;
status = RtlUnicodeStringToInteger(KeyName, 10, &instance);
if (NT_SUCCESS(status)) {
if (serviceName.Length != 0) {
status = IopGetDeviceInstanceCsConfigFlags(
&serviceName,
instance,
&deviceFlags
);
if (NT_SUCCESS(status) && (deviceFlags & CSCONFIGFLAG_DO_NOT_CREATE)) {
foundAtEnum = 0;
}
}
}
if (keyValueInformation) {
ExFreePool(keyValueInformation);
}
PiWstrToUnicodeString(&unicodeName, REGSTR_VALUE_FOUNDATENUM);
NtSetValueKey(KeyHandle,
&unicodeName,
TITLE_INDEX_VALUE,
REG_DWORD,
&foundAtEnum,
sizeof(foundAtEnum)
);
//
// Clean up "NtLogicalDevicePaths=" and "NtPhysicalDevicePaths=" of this key
//
PiWstrToUnicodeString(&unicodeName, REGSTR_VALUE_NT_PHYSICAL_DEVICE_PATHS);
NtDeleteValueKey(KeyHandle, &unicodeName);
PiWstrToUnicodeString(&unicodeName, REGSTR_VALUE_NT_LOGICAL_DEVICE_PATHS);
NtDeleteValueKey(KeyHandle, &unicodeName);
return TRUE;
}
VOID PhpAdvancedPageSave(
_In_ HWND hwndDlg
)
{
ULONG sampleCount;
SetSettingForDlgItemCheck(hwndDlg, IDC_ENABLEWARNINGS, L"EnableWarnings");
SetSettingForDlgItemCheckRestartRequired(hwndDlg, IDC_ENABLEKERNELMODEDRIVER, L"EnableKph");
SetSettingForDlgItemCheck(hwndDlg, IDC_HIDEUNNAMEDHANDLES, L"HideUnnamedHandles");
SetSettingForDlgItemCheckRestartRequired(hwndDlg, IDC_ENABLESTAGE2, L"EnableStage2");
SetSettingForDlgItemCheckRestartRequired(hwndDlg, IDC_ENABLENETWORKRESOLVE, L"EnableNetworkResolve");
SetSettingForDlgItemCheck(hwndDlg, IDC_PROPAGATECPUUSAGE, L"PropagateCpuUsage");
SetSettingForDlgItemCheck(hwndDlg, IDC_ENABLEINSTANTTOOLTIPS, L"EnableInstantTooltips");
if (WindowsVersion >= WINDOWS_7)
SetSettingForDlgItemCheckRestartRequired(hwndDlg, IDC_ENABLECYCLECPUUSAGE, L"EnableCycleCpuUsage");
sampleCount = GetDlgItemInt(hwndDlg, IDC_SAMPLECOUNT, NULL, FALSE);
SetSettingForDlgItemCheckRestartRequired(hwndDlg, IDC_SAMPLECOUNTAUTOMATIC, L"SampleCountAutomatic");
if (sampleCount == 0)
sampleCount = 1;
if (sampleCount != PhGetIntegerSetting(L"SampleCount"))
RestartRequired = TRUE;
PhSetIntegerSetting(L"SampleCount", sampleCount);
// Replace Task Manager
if (IsWindowEnabled(GetDlgItem(hwndDlg, IDC_REPLACETASKMANAGER)))
{
NTSTATUS status;
HANDLE taskmgrKeyHandle;
BOOLEAN replaceTaskMgr;
UNICODE_STRING valueName;
replaceTaskMgr = Button_GetCheck(GetDlgItem(hwndDlg, IDC_REPLACETASKMANAGER)) == BST_CHECKED;
if (OldReplaceTaskMgr != replaceTaskMgr)
{
// We should have created the key back in PhpAdvancedPageLoad, which is why
// we're opening the key here.
if (NT_SUCCESS(PhOpenKey(
&taskmgrKeyHandle,
KEY_WRITE,
PH_KEY_LOCAL_MACHINE,
&TaskMgrImageOptionsKeyName,
0
)))
{
RtlInitUnicodeString(&valueName, L"Debugger");
if (replaceTaskMgr)
{
PPH_STRING quotedFileName;
quotedFileName = PH_AUTO(PhConcatStrings(3, L"\"", PhApplicationFileName->Buffer, L"\""));
status = NtSetValueKey(taskmgrKeyHandle, &valueName, 0, REG_SZ, quotedFileName->Buffer, (ULONG)quotedFileName->Length + 2);
}
else
{
status = NtDeleteValueKey(taskmgrKeyHandle, &valueName);
}
if (!NT_SUCCESS(status))
PhShowStatus(hwndDlg, L"Unable to replace Task Manager", status, 0);
NtClose(taskmgrKeyHandle);
}
}
}
}
static VOID RemoveAppCompatEntry(
_In_ HANDLE ParentKey
)
{
static PH_STRINGREF keyName = PH_STRINGREF_INIT(L"ProcessHacker.exe");
ULONG bufferLength;
KEY_FULL_INFORMATION fullInfo;
memset(&fullInfo, 0, sizeof(KEY_FULL_INFORMATION));
if (!NT_SUCCESS(NtQueryKey(
ParentKey,
KeyFullInformation,
&fullInfo,
sizeof(KEY_FULL_INFORMATION),
&bufferLength
)))
{
return;
}
for (ULONG i = 0; i < fullInfo.Values; i++)
{
PPH_STRING value;
PKEY_VALUE_FULL_INFORMATION buffer;
bufferLength = sizeof(KEY_VALUE_FULL_INFORMATION);
buffer = PhAllocate(bufferLength);
memset(buffer, 0, bufferLength);
if (NT_SUCCESS(NtEnumerateValueKey(
ParentKey,
i,
KeyValueFullInformation,
buffer,
bufferLength,
&bufferLength
)))
{
PhFree(buffer);
break;
}
//bufferLength = bufferLength;
buffer = PhReAllocate(buffer, bufferLength);
memset(buffer, 0, bufferLength);
if (!NT_SUCCESS(NtEnumerateValueKey(
ParentKey,
i,
KeyValueFullInformation,
buffer,
bufferLength,
&bufferLength
)))
{
PhFree(buffer);
break;
}
if (value = PhCreateStringEx(buffer->Name, buffer->NameLength))
{
UNICODE_STRING us;
PhStringRefToUnicodeString(&value->sr, &us);
if (PhEndsWithStringRef(&value->sr, &keyName, TRUE))
{
NtDeleteValueKey(ParentKey, &us);
}
PhDereferenceObject(value);
}
PhFree(buffer);
}
}
