
I'm creating a shadow copy and I want to mount a registry hive from that shadow copy using RegLoadKey() so I can go over its content using the normal registry functions.
This usually works well, except on certain machines where it doesn't work at all.

I create the shadow copy and get its mount point - something like
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8
I then call

RegLoadKeyW(HKEY_LOCAL_MACHINE, L"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy8\\Windows\\System32\\config\\SOFTWARE", L"mntpoint");

This call returns 1009 - The configuration registry database is corrupt.

If I use CreateFileW() I can open this file successfully using that path so it is definitely there.

I've made sure that the shadow copy is created with the registry writer so I don't think that's the issue.
There's no difference if I create the shadow copy and try this after a reboot.
This only happens on some machines. On most it works just fine. I'm not sure what differentiates the machines it doesn't work on.
The machine is a Windows 2008 64-bit machine.

Lightness Races in Orbit
shoosh
  • To clarify, this works consistently on some machines and fails consistently on others? Any common factors you can identify? – Harry Johnston Oct 18 '12 at 21:03
  • Yes, both are consistent. As mentioned, "I'm not sure what differentiates the machines it doesn't work on" – shoosh Oct 21 '12 at 08:17

2 Answers


Turns out the problem was that to use RegLoadKeyW(), the loaded hive needs to be somewhere writable. Since the shadow copy is read-only, it failed.
When I copied the file outside the shadow copy, it worked fine.

shoosh
  • Your solution cannot ever match your problem description. You never mentioned the images were moved and/or changed their r/w status in "some" cases. – Pat Oct 22 '12 at 14:25
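An added example of the workaround the accepted answer describes (this is not code from the question or the answer): take the SOFTWARE hive out of the read-only shadow copy into a writable directory, load that copy, read it, and unload it. It is written for an elevated PowerShell session on Windows, because `reg.exe load` ends up in the same RegLoadKey call the question makes and needs the same SeBackupPrivilege/SeRestorePrivilege. The shadow copy device name is whatever Win32_ShadowCopy returns on your machine; the symlink directory, working directory and `mntpoint` name are arbitrary choices made for the example.

```powershell
# Added example, not from the original post. Assumes an elevated session.
# Names used here ($link, $work, 'mntpoint') are placeholders for this example.

# 1. Create a shadow copy of C: and find its device object path
#    (something like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8).
$result = (Get-WmiObject -List Win32_ShadowCopy).Create('C:\', 'ClientAccessible')
if ($result.ReturnValue -ne 0) { throw "Shadow copy creation failed: $($result.ReturnValue)" }
$shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
$device = $shadow.DeviceObject

# 2. Expose the shadow copy through a directory symlink so ordinary file
#    tools can read it (the trailing backslash on the target is required).
$link = Join-Path $env:TEMP 'shadowlink'
cmd /c mklink /d "$link" "$device\" | Out-Null

# 3. Copy the hive, plus its transaction logs if present, into a writable
#    directory. This is the step the accepted answer found necessary:
#    RegLoadKey will not load the hive straight out of the read-only snapshot.
$work = Join-Path $env:TEMP 'hivework'
New-Item -ItemType Directory -Force -Path $work | Out-Null
foreach ($name in 'SOFTWARE', 'SOFTWARE.LOG1', 'SOFTWARE.LOG2') {
    $src = Join-Path $link "Windows\System32\config\$name"
    if (Test-Path -LiteralPath $src) { Copy-Item -LiteralPath $src -Destination $work }
}

# 4. Load the writable copy under HKLM\mntpoint.
$mnt = 'HKLM\mntpoint'
reg.exe load $mnt (Join-Path $work 'SOFTWARE') | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

try {
    # 5. Read the mounted hive with the normal registry cmdlets, exactly as
    #    you would read the live HKLM\SOFTWARE.
    $cv = Get-ItemProperty -Path 'HKLM:\mntpoint\Microsoft\Windows NT\CurrentVersion'
    '{0} (build {1})' -f $cv.ProductName, $cv.CurrentBuildNumber
}
finally {
    # 6. Always unload the hive before cleaning up the link and the snapshot;
    #    a still-loaded hive keeps its file locked.
    reg.exe unload $mnt | Out-Null
    cmd /c rmdir "$link" | Out-Null
    $shadow.Delete()
}
```

If you are doing this from native code instead, the same rule applies: point RegLoadKeyW at the copy in the writable directory, not at the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\...` path, and call RegUnLoadKeyW before deleting the directory.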

Are you loading on the same machine where you created the shadow copy?

One of the RegLoadKeyW() remarks says:

There are two registry hive file formats. Registry hives created on current operating systems typically cannot be loaded by earlier ones.

Harry Johnston
Pat
  • Come to think of it, that implies that upgraded operating systems might use the earlier registry format, or worse, a mixture of formats. @shoosh, is it possible that the affected machines were upgraded from a previous version of the OS? – Harry Johnston Oct 19 '12 at 00:44
  • No, this is a vanilla, freshly installed machine – shoosh Oct 21 '12 at 08:16