problem with the function RtlDeleteRegistryValue

  • Question

  • I have a problem with the function RtlDeleteRegistryValue. This function works fine in DriverEntry, but it does not work in other routines/functions.

    My code is:

    NTSTATUS ioctl_d_in_io2_pro(PIRP Irp,
                                PIO_STACK_LOCATION pIoStackIrp)
    {
        DbgPrint("deleting\n");

        PCWSTR p = L"\\uuu2";
        PCWSTR v = L"yyy2";
        NTSTATUS r6 = STATUS_SUCCESS;

        NTSTATUS r7 = RtlCheckRegistryKey(RTL_REGISTRY_USER, p); // here it works
        if (r7 == STATUS_SUCCESS)
        {
            r6 = RtlDeleteRegistryValue(RTL_REGISTRY_USER, p, v); // it does not work here

            // Convert the status code to text for the debug output.
            // size: constant assumed to be defined elsewhere in the driver.
            UNICODE_STRING us;
            WCHAR buffer[size];
            us.Buffer = buffer;
            us.Length = 0x0;
            us.MaximumLength = sizeof(buffer);

            RtlIntegerToUnicodeString((ULONG)r6, 10, &us);

            ANSI_STRING as;
            CHAR buffer2[size];
            as.Buffer = buffer2;
            as.Length = 0x0;
            as.MaximumLength = sizeof(buffer2);

            // FALSE: convert into buffer2 instead of allocating a new buffer that is never freed.
            RtlUnicodeStringToAnsiString(&as, &us, FALSE);

            // Print through a format string rather than using the buffer as the format.
            DbgPrint("%Z\n", &as); // r6 = 0xC0000034L = STATUS_OBJECT_NAME_NOT_FOUND

            if (r6 == STATUS_SUCCESS)
            {
                DbgPrint("deleted\n");
                ULONG zero = 0; // renamed so it no longer shadows the value name v
                RtlWriteRegistryValue(RTL_REGISTRY_USER,
                                      L"\\uuu2",
                                      L"yyy2",
                                      REG_DWORD,
                                      &zero,
                                      sizeof(ULONG));
            }
        }
        return r6;
    }


    Saturday, December 15, 2018 11:22 AM

All replies

  • First question would be: what context are you in? DriverEntry is run on a system thread; functions like IOCTLs are commonly running on the thread of the user's application. Depending on where you are calling things, you are not referring to the same path.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Saturday, December 15, 2018 12:24 PM
  • Finally, I would like to call the DeviceIoControl function from user mode to remove a registry value via kernel mode (with the function RtlDeleteRegistryValue).
    Saturday, December 15, 2018 12:43 PM
  • Consider doing the delete in a work item (https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/system-worker-threads) or make the entry explicit to your driver. The latter is the typical approach: DriverEntry is passed the driver's registry path; create the value under that path, typically under Parameters.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Saturday, December 15, 2018 12:50 PM
  • I chose the work item method, and I did not understand your second method.

    So my code for the work item is:


    IO_WORKITEM_ROUTINE MyWorkItem; // at the top of the driver main page

    // the work item routine is:

    VOID
    MyWorkItem(
        PDEVICE_OBJECT DeviceObject,
        PVOID Context
        )
    {
        PCWSTR p = L"\\uuu2";
        PCWSTR v = L"yyy2";
        NTSTATUS r6 = STATUS_SUCCESS;

        r6 = RtlDeleteRegistryValue(RTL_REGISTRY_USER, p, v);

        // Convert the status code to text for the debug output.
        // size: constant assumed to be defined elsewhere in the driver.
        UNICODE_STRING us;
        WCHAR buffer[size];
        us.Buffer = buffer;
        us.Length = 0x0;
        us.MaximumLength = sizeof(buffer);

        RtlIntegerToUnicodeString((ULONG)r6, 10, &us);

        ANSI_STRING as;
        CHAR buffer2[size];
        as.Buffer = buffer2;
        as.Length = 0x0;
        as.MaximumLength = sizeof(buffer2);

        // FALSE: convert into buffer2 instead of allocating a new buffer that is never freed.
        RtlUnicodeStringToAnsiString(&as, &us, FALSE);

        // Print through a format string rather than using the buffer as the format.
        DbgPrint("%Z\n", &as);

        if (r6 == STATUS_SUCCESS)
        {
            DbgPrint("deleted\n");
            ULONG zero = 0; // renamed so it no longer shadows the value name v
            RtlWriteRegistryValue(RTL_REGISTRY_USER,
                                  L"\\uuu2",
                                  L"yyy2",
                                  REG_DWORD,
                                  &zero,
                                  sizeof(ULONG));
        }
    }

    // the procedure that calls the IoInitializeWorkItem() function:

    NTSTATUS ioctl_d_in_io2_pro(PIRP Irp,
                                PIO_STACK_LOCATION pIoStackIrp)
    {
        DbgPrint("deleting\n");

        PCWSTR p = L"\\uuu2";

        NTSTATUS r7 = RtlCheckRegistryKey(RTL_REGISTRY_USER, p);
        if (r7 == STATUS_SUCCESS)
        {
            IoInitializeWorkItem(pIoStackIrp->DeviceObject, MyWorkItem);
        }
        return r7;
    }

    But it gives me a blue screen with the error: an attempt was made to write to read-only memory.


    Saturday, December 15, 2018 2:23 PM
  • Take a look at the sample at https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdfregistry/nf-wdfregistry-wdfregistrycreatekey. Where you are creating the key is non-standard, and unless there is a specific reason to do this, you are just leaving a problem for the future.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Saturday, December 15, 2018 2:30 PM
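
Added example (not code from any post in this thread): the work-item suggestion above, written with IoAllocateWorkItem, IoQueueWorkItem and IoFreeWorkItem so the delete runs on a system worker thread, where RTL_REGISTRY_USER resolves as it did in DriverEntry. The names QueueDeleteValue, DeleteValueWorker and g_LastDeleteStatus are hypothetical, and the non-kernel branch holds constructed user-mode stand-ins (they run the routine synchronously) so the flow can be exercised outside a driver build.

```c
#ifdef _KERNEL_MODE            /* defined by MSVC under /kernel (driver builds) */
#include <ntddk.h>
#else                          /* constructed user-mode stand-ins, not WDK code */
#include <stddef.h>
#define VOID void
typedef long NTSTATUS;
typedef void *PVOID, *PDEVICE_OBJECT, *PIO_WORKITEM;
typedef const wchar_t *PCWSTR;
typedef void IO_WORKITEM_ROUTINE(PDEVICE_OBJECT, PVOID);
#define STATUS_SUCCESS 0L
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009AL)
#define RTL_REGISTRY_USER 5
#define DelayedWorkQueue 1
static int g_live, g_deletes;  /* live work items / delete calls seen by the stand-ins */
static PIO_WORKITEM IoAllocateWorkItem(PDEVICE_OBJECT d) { (void)d; g_live++; return &g_live; }
static void IoFreeWorkItem(PIO_WORKITEM w) { (void)w; g_live--; }
static void IoQueueWorkItem(PIO_WORKITEM w, IO_WORKITEM_ROUTINE *r, int q, PVOID c) { (void)w; (void)q; r(NULL, c); }
static NTSTATUS RtlDeleteRegistryValue(unsigned long rel, PCWSTR p, PCWSTR v) { (void)rel; (void)p; (void)v; g_deletes++; return STATUS_SUCCESS; }
#endif

static NTSTATUS g_LastDeleteStatus = STATUS_UNSUCCESSFUL;  /* hypothetical: result of the last delete */

IO_WORKITEM_ROUTINE DeleteValueWorker;

/* Runs at PASSIVE_LEVEL on a system worker thread, not on the IOCTL caller's thread. */
VOID DeleteValueWorker(PDEVICE_OBJECT DeviceObject, PVOID Context)
{
    (void)DeviceObject;
    /* Key path and value name are fixed constants, never taken from the caller. */
    g_LastDeleteStatus = RtlDeleteRegistryValue(RTL_REGISTRY_USER, L"\\uuu2", L"yyy2");
    IoFreeWorkItem((PIO_WORKITEM)Context);   /* the item frees itself when done */
}

/* Call from the IOCTL handler; returns once the work is queued, before the delete has run. */
NTSTATUS QueueDeleteValue(PDEVICE_OBJECT DeviceObject)
{
    PIO_WORKITEM item = IoAllocateWorkItem(DeviceObject);
    if (item == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    /* The item is passed as Context so the routine can free it. */
    IoQueueWorkItem(item, DeleteValueWorker, DelayedWorkQueue, item);
    return STATUS_SUCCESS;
}
```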