Erasing Hive Registry

  • Question

  • I have been trying to erase the Hive registry.

    Luckily, I found a forum post which tells me that it can be done by adding new functionality in KernelIoControl. I tried to call it and debugged it within one of the drivers, and found that when I called KernelIoControl, it led me to the XXX_KernelIoControl function in C:\WINCE800\private\winceos\coreos\core\thunks\tkfuncs.cpp. At the end of the function, KernelIoControl is being called and I don't have access to the source code anymore (it took me to assembly code).

    The forum post provided example code for setting the flag to erase the hive registry (see code below).

    DWORD *pFlags = (DWORD *)lpInBuf;
    BOOL *pClean = (BOOL *)lpOutBuf;
    *pfClean = FALSE;
    if((*pdwFlags == HIVECLEANFLAG_SYSTEM) || (*pdwFlags == HIVECLEANFLAG_USERS))
        *pClean = TRUE;
    return TRUE;

    What I don't understand is that I could not find *pClean anywhere (assuming the variable name is correct). Also, Microsoft provides the same information, which still uses *pClean. So in a nutshell, I have been trying to find a way to set the flag to erase the hive.

    Monday, September 3, 2018 11:57 PM

All replies

  • I don't quite understand why you try to find pClean outside of the IOCTL scope.

    pClean is a temporary variable and points to the out buffer.

    See in your code: BOOL *pClean = (BOOL *)lpOutBuf;

    pClean points to the same RAM as lpOutBuf.

    How it works:

    1. The kernel calls your IOCTL code and provides lpOutBuf for your code to store the result to.

    2. Your code does its job and stores the result of the operation to pClean (and to lpOutBuf, since they are equal).

    3. After your code finishes, the kernel will analyze what is in lpOutBuf and erase the hive if told so.

    You can replace *pClean = TRUE; with *((BOOL*)lpOutBuf) = TRUE; the result will be the same.

    Hope I understood your question correctly...

    Tuesday, September 4, 2018 9:29 AM
  • Thanks for responding. 

    So how does the IOCTL set the flag to erase the hive registry then? I would have thought that there would be some sort of macro for this.

    Tuesday, September 4, 2018 10:05 AM
  • No macro required.

    Quote from the MS documentation:

    [out] Pointer to a DWORD. The output DWORD value should be set to TRUE if the hive described by the flag in lpInBuf should be cleaned. Set the DWORD value to FALSE if the hive should not be cleaned.

    If you set *pClean to TRUE, the kernel will erase the registry hive.

    I think the kernel will call this IOCTL twice:

    1. System hive erase inquiry

    2. User hive erase inquiry

    Here is an example again; it checks which hive the kernel queries about and decides to clean the user hive only, leaving the system hive as is.

    if (!lpInBuf || (nInBufSize != sizeof(DWORD))
      || !lpOutBuf || (nOutBufSize != sizeof(BOOL))) {
      return FALSE;
    } else {
      DWORD *pdwFlags = (DWORD*)lpInBuf;
      BOOL  *pfClean  = (BOOL*)lpOutBuf;
      if (*pdwFlags == HIVECLEANFLAG_SYSTEM) {
        RETAILMSG(1, (TEXT("OEM: Not cleaning system hive\r\n")));
        *pfClean = FALSE;
      } else if (*pdwFlags == HIVECLEANFLAG_USERS) {
        RETAILMSG(1, (TEXT("OEM: Cleaning user profiles\r\n")));
        *pfClean = TRUE;
      }
      return TRUE;
    }

    Tuesday, September 4, 2018 1:33 PM
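
    The two replies above describe the same exchange: filesys asks the OAL once per hive through IOCTL_HAL_GET_HIVE_CLEAN_FLAG, and the handler answers by writing through the BOOL that lpOutBuf points to. The following is an added, host-buildable model of that exchange, not code from this thread or from Microsoft's OAL sources. The Windows typedefs, the HIVECLEANFLAG_* values and the signature of CheckSharedMemoryHiveDeleteFlag() are constructed stand-ins; a real BSP takes the first two from the Platform Builder headers and implements the third against its own shared-memory reset flag. The handler validates buffer sizes before dereferencing either pointer, the check the quoted OEM example also performs, so a mis-sized kernel buffer is refused rather than read or written past its end.

```c
/* Added example: models filesys querying the OAL hive-clean handler at boot.
 * Windows types, HIVECLEANFLAG_* values and the shared-memory flag are
 * constructed stand-ins so this builds on an ordinary host compiler. */
#include <stdio.h>
#include <stddef.h>

typedef unsigned int DWORD;
typedef int          BOOL;
typedef void        *LPVOID;
#define TRUE  1
#define FALSE 0

/* Constructed values; the real constants come from the BSP headers. */
#define HIVECLEANFLAG_SYSTEM 0x01u
#define HIVECLEANFLAG_USERS  0x02u

/* Stand-in for the flag a reset request leaves in shared memory: a bitmask
 * of HIVECLEANFLAG_* values naming the hives to wipe on the next boot. */
static DWORD g_hiveDeleteRequest = 0;

void SetHiveDeleteRequest(DWORD hiveMask)
{
    g_hiveDeleteRequest = hiveMask;
}

/* Assumed signature: takes the hive being asked about so each of the two
 * boot-time queries can receive its own answer. */
static BOOL CheckSharedMemoryHiveDeleteFlag(DWORD hive)
{
    return (g_hiveDeleteRequest & hive) != 0 ? TRUE : FALSE;
}

/* The IOCTL_HAL_GET_HIVE_CLEAN_FLAG case of OEMIoControl as a function.
 * Returns FALSE (IOCTL failed) when a buffer is missing or mis-sized,
 * otherwise TRUE with the decision written through lpOutBuf. */
BOOL HandleGetHiveCleanFlag(LPVOID lpInBuf, DWORD nInBufSize,
                            LPVOID lpOutBuf, DWORD nOutBufSize)
{
    /* Check sizes before touching either pointer: the kernel owns these
     * buffers, and a wrong size would mean reading or writing past them. */
    if (!lpInBuf || nInBufSize != sizeof(DWORD) ||
        !lpOutBuf || nOutBufSize != sizeof(BOOL)) {
        return FALSE;
    }
    DWORD *pdwFlags = (DWORD *)lpInBuf;  /* which hive filesys asks about */
    BOOL  *pfClean  = (BOOL *)lpOutBuf;  /* the answer; aliases lpOutBuf  */
    *pfClean = FALSE;                    /* default: keep the hive        */

    if (*pdwFlags == HIVECLEANFLAG_SYSTEM || *pdwFlags == HIVECLEANFLAG_USERS) {
        *pfClean = CheckSharedMemoryHiveDeleteFlag(*pdwFlags);
    }
    /* An unrecognised flag leaves *pfClean FALSE but is still a handled call. */
    return TRUE;
}

/* Plays the kernel's side: two queries, one per hive, with correctly sized
 * buffers. Returns a bitmask of the hives the OAL agreed to clean, or
 * (DWORD)-1 if the handler rejected one of the calls. */
DWORD SimulateBootQueries(void)
{
    static const DWORD hives[] = { HIVECLEANFLAG_SYSTEM, HIVECLEANFLAG_USERS };
    DWORD cleaned = 0;
    for (int i = 0; i < 2; i++) {
        DWORD flag = hives[i];
        BOOL  answer = FALSE;
        if (!HandleGetHiveCleanFlag(&flag, sizeof(flag), &answer, sizeof(answer))) {
            return (DWORD)-1;
        }
        if (answer) {
            cleaned |= flag;
        }
    }
    return cleaned;
}

/* Confirms the handler refuses NULL or mis-sized buffers without writing
 * to the output. Returns TRUE if every bad call was rejected and the
 * sentinel in the output buffer survived untouched. */
BOOL RejectsBadBuffers(void)
{
    DWORD flag = HIVECLEANFLAG_USERS;
    BOOL  answer = 42;  /* sentinel: must be unchanged after rejected calls */
    SetHiveDeleteRequest(HIVECLEANFLAG_USERS);
    if (HandleGetHiveCleanFlag(NULL, sizeof(flag), &answer, sizeof(answer))) return FALSE;
    if (HandleGetHiveCleanFlag(&flag, sizeof(flag) + 1, &answer, sizeof(answer))) return FALSE;
    if (HandleGetHiveCleanFlag(&flag, sizeof(flag), NULL, sizeof(answer))) return FALSE;
    if (HandleGetHiveCleanFlag(&flag, sizeof(flag), &answer, 0)) return FALSE;
    return answer == 42 ? TRUE : FALSE;
}

int main(void)
{
    SetHiveDeleteRequest(0);
    printf("no request: cleaned mask = 0x%x\n", SimulateBootQueries());
    SetHiveDeleteRequest(HIVECLEANFLAG_USERS);
    printf("users only: cleaned mask = 0x%x\n", SimulateBootQueries());
    SetHiveDeleteRequest(HIVECLEANFLAG_SYSTEM | HIVECLEANFLAG_USERS);
    printf("both hives: cleaned mask = 0x%x\n", SimulateBootQueries());
    printf("bad buffers rejected: %s\n", RejectsBadBuffers() ? "yes" : "no");
    return 0;
}
```

    Gating the answer on a flag left in shared memory, rather than answering TRUE unconditionally, is what keeps the wipe a one-shot reset instead of something that happens on every boot; the unconditional version is the quick test proposed later in this thread.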
  • First, have you tried debugging the code?

    Second, there were some problems with the code on my blog (but I did mention that I hadn't compiled it :) ): pFlags should have been pdwFlags, and pfClean should have been pClean.

    You do not need to call KernelIoControl(); it will be called automatically by FileSys.

    You do need to write CheckSharedMemoryHiveDeleteFlag() and return TRUE.

    If it were me, I would try the following to see if it works (it should work on EVERY boot):

    BOOL *pClean = (BOOL *)lpOutBuf;
    *pClean = TRUE;
    return TRUE;

    Bruce Eitman
    Senior Engineer
    Bruce.Eitman AT Synopsys DOT com

    Tuesday, September 4, 2018 3:51 PM