/* When this hive file was last modified */
LARGE_INTEGER DateModified;
- /* Registry format version ? (1?) */
- ULONG Unused3;
+ /* Registry format major version (1) */
+ ULONG MajorVersion;
- /* Registry format version ? (3?) */
- ULONG Unused4;
+ /* Registry format minor version (3)
+ Version 3 added fast indexes, version 5 has large value optimizations */
+ ULONG MinorVersion;
- /* Registry format version ? (0?) */
- ULONG Unused5;
+ /* Registry file type (0 - Primary, 1 - Log) */
+ ULONG Type;
- /* Registry format version ? (1?) */
- ULONG Unused6;
+ /* Registry format (1 is the only defined value so far) */
+ ULONG Format;
/* Offset into file from the byte after the end of the base block.
If the hive is volatile, this is the actual pointer to the KEY_CELL */
ULONG Unused7;
/* Name of hive file */
- WCHAR FileName[64];
+ WCHAR FileName[48];
- /* ? */
- ULONG Unused8[83];
+ ULONG Reserved[99];
/* Checksum of first 0x200 bytes */
ULONG Checksum;
/* Size in bytes, multiple of the block size (4KB) */
ULONG BinSize;
- /* ? */
- ULONG Unused1;
+ ULONG Reserved[2];
/* When this bin was last modified */
LARGE_INTEGER DateModified;
- /* ? */
- ULONG Unused2;
+ /* ? (In-memory only) */
+ ULONG MemAlloc;
} HBIN, *PHBIN;
typedef struct _CELL_HEADER
/* List of subkeys loaded */
struct _KEY_OBJECT **SubKeys;
+
+ /* List entry into the global key object list */
+ LIST_ENTRY ListEntry;
+
+ /* Time stamp for the last access by the parse routine */
+ ULONG TimeStamp;
} KEY_OBJECT, *PKEY_OBJECT;
/* Bits 31-22 (top 10 bits) of the cell index is the directory index */
extern ERESOURCE CmiRegistryLock;
-typedef enum _REG_NOTIFY_CLASS
-{
- RegNtDeleteKey,
- RegNtPreDeleteKey = RegNtDeleteKey,
- RegNtSetValueKey,
- RegNtPreSetValueKey = RegNtSetValueKey,
- RegNtDeleteValueKey,
- RegNtPreDeleteValueKey = RegNtDeleteValueKey,
- RegNtSetInformationKey,
- RegNtPreSetInformationKey = RegNtSetInformationKey,
- RegNtRenameKey,
- RegNtPreRenameKey = RegNtRenameKey,
- RegNtEnumerateKey,
- RegNtPreEnumerateKey = RegNtEnumerateKey,
- RegNtEnumerateValueKey,
- RegNtPreEnumerateValueKey = RegNtEnumerateValueKey,
- RegNtQueryKey,
- RegNtPreQueryKey = RegNtQueryKey,
- RegNtQueryValueKey,
- RegNtPreQueryValueKey = RegNtQueryValueKey,
- RegNtQueryMultipleValueKey,
- RegNtPreQueryMultipleValueKey = RegNtQueryMultipleValueKey,
- RegNtPreCreateKey,
- RegNtPostCreateKey,
- RegNtPreOpenKey,
- RegNtPostOpenKey,
- RegNtKeyHandleClose,
- RegNtPreKeyHandleClose = RegNtKeyHandleClose,
- RegNtPostDeleteKey,
- RegNtPostSetValueKey,
- RegNtPostDeleteValueKey,
- RegNtPostSetInformationKey,
- RegNtPostRenameKey,
- RegNtPostEnumerateKey,
- RegNtPostEnumerateValueKey,
- RegNtPostQueryKey,
- RegNtPostQueryValueKey,
- RegNtPostQueryMultipleValueKey,
- RegNtPostKeyHandleClose,
- RegNtPreCreateKeyEx,
- RegNtPostCreateKeyEx,
- RegNtPreOpenKeyEx,
- RegNtPostOpenKeyEx
-} REG_NOTIFY_CLASS, *PREG_NOTIFY_CLASS;
/* Registry Callback Function */
-typedef NTSTATUS (*PEX_CALLBACK_FUNCTION ) (
+typedef NTSTATUS (STDCALL *PEX_CALLBACK_FUNCTION ) (
IN PVOID CallbackContext,
IN REG_NOTIFY_CLASS Argument1,
IN PVOID Argument2
IN OUT PWSTR *Path,
IN ULONG Attribute);
-NTSTATUS STDCALL
-CmiObjectCreate(PVOID ObjectBody,
- PVOID Parent,
- PWSTR RemainingPath,
- POBJECT_ATTRIBUTES ObjectAttributes);
-
VOID STDCALL
CmiObjectDelete(PVOID DeletedObject);
SECURITY_OPERATION_CODE OperationCode,
SECURITY_INFORMATION SecurityInformation,
PSECURITY_DESCRIPTOR SecurityDescriptor,
- PULONG BufferLength);
+ PULONG BufferLength,
+ PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
+ POOL_TYPE PoolType,
+ PGENERIC_MAPPING GenericMapping);
NTSTATUS STDCALL
CmiObjectQueryName (PVOID ObjectBody,
NTSTATUS
CmiRemoveKeyFromList(IN PKEY_OBJECT NewKey);
-PKEY_OBJECT
+NTSTATUS
CmiScanKeyList(IN PKEY_OBJECT Parent,
IN PUNICODE_STRING KeyName,
- IN ULONG Attributes);
+ IN ULONG Attributes,
+ PKEY_OBJECT* ReturnedObject);
NTSTATUS
CmiCreateVolatileHive(PREGISTRY_HIVE *RegistryHive);