none
How to Find out which Device Driver is Implementing a system function ? RRS feed

  • Question

  • RegOpenKey function Implemented in Advapi32.dll ( User space )

    As far as i concern The life Cycle of a function is this : 

    WriteFIle (kernel32) --> ntCreateFile(ntdll) --> KiFastSystemCall | KiFastCallEntry --> I/O Manager --------> DeviceDriver

    This is the life cycle of WriteFile Function called from User space. 

    But i want to know how can i find out regOpen which is implemented in Advapi32.dll.

    As i know Reg hives are on Disk, Is it going to End Up sending IRP to FileSystem Driver ? 

    Saturday, October 3, 2015 7:22 AM

Answers

  • A lot of this is covered in Windows Internals so you should be reading this.  The registry hives are in kernel memory for normal operation, so they do not generate a direct call to the file system.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by Mn97 Saturday, October 3, 2015 3:01 PM
    Saturday, October 3, 2015 11:55 AM