I recently wrote a native NT registry editor for Windows, and ran it on Windows 7. To my surprise, in addition to the two standard root keys, MACHINE and USER, that are present on Windows XP, there was also a mysterious key named "A", that cannot be opened in any way, whether by permission changes or backup privileges or otherwise:

[Screenshot]

Does anyone know what this key is for? I don't believe it's for any software, because it was there before I installed anything on the machine, and I believe I saw it on another fresh installation as well. It's rather suspicious, and I'm curious as to why it's there. (If I'm curious enough, I might end up writing a driver to open it up without a privilege check, to see what happens!)

(I wasn't sure whether to put this on SuperUser or StackOverflow, since I think it could go in either one. I could be wrong, though; sorry if this isn't the appropriate place.)

Edit:

I forgot to say, I don't believe you can even see this key using the Win32 API, like RegOpenKey -- you have to use the native API like NtEnumerateKey instead.

Adam Lear
user541686
  • I ran into this a while ago; if I recall correctly it was used by some Microsoft software (I don't remember the specific details). Maybe I'll track it down in my email archive tomorrow. The understanding I had from one of our driver writers was that you can create any (volatile?) key like this using a driver, but user mode (or at least Win32) will only be able to see things under \Machine and \User. – Luke Jan 06 '11 at 04:27
  • Here is the comment from one of our driver writers: "DISCACHE.sys driver seems to be caching system file attributes and using \REGISTRY\A in an undocumented way. This driver is part of the kernel so it can load any hive wherever it wants." That file is described as "System Indexer/Cache Driver" or "System Attribute Cache"; a bit generic to tell exactly what it might be doing. – Luke Jan 06 '11 at 04:35
  • WHOA!! That's very interesting! If you place your comment as an answer I'll definitely mark it as accepted!! :) – user541686 Jan 06 '11 at 04:40

2 Answers

Here is the comment from one of our driver writers: "DISCACHE.sys driver seems to be caching system file attributes and using \REGISTRY\A in an undocumented way. This driver is part of the kernel so it can load any hive wherever it wants."

Luke

Interesting...

The key indeed can be opened with a relative path, but not with an absolute path.

And it seems to contain information about all file systems and whatnot. Looks mysterious, indeed...

user541686
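The question's edit says the key only shows up through the native API (NtEnumerateKey rather than RegOpenKey), and the answer just above says it opens by a relative path but not by an absolute one. The PowerShell script below is an added example, not code from the original thread, that exercises both points. It P/Invokes NtOpenKey, NtEnumerateKey and NtClose from ntdll.dll through an Add-Type wrapper (the class name NtReg and the helper names OpenKey, EnumerateSubKeys and Format-NtStatus are chosen here), lists the root keys under \REGISTRY, and then tries to open A first absolutely and then relative to an open handle on \REGISTRY, printing the NTSTATUS each attempt returns rather than assuming the result. The reason Win32 cannot name this key at all is that RegOpenKeyEx always resolves paths under a predefined handle such as HKEY_LOCAL_MACHINE, which maps to \REGISTRY\MACHINE; there is no Win32 spelling for \REGISTRY\A.

```powershell
# Added example (not from the original post). Wrapper class NtReg is defined here;
# the native prototypes and struct layouts follow winternl.h / the WDK.
$src = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class NtReg
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }

    const uint OBJ_CASE_INSENSITIVE   = 0x40;
    const uint KEY_ENUMERATE_SUB_KEYS = 0x0008;
    const int  KeyBasicInformation    = 0;
    const int  STATUS_BUFFER_OVERFLOW  = unchecked((int)0x80000005);
    const int  STATUS_NO_MORE_ENTRIES  = unchecked((int)0x8000001A);
    const int  STATUS_BUFFER_TOO_SMALL = unchecked((int)0xC0000023);

    [DllImport("ntdll.dll")] static extern int NtOpenKey(out IntPtr KeyHandle, uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes);
    [DllImport("ntdll.dll")] static extern int NtEnumerateKey(IntPtr KeyHandle, uint Index, int KeyInformationClass, IntPtr KeyInformation, uint Length, out uint ResultLength);
    [DllImport("ntdll.dll")] public static extern int NtClose(IntPtr Handle);

    // Open 'name' relative to 'root' (IntPtr.Zero means an absolute object-manager path).
    // Returns the raw NTSTATUS so the caller can show exactly what the kernel answered.
    public static int OpenKey(IntPtr root, string name, out IntPtr handle)
    {
        handle = IntPtr.Zero;
        IntPtr chars = Marshal.StringToHGlobalUni(name);
        IntPtr usPtr = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(UNICODE_STRING)));
        try
        {
            UNICODE_STRING us = new UNICODE_STRING();
            us.Length = (ushort)(name.Length * 2);        // UNICODE_STRING lengths are in bytes
            us.MaximumLength = (ushort)(us.Length + 2);
            us.Buffer = chars;
            Marshal.StructureToPtr(us, usPtr, false);

            OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES();
            oa.Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES));
            oa.RootDirectory = root;
            oa.ObjectName = usPtr;
            oa.Attributes = OBJ_CASE_INSENSITIVE;
            return NtOpenKey(out handle, KEY_ENUMERATE_SUB_KEYS, ref oa);
        }
        finally { Marshal.FreeHGlobal(usPtr); Marshal.FreeHGlobal(chars); }
    }

    // Walk the subkeys of an open key with NtEnumerateKey / KeyBasicInformation.
    public static string[] EnumerateSubKeys(IntPtr key)
    {
        List<string> names = new List<string>();
        uint size = 512;
        IntPtr buf = Marshal.AllocHGlobal((int)size);
        uint index = 0;
        try
        {
            while (true)
            {
                uint needed;
                int status = NtEnumerateKey(key, index, KeyBasicInformation, buf, size, out needed);
                if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_BUFFER_TOO_SMALL)
                {   // buffer too small for this entry: grow it and retry the same index
                    Marshal.FreeHGlobal(buf); size = needed + 64; buf = Marshal.AllocHGlobal((int)size);
                    continue;
                }
                if (status == STATUS_NO_MORE_ENTRIES) break;   // checked before the generic '< 0' test: it is a warning-class NTSTATUS
                if (status < 0) throw new Exception(string.Format("NtEnumerateKey: 0x{0:X8}", status));
                // KEY_BASIC_INFORMATION: LastWriteTime(8) TitleIndex(4) NameLength(4) Name[] -> name at offset 16
                int nameBytes = Marshal.ReadInt32(buf, 12);
                names.Add(Marshal.PtrToStringUni(new IntPtr(buf.ToInt64() + 16), nameBytes / 2));
                index++;
            }
        }
        finally { Marshal.FreeHGlobal(buf); }
        return names.ToArray();
    }
}
'@
Add-Type -TypeDefinition $src

function Format-NtStatus([int]$Status) { '0x{0:X8}' -f $Status }   # two's-complement hex of the NTSTATUS

$root = [IntPtr]::Zero
$status = [NtReg]::OpenKey([IntPtr]::Zero, '\REGISTRY', [ref]$root)
if ($status -ne 0) { throw "NtOpenKey(\REGISTRY) failed: $(Format-NtStatus $status)" }

'Root keys under \REGISTRY:'
[NtReg]::EnumerateSubKeys($root) | ForEach-Object { "  $_" }

# The two open attempts discussed in the second answer; just report what NtOpenKey returns.
$h = [IntPtr]::Zero
$abs = [NtReg]::OpenKey([IntPtr]::Zero, '\REGISTRY\A', [ref]$h)
"Absolute open of \REGISTRY\A: $(Format-NtStatus $abs)"
if ($abs -eq 0) { [void][NtReg]::NtClose($h) }

$h = [IntPtr]::Zero
$rel = [NtReg]::OpenKey($root, 'A', [ref]$h)
"Relative open of A under \REGISTRY: $(Format-NtStatus $rel)"
if ($rel -eq 0) {
    try { [NtReg]::EnumerateSubKeys($h) | ForEach-Object { "  subkey: $_" } }
    catch { "  enumerate failed: $($_.Exception.Message)" }
    [void][NtReg]::NtClose($h)
}
[void][NtReg]::NtClose($root)
```

Run it from a 32- or 64-bit PowerShell; the struct layouts use IntPtr so they size correctly for either. Every status is printed as the kernel returned it, so the access check on A is visible as an NTSTATUS value rather than being bypassed: this only asks the object manager the question, it does not answer it from a driver.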