Can't load 64-bit key using RegLoadKey in 32-bit service

Question

I need to open up and modify a user's registry key from a 32-bit service (note that the user is not logged in at the time.) I do the following:

//For simplicity error checks are not shown
//I also made sure to enable the following privileges:
// SE_RESTORE_NAME, SE_BACKUP_NAME

//"ntuser.dat" = is the file OS uses to load user's profile
if(RegLoadKey(HKEY_LOCAL_MACHINE, L"Test123", L"C:\\Users\\UserA\\ntuser.dat") == ERROR_SUCCESS)
{
    HKEY hKey;
    DWORD dwRes = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
        L"Test123\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify"),
        NULL, KEY_READ | KEY_WOW64_64KEY, &hKey);

    //'dwRes' = is returned as 2, or ERROR_FILE_NOT_FOUND

    RegUnLoadKey(HKEY_LOCAL_MACHINE, L"Test123");
}

The problem is that the Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify key isn't loaded, even though I know that it exists in the actual user profile. I can verify that by loading the user account and by using 64-bit regedit.

I suspect that this has something to do with the Wow64 redirection but I can't seem to understand what am I doing wrong?

EDIT: Added error check for the first API.

Given that the key you are trying to fetch is in HKEY_LOCAL_MACHINE, why are you bothering with RegLoadKey? — selbie, Dec 19 '12 at 06:50
Because HKEY_LOCAL_MACHINE is where he is loading the data into, not where the data was originally located inside of ntuser.dat. — Remy Lebeau, Dec 19 '12 at 07:51
What is the return value of `RegLoadKey()`? You are not doing error handling on it. — Remy Lebeau, Dec 19 '12 at 07:56
@RemyLebeau: The return from RegLoadKey is 0. As I said I took the error handling out for brevity. — c00000fd, Dec 19 '12 at 08:41
What is also strange is this. I copied the `ntuser.dat` file to another computer and opened it with the `regedit` by doing File -> "Load Hive" and that too didn't have the `Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify` key like it showed on the actual user account. It's almost like those Wow64 reflected keys are stored in a different location/file? — c00000fd, Dec 19 '12 at 08:45
Are you sure you want to access **Software\\Classes\\Local Settings**\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify and not Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify? — rioki, Dec 19 '12 at 09:14
@rioki: Yes, `HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify` is the actual key when the `UserA` is logged on. — c00000fd, Dec 19 '12 at 09:43
Did you check the other hives lying around the user profile? — rioki, Dec 19 '12 at 09:56
@rioki: I found out that the key I'm looking for is mapped into `HKEY_USERS\_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify` but it doesn't seem to be included in the ntuser.dat for that user. Any idea where can it be stored? — c00000fd, Dec 19 '12 at 10:28
@rioki, a follow-up -- I found out that the classes data is actually stored in a different file `\Device\HarddiskVolume2\Users\UserA\AppData\Local\Microsoft\Windows\UsrClass.dat`. Any idea how to get this path from a user's profile? — c00000fd, Dec 19 '12 at 18:20

score 2 · Answer 1 · answered Dec 20 '12 at 02:43

I think I got it. Two corrections to my original code:

First off, since Vista I need to load Usrclass.dat file for the classes hive and not ntuser.dat. It kinda makes sense because ntuser.dat is a part of a user's roaming profile and Classes\Local Settings does not fit into the picture well. So here's the location of the Usrclass.dat file, which contains non-roaming user data (mostly COM stuff, but some other settings as well):

%LocalAppData%\Microsoft\Windows\Usrclass.dat
The key to open after the user hive loads is:

Test123\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify

that is because the original HKCU\Software\Classes is redirected to HKU\<UserSID>_Classes that is stored in the Usrclass.dat file.

Can't load 64-bit key using RegLoadKey in 32-bit service

1 Answers1