Reputation: 1670
I am doing an application virtualization project. So I hook applications at NT level and redirect the registry calls to my virtual registry. On running any application, if I go to File -> Open.. I see a few registry calls like the ones below:
ZwOpenKey(registry key path) -> it produces the handle, e.g. (0x04e8)
ZwQueryKey(0x4ea, ...)
Process Monitor says both open and query are performed on same key. I myself tested and confirmed that is the same key.
Also query key produced the right result for the querykey api. This 2 byte difference is not for all open and query key cases.
How and why does the application change the handle from 0x4e8 to 0x4ea before it invokes ZwQueryKey?
I have also tested for the invocation of ZwDuplicateObject between the open and ZwQueryKey; however, the DuplicateObject API is not invoked.
Can anyone say how this handle changes?
Upvotes: 1
Views: 155
Reputation: 239814
The lowest two bits of a handle aren't used by the kernel, and so applications are free to set them to other values, and/or some APIs use these as additional flags rather than having an extra parameter:
0x4ea & 0xffc == 0x4e8 & 0xffc
Raymond Chen did a series discussing possible uses for these bits:
Kernel handles are always a multiple of four; the bottom two bits are available for applications to use. But why would an application need those bits anyway?
Upvotes: 3
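For a hook like the one in the question, the practical consequence is that a virtual-registry handle table must key on the handle with its two low bits stripped, or a ZwQueryKey on 0x4ea will miss the entry created by the ZwOpenKey that returned 0x4e8. The following is an added illustration, not code from the question or answer; the handle table, `vr_register`/`vr_lookup` and the sample path are hypothetical, and `uintptr_t` stands in for the Windows HANDLE type so it builds anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Kernel handles are always a multiple of four, so bits 0 and 1 never
   identify the object; they are free for the application (or an API)
   to use as tag bits. Strip them before using a handle as a key. */
#define HANDLE_TAG_MASK ((uintptr_t)0x3)

static uintptr_t canonical_handle(uintptr_t h) {
    return h & ~HANDLE_TAG_MASK;
}

/* 0x4e8 and 0x4ea refer to the same kernel object. */
static int same_kernel_handle(uintptr_t a, uintptr_t b) {
    return canonical_handle(a) == canonical_handle(b);
}

/* Hypothetical virtual-registry handle table kept by the hook. */
#define VR_MAX 16
struct vr_entry { uintptr_t handle; char path[128]; };
static struct vr_entry vr_table[VR_MAX];
static size_t vr_count;

/* Called from the ZwOpenKey hook: remember which virtual key the
   returned handle refers to, keyed on the canonical handle value. */
static int vr_register(uintptr_t handle, const char *path) {
    if (vr_count >= VR_MAX) return -1;
    vr_table[vr_count].handle = canonical_handle(handle);
    strncpy(vr_table[vr_count].path, path, sizeof vr_table[vr_count].path - 1);
    vr_table[vr_count].path[sizeof vr_table[vr_count].path - 1] = '\0';
    vr_count++;
    return 0;
}

/* Called from the ZwQueryKey hook: resolve the (possibly tagged) handle
   the application passed back to the virtual key it was opened as. */
static const char *vr_lookup(uintptr_t handle) {
    uintptr_t key = canonical_handle(handle);
    for (size_t i = 0; i < vr_count; i++)
        if (vr_table[i].handle == key) return vr_table[i].path;
    return NULL;   /* unknown handle: fall through to the real registry */
}

int main(void) {
    vr_register(0x4e8, "HKCU\\Software\\Example");   /* constructed sample */
    printf("0x4ea -> %s\n", vr_lookup(0x4ea) ? vr_lookup(0x4ea) : "(not found)");
    return 0;
}
```

Without the mask, `vr_lookup(0x4ea)` would return NULL and the query would be sent to the real registry, which matches the symptom in the question.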