Reputation: 21319
In a running Windows, how can I ascertain via a C/C++ program of my own if a certain key is the "mount point", i.e. root, for a registry hive?
Via RegLoadKey() and the underlying NT native function (ZwLoadKey, aka NtLoadKey from user mode) one can load/mount a hive.
Is there a way to figure out, just given the key (handle or path), if the key is the root or "mount point" of a registry hive?
To make it clear, I am aware that many a key in the \Registry (object manager namespace) is a subkey inside a loaded hive. But I am asking to find out whether a particular key represents the root of a loaded hive. So I know the name of a key and I want to find out, by any means Windows has to offer, whether that key is the root of a loaded hive.
Bonus points for showing how to figure out the corresponding file path to the loaded hive on disk for a given key.
NB: I do not care if the Win32 API or NT native API is required to achieve this. I am just straight out looking for a way to achieve this feat.
Upvotes: 0
Views: 393
Reputation: 33754
There exists an indirect way to check this: call the undocumented NT native API function ZwQueryOpenSubKeys:
EXTERN_C
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwQueryOpenSubKeys(
_In_ POBJECT_ATTRIBUTES TargetKey,
_Out_ PULONG HandleCount
);
According to the following line from the WRK code we can assume that in the case where the key is not the root cell, the API returns STATUS_INVALID_PARAMETER. If STATUS_SUCCESS is returned, this is the root cell of a hive. For other status codes we cannot tell whether it is or isn't the root of a hive.
Example code:
#define WIN32_NO_STATUS
#include <windows.h>
#undef WIN32_NO_STATUS
#include <ntstatus.h>    // STATUS_SUCCESS, STATUS_INVALID_PARAMETER
#include <winternl.h>    // OBJECT_ATTRIBUTES, PCOBJECT_ATTRIBUTES, NTSTATUS
#pragma comment(lib, "ntdll.lib")

// NtQueryOpenSubKeys and ZwQueryOpenSubKeys are the same ntdll export (declared above).
typedef enum { root, not_root, fail } RootCellResult;   // named enum so this also compiles as C++

RootCellResult IsRootCell(PCOBJECT_ATTRIBUTES poa)
{
    ULONG HandleCount;
    switch (NtQueryOpenSubKeys((POBJECT_ATTRIBUTES)poa, &HandleCount))
    {
    case STATUS_SUCCESS:            // key is the root cell of a loaded hive
        return root;
    case STATUS_INVALID_PARAMETER:  // key exists but is not a hive root
        return not_root;
    }
    return fail;                    // any other status: cannot tell (bad path, missing privilege, ...)
}
Upvotes: 1
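The same check, as an added example that is not part of the question or the answer above: it P/Invokes the ntdll export NtQueryOpenSubKeys from PowerShell so the three-way classification (root / not_root / fail) can be tried on a live system without building a C project, and it adds a lookup for the bonus question by reading HKLM\SYSTEM\CurrentControlSet\Control\hivelist, where the kernel records each loaded hive's root key and the NT device path of its backing file. Assumptions not stated in the answer: the prompt is elevated, SeRestorePrivilege is enabled through RtlAdjustPrivilege (privilege LUID 18), and the two sample key paths are ordinary keys present on any Windows installation.

```powershell
# Added example (not from the original question or answer): P/Invoke the same ntdll
# export the answer uses, plus a hivelist lookup for the file-path bonus question.
# Assumes an elevated prompt; SeRestorePrivilege is enabled via RtlAdjustPrivilege (LUID 18).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class NtReg
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES
    {
        public int    Length;
        public IntPtr RootDirectory;
        public IntPtr ObjectName;           // PUNICODE_STRING
        public uint   Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }

    public const uint OBJ_CASE_INSENSITIVE = 0x40;

    // NTSTATUS is a 32-bit LONG; declared as uint so PowerShell can compare it with 0xC... literals.
    [DllImport("ntdll.dll")]
    public static extern uint NtQueryOpenSubKeys(ref OBJECT_ATTRIBUTES TargetKey, out uint HandleCount);

    [DllImport("ntdll.dll")]
    public static extern uint RtlAdjustPrivilege(uint Privilege,
        [MarshalAs(UnmanagedType.U1)] bool Enable, [MarshalAs(UnmanagedType.U1)] bool CurrentThread,
        [MarshalAs(UnmanagedType.U1)] out bool WasEnabled);

    // Build OBJECT_ATTRIBUTES for an absolute NT key path (e.g. \Registry\Machine\SOFTWARE)
    // and call NtQueryOpenSubKeys. handleCount is only meaningful when the status is 0.
    public static uint QueryOpenSubKeys(string ntPath, out uint handleCount)
    {
        IntPtr buf   = Marshal.StringToHGlobalUni(ntPath);
        IntPtr usPtr = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(UNICODE_STRING)));
        try
        {
            UNICODE_STRING us;
            us.Length        = (ushort)(ntPath.Length * 2);
            us.MaximumLength = (ushort)(us.Length + 2);
            us.Buffer        = buf;
            Marshal.StructureToPtr(us, usPtr, false);

            OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES();
            oa.Length     = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES));
            oa.ObjectName = usPtr;
            oa.Attributes = OBJ_CASE_INSENSITIVE;
            return NtQueryOpenSubKeys(ref oa, out handleCount);
        }
        finally { Marshal.FreeHGlobal(usPtr); Marshal.FreeHGlobal(buf); }
    }
}
'@

# Without SeRestorePrivilege the call fails with STATUS_PRIVILEGE_NOT_HELD (0xC0000061),
# which the answer's three-way classification reports as 'fail'. (Assumption: elevated prompt.)
$wasEnabled = $false
$null = [NtReg]::RtlAdjustPrivilege(18, $true, $false, [ref]$wasEnabled)

function Test-HiveRoot {
    param([Parameter(Mandatory)][string]$NtPath)
    [uint32]$count = 0
    $status = [NtReg]::QueryOpenSubKeys($NtPath, [ref]$count)
    $result = switch ($status) {
        0          { 'root' }        # STATUS_SUCCESS: this key is the root cell of a loaded hive
        0xC000000D { 'not_root' }    # STATUS_INVALID_PARAMETER: key exists but is not a hive root
        default    { 'fail' }        # anything else: cannot tell (bad path, missing privilege, ...)
    }
    $handles = if ($status -eq 0) { $count } else { $null }
    [pscustomobject]@{
        Key               = $NtPath
        Result            = $result
        OpenSubKeyHandles = $handles
        Status            = '0x{0:X8}' -f $status
    }
}

# Bonus: every loaded hive is listed under ...\Control\hivelist as
#   value name = hive root key (e.g. \REGISTRY\MACHINE\SOFTWARE)
#   value data = NT device path of the backing file (empty for file-less hives such as HARDWARE)
function Get-HiveFile {
    param([Parameter(Mandatory)][string]$NtPath)
    $hivelist = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    foreach ($p in $hivelist.PSObject.Properties) {
        if ($p.Name -ieq $NtPath) { return $p.Value }
    }
    return $null   # no entry: not the root of a loaded hive
}

# Sample keys (present on any Windows installation): the first is a hive root, the second is not.
'\Registry\Machine\SOFTWARE', '\Registry\Machine\SOFTWARE\Microsoft' | ForEach-Object {
    Test-HiveRoot -NtPath $_ |
        Add-Member -NotePropertyName HiveFile -NotePropertyValue (Get-HiveFile -NtPath $_) -PassThru
}
```

On an elevated prompt the first sample key reports root with a HiveFile such as \Device\HarddiskVolumeN\Windows\System32\config\SOFTWARE, and the second reports not_root with no HiveFile; a hive mounted with RegLoadKey shows up the same way under the name it was loaded as. The hivelist lookup is only a cross-check: the authoritative answer to "is this key a hive root" is the status code, exactly as the answer describes, and a key that returns fail (for example 0xC0000061 when the privilege is missing, or 0xC0000034 for a non-existent path) should not be classified either way.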