/*
* TsmiReadPatchChains
*
* Purpose:
*
* Read specified chains value from registry.
*
*/
NTSTATUS TsmiReadPatchChains(
_In_ HANDLE sKey,
_In_ PUNICODE_STRING ParamName,
_In_ VBOX_PATCH *PatchInfo
)
{
KEY_VALUE_PARTIAL_INFORMATION keyinfo;
ULONG ChainsLength = 0, bytesIO;
NTSTATUS status;
PAGED_CODE();
if (sKey == NULL)
return STATUS_INVALID_PARAMETER_1;
if (ParamName == NULL)
return STATUS_INVALID_PARAMETER_2;
if (PatchInfo == NULL)
return STATUS_INVALID_PARAMETER_3;
status = ZwQueryValueKey(sKey, ParamName, KeyValuePartialInformation, &keyinfo, sizeof(KEY_VALUE_PARTIAL_INFORMATION), &ChainsLength);
if (NT_SUCCESS(status)) {
return STATUS_BUFFER_TOO_SMALL; // The key value is empty. It should not success with zero-length buffer if there are some data;
}
if ((status != STATUS_BUFFER_TOO_SMALL) && (status != STATUS_BUFFER_OVERFLOW)) {
return status;
}
//
// Allocate buffer for data with given size
//
PatchInfo->Chains = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePoolWithTagPriority(PagedPool,
(SIZE_T)ChainsLength, TSUGUMI_TAG, NormalPoolPriority);
if (PatchInfo->Chains == NULL)
return STATUS_INSUFFICIENT_RESOURCES;
#ifdef _DEBUGMSG
DbgPrint("[TSMI] ChainsLength=%lx\n", ChainsLength);
#endif //_DEBUGMSG
RtlSecureZeroMemory(PatchInfo->Chains, ChainsLength);
status = ZwQueryValueKey(sKey, ParamName, KeyValuePartialInformation, PatchInfo->Chains, ChainsLength, &bytesIO);
if (NT_SUCCESS(status)) {
PatchInfo->ChainsLength = ChainsLength;
#ifdef _DEBUGMSG
TsmiListPatchChains(PatchInfo->Chains);
#endif //_DEBUGMSG
}
return status;
}
NTSTATUS KphReadDynamicDataParameters(
__in_opt HANDLE KeyHandle
)
{
NTSTATUS status;
UNICODE_STRING valueName;
PKEY_VALUE_PARTIAL_INFORMATION info;
ULONG resultLength;
PAGED_CODE();
if (!KeyHandle)
return STATUS_UNSUCCESSFUL;
RtlInitUnicodeString(&valueName, L"DynamicConfiguration");
status = ZwQueryValueKey(
KeyHandle,
&valueName,
KeyValuePartialInformation,
NULL,
0,
&resultLength
);
if (status != STATUS_BUFFER_OVERFLOW && status != STATUS_BUFFER_TOO_SMALL)
{
// Unexpected status; fail now.
return STATUS_UNSUCCESSFUL;
}
info = ExAllocatePoolWithTag(PagedPool, resultLength, 'ThpK');
if (!info)
return STATUS_INSUFFICIENT_RESOURCES;
status = ZwQueryValueKey(
KeyHandle,
&valueName,
KeyValuePartialInformation,
info,
resultLength,
&resultLength
);
if (NT_SUCCESS(status))
{
if (info->Type == REG_BINARY)
status = KphpLoadDynamicConfiguration(info->Data, info->DataLength);
else
status = STATUS_OBJECT_TYPE_MISMATCH;
if (!NT_SUCCESS(status))
dprintf("Unable to load dynamic configuration: 0x%x\n", status);
}
ExFreePoolWithTag(info, 'ThpK');
return status;
}
NTSTATUS Reg_GetStringValue(_In_ HANDLE hKey, _In_ LPCWSTR pszValueName, _Out_ PWSTR *ppValue)
{
NTSTATUS Status = STATUS_SUCCESS;
UNICODE_STRING ValueName;
RtlInitUnicodeString(&ValueName, pszValueName);
ULONG ResultLength = 0;
Status = ZwQueryValueKey(hKey, &ValueName, KeyValuePartialInformation, NULL, 0, &ResultLength);
if (STATUS_BUFFER_OVERFLOW == Status || STATUS_BUFFER_TOO_SMALL == Status)
{
KEY_VALUE_PARTIAL_INFORMATION *pBuffer = ExAllocatePool(PagedPool, ResultLength);
if (pBuffer)
{
Status = ZwQueryValueKey(hKey, &ValueName, KeyValuePartialInformation, pBuffer, ResultLength, &ResultLength);
if (NT_SUCCESS(Status) && pBuffer->Type == REG_SZ) {
*ppValue = ExAllocatePool(PagedPool, pBuffer->DataLength);
if (*ppValue)
RtlMoveMemory(*ppValue, pBuffer->Data, pBuffer->DataLength);
else
Status = STATUS_INSUFFICIENT_RESOURCES;
}
ExFreePool(pBuffer);
}
}
else if (NT_SUCCESS(Status)) {
*ppValue = NULL;
}
return Status;
}
/*
typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
ULONG TitleIndex;
ULONG Type;
ULONG DataLength;
UCHAR Data[1];
} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
*/
NTSTATUS RegQueryValueKey(LPWSTR KeyName, LPWSTR ValueName, PKEY_VALUE_PARTIAL_INFORMATION *pkvpi)
{
ULONG ulSize;
NTSTATUS ntStatus;
PKEY_VALUE_PARTIAL_INFORMATION pvpi;
OBJECT_ATTRIBUTES objectAttributes;
HANDLE hRegister;
UNICODE_STRING usKeyName;
UNICODE_STRING usValueName;
RtlInitUnicodeString(&usKeyName, KeyName);
RtlInitUnicodeString(&usValueName, ValueName);
InitializeObjectAttributes(&objectAttributes,
&usKeyName,
OBJ_CASE_INSENSITIVE,//对大小写敏感
NULL,
NULL );
ntStatus = ZwOpenKey( &hRegister, KEY_ALL_ACCESS, &objectAttributes);
if(!NT_SUCCESS(ntStatus))
{
DbgPrint("[RegQueryValueKey]ZwOpenKey failed!\n");
return ntStatus;
}
ntStatus = ZwQueryValueKey(hRegister,
&usValueName,
KeyValuePartialInformation ,
NULL,
0,
&ulSize);
if (ntStatus==STATUS_OBJECT_NAME_NOT_FOUND || ulSize==0)
{
DbgPrint("ZwQueryValueKey 1 failed!\n");
return STATUS_UNSUCCESSFUL;
}
pvpi = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,ulSize);
ntStatus = ZwQueryValueKey(hRegister,
&usValueName,
KeyValuePartialInformation ,
pvpi,
ulSize,
&ulSize);
if (!NT_SUCCESS(ntStatus))
{
DbgPrint("ZwQueryValueKey 2 failed!\n");
return STATUS_UNSUCCESSFUL;
}
//这里的pvpi是没有释放的用完要释放。ExFreePool(pvpi);
*pkvpi=pvpi;
DbgPrint("ZwQueryValueKey success!\n");
return STATUS_SUCCESS;
}
VBOXDRVTOOL_DECL(NTSTATUS) VBoxDrvToolRegQueryValueDword(IN HANDLE hKey, IN PWCHAR pName, OUT PULONG pDword)
{
struct
{
KEY_VALUE_PARTIAL_INFORMATION Info;
UCHAR Buf[32]; /* should be enough */
} Buf;
ULONG cbBuf;
UNICODE_STRING RtlStr;
RtlInitUnicodeString(&RtlStr, pName);
NTSTATUS Status = ZwQueryValueKey(hKey,
&RtlStr,
KeyValuePartialInformation,
&Buf.Info,
sizeof(Buf),
&cbBuf);
if (Status == STATUS_SUCCESS)
{
if (Buf.Info.Type == REG_DWORD)
{
Assert(Buf.Info.DataLength == 4);
*pDword = *((PULONG)Buf.Info.Data);
return STATUS_SUCCESS;
}
}
return STATUS_INVALID_PARAMETER;
}
NTSTATUS ReadRegistryString(PUNICODE_STRING RegistryPath, PWCHAR ValueName, PWCHAR ValueBuffer, DWORD Len)
{
NTSTATUS St;
UNICODE_STRING param;
OBJECT_ATTRIBUTES ObjAtr;
HANDLE hKey;
PKEY_VALUE_PARTIAL_INFORMATION info = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(NonPagedPool, 260*2);
ULONG size;
InitializeObjectAttributes(&ObjAtr, RegistryPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
St = ZwOpenKey(&hKey, KEY_QUERY_VALUE, &ObjAtr);
if (St == STATUS_SUCCESS)
{
RtlInitUnicodeString(¶m, ValueName);
St = ZwQueryValueKey(hKey, ¶m, KeyValuePartialInformation, (PVOID)info, 260*2, &size);
if (NT_SUCCESS(St))
{
RtlZeroMemory(ValueBuffer, Len);
RtlCopyMemory(ValueBuffer, info->Data, info->DataLength);
}
ZwClose(hKey);
}
return St;
}
NTSTATUS GetRegistryDWORD(HANDLE hKey, LPCWSTR Value, PULONG Data, ULONG Default)
{
UCHAR buffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(ULONG)];
NTSTATUS status;
UNICODE_STRING valueName;
ULONG length;
RtlInitUnicodeString(&valueName, Value);
status = ZwQueryValueKey(hKey, &valueName, KeyValuePartialInformation, buffer, sizeof(buffer), &length);
if (NT_SUCCESS(status) && length <= sizeof(buffer))
{
PKEY_VALUE_PARTIAL_INFORMATION info = (PKEY_VALUE_PARTIAL_INFORMATION)buffer;
if (info->Type == REG_DWORD && info->DataLength == sizeof(ULONG))
*Data = *(ULONG*)(info->Data);
else
*Data = Default;
}
else
{
*Data = Default;
}
return STATUS_SUCCESS;
}
PJOYSTICK_MAP PPJoy_ReadMappingFromReg (UCHAR JoyType, HANDLE RegKey)
{
NTSTATUS ntStatus;
ULONG NumRead;
UNICODE_STRING ValueName;
WCHAR ValueNameBuffer[128];
ULONG MapSize;
UCHAR Buffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION)+1024];
PJOYSTICK_MAP Mapping;
PAGED_CODE();
Mapping= NULL;
swprintf (ValueNameBuffer,L"MapV1_%02X",JoyType);
RtlInitUnicodeString(&ValueName,ValueNameBuffer);
NumRead= 0;
ntStatus= ZwQueryValueKey(RegKey,&ValueName,KeyValuePartialInformation,Buffer,sizeof(Buffer),&NumRead);
if(!NT_SUCCESS(ntStatus))
{
PPJOY_DBGPRINT (FILE_MAPPING|PPJOY_WARN, ("Error 0x%X reading value %S. NumRead= %d",ntStatus,ValueName.Buffer,NumRead) );
goto Exit;
}
if (((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->Type!=REG_BINARY)
{
PPJOY_DBGPRINT (FILE_MAPPING|PPJOY_WARN, ("Wrong registry datatype %d reading value %S",((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->Type,ValueName.Buffer) );
goto Exit;
}
if (((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->DataLength==0)
{
PPJOY_DBGPRINT (FILE_MAPPING|PPJOY_BABBLE, ("Empty registry key, ignoring") );
goto Exit;
}
MapSize= (ULONG)-1;
if (((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->DataLength>4)
MapSize= PPJOY_ComputeMappingSize((PJOYSTICK_MAP)(((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->Data));
if (((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->DataLength!=MapSize)
{
PPJOY_DBGPRINT (FILE_MAPPING|PPJOY_WARN, ("Invalid registry value size. Value size= %d expected %d",((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->DataLength,MapSize) );
goto Exit;
}
Mapping= ExAllocatePoolWithTag (NonPagedPool,MapSize,PPJOY_POOL_TAG);
if (!Mapping)
{
PPJOY_DBGPRINT (FILE_MAPPING|PPJOY_ERROR, ("Cannot allocate nonpaged pool to store joystick mapping. Help!") );
goto Exit;
}
RtlCopyMemory (Mapping,((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->Data,MapSize);
Exit:
return Mapping;
}
/*****************************************************************************
* GetRegValueDword()
*****************************************************************************
* Convenience function to encapsulate registry reads.
*/
int GetRegValueDword(_In_ LPTSTR RegPath,_In_ LPTSTR ValueName,PULONG Value)
{
int ReturnValue = 0;
NTSTATUS Status;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE KeyHandle;
KEY_VALUE_PARTIAL_INFORMATION *Information;
ULONG InformationSize;
UNICODE_STRING UnicodeRegPath;
UNICODE_STRING UnicodeValueName;
RtlInitUnicodeString(&UnicodeRegPath, RegPath);
RtlInitUnicodeString(&UnicodeValueName, ValueName);
InitializeObjectAttributes(&ObjectAttributes,
&UnicodeRegPath,
OBJ_KERNEL_HANDLE, // Flags
NULL, // Root directory
NULL); // Security descriptor
Status = ZwOpenKey(&KeyHandle,
KEY_QUERY_VALUE,
&ObjectAttributes);
if (Status != STATUS_SUCCESS)
{
return 0;
}
InformationSize = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(ULONG);
Information = (KEY_VALUE_PARTIAL_INFORMATION*)ExAllocatePoolWithTag(PagedPool, InformationSize,'ISmD'); // DmSI
if (Information == NULL)
{
ZwClose(KeyHandle);
return 0;
}
Status = ZwQueryValueKey(KeyHandle,
&UnicodeValueName,
KeyValuePartialInformation,
Information,
InformationSize,
&InformationSize);
if (Status == STATUS_SUCCESS)
{
if (Information->Type == REG_DWORD && Information->DataLength == sizeof(ULONG))
{
RtlCopyMemory(Value, Information->Data, sizeof(ULONG));
ReturnValue = 1;
}
}
ExFreePool(Information);
ZwClose(KeyHandle);
return ReturnValue;
}
NTSTATUS NtfsQueryValueKey(IN PUNICODE_STRING KeyName,
IN PUNICODE_STRING ValueName,
IN OUT ULONG *KeyInfoSize,
OUT PKEY_VALUE_FULL_INFORMATION *KeyInfo,
OUT BOOLEAN* bNeedRelease)
{
NTSTATUS Status;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE Handle;
ULONG MemSize;
ULONG ResultLength;
InitializeObjectAttributes(&ObjectAttributes,KeyName,OBJ_CASE_INSENSITIVE,NULL,NULL);
Status = ZwOpenKey(&Handle,0x20019, &ObjectAttributes);
if(NT_SUCCESS(Status))
{
MemSize = *KeyInfoSize;
do
{
Status = ZwQueryValueKey(Handle, ValueName, KeyValueFullInformation, (PVOID)*KeyInfo, MemSize, &ResultLength);
if(Status != 0x80000005)
break;
if(bNeedRelease[0])
{
ExFreePool(*KeyInfo);
KeyInfoSize[0] = 0;
KeyInfo[0] = 0;
bNeedRelease[0] = FALSE;
}
MemSize += 256;
KeyInfo[0] = (PKEY_VALUE_FULL_INFORMATION)ExAllocatePoolWithTag(PagedPool, MemSize, REG_TAG );
if(!KeyInfo[0])
return 0xC0000017;
KeyInfoSize[0] = MemSize;
bNeedRelease[0] = TRUE;
} while (TRUE);
ZwClose(Handle);
if(NT_SUCCESS(Status))
{
if(!KeyInfo[0]->NameLength)
{
Status = 0xC0000034;
}
}
}
return Status;
}
PKEY_VALUE_PARTIAL_INFORMATION
ReadKeyValue(
IN HANDLE hSubKey,
IN PUNICODE_STRING KeyName)
{
NTSTATUS Status;
ULONG Length;
PKEY_VALUE_PARTIAL_INFORMATION PartialInformation;
/* now query MatchingDeviceId key */
Status = ZwQueryValueKey(hSubKey, KeyName, KeyValuePartialInformation, NULL, 0, &Length);
/* check for success */
if (Status != STATUS_BUFFER_TOO_SMALL)
return NULL;
/* allocate a buffer for key data */
PartialInformation = AllocateItem(NonPagedPool, Length);
if (!PartialInformation)
return NULL;
/* now query MatchingDeviceId key */
Status = ZwQueryValueKey(hSubKey, KeyName, KeyValuePartialInformation, PartialInformation, Length, &Length);
/* check for success */
if (!NT_SUCCESS(Status))
{
FreeItem(PartialInformation);
return NULL;
}
if (PartialInformation->Type != REG_SZ)
{
/* invalid key type */
FreeItem(PartialInformation);
return NULL;
}
return PartialInformation;
}
static SshRegData
ssh_registry_platform_get_value(SshRegKey registry_key,
SshRegUnicodeString value_name,
SshRegSize *size_return)
{
PKEY_VALUE_PARTIAL_INFORMATION info;
ULONG data_size;
SshRegData ret_ptr = NULL;
SSH_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);
if (ZwQueryValueKey(registry_key, value_name, KeyValuePartialInformation,
NULL, 0, &data_size) != STATUS_BUFFER_TOO_SMALL)
goto error;
info = ssh_malloc(data_size);
if (info == NULL)
goto error;
if (NT_SUCCESS(ZwQueryValueKey(registry_key, value_name,
KeyValuePartialInformation, info,
data_size, &data_size)))
{
if (data_size > info->DataLength)
{
ret_ptr = ssh_malloc(info->DataLength);
if (ret_ptr)
{
memcpy(ret_ptr, info->Data, info->DataLength);
if (size_return)
*size_return = info->DataLength;
}
}
}
ssh_free(info);
error:
return ret_ptr;
}
/*
* TsmiReadPatchChains
*
* Purpose:
*
* Read specified chains value from registry.
*
*/
NTSTATUS TsmiReadPatchChains(
_In_ HANDLE sKey,
_In_ PUNICODE_STRING ParamName,
_In_ PVOID *ParamBuffer,
_In_ ULONG *ChainsLength
)
{
KEY_VALUE_PARTIAL_INFORMATION keyinfo;
NTSTATUS status;
ULONG bytesIO = 0;
if (ChainsLength == NULL)
return STATUS_INVALID_PARAMETER_4;
status = ZwQueryValueKey(sKey, ParamName, KeyValuePartialInformation, &keyinfo, sizeof(KEY_VALUE_PARTIAL_INFORMATION), &bytesIO);
if (NT_SUCCESS(status))
return STATUS_BUFFER_TOO_SMALL; // The key value is empty. It should not success with zero-length buffer if there are some data;
if ((status != STATUS_BUFFER_TOO_SMALL) && (status != STATUS_BUFFER_OVERFLOW))
return STATUS_INVALID_PARAMETER; // we got unexpected return
// bytesIO contains key value data length
*ChainsLength = bytesIO;
*ParamBuffer = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePoolWithTagPriority(PagedPool, (SIZE_T)bytesIO, TSUGUMI_TAG, NormalPoolPriority);
if (*ParamBuffer == NULL)
return STATUS_INSUFFICIENT_RESOURCES;
#ifdef _DEBUGMSG
DbgPrint("[TSMI] ChainsLength=%lx\n", *ChainsLength);
#endif
RtlSecureZeroMemory(*ParamBuffer, bytesIO);
status = ZwQueryValueKey(sKey, ParamName, KeyValuePartialInformation, *ParamBuffer, bytesIO, &bytesIO);
#ifdef _DEBUGMSG
if (NT_SUCCESS(status)) {
TsmiListPatchChains(*ParamBuffer);
}
#endif
return status;
}
static NTSTATUS
ExpLoadUuidSequence(PULONG Sequence)
{
UCHAR ValueBuffer[VALUE_BUFFER_SIZE];
PKEY_VALUE_PARTIAL_INFORMATION ValueInfo;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING Name;
HANDLE KeyHandle;
ULONG ValueLength;
NTSTATUS Status;
RtlInitUnicodeString(&Name,
L"\\Registry\\Machine\\Software\\Microsoft\\Rpc");
InitializeObjectAttributes(&ObjectAttributes,
&Name,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
Status = ZwOpenKey(&KeyHandle,
KEY_QUERY_VALUE,
&ObjectAttributes);
if (!NT_SUCCESS(Status))
{
DPRINT("ZwOpenKey() failed (Status %lx)\n", Status);
return Status;
}
RtlInitUnicodeString(&Name, L"UuidSequenceNumber");
ValueInfo = (PKEY_VALUE_PARTIAL_INFORMATION)ValueBuffer;
Status = ZwQueryValueKey(KeyHandle,
&Name,
KeyValuePartialInformation,
ValueBuffer,
VALUE_BUFFER_SIZE,
&ValueLength);
ZwClose(KeyHandle);
if (!NT_SUCCESS(Status))
{
DPRINT("ZwQueryValueKey() failed (Status %lx)\n", Status);
return Status;
}
*Sequence = *((PULONG)ValueInfo->Data);
DPRINT("Loaded sequence %lx\n", *Sequence);
return STATUS_SUCCESS;
}
BOOLEAN
FsRtlpIsDfsEnabled(VOID)
{
HANDLE Key;
ULONG Length;
NTSTATUS Status;
UNICODE_STRING KeyName;
OBJECT_ATTRIBUTES ObjectAttributes;
struct
{
KEY_VALUE_PARTIAL_INFORMATION KeyInfo;
ULONG KeyValue;
} KeyQueryOutput;
/* You recognize MuppIsDfsEnabled()! Congratz :-) */
KeyName.Buffer = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Mup";
KeyName.Length = sizeof(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Mup") - sizeof(UNICODE_NULL);
KeyName.MaximumLength = sizeof(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Mup");
/* Simply query registry to get whether DFS is disabled.
* If DFS isn't disabled from registry side, assume it is enabled
* and go through MUP.
* MUP itself might disable it, but that's not our concern
* any longer
*/
InitializeObjectAttributes(&ObjectAttributes,
&KeyName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
Status = ZwOpenKey(&Key, KEY_READ, &ObjectAttributes);
if (!NT_SUCCESS(Status))
{
return TRUE;
}
KeyName.Buffer = L"DisableDfs";
KeyName.Length = sizeof(L"DisableDfs") - sizeof(UNICODE_NULL);
KeyName.MaximumLength = sizeof(L"DisableDfs");
Status = ZwQueryValueKey(Key, &KeyName, KeyValuePartialInformation, &KeyQueryOutput, sizeof(KeyQueryOutput), &Length);
ZwClose(Key);
if (!NT_SUCCESS(Status) || KeyQueryOutput.KeyInfo.Type != REG_DWORD)
{
return TRUE;
}
return ((ULONG)KeyQueryOutput.KeyInfo.Data != 1);
}
SHORT
FASTCALL
UserGetLanguageID(VOID)
{
HANDLE KeyHandle;
OBJECT_ATTRIBUTES ObAttr;
// http://support.microsoft.com/kb/324097
ULONG Ret = MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT);
PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
ULONG Size = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + MAX_PATH*sizeof(WCHAR);
UNICODE_STRING Language;
RtlInitUnicodeString( &Language,
L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language");
InitializeObjectAttributes( &ObAttr,
&Language,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
if ( NT_SUCCESS(ZwOpenKey(&KeyHandle, KEY_READ, &ObAttr)))
{
pKeyInfo = ExAllocatePoolWithTag(PagedPool, Size, TAG_STRING);
if ( pKeyInfo )
{
RtlInitUnicodeString(&Language, L"Default");
if ( NT_SUCCESS(ZwQueryValueKey( KeyHandle,
&Language,
KeyValuePartialInformation,
pKeyInfo,
Size,
&Size)) )
{
RtlInitUnicodeString(&Language, (PWSTR)pKeyInfo->Data);
if (!NT_SUCCESS(RtlUnicodeStringToInteger(&Language, 16, &Ret)))
{
Ret = MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT);
}
}
ExFreePoolWithTag(pKeyInfo, TAG_STRING);
}
ZwClose(KeyHandle);
}
TRACE("Language ID = %x\n",Ret);
return (SHORT) Ret;
}
NTSTATUS GetKeyValue(HANDLE hKey, LPWSTR ValueName, PVOID OutputBuffer, ULONG BufferSize, OUT OPTIONAL PULONG BytesReturned) {
if (BytesReturned != NULL) *BytesReturned = 0;
UNICODE_STRING UnicodeValueName;
RtlInitUnicodeString(&UnicodeValueName, ValueName);
ULONG PartialInformationSize = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + BufferSize - 1;
PKEY_VALUE_PARTIAL_INFORMATION PartialInformation = GetMem(PartialInformationSize);
ULONG ResultLength = 0;
NTSTATUS Status = ZwQueryValueKey(hKey, &UnicodeValueName, KeyValuePartialInformation, PartialInformation, PartialInformationSize, &ResultLength);
if NT_SUCCESS(Status) {
RtlCopyMemory(OutputBuffer, PartialInformation->Data, PartialInformation->DataLength);
if (BytesReturned != NULL) *BytesReturned = PartialInformation->DataLength;
} else if ((BytesReturned != NULL) && ((Status == STATUS_BUFFER_OVERFLOW) || (Status == STATUS_BUFFER_TOO_SMALL))) {
VOID
NTAPI
INIT_FUNCTION
KeI386VdmInitialize(VOID)
{
NTSTATUS Status;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE RegHandle;
UNICODE_STRING Name;
UCHAR KeyValueInfo[sizeof(KEY_VALUE_BASIC_INFORMATION) + 30];
ULONG ReturnLength;
/* Make sure that there is a WOW key */
RtlInitUnicodeString(&Name,
L"\\Registry\\Machine\\System\\CurrentControlSet\\"
L"Control\\Wow");
InitializeObjectAttributes(&ObjectAttributes,
&Name,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
Status = ZwOpenKey(&RegHandle, KEY_READ, &ObjectAttributes);
if (!NT_SUCCESS(Status)) return;
/* Check if VME is enabled */
RtlInitUnicodeString(&Name, L"DisableVme");
Status = ZwQueryValueKey(RegHandle,
&Name,
KeyValueBasicInformation,
&KeyValueInfo,
sizeof(KeyValueInfo),
&ReturnLength);
if (!NT_SUCCESS(Status))
{
/* Not present, so check if the CPU supports VME */
if (KeGetPcr()->Prcb->FeatureBits & KF_V86_VIS)
{
/* Enable them. FIXME: Use IPI */
Ki386VdmEnablePentiumExtentions(TRUE);
KeI386VirtualIntExtensions = TRUE;
}
}
/* Close the key */
ZwClose(RegHandle);
}
//////////////////////////////////////////////////////////////////////////
//
// Registry primitives.
//
NTSTATUS
DrReadKeyValue(
HANDLE RegKey,
PWCHAR KeyName,
ULONG KeyType,
PVOID Buffer,
ULONG BufferLength,
PULONG BufferLengthNeeded
) {
PKEY_VALUE_PARTIAL_INFORMATION keyValue;
NTSTATUS status;
ULONG outLength;
UNICODE_STRING valueName;
outLength = 0;
keyValue = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePoolWithTag(PagedPool, 512, DEVREG_POOTAG_KEYINFO);
if(keyValue == NULL)
return STATUS_INSUFFICIENT_RESOURCES;
RtlInitUnicodeString(&valueName, KeyName);
status = ZwQueryValueKey(RegKey, &valueName, KeyValuePartialInformation, keyValue, 512, &outLength);
if(BufferLengthNeeded) {
*BufferLengthNeeded = keyValue->DataLength;
}
if(!NT_SUCCESS(status)) {
KDPrint(1, ("ZwQueryValueKey() failed. ValueKeyName:%ws\n", KeyName));
ExFreePool(keyValue);
return status;
}
if(keyValue->Type != KeyType) {
KDPrint(1, ("Wrong value key type. ValueKeyName:%ws\n", KeyName));
ExFreePool(keyValue);
return status;
}
if(BufferLength < keyValue->DataLength) {
KDPrint(1, ("Buffer too small. ValueKeyName:%ws\n", KeyName));
ExFreePool(keyValue);
return STATUS_BUFFER_TOO_SMALL;
}
RtlCopyMemory(Buffer, keyValue->Data, keyValue->DataLength);
ExFreePool(keyValue);
return STATUS_SUCCESS;
}
static NTSTATUS EvhdQueryBoolParameter(LPCWSTR lpszParameterName, BOOLEAN bDefaultValue, BOOLEAN *pResult)
{
NTSTATUS status = STATUS_SUCCESS;
HANDLE KeyHandle = NULL, SubKeyHandle = NULL;
OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
UNICODE_STRING SubKeyName, ValueName;
BOOLEAN Result = bDefaultValue;
KEY_VALUE_PARTIAL_INFORMATION KeyValueInformation;
ULONG ResultLength;
ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
ObjectAttributes.ObjectName = g_pRegistryPath;
ObjectAttributes.Attributes = OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE;
status = ZwOpenKey(&KeyHandle, FILE_GENERIC_READ, &ObjectAttributes);
if (NT_SUCCESS(status))
{
RtlInitUnicodeString(&SubKeyName, L"Parameters");
ObjectAttributes.RootDirectory = KeyHandle;
ObjectAttributes.ObjectName = &SubKeyName;
status = ZwOpenKey(&SubKeyHandle, FILE_GENERIC_READ, &ObjectAttributes);
if (NT_SUCCESS(status))
{
RtlInitUnicodeString(&ValueName, lpszParameterName);
if (NT_SUCCESS(ZwQueryValueKey(SubKeyHandle, &ValueName, KeyValuePartialInformation, &KeyValueInformation,
sizeof(KeyValueInformation), &ResultLength)))
{
if (ResultLength == sizeof(KeyValueInformation) &&
REG_DWORD == KeyValueInformation.Type &&
sizeof(ULONG32) == KeyValueInformation.DataLength)
{
Result = 0 != *(ULONG32 *)KeyValueInformation.Data;
}
}
ZwClose(SubKeyHandle);
}
ZwClose(KeyHandle);
}
*pResult = Result;
return status;
}
VOID
NTAPI
PopReadShutdownPolicy(VOID)
{
UNICODE_STRING KeyString;
OBJECT_ATTRIBUTES ObjectAttributes;
NTSTATUS Status;
HANDLE KeyHandle;
ULONG Length;
UCHAR Buffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(ULONG)];
PKEY_VALUE_PARTIAL_INFORMATION Info = (PVOID)Buffer;
/* Setup object attributes */
RtlInitUnicodeString(&KeyString,
L"\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT");
InitializeObjectAttributes(&ObjectAttributes,
&KeyString,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
/* Open the key */
Status = ZwOpenKey(&KeyHandle, KEY_READ, &ObjectAttributes);
if (NT_SUCCESS(Status))
{
/* Open the policy value and query it */
RtlInitUnicodeString(&KeyString, L"DontPowerOffAfterShutdown");
Status = ZwQueryValueKey(KeyHandle,
&KeyString,
KeyValuePartialInformation,
&Info,
sizeof(Info),
&Length);
if ((NT_SUCCESS(Status)) && (Info->Type == REG_DWORD))
{
/* Read the policy */
PopShutdownPowerOffPolicy = *Info->Data == 1;
}
/* Close the key */
ZwClose(KeyHandle);
}
}
PAGED
NTSTATUS
GetRegDWORDValue(
_In_ PMS_FILTER pFilter,
_In_ PCWSTR ValueName,
_Out_ PULONG ValueData
)
{
NTSTATUS status;
ULONG resultLength;
UCHAR keybuf[128] = {0};
UNICODE_STRING UValueName;
PAGED_CODE();
RtlInitUnicodeString(&UValueName, ValueName);
status = ZwQueryValueKey(
pFilter->InterfaceRegKey,
&UValueName,
KeyValueFullInformation,
keybuf,
sizeof(keybuf),
&resultLength);
if (NT_SUCCESS(status))
{
PKEY_VALUE_FULL_INFORMATION keyInfo = (PKEY_VALUE_FULL_INFORMATION)keybuf;
if (keyInfo->Type != REG_DWORD)
{
status = STATUS_INVALID_PARAMETER_MIX;
}
else
{
*ValueData = *((ULONG UNALIGNED *)(keybuf + keyInfo->DataOffset));
}
}
return status;
}
NTSTATUS Reg_GetGuidValue(_In_ HANDLE hKey, _In_ LPCWSTR pszValueName, _Out_ PGUID pValue)
{
NTSTATUS Status = STATUS_SUCCESS;
UNICODE_STRING ValueName;
RtlInitUnicodeString(&ValueName, pszValueName);
struct {
KEY_VALUE_PARTIAL_INFORMATION Info;
GUID Extra;
} Buffer;
ULONG ResultLength;
Status = ZwQueryValueKey(hKey, &ValueName, KeyValuePartialInformation, &Buffer, sizeof(Buffer), &ResultLength);
if (NT_SUCCESS(Status))
{
if (REG_BINARY == Buffer.Info.Type && sizeof(GUID) == Buffer.Info.DataLength) {
RtlMoveMemory(pValue, Buffer.Info.Data, sizeof(GUID));
}
else
Status = STATUS_INVALID_BUFFER_SIZE;
}
return Status;
}
_Use_decl_annotations_ EXTERN_C NTSTATUS
UtilLoadPointerVaule(const wchar_t *Key, const wchar_t *Value, void **Data) {
PAGED_CODE();
UNICODE_STRING path = {};
RtlInitUnicodeString(&path, Key);
OBJECT_ATTRIBUTES oa = RTL_INIT_OBJECT_ATTRIBUTES(
&path, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE);
// Open the registry
HANDLE keyNaked = nullptr;
auto status = ZwOpenKey(&keyNaked, KEY_READ, &oa);
if (!NT_SUCCESS(status)) {
return status;
}
auto key =
std::experimental::make_unique_resource(std::move(keyNaked), &::ZwClose);
UNICODE_STRING valueName = {};
RtlInitUnicodeString(&valueName, Value);
// Read value
ULONG resultLength = 0;
UCHAR buffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(void *)] = {};
status = ZwQueryValueKey(key.get(), &valueName, KeyValuePartialInformation,
buffer, sizeof(buffer), &resultLength);
if (!NT_SUCCESS(status)) {
return status;
}
// Error if it is not an expected type or not a pointer size.
ULONG expectedRegType = (IsX64()) ? REG_QWORD : REG_DWORD;
auto data = reinterpret_cast<KEY_VALUE_PARTIAL_INFORMATION *>(buffer);
if (data->Type != expectedRegType || data->DataLength != sizeof(void *)) {
return STATUS_DATA_NOT_ACCEPTED;
}
*Data = *reinterpret_cast<void **>(data->Data);
return status;
}
// Query value from key, ZwQueryValueKey wrapper
BOOLEAN RegQueryValue (HANDLE hKey, PWSTR ValueName, ULONG Type, PVOID Buffer, ULONG *Len)
{
UNICODE_STRING uValueName;
NTSTATUS Status;
UCHAR InfoBuffer[512] = {0};
KEY_VALUE_PARTIAL_INFORMATION *Info = (KEY_VALUE_PARTIAL_INFORMATION*) InfoBuffer;
ULONG ResultLength;
RtlInitUnicodeString (&uValueName, ValueName);
Status = ZwQueryValueKey (
hKey,
&uValueName,
KeyValuePartialInformation,
Info,
sizeof(InfoBuffer),
&ResultLength
);
if (NT_SUCCESS(Status))
{
if (Type != Info->Type)
{
KdPrint(("Type mismatch (%d, %d)\n", Type, Info->Type));
return FALSE;
}
ULONG Length = min (*Len, Info->DataLength);
memcpy (Buffer, Info->Data, Length);
*Len = Length;
return TRUE;
}
KdPrint(("ZwQueryValueKey(%S) failed with status %X\n", ValueName, Status));
return FALSE;
}
NTSTATUS Reg_GetQwordValue(_In_ HANDLE hKey, _In_ LPCWSTR pszValueName, _Out_ PULONG64 pValue)
{
NTSTATUS Status = STATUS_SUCCESS;
UNICODE_STRING ValueName;
RtlInitUnicodeString(&ValueName, pszValueName);
struct {
KEY_VALUE_PARTIAL_INFORMATION Info;
ULONG64 Extra;
} Buffer;
ULONG ResultLength;
Status = ZwQueryValueKey(hKey, &ValueName, KeyValuePartialInformation, &Buffer, sizeof(Buffer), &ResultLength);
if (NT_SUCCESS(Status))
{
if (REG_QWORD == Buffer.Info.Type) {
ASSERT(Buffer.Info.DataLength == sizeof(ULONG64));
*pValue = *(PULONG64)Buffer.Info.Data;
}
else
Status = STATUS_INVALID_BUFFER_SIZE;
}
return Status;
}
/**
* Reads an integer (REG_DWORD) parameter from the registry.
*
* \param KeyHandle A handle to the Parameters key. If NULL, the function
* fails immediately and returns \a DefaultValue.
* \param ValueName The name of the parameter.
* \param DefaultValue The value that is returned if the function fails
* to retrieve the parameter from the registry.
*
* \return The parameter value, or \a DefaultValue if the function failed.
*/
ULONG KphpReadIntegerParameter(
__in_opt HANDLE KeyHandle,
__in PUNICODE_STRING ValueName,
__in ULONG DefaultValue
)
{
NTSTATUS status;
UCHAR buffer[FIELD_OFFSET(KEY_VALUE_PARTIAL_INFORMATION, Data) + sizeof(ULONG)];
PKEY_VALUE_PARTIAL_INFORMATION info;
ULONG resultLength;
PAGED_CODE();
if (!KeyHandle)
return DefaultValue;
info = (PKEY_VALUE_PARTIAL_INFORMATION)buffer;
status = ZwQueryValueKey(
KeyHandle,
ValueName,
KeyValuePartialInformation,
info,
sizeof(buffer),
&resultLength
);
if (info->Type != REG_DWORD)
status = STATUS_OBJECT_TYPE_MISMATCH;
if (!NT_SUCCESS(status))
{
dprintf("Unable to query parameter %.*S: 0x%x", ValueName->Length / sizeof(WCHAR), ValueName->Buffer, status);
return DefaultValue;
}
return *(PULONG)info->Data;
}
static
VOID
ProcessorSetFriendlyName(
PDEVICE_OBJECT DeviceObject)
{
KEY_VALUE_PARTIAL_INFORMATION *Buffer = NULL;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING HardwareKeyName, ValueName, EnumKeyName;
HANDLE KeyHandle = NULL;
ULONG DataLength = 0;
ULONG BufferLength = 0;
NTSTATUS Status;
PWSTR KeyNameBuffer = NULL;
PWSTR DeviceId = NULL;
PWSTR InstanceId = NULL;
PWSTR pszPrefix = L"\\Registry\\Machine\\System\\CurrentcontrolSet\\Enum";
RtlInitUnicodeString(&HardwareKeyName,
L"\\Registry\\Machine\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0");
InitializeObjectAttributes(&ObjectAttributes,
&HardwareKeyName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
Status = ZwOpenKey(&KeyHandle,
KEY_READ,
&ObjectAttributes);
if (!NT_SUCCESS(Status))
{
DPRINT1("ZwOpenKey() failed (Status 0x%08lx)\n", Status);
return;
}
RtlInitUnicodeString(&ValueName,
L"ProcessorNameString");
Status = ZwQueryValueKey(KeyHandle,
&ValueName,
KeyValuePartialInformation,
NULL,
0,
&DataLength);
if (Status != STATUS_BUFFER_OVERFLOW && Status != STATUS_BUFFER_TOO_SMALL && Status != STATUS_SUCCESS)
{
DPRINT1("ZwQueryValueKey() failed (Status 0x%08lx)\n", Status);
goto done;
}
Buffer = ExAllocatePool(PagedPool,
DataLength + sizeof(KEY_VALUE_PARTIAL_INFORMATION));
if (Buffer == NULL)
{
DPRINT1("ExAllocatePool() failed\n");
goto done;
}
Status = ZwQueryValueKey(KeyHandle,
&ValueName,
KeyValuePartialInformation,
Buffer,
DataLength + sizeof(KEY_VALUE_PARTIAL_INFORMATION),
&DataLength);
if (!NT_SUCCESS(Status))
{
DPRINT1("ZwQueryValueKey() failed (Status 0x%08lx)\n", Status);
goto done;
}
DPRINT("ProcessorNameString: %S\n", (PWSTR)&Buffer->Data[0]);
ZwClose(KeyHandle);
KeyHandle = NULL;
Status = GetDeviceId(DeviceObject,
BusQueryDeviceID,
&DeviceId);
if (!NT_SUCCESS(Status))
{
DPRINT1("GetDeviceId() failed (Status 0x%08lx)\n", Status);
goto done;
}
DPRINT("DeviceId: %S\n", DeviceId);
Status = GetDeviceId(DeviceObject,
BusQueryInstanceID,
&InstanceId);
if (!NT_SUCCESS(Status))
{
DPRINT1("GetDeviceId() failed (Status 0x%08lx)\n", Status);
goto done;
}
DPRINT("InstanceId: %S\n", InstanceId);
BufferLength = wcslen(pszPrefix) + 1 + wcslen(DeviceId) + 1 + wcslen(InstanceId) + 1;
KeyNameBuffer = ExAllocatePool(PagedPool, BufferLength * sizeof(WCHAR));
if (KeyNameBuffer == NULL)
{
DPRINT1("ExAllocatePool() failed\n");
goto done;
}
swprintf(KeyNameBuffer, L"%s\\%s\\%s", pszPrefix, DeviceId, InstanceId);
RtlInitUnicodeString(&EnumKeyName, KeyNameBuffer);
InitializeObjectAttributes(&ObjectAttributes,
&EnumKeyName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
Status = ZwOpenKey(&KeyHandle,
KEY_WRITE,
&ObjectAttributes);
if (!NT_SUCCESS(Status))
{
DPRINT1("ZwOpenKey() failed (Status 0x%08lx)\n", Status);
goto done;
}
RtlInitUnicodeString(&ValueName,
L"FriendlyName");
Status = ZwSetValueKey(KeyHandle,
&ValueName,
0,
REG_SZ,
(PVOID)&Buffer->Data[0],
Buffer->DataLength);
if (!NT_SUCCESS(Status))
{
DPRINT1("ZwSetValueKey() failed (Status 0x%08lx)\n", Status);
goto done;
}
done:
if (KeyHandle != NULL)
ZwClose(KeyHandle);
if (KeyNameBuffer != NULL)
ExFreePool(KeyNameBuffer);
if (InstanceId != NULL)
ExFreePool(InstanceId);
if (DeviceId != NULL)
ExFreePool(DeviceId);
if (Buffer != NULL)
ExFreePool(Buffer);
}
MIXER_STATUS
QueryKeyValue(
IN HANDLE hKey,
IN LPWSTR lpKeyName,
OUT PVOID * ResultBuffer,
OUT PULONG ResultLength,
OUT PULONG KeyType)
{
NTSTATUS Status;
UNICODE_STRING KeyName;
ULONG Length;
PKEY_VALUE_PARTIAL_INFORMATION PartialInformation;
/* initialize key name */
RtlInitUnicodeString(&KeyName, lpKeyName);
/* now query MatchingDeviceId key */
Status = ZwQueryValueKey(hKey, &KeyName, KeyValuePartialInformation, NULL, 0, &Length);
/* check for success */
if (Status != STATUS_BUFFER_TOO_SMALL)
return MM_STATUS_UNSUCCESSFUL;
/* allocate a buffer for key data */
PartialInformation = AllocateItem(NonPagedPool, Length);
if (!PartialInformation)
return MM_STATUS_NO_MEMORY;
/* now query MatchingDeviceId key */
Status = ZwQueryValueKey(hKey, &KeyName, KeyValuePartialInformation, PartialInformation, Length, &Length);
/* check for success */
if (!NT_SUCCESS(Status))
{
FreeItem(PartialInformation);
return MM_STATUS_UNSUCCESSFUL;
}
if (KeyType)
{
/* return key type */
*KeyType = PartialInformation->Type;
}
if (ResultLength)
{
/* return data length */
*ResultLength = PartialInformation->DataLength;
}
*ResultBuffer = AllocateItem(NonPagedPool, PartialInformation->DataLength);
if (!*ResultBuffer)
{
/* not enough memory */
FreeItem(PartialInformation);
return MM_STATUS_NO_MEMORY;
}
/* copy key value */
RtlMoveMemory(*ResultBuffer, PartialInformation->Data, PartialInformation->DataLength);
/* free key info */
FreeItem(PartialInformation);
return MM_STATUS_SUCCESS;
}
//***********************************************************************************
// Name: RegReadDword
//
// Description:
// reads dword registry value
//
// Return value:
// operation status
//
// Parameters:
//
// NOTE: None
// **********************************************************************************
NTSTATUS
RegReadDword(
IN HANDLE hKey,
IN PWCHAR szValueName,
OUT PULONG ValueData
)
{
NTSTATUS ntStatus;
PKEY_VALUE_PARTIAL_INFORMATION KeyValueInfo = NULL;
CHAR KeyValueBuffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION)+sizeof(ULONG)];
UNICODE_STRING usValueName;
ULONG ReturnedLength = 0;
RtlInitUnicodeString(&usValueName, szValueName);
KeyValueInfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyValueBuffer;
RtlZeroMemory(KeyValueBuffer, sizeof(KeyValueBuffer));
ntStatus =
ZwQueryValueKey(
hKey,
&usValueName,
KeyValuePartialInformation,
KeyValueInfo,
sizeof(KeyValueBuffer),
&ReturnedLength
);
if (NT_SUCCESS(ntStatus)) {
if (KeyValueInfo->Type != REG_DWORD || KeyValueInfo->DataLength != sizeof(ULONG) ) {
ntStatus = STATUS_INVALID_PARAMETER_MIX;
} else {
*ValueData = *((ULONG UNALIGNED *)((PCHAR)KeyValueInfo->Data));
}
}
return ntStatus;
}
