
I am trying to get a handle to the Registry hive "\REGISTRY\A\{GUID}" and enumerate the keys under that handle. I've been searching for hours but still haven't got a clue on how to open or enumerate it. Please help me get to the correct API to do so. By the way, RegOpenKeyEx() and RegEnumKeyEx() don't work; I tried.

  • Welcome to Stack Overflow! Please edit your question after reading [How to Ask a Question](https://stackoverflow.com/help/how-to-ask). – TriskalJM Dec 29 '17 at 15:24
  • https://stackoverflow.com/questions/4611291/mysterious-native-a-registry-key-with-path-registry-a – drescherjm Dec 29 '17 at 15:28
  • this work on win8.1, but on win10 when we try open "\REGISTRY\A\" we got access denied – RbMm Dec 29 '17 at 15:56
  • @drescherjm that thread was the starting point for me. There was no clear information on how to access "\REGISTRY\A\". By the way, I'm new to C++. – Thulasiraman V Dec 29 '17 at 18:12
  • @eryksun Thanks for the reply. I have no problem accessing it using a kernel debugger, but I want to access it programmatically. – Thulasiraman V Dec 29 '17 at 18:59
  • I've been trying it in Windows 10. I also ran 'procmon' on Windows 10 and noticed that some applications are able to access \Registry\A\{}. Actually, I haven't tried it on Windows 8.1. If I use NtOpenKeyEx() with ObjectName as "\REGISTRY\A\" it fails, but if I use "\REGISTRY" as ObjectName I'm able to open the key, but NtQueryValueKey() fails. Am I missing something? – Thulasiraman V Dec 29 '17 at 19:36
  • I figured that much, but I don't know which file I must load into the hive to get to the \Registry path. – Thulasiraman V Dec 30 '17 at 04:26
  • Hi @eryksun, sorry for the long delay and thank you for your help. I am now able to load into the "\Registry\a\{GUID}" path and access it. This is what I was looking for, thanks. If you could post this as an answer I can mark it as the solution. Again, thank you so much. – Thulasiraman V Jan 05 '18 at 12:06
  • Sorry for the confusion. – Thulasiraman V Jan 05 '18 at 15:51

1 Answer


Applications with handles for "\REGISTRY\A\{GUID}" paths have either called RegLoadAppKey or NtLoadKeyEx. RegLoadAppKey loads a private application hive at an automatically generated path, "\REGISTRY\A\{GUID}". It returns a handle for the hive's root Key, and subkeys can be enumerated, created and opened relative to this handle.

It used to be possible to open "A" relative to a handle for "\REGISTRY" and enumerate its subkeys. This is no longer allowed in Windows 10. I assume access is restricted in the Configuration Manager's parse procedure for Key objects, CmpParseKey. However, you can still inspect this Key using a kernel debugger with commands such as !reg q \REGISTRY\A.

Eryk Sun
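The flow the answer describes, as an added example that is not part of Eryk Sun's answer or the questioner's code: load a hive file as a private application hive with RegLoadAppKey and enumerate the subkeys relative to the returned root handle, rather than trying to open "\REGISTRY\A\{GUID}" by name. The hive file path is a constructed placeholder, and the Win32 calls are compiled only on Windows; on other platforms the function reports ERROR_CALL_NOT_IMPLEMENTED so the code still builds.

```cpp
// Added example, not from the Stack Overflow post: enumerate a private
// application hive through the handle returned by RegLoadAppKey.
#include <iostream>
#include <string>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#endif

// Result of one enumeration attempt.
struct AppHiveListing {
    long status;                       // 0 (ERROR_SUCCESS) on success, else a Win32 error code
    std::vector<std::wstring> subkeys; // names of the subkeys directly under the hive root
};

// Loads hiveFile as a private app hive (mounted by the kernel at \REGISTRY\A\{GUID})
// and lists the root's direct subkeys. The root handle is closed before returning;
// closing the last handle to the hive unloads it again.
AppHiveListing ListAppHiveSubkeys(const std::wstring& hiveFile) {
    AppHiveListing out{0, {}};
#ifdef _WIN32
    HKEY root = nullptr;
    // KEY_READ is all enumeration needs. REG_PROCESS_APPKEY stops other processes
    // from loading the same hive file while this process holds it.
    LONG rc = RegLoadAppKeyW(hiveFile.c_str(), &root, KEY_READ, REG_PROCESS_APPKEY, 0);
    if (rc != ERROR_SUCCESS) {
        out.status = rc;
        return out;
    }

    // Ask for the subkey count and the longest subkey name so one buffer fits all of them.
    DWORD count = 0, maxNameLen = 0;
    rc = RegQueryInfoKeyW(root, nullptr, nullptr, nullptr, &count, &maxNameLen,
                          nullptr, nullptr, nullptr, nullptr, nullptr, nullptr);
    if (rc == ERROR_SUCCESS) {
        std::vector<wchar_t> name(maxNameLen + 1); // +1 for the terminating null
        for (DWORD i = 0; i < count; ++i) {
            DWORD len = static_cast<DWORD>(name.size());
            // Enumerate relative to the hive root, exactly as one would under HKLM or HKCU.
            rc = RegEnumKeyExW(root, i, name.data(), &len, nullptr, nullptr, nullptr, nullptr);
            if (rc != ERROR_SUCCESS) break;
            out.subkeys.emplace_back(name.data(), len);
        }
    }
    out.status = rc;
    RegCloseKey(root);
#else
    (void)hiveFile;
    out.status = 120; // ERROR_CALL_NOT_IMPLEMENTED: the Win32 registry API is Windows-only
#endif
    return out;
}

int main() {
    // Constructed sample path (assumption): point this at a real hive file, e.g. one
    // written earlier with RegSaveKey, when running on Windows.
    const std::wstring sample = L"C:\\Temp\\example-app-hive.dat";
    AppHiveListing r = ListAppHiveSubkeys(sample);
    std::wcout << L"status " << r.status << L", " << r.subkeys.size() << L" subkey(s)\n";
    for (const auto& k : r.subkeys) std::wcout << L"  " << k << L"\n";
    return r.status == 0 ? 0 : 1;
}
```

Unlike RegLoadKey, RegLoadAppKey does not need the backup/restore privileges, which is why ordinary applications can use it for a per-application settings store; the generated "\REGISTRY\A\{GUID}" name is an implementation detail, and, as the answer notes, Windows 10 no longer lets other processes browse that namespace by name.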