The driver I wrote verifies the registry value in kernel mode.
The code is below:
// Open the key with a kernel handle; note the empty access mask.
InitializeObjectAttributes(&ObjAttr, &RegKeyName,
                           OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE | OBJ_OPENIF,
                           NULL, NULL);
ACCESS_MASK access_mask = 0;
Status = ZwOpenKey(&handle, access_mask, &ObjAttr);
if (!NT_SUCCESS(Status))
    break;

// Read the value through the handle that was opened with no rights requested.
Status = ZwQueryValueKey(handle, ...);
if (!NT_SUCCESS(Status))
    break;

// Delete the value through the same handle.
Status = ZwDeleteValueKey(handle, &RegKeyName);
if (!NT_SUCCESS(Status))
    break;
// So far, I've also succeeded in reading and deleting the values
I'm using Windows 10 x64, and I get the same result on Windows 7.
I don't know why it works like this.
Looking at the ZwQueryValueKey documentation, it says that KEY_QUERY_VALUE is necessary, but it succeeds even when the access mask is set to 0.
If anyone knows the reason, could you please tell me?