Sample Code
Windows Driver Samples/ RegFltr Sample Driver/ C++/ exe/ post.c/
/*++
Copyright (c) Microsoft Corporation. All rights reserved.
THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR
PURPOSE.
Module Name:
Post.c
Abstract:
Samples that show what callbacks can do during the post-notification
phase.
Environment:
User mode only
--*/
#include "regctrl.h"
/*++
In registry callback version 1.0, there is a bug with post-notification
processing and multiple registry filter drivers that can break the samples
here. It is fixed with version 1.1.
The bug occurs when a driver blocks or bypasses a registry operation in the
pre-notification phase. Even though the processing of the operation stops
there, registry filter drivers registered at higher altitudes will still
get a post-notification for the operation. If the higher altitude driver
tries to change the status of the operation from failure to success or
vice versa, this change will be ignored and the status returned
will be the status returned by the driver who bypassed or blocked the
operation during the pre-notification phase.
For more information on how notification processing works with multiple
registry filter drivers registered see ..\sys\MultiAlt.c
For more information on issues in version 1.0 and changes in version 1.1
see ..\sys\Version.c
--*/
VOID
PostNotificationOverrideSuccessSample(
)
/*++
Routine Description:
This sample shows how registry callbacks can fail a registry operation
in the post-notification phase.
Two keys are created. The creates normally should succeeded, but one
is intercepted by the callback and failed with ERROR_ACCESS_DENIED.
The same is done for two values.
See ..\sys\Post.c for the callback routine used in this sample.
--*/
{
LONG Res;
HRESULT hr;
BOOL Result;
HKEY Key = NULL;
HKEY NotModifiedKey = NULL;
BOOL Success = FALSE;
DWORD BytesReturned;
DWORD ValueData = 0xDEADBEEF;
REGISTER_CALLBACK_INPUT RegisterCallbackInput = {0};
REGISTER_CALLBACK_OUTPUT RegisterCallbackOutput = {0};
UNREGISTER_CALLBACK_INPUT UnRegisterCallbackInput = {0};
InfoPrint("");
InfoPrint("=== Post-Notification Override Success Sample ====");
//
// Register a callback with the specified callback mode and altitude.
//
RtlZeroMemory(RegisterCallbackInput.Altitude,
MAX_ALTITUDE_BUFFER_LENGTH * sizeof(WCHAR));
hr = StringCbPrintf(RegisterCallbackInput.Altitude,
MAX_ALTITUDE_BUFFER_LENGTH * sizeof(WCHAR),
CALLBACK_ALTITUDE);
if (!SUCCEEDED(hr)) {
ErrorPrint("Copying altitude string failed. Error %d", hr);
goto Exit;
}
RegisterCallbackInput.CallbackMode = CALLBACK_MODE_POST_NOTIFICATION_OVERRIDE_SUCCESS;
Result = DeviceIoControl(g_Driver,
IOCTL_REGISTER_CALLBACK,
&RegisterCallbackInput,
sizeof(REGISTER_CALLBACK_INPUT),
&RegisterCallbackOutput,
sizeof(REGISTER_CALLBACK_OUTPUT),
&BytesReturned,
NULL);
if (Result != TRUE) {
ErrorPrint("RegisterCallback failed. Error %d", GetLastError());
goto Exit;
}
Success = TRUE;
//
// Create two keys.
// Creating the "not modified" key will succeed.
// Creating the other key will fail with file not found.
//
//
// NOTE: In the kernel debugger output, you will see 3 sets of
// notifications for create key even though we only call create key twice.
// You will also see the message that create key is overrided twice.
//
// Kd output:
//
// RegFltr: Callback: Altitude-380010, NotifyClass-RegNtPreCreateKeyEx.
// RegFltr: Callback: Altitude-380010, NotifyClass-RegNtPostCreateKeyEx.
// RegFltr: Callback: Altitude-380010, NotifyClass-RegNtPreCreateKeyEx.
// RegFltr: Callback: Altitude-380010, NotifyClass-RegNtPostCreateKeyEx.
// RegFltr: Callback: Create key _RegFltrKey overrided from success to error.
// RegFltr: Callback: Altitude-380010, NotifyClass-RegNtPreCreateKeyEx.
// RegFltr: Callback: Altitude-380010, NotifyClass-RegNtPostCreateKeyEx.
// RegFltr: Callback: Create key _RegFltrKey overrided from success to error.
//
// The reason this happens is that RegCreateKeyEx is more than just a
// wrapper around NtCreateKey. If the call to NtCreateKey fails,
// RegCreateKeyEx will retry the call in slightly different ways
// depending on the error returned.
//
Res = RegCreateKeyEx(g_RootKey,
NOT_MODIFIED_KEY_NAME,
0,
NULL,
0,
KEY_ALL_ACCESS,
NULL,
&NotModifiedKey,
NULL);
if (Res != ERROR_SUCCESS) {
ErrorPrint("RegCreateKeyEx returned unexpected error %d", Res);
Success = FALSE;
}
Res = RegCreateKeyEx(g_RootKey,
KEY_NAME,
0,
NULL,
0,
KEY_ALL_ACCESS,
NULL,
&Key,
NULL);
if (Res != ERROR_ACCESS_DENIED) {
ErrorPrint("RegCreateKeyEx returned unexpected error %d", Res);
Success = FALSE;
}
//
// Set two values.
// Setting the "not modified" value will succeed.
// Setting the other value will fail with file not found.
//
Res = RegSetValueEx(g_RootKey,
NOT_MODIFIED_VALUE_NAME,
0,
REG_DWORD,
(BYTE *) &ValueData,
sizeof(ValueData));
if(Res != ERROR_SUCCESS) {
ErrorPrint("RegSetValueEx return unexpected status %d", Res);
Success = FALSE;
}
Res = RegSetValueEx(g_RootKey,
VALUE_NAME,
0,
REG_DWORD,
(BYTE *) &ValueData,
sizeof(ValueData));
if(Res != ERROR_ACCESS_DENIED) {
ErrorPrint("RegSetValueEx return unexpected status %d", Res);
Success = FALSE;
}
//
// Unregister the callback
//
UnRegisterCallbackInput.Cookie = RegisterCallbackOutput.Cookie;
Result = DeviceIoControl(g_Driver,
IOCTL_UNREGISTER_CALLBACK,
&UnRegisterCallbackInput,
sizeof(UNREGISTER_CALLBACK_INPUT),
NULL,
0,
&BytesReturned,
NULL);
if (Result != TRUE) {
ErrorPrint("UnRegisterCallback failed. Error %d", GetLastError());
Success = FALSE;
}
//
// Verify that the create key and set value calls were failed by
// checking that the key and value with KEY_NAME and VALUE_NAME do not
// exist.
//
Res = RegOpenKeyEx(g_RootKey,
KEY_NAME,
0,
KEY_ALL_ACCESS,
&Key);
if (Res != ERROR_FILE_NOT_FOUND) {
ErrorPrint("RegOpenKeyEx returned unexpected error: %d", Res);
if (Key != NULL) {
RegCloseKey(Key);
Key = NULL;
}
Success = FALSE;
}
Res = RegDeleteValue(g_RootKey, VALUE_NAME);
if (Res != ERROR_FILE_NOT_FOUND) {
ErrorPrint("RegDeleteValue on value returned unexpected status: %d",
Res);
Success = FALSE;
}
Exit:
if (Key != NULL) {
RegCloseKey(Key);
}
RegDeleteKey(g_RootKey, KEY_NAME);
if (NotModifiedKey != NULL) {
RegCloseKey(NotModifiedKey);
}
RegDeleteKey(g_RootKey, NOT_MODIFIED_KEY_NAME);
RegDeleteValue(g_RootKey, VALUE_NAME);
RegDeleteValue(g_RootKey, NOT_MODIFIED_VALUE_NAME);
if (Success) {
InfoPrint("Post-Notification Override Success Sample succeeded.");
} else {
ErrorPrint("Post-Notification Override Success Sample FAILED.");
}
}
VOID
PostNotificationOverrideErrorSample(
)
/*++
Routine Description:
This sample shows how a registry callback can change a failed registry
operation into a successful operation in the post-notification phase.
A key that does not exist is opened. The opens should fail, but it is
intercepted by the callback and the open is redirected to a key that
does exist.
See ..\sys\Post.c for the callback routine used in this sample.
Return Value:
None
--*/
{
LONG Res;
HRESULT hr;
BOOL Success = FALSE;
BOOL Result;
HKEY Key = NULL;
HKEY ModifiedKey = NULL;
DWORD BytesReturned;
REGISTER_CALLBACK_INPUT RegisterCallbackInput = {0};
REGISTER_CALLBACK_OUTPUT RegisterCallbackOutput = {0};
UNREGISTER_CALLBACK_INPUT UnRegisterCallbackInput = {0};
InfoPrint("");
InfoPrint("=== Post-Notification Override Error Sample ====");
//
// Create a key with name MODIFIED_KEY_NAME
//
Res = RegCreateKeyEx(g_RootKey,
MODIFIED_KEY_NAME,
0,
NULL,
0,
KEY_ALL_ACCESS,
NULL,
&ModifiedKey,
NULL);
if (Res != ERROR_SUCCESS) {
ErrorPrint("RegCreateKeyEx returned unexpected error %d", Res);
goto Exit;
}
//
// Now try to open a key by KEY_NAME which does not exist. Verify that
// this fails.
//
Res = RegOpenKeyEx(g_RootKey,
KEY_NAME,
0,
KEY_ALL_ACCESS,
&Key);
if (Res != ERROR_FILE_NOT_FOUND) {
ErrorPrint("RegOpenKeyEx returned unexpected error %d", Res);
goto Exit;
}
//
// Register a callback with the specified callback mode and altitude.
//
RtlZeroMemory(RegisterCallbackInput.Altitude,
MAX_ALTITUDE_BUFFER_LENGTH * sizeof(WCHAR));
hr = StringCbPrintf(RegisterCallbackInput.Altitude,
MAX_ALTITUDE_BUFFER_LENGTH * sizeof(WCHAR),
CALLBACK_ALTITUDE);
if (!SUCCEEDED(hr)) {
ErrorPrint("Copying altitude string failed. Error %d", hr);
goto Exit;
}
RegisterCallbackInput.CallbackMode = CALLBACK_MODE_POST_NOTIFICATION_OVERRIDE_ERROR;
Result = DeviceIoControl(g_Driver,
IOCTL_REGISTER_CALLBACK,
&RegisterCallbackInput,
sizeof(REGISTER_CALLBACK_INPUT),
&RegisterCallbackOutput,
sizeof(REGISTER_CALLBACK_OUTPUT),
&BytesReturned,
NULL);
if (Result != TRUE) {
ErrorPrint("RegisterCallback failed. Error %d", GetLastError());
goto Exit;
}
Success = TRUE;
//
// Open key again. The callback will intercept this and make it succeed.
//
Res = RegOpenKeyEx(g_RootKey,
KEY_NAME,
0,
KEY_ALL_ACCESS,
&Key);
if (Res != ERROR_SUCCESS) {
ErrorPrint("RegOpenKeyEx returned unexpected error %d", Res);
Success = FALSE;
}
//
// Unregister the callback
//
UnRegisterCallbackInput.Cookie = RegisterCallbackOutput.Cookie;
Result = DeviceIoControl(g_Driver,
IOCTL_UNREGISTER_CALLBACK,
&UnRegisterCallbackInput,
sizeof(UNREGISTER_CALLBACK_INPUT),
NULL,
0,
&BytesReturned,
NULL);
if (Result != TRUE) {
ErrorPrint("UnRegisterCallback failed. Error %d", GetLastError());
Success = FALSE;
}
Exit:
if (Key != NULL) {
RegCloseKey(Key);
}
if (ModifiedKey != NULL) {
RegCloseKey(ModifiedKey);
}
RegDeleteKey(g_RootKey, KEY_NAME);
RegDeleteKey(g_RootKey, MODIFIED_KEY_NAME);
if (Success) {
InfoPrint("Post-Notification Override Error Sample succeeded.");
} else {
ErrorPrint("Post-Notification Override Error Sample FAILED.");
}
}
Our Services
-
What our customers say about us?
Read our customer testimonials to find out why our clients keep returning for their projects.
View Testimonials
