Process Hacker
ntregapi.h
Go to the documentation of this file.
1 #ifndef _NTREGAPI_H
2 #define _NTREGAPI_H
3 
4 // Boot condition flags (NtInitializeRegistry)
5 
6 #define REG_INIT_BOOT_SM 0x0000
7 #define REG_INIT_BOOT_SETUP 0x0001
8 #define REG_INIT_BOOT_ACCEPTED_BASE 0x0002
9 #define REG_INIT_BOOT_ACCEPTED_MAX REG_INIT_BOOT_ACCEPTED_BASE + 999
10 
11 #define REG_MAX_KEY_VALUE_NAME_LENGTH 32767
12 #define REG_MAX_KEY_NAME_LENGTH 512
13 
14 typedef enum _KEY_INFORMATION_CLASS
15 {
16  KeyBasicInformation,
17  KeyNodeInformation,
18  KeyFullInformation,
19  KeyNameInformation,
20  KeyCachedInformation,
21  KeyFlagsInformation,
22  KeyVirtualizationInformation,
23  KeyHandleTagsInformation,
24  KeyTrustInformation,
25  MaxKeyInfoClass
26 } KEY_INFORMATION_CLASS;
27 
28 typedef struct _KEY_BASIC_INFORMATION
29 {
30  LARGE_INTEGER LastWriteTime;
31  ULONG TitleIndex;
32  ULONG NameLength;
33  WCHAR Name[1];
34 } KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;
35 
36 typedef struct _KEY_NODE_INFORMATION
37 {
38  LARGE_INTEGER LastWriteTime;
39  ULONG TitleIndex;
40  ULONG ClassOffset;
41  ULONG ClassLength;
42  ULONG NameLength;
43  WCHAR Name[1];
44  // ...
45  // WCHAR Class[1];
46 } KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION;
47 
48 typedef struct _KEY_FULL_INFORMATION
49 {
50  LARGE_INTEGER LastWriteTime;
51  ULONG TitleIndex;
52  ULONG ClassOffset;
53  ULONG ClassLength;
54  ULONG SubKeys;
55  ULONG MaxNameLen;
56  ULONG MaxClassLen;
57  ULONG Values;
58  ULONG MaxValueNameLen;
59  ULONG MaxValueDataLen;
60  WCHAR Class[1];
61 } KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;
62 
63 typedef struct _KEY_NAME_INFORMATION
64 {
65  ULONG NameLength;
66  WCHAR Name[1];
67 } KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION;
68 
69 typedef struct _KEY_CACHED_INFORMATION
70 {
71  LARGE_INTEGER LastWriteTime;
72  ULONG TitleIndex;
73  ULONG SubKeys;
74  ULONG MaxNameLen;
75  ULONG Values;
76  ULONG MaxValueNameLen;
77  ULONG MaxValueDataLen;
78  ULONG NameLength;
79  WCHAR Name[1];
80 } KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION;
81 
82 typedef struct _KEY_FLAGS_INFORMATION
83 {
84  ULONG UserFlags;
85 } KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION;
86 
87 typedef struct _KEY_VIRTUALIZATION_INFORMATION
88 {
89  ULONG VirtualizationCandidate : 1; // Tells whether the key is part of the virtualization namespace scope (only HKLM\Software for now).
90  ULONG VirtualizationEnabled : 1; // Tells whether virtualization is enabled on this key. Can be 1 only if above flag is 1.
91  ULONG VirtualTarget : 1; // Tells if the key is a virtual key. Can be 1 only if above 2 are 0. Valid only on the virtual store key handles.
92  ULONG VirtualStore : 1; // Tells if the key is a part of the virtual store path. Valid only on the virtual store key handles.
93  ULONG VirtualSource : 1; // Tells if the key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1.
94  ULONG Reserved : 27;
95 } KEY_VIRTUALIZATION_INFORMATION, *PKEY_VIRTUALIZATION_INFORMATION;
96 
97 // private
98 typedef struct _KEY_TRUST_INFORMATION
99 {
100  ULONG TrustedKey : 1;
101  ULONG Reserved : 31;
102 } KEY_TRUST_INFORMATION, *PKEY_TRUST_INFORMATION;
103 
104 typedef enum _KEY_SET_INFORMATION_CLASS
105 {
106  KeyWriteTimeInformation,
107  KeyWow64FlagsInformation,
108  KeyControlFlagsInformation,
109  KeySetVirtualizationInformation,
110  KeySetDebugInformation,
111  KeySetHandleTagsInformation,
112  MaxKeySetInfoClass
113 } KEY_SET_INFORMATION_CLASS;
114 
115 typedef struct _KEY_WRITE_TIME_INFORMATION
116 {
117  LARGE_INTEGER LastWriteTime;
118 } KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION;
119 
120 typedef struct _KEY_WOW64_FLAGS_INFORMATION
121 {
122  ULONG UserFlags;
123 } KEY_WOW64_FLAGS_INFORMATION, *PKEY_WOW64_FLAGS_INFORMATION;
124 
125 typedef struct _KEY_HANDLE_TAGS_INFORMATION
126 {
127  ULONG HandleTags;
128 } KEY_HANDLE_TAGS_INFORMATION, *PKEY_HANDLE_TAGS_INFORMATION;
129 
130 typedef struct _KEY_CONTROL_FLAGS_INFORMATION
131 {
132  ULONG ControlFlags;
133 } KEY_CONTROL_FLAGS_INFORMATION, *PKEY_CONTROL_FLAGS_INFORMATION;
134 
135 typedef struct _KEY_SET_VIRTUALIZATION_INFORMATION
136 {
137  ULONG VirtualTarget : 1;
138  ULONG VirtualStore : 1;
139  ULONG VirtualSource : 1; // true if key has been virtualized at least once
140  ULONG Reserved : 29;
141 } KEY_SET_VIRTUALIZATION_INFORMATION, *PKEY_SET_VIRTUALIZATION_INFORMATION;
142 
143 typedef enum _KEY_VALUE_INFORMATION_CLASS
144 {
145  KeyValueBasicInformation,
146  KeyValueFullInformation,
147  KeyValuePartialInformation,
148  KeyValueFullInformationAlign64,
149  KeyValuePartialInformationAlign64,
150  MaxKeyValueInfoClass
151 } KEY_VALUE_INFORMATION_CLASS;
152 
153 typedef struct _KEY_VALUE_BASIC_INFORMATION
154 {
155  ULONG TitleIndex;
156  ULONG Type;
157  ULONG NameLength;
158  WCHAR Name[1];
159 } KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;
160 
161 typedef struct _KEY_VALUE_FULL_INFORMATION
162 {
163  ULONG TitleIndex;
164  ULONG Type;
165  ULONG DataOffset;
166  ULONG DataLength;
167  ULONG NameLength;
168  WCHAR Name[1];
169  // ...
170  // UCHAR Data[1];
171 } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;
172 
173 typedef struct _KEY_VALUE_PARTIAL_INFORMATION
174 {
175  ULONG TitleIndex;
176  ULONG Type;
177  ULONG DataLength;
178  UCHAR Data[1];
179 } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
180 
181 typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64
182 {
183  ULONG Type;
184  ULONG DataLength;
185  UCHAR Data[1];
186 } KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64;
187 
188 typedef struct _KEY_VALUE_ENTRY
189 {
190  PUNICODE_STRING ValueName;
191  ULONG DataLength;
192  ULONG DataOffset;
193  ULONG Type;
194 } KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;
195 
196 typedef enum _REG_ACTION
197 {
198  KeyAdded,
199  KeyRemoved,
200  KeyModified
201 } REG_ACTION;
202 
203 typedef struct _REG_NOTIFY_INFORMATION
204 {
205  ULONG NextEntryOffset;
206  REG_ACTION Action;
207  ULONG KeyLength;
208  WCHAR Key[1];
209 } REG_NOTIFY_INFORMATION, *PREG_NOTIFY_INFORMATION;
210 
211 typedef struct _KEY_PID_ARRAY
212 {
213  HANDLE PID;
214  UNICODE_STRING KeyName;
215 } KEY_PID_ARRAY, *PKEY_PID_ARRAY;
216 
217 typedef struct _KEY_OPEN_SUBKEYS_INFORMATION
218 {
219  ULONG Count;
220  KEY_PID_ARRAY KeyArray[1];
221 } KEY_OPEN_SUBKEYS_INFORMATION, *PKEY_OPEN_SUBKEYS_INFORMATION;
222 
223 // System calls
224 
225 NTSYSCALLAPI
226 NTSTATUS
227 NTAPI
228 NtCreateKey(
229  _Out_ PHANDLE KeyHandle,
230  _In_ ACCESS_MASK DesiredAccess,
231  _In_ POBJECT_ATTRIBUTES ObjectAttributes,
232  _Reserved_ ULONG TitleIndex,
233  _In_opt_ PUNICODE_STRING Class,
234  _In_ ULONG CreateOptions,
235  _Out_opt_ PULONG Disposition
236  );
237 
238 #if (PHNT_VERSION >= PHNT_VISTA)
239 NTSYSCALLAPI
240 NTSTATUS
241 NTAPI
242 NtCreateKeyTransacted(
243  _Out_ PHANDLE KeyHandle,
244  _In_ ACCESS_MASK DesiredAccess,
245  _In_ POBJECT_ATTRIBUTES ObjectAttributes,
246  _Reserved_ ULONG TitleIndex,
247  _In_opt_ PUNICODE_STRING Class,
248  _In_ ULONG CreateOptions,
249  _In_ HANDLE TransactionHandle,
250  _Out_opt_ PULONG Disposition
251  );
252 #endif
253 
254 NTSYSCALLAPI
255 NTSTATUS
256 NTAPI
257 NtOpenKey(
258  _Out_ PHANDLE KeyHandle,
259  _In_ ACCESS_MASK DesiredAccess,
260  _In_ POBJECT_ATTRIBUTES ObjectAttributes
261  );
262 
263 #if (PHNT_VERSION >= PHNT_VISTA)
264 NTSYSCALLAPI
265 NTSTATUS
266 NTAPI
267 NtOpenKeyTransacted(
268  _Out_ PHANDLE KeyHandle,
269  _In_ ACCESS_MASK DesiredAccess,
270  _In_ POBJECT_ATTRIBUTES ObjectAttributes,
271  _In_ HANDLE TransactionHandle
272  );
273 #endif
274 
275 #if (PHNT_VERSION >= PHNT_WIN7)
276 NTSYSCALLAPI
277 NTSTATUS
278 NTAPI
279 NtOpenKeyEx(
280  _Out_ PHANDLE KeyHandle,
281  _In_ ACCESS_MASK DesiredAccess,
282  _In_ POBJECT_ATTRIBUTES ObjectAttributes,
283  _In_ ULONG OpenOptions
284  );
285 #endif
286 
287 #if (PHNT_VERSION >= PHNT_WIN7)
288 NTSYSCALLAPI
289 NTSTATUS
290 NTAPI
291 NtOpenKeyTransactedEx(
292  _Out_ PHANDLE KeyHandle,
293  _In_ ACCESS_MASK DesiredAccess,
294  _In_ POBJECT_ATTRIBUTES ObjectAttributes,
295  _In_ ULONG OpenOptions,
296  _In_ HANDLE TransactionHandle
297  );
298 #endif
299 
300 NTSYSCALLAPI
301 NTSTATUS
302 NTAPI
303 NtDeleteKey(
304  _In_ HANDLE KeyHandle
305  );
306 
307 NTSYSCALLAPI
308 NTSTATUS
309 NTAPI
310 NtRenameKey(
311  _In_ HANDLE KeyHandle,
312  _In_ PUNICODE_STRING NewName
313  );
314 
315 NTSYSCALLAPI
316 NTSTATUS
317 NTAPI
318 NtDeleteValueKey(
319  _In_ HANDLE KeyHandle,
320  _In_ PUNICODE_STRING ValueName
321  );
322 
323 NTSYSCALLAPI
324 NTSTATUS
325 NTAPI
326 NtQueryKey(
327  _In_ HANDLE KeyHandle,
328  _In_ KEY_INFORMATION_CLASS KeyInformationClass,
329  _Out_writes_bytes_opt_(Length) PVOID KeyInformation,
330  _In_ ULONG Length,
331  _Out_ PULONG ResultLength
332  );
333 
334 NTSYSCALLAPI
335 NTSTATUS
336 NTAPI
337 NtSetInformationKey(
338  _In_ HANDLE KeyHandle,
339  _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass,
340  _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation,
341  _In_ ULONG KeySetInformationLength
342  );
343 
344 NTSYSCALLAPI
345 NTSTATUS
346 NTAPI
347 NtQueryValueKey(
348  _In_ HANDLE KeyHandle,
349  _In_ PUNICODE_STRING ValueName,
350  _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
351  _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation,
352  _In_ ULONG Length,
353  _Out_ PULONG ResultLength
354  );
355 
356 NTSYSCALLAPI
357 NTSTATUS
358 NTAPI
359 NtSetValueKey(
360  _In_ HANDLE KeyHandle,
361  _In_ PUNICODE_STRING ValueName,
362  _In_opt_ ULONG TitleIndex,
363  _In_ ULONG Type,
364  _In_reads_bytes_opt_(DataSize) PVOID Data,
365  _In_ ULONG DataSize
366  );
367 
368 NTSYSCALLAPI
369 NTSTATUS
370 NTAPI
371 NtQueryMultipleValueKey(
372  _In_ HANDLE KeyHandle,
373  _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries,
374  _In_ ULONG EntryCount,
375  _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer,
376  _Inout_ PULONG BufferLength,
377  _Out_opt_ PULONG RequiredBufferLength
378  );
379 
380 NTSYSCALLAPI
381 NTSTATUS
382 NTAPI
383 NtEnumerateKey(
384  _In_ HANDLE KeyHandle,
385  _In_ ULONG Index,
386  _In_ KEY_INFORMATION_CLASS KeyInformationClass,
387  _Out_writes_bytes_opt_(Length) PVOID KeyInformation,
388  _In_ ULONG Length,
389  _Out_ PULONG ResultLength
390  );
391 
392 NTSYSCALLAPI
393 NTSTATUS
394 NTAPI
395 NtEnumerateValueKey(
396  _In_ HANDLE KeyHandle,
397  _In_ ULONG Index,
398  _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
399  _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation,
400  _In_ ULONG Length,
401  _Out_ PULONG ResultLength
402  );
403 
404 NTSYSCALLAPI
405 NTSTATUS
406 NTAPI
407 NtFlushKey(
408  _In_ HANDLE KeyHandle
409  );
410 
411 NTSYSCALLAPI
412 NTSTATUS
413 NTAPI
414 NtCompactKeys(
415  _In_ ULONG Count,
416  _In_reads_(Count) HANDLE KeyArray[]
417  );
418 
419 NTSYSCALLAPI
420 NTSTATUS
421 NTAPI
422 NtCompressKey(
423  _In_ HANDLE Key
424  );
425 
426 NTSYSCALLAPI
427 NTSTATUS
428 NTAPI
429 NtLoadKey(
430  _In_ POBJECT_ATTRIBUTES TargetKey,
431  _In_ POBJECT_ATTRIBUTES SourceFile
432  );
433 
434 NTSYSCALLAPI
435 NTSTATUS
436 NTAPI
437 NtLoadKey2(
438  _In_ POBJECT_ATTRIBUTES TargetKey,
439  _In_ POBJECT_ATTRIBUTES SourceFile,
440  _In_ ULONG Flags
441  );
442 
443 NTSYSCALLAPI
444 NTSTATUS
445 NTAPI
446 NtLoadKeyEx(
447  _In_ POBJECT_ATTRIBUTES TargetKey,
448  _In_ POBJECT_ATTRIBUTES SourceFile,
449  _In_ ULONG Flags,
450  _In_opt_ HANDLE TrustClassKey,
451  _In_opt_ HANDLE Event,
452  _In_opt_ ACCESS_MASK DesiredAccess,
453  _Out_opt_ PHANDLE RootHandle,
454  _Out_opt_ PIO_STATUS_BLOCK IoStatus
455  );
456 
457 NTSYSCALLAPI
458 NTSTATUS
459 NTAPI
460 NtReplaceKey(
461  _In_ POBJECT_ATTRIBUTES NewFile,
462  _In_ HANDLE TargetHandle,
463  _In_ POBJECT_ATTRIBUTES OldFile
464  );
465 
466 NTSYSCALLAPI
467 NTSTATUS
468 NTAPI
469 NtSaveKey(
470  _In_ HANDLE KeyHandle,
471  _In_ HANDLE FileHandle
472  );
473 
474 NTSYSCALLAPI
475 NTSTATUS
476 NTAPI
477 NtSaveKeyEx(
478  _In_ HANDLE KeyHandle,
479  _In_ HANDLE FileHandle,
480  _In_ ULONG Format
481  );
482 
483 NTSYSCALLAPI
484 NTSTATUS
485 NTAPI
486 NtSaveMergedKeys(
487  _In_ HANDLE HighPrecedenceKeyHandle,
488  _In_ HANDLE LowPrecedenceKeyHandle,
489  _In_ HANDLE FileHandle
490  );
491 
492 NTSYSCALLAPI
493 NTSTATUS
494 NTAPI
495 NtRestoreKey(
496  _In_ HANDLE KeyHandle,
497  _In_ HANDLE FileHandle,
498  _In_ ULONG Flags
499  );
500 
501 NTSYSCALLAPI
502 NTSTATUS
503 NTAPI
504 NtUnloadKey(
505  _In_ POBJECT_ATTRIBUTES TargetKey
506  );
507 
508 NTSYSCALLAPI
509 NTSTATUS
510 NTAPI
511 NtUnloadKey2(
512  _In_ POBJECT_ATTRIBUTES TargetKey,
513  _In_ ULONG Flags
514  );
515 
516 NTSYSCALLAPI
517 NTSTATUS
518 NTAPI
519 NtUnloadKeyEx(
520  _In_ POBJECT_ATTRIBUTES TargetKey,
521  _In_opt_ HANDLE Event
522  );
523 
524 NTSYSCALLAPI
525 NTSTATUS
526 NTAPI
527 NtNotifyChangeKey(
528  _In_ HANDLE KeyHandle,
529  _In_opt_ HANDLE Event,
530  _In_opt_ PIO_APC_ROUTINE ApcRoutine,
531  _In_opt_ PVOID ApcContext,
532  _Out_ PIO_STATUS_BLOCK IoStatusBlock,
533  _In_ ULONG CompletionFilter,
534  _In_ BOOLEAN WatchTree,
535  _Out_writes_bytes_opt_(BufferSize) PVOID Buffer,
536  _In_ ULONG BufferSize,
537  _In_ BOOLEAN Asynchronous
538  );
539 
540 NTSYSCALLAPI
541 NTSTATUS
542 NTAPI
543 NtNotifyChangeMultipleKeys(
544  _In_ HANDLE MasterKeyHandle,
545  _In_opt_ ULONG Count,
546  _In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[],
547  _In_opt_ HANDLE Event,
548  _In_opt_ PIO_APC_ROUTINE ApcRoutine,
549  _In_opt_ PVOID ApcContext,
550  _Out_ PIO_STATUS_BLOCK IoStatusBlock,
551  _In_ ULONG CompletionFilter,
552  _In_ BOOLEAN WatchTree,
553  _Out_writes_bytes_opt_(BufferSize) PVOID Buffer,
554  _In_ ULONG BufferSize,
555  _In_ BOOLEAN Asynchronous
556  );
557 
558 NTSYSCALLAPI
559 NTSTATUS
560 NTAPI
561 NtQueryOpenSubKeys(
562  _In_ POBJECT_ATTRIBUTES TargetKey,
563  _Out_ PULONG HandleCount
564  );
565 
566 NTSYSCALLAPI
567 NTSTATUS
568 NTAPI
569 NtQueryOpenSubKeysEx(
570  _In_ POBJECT_ATTRIBUTES TargetKey,
571  _In_ ULONG BufferLength,
572  _Out_writes_bytes_(BufferLength) PVOID Buffer,
573  _Out_ PULONG RequiredSize
574  );
575 
576 NTSYSCALLAPI
577 NTSTATUS
578 NTAPI
579 NtInitializeRegistry(
580  _In_ USHORT BootCondition
581  );
582 
583 NTSYSCALLAPI
584 NTSTATUS
585 NTAPI
586 NtLockRegistryKey(
587  _In_ HANDLE KeyHandle
588  );
589 
590 NTSYSCALLAPI
591 NTSTATUS
592 NTAPI
593 NtLockProductActivationKeys(
594  _Inout_opt_ ULONG *pPrivateVer,
595  _Out_opt_ ULONG *pSafeMode
596  );
597 
598 #if (PHNT_VERSION >= PHNT_VISTA)
599 // private
600 NTSYSCALLAPI
601 NTSTATUS
602 NTAPI
603 NtFreezeRegistry(
604  _In_ ULONG TimeOutInSeconds
605  );
606 #endif
607 
608 #if (PHNT_VERSION >= PHNT_VISTA)
609 // private
610 NTSYSCALLAPI
611 NTSTATUS
612 NTAPI
613 NtThawRegistry(
614  VOID
615  );
616 #endif
617 
618 #endif