/* * PROJECT: Veil * FILE: Veil.h * PURPOSE: Definition for the Windows Internal API from ntdll.dll, * samlib.dll and winsta.dll * * LICENSE: Relicensed under The MIT License from The CC BY 4.0 License * * DEVELOPER: MiroKaku (50670906+MiroKaku@users.noreply.github.com) */ /* * PROJECT: Mouri's Internal NT API Collections (MINT) * FILE: MINT.h * PURPOSE: Definition for the Windows Internal API from ntdll.dll, * samlib.dll and winsta.dll * * LICENSE: Relicensed under The MIT License from The CC BY 4.0 License * * DEVELOPER: Mouri_Naruto (Mouri_Naruto AT Outlook.com) */ /* * This file is part of the Process Hacker project - https://processhacker.sf.io/ * * You can redistribute this file and/or modify it under the terms of the * Attribution 4.0 International (CC BY 4.0) license. * * You must give appropriate credit, provide a link to the license, and * indicate if changes were made. You may do so in any reasonable manner, but * not in any way that suggests the licensor endorses you or your use. */ #pragma once // Warnings which disabled for compiling #if _MSC_VER >= 1200 #pragma warning(push) // nonstandard extension used : nameless struct/union #pragma warning(disable:4201) // 'struct_name' : structure was padded due to __declspec(align()) #pragma warning(disable:4324) // 'enumeration': a forward declaration of an unscoped enumeration must have an // underlying type (int assumed) #pragma warning(disable:4471) #endif VEIL_BEGIN() // Boot condition flags (NtInitializeRegistry) #define REG_INIT_BOOT_SM 0x0000 #define REG_INIT_BOOT_SETUP 0x0001 #define REG_INIT_BOOT_ACCEPTED_BASE 0x0002 #define REG_INIT_BOOT_ACCEPTED_MAX REG_INIT_BOOT_ACCEPTED_BASE + 999 #define REG_MAX_KEY_VALUE_NAME_LENGTH 32767 #define REG_MAX_KEY_NAME_LENGTH 512 #ifndef _KERNEL_MODE typedef enum _KEY_INFORMATION_CLASS { KeyBasicInformation, // KEY_BASIC_INFORMATION KeyNodeInformation, // KEY_NODE_INFORMATION KeyFullInformation, // KEY_FULL_INFORMATION KeyNameInformation, // KEY_NAME_INFORMATION KeyCachedInformation, // KEY_CACHED_INFORMATION KeyFlagsInformation, // KEY_FLAGS_INFORMATION KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION KeyTrustInformation, // KEY_TRUST_INFORMATION KeyLayerInformation, // KEY_LAYER_INFORMATION MaxKeyInfoClass } KEY_INFORMATION_CLASS; typedef struct _KEY_BASIC_INFORMATION { LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG NameLength; WCHAR Name[1]; } KEY_BASIC_INFORMATION, * PKEY_BASIC_INFORMATION; typedef struct _KEY_NODE_INFORMATION { LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG ClassOffset; ULONG ClassLength; ULONG NameLength; WCHAR Name[1]; // ... // WCHAR Class[1]; } KEY_NODE_INFORMATION, * PKEY_NODE_INFORMATION; typedef struct _KEY_FULL_INFORMATION { LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG ClassOffset; ULONG ClassLength; ULONG SubKeys; ULONG MaxNameLen; ULONG MaxClassLen; ULONG Values; ULONG MaxValueNameLen; ULONG MaxValueDataLen; WCHAR Class[1]; } KEY_FULL_INFORMATION, * PKEY_FULL_INFORMATION; typedef struct _KEY_NAME_INFORMATION { ULONG NameLength; WCHAR Name[1]; } KEY_NAME_INFORMATION, * PKEY_NAME_INFORMATION; typedef struct _KEY_CACHED_INFORMATION { LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG SubKeys; ULONG MaxNameLen; ULONG Values; ULONG MaxValueNameLen; ULONG MaxValueDataLen; ULONG NameLength; WCHAR Name[1]; } KEY_CACHED_INFORMATION, * PKEY_CACHED_INFORMATION; #endif //!_KERNEL_MODE // rev #define REG_FLAG_VOLATILE 0x0001 #define REG_FLAG_LINK 0x0002 // msdn #define REG_KEY_DONT_VIRTUALIZE 0x0002 #define REG_KEY_DONT_SILENT_FAIL 0x0004 #define REG_KEY_RECURSE_FLAG 0x0008 // private typedef struct _KEY_FLAGS_INFORMATION { ULONG Wow64Flags; ULONG KeyFlags; // REG_FLAG_* ULONG ControlFlags; // REG_KEY_* } KEY_FLAGS_INFORMATION, * PKEY_FLAGS_INFORMATION; #ifndef _KERNEL_MODE typedef struct _KEY_VIRTUALIZATION_INFORMATION { ULONG VirtualizationCandidate : 1; // Tells whether the key is part of the virtualization namespace scope (only HKLM\Software for now). ULONG VirtualizationEnabled : 1; // Tells whether virtualization is enabled on this key. Can be 1 only if above flag is 1. ULONG VirtualTarget : 1; // Tells if the key is a virtual key. Can be 1 only if above 2 are 0. Valid only on the virtual store key handles. ULONG VirtualStore : 1; // Tells if the key is a part of the virtual store path. Valid only on the virtual store key handles. ULONG VirtualSource : 1; // Tells if the key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1. ULONG Reserved : 27; } KEY_VIRTUALIZATION_INFORMATION, * PKEY_VIRTUALIZATION_INFORMATION; // private typedef struct _KEY_TRUST_INFORMATION { ULONG TrustedKey : 1; ULONG Reserved : 31; } KEY_TRUST_INFORMATION, * PKEY_TRUST_INFORMATION; // private typedef struct _KEY_LAYER_INFORMATION { ULONG IsTombstone : 1; ULONG IsSupersedeLocal : 1; ULONG IsSupersedeTree : 1; ULONG ClassIsInherited : 1; ULONG Reserved : 28; } KEY_LAYER_INFORMATION, * PKEY_LAYER_INFORMATION; typedef enum _KEY_SET_INFORMATION_CLASS { KeyWriteTimeInformation, // KEY_WRITE_TIME_INFORMATION KeyWow64FlagsInformation, // KEY_WOW64_FLAGS_INFORMATION KeyControlFlagsInformation, // KEY_CONTROL_FLAGS_INFORMATION KeySetVirtualizationInformation, // KEY_SET_VIRTUALIZATION_INFORMATION KeySetDebugInformation, KeySetHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION KeySetLayerInformation, // KEY_SET_LAYER_INFORMATION MaxKeySetInfoClass } KEY_SET_INFORMATION_CLASS; typedef struct _KEY_WRITE_TIME_INFORMATION { LARGE_INTEGER LastWriteTime; } KEY_WRITE_TIME_INFORMATION, * PKEY_WRITE_TIME_INFORMATION; typedef struct _KEY_WOW64_FLAGS_INFORMATION { ULONG UserFlags; } KEY_WOW64_FLAGS_INFORMATION, * PKEY_WOW64_FLAGS_INFORMATION; typedef struct _KEY_HANDLE_TAGS_INFORMATION { ULONG HandleTags; } KEY_HANDLE_TAGS_INFORMATION, * PKEY_HANDLE_TAGS_INFORMATION; typedef struct _KEY_SET_LAYER_INFORMATION { ULONG IsTombstone : 1; ULONG IsSupersedeLocal : 1; ULONG IsSupersedeTree : 1; ULONG ClassIsInherited : 1; ULONG Reserved : 28; } KEY_SET_LAYER_INFORMATION, * PKEY_SET_LAYER_INFORMATION; typedef struct _KEY_CONTROL_FLAGS_INFORMATION { ULONG ControlFlags; } KEY_CONTROL_FLAGS_INFORMATION, * PKEY_CONTROL_FLAGS_INFORMATION; typedef struct _KEY_SET_VIRTUALIZATION_INFORMATION { ULONG VirtualTarget : 1; ULONG VirtualStore : 1; ULONG VirtualSource : 1; // true if key has been virtualized at least once ULONG Reserved : 29; } KEY_SET_VIRTUALIZATION_INFORMATION, * PKEY_SET_VIRTUALIZATION_INFORMATION; typedef enum _KEY_VALUE_INFORMATION_CLASS { KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION KeyValueFullInformationAlign64, KeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION MaxKeyValueInfoClass } KEY_VALUE_INFORMATION_CLASS; typedef struct _KEY_VALUE_BASIC_INFORMATION { ULONG TitleIndex; ULONG Type; ULONG NameLength; WCHAR Name[1]; } KEY_VALUE_BASIC_INFORMATION, * PKEY_VALUE_BASIC_INFORMATION; typedef struct _KEY_VALUE_FULL_INFORMATION { ULONG TitleIndex; ULONG Type; ULONG DataOffset; ULONG DataLength; ULONG NameLength; WCHAR Name[1]; // ... // UCHAR Data[1]; } KEY_VALUE_FULL_INFORMATION, * PKEY_VALUE_FULL_INFORMATION; typedef struct _KEY_VALUE_PARTIAL_INFORMATION { ULONG TitleIndex; ULONG Type; ULONG DataLength; UCHAR Data[1]; } KEY_VALUE_PARTIAL_INFORMATION, * PKEY_VALUE_PARTIAL_INFORMATION; typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 { ULONG Type; ULONG DataLength; UCHAR Data[1]; } KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, * PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64; // private typedef struct _KEY_VALUE_LAYER_INFORMATION { ULONG IsTombstone : 1; ULONG Reserved : 31; } KEY_VALUE_LAYER_INFORMATION, * PKEY_VALUE_LAYER_INFORMATION; #endif //!_KERNEL_MODE // rev typedef enum _KEY_LOAD_ENTRY_TYPE { KeyLoadTrustClassKey = 1, KeyLoadEvent, KeyLoadToken } KEY_LOAD_ENTRY_TYPE; // rev typedef struct _KEY_LOAD_ENTRY { KEY_LOAD_ENTRY_TYPE EntryType; union { HANDLE Handle; ULONG_PTR Value; }; } KEY_LOAD_ENTRY, * PKEY_LOAD_ENTRY; #ifndef _KERNEL_MODE typedef struct _KEY_VALUE_ENTRY { PUNICODE_STRING ValueName; ULONG DataLength; ULONG DataOffset; ULONG Type; } KEY_VALUE_ENTRY, * PKEY_VALUE_ENTRY; #endif // !_KERNEL_MODE typedef enum _REG_ACTION { KeyAdded, KeyRemoved, KeyModified } REG_ACTION; typedef struct _REG_NOTIFY_INFORMATION { ULONG NextEntryOffset; REG_ACTION Action; ULONG KeyLength; WCHAR Key[1]; } REG_NOTIFY_INFORMATION, * PREG_NOTIFY_INFORMATION; typedef struct _KEY_PID_ARRAY { HANDLE ProcessId; UNICODE_STRING KeyName; } KEY_PID_ARRAY, * PKEY_PID_ARRAY; typedef struct _KEY_OPEN_SUBKEYS_INFORMATION { ULONG Count; KEY_PID_ARRAY KeyArray[1]; } KEY_OPEN_SUBKEYS_INFORMATION, * PKEY_OPEN_SUBKEYS_INFORMATION; // System calls __kernel_entry __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtCreateKey( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Reserved_ ULONG TitleIndex, _In_opt_ PUNICODE_STRING Class, _In_ ULONG CreateOptions, _Out_opt_ PULONG Disposition ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwCreateKey( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Reserved_ ULONG TitleIndex, _In_opt_ PUNICODE_STRING Class, _In_ ULONG CreateOptions, _Out_opt_ PULONG Disposition ); #if (NTDDI_VERSION >= NTDDI_VISTA) __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtCreateKeyTransacted( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Reserved_ ULONG TitleIndex, _In_opt_ PUNICODE_STRING Class, _In_ ULONG CreateOptions, _In_ HANDLE TransactionHandle, _Out_opt_ PULONG Disposition ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS ZwCreateKeyTransacted( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Reserved_ ULONG TitleIndex, _In_opt_ PUNICODE_STRING Class, _In_ ULONG CreateOptions, _In_ HANDLE TransactionHandle, _Out_opt_ PULONG Disposition ); #endif __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtOpenKey( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwOpenKey( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); #if (NTDDI_VERSION >= NTDDI_VISTA) __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtOpenKeyTransacted( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE TransactionHandle ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwOpenKeyTransacted( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE TransactionHandle ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtOpenKeyEx( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG OpenOptions ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwOpenKeyEx( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG OpenOptions ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtOpenKeyTransactedEx( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG OpenOptions, _In_ HANDLE TransactionHandle ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwOpenKeyTransactedEx( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG OpenOptions, _In_ HANDLE TransactionHandle ); #endif __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtDeleteKey( _In_ HANDLE KeyHandle ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwDeleteKey( _In_ HANDLE KeyHandle ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtRenameKey( _In_ HANDLE KeyHandle, _In_ PUNICODE_STRING NewName ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwRenameKey( _In_ HANDLE KeyHandle, _In_ PUNICODE_STRING NewName ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtDeleteValueKey( _In_ HANDLE KeyHandle, _In_ PUNICODE_STRING ValueName ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwDeleteValueKey( _In_ HANDLE KeyHandle, _In_ PUNICODE_STRING ValueName ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtQueryKey( _In_ HANDLE KeyHandle, _In_ KEY_INFORMATION_CLASS KeyInformationClass, _Out_writes_bytes_opt_(Length) PVOID KeyInformation, _In_ ULONG Length, _Out_ PULONG ResultLength ); _IRQL_requires_max_(PASSIVE_LEVEL) _When_(Length == 0, _Post_satisfies_(return < 0)) _When_(Length > 0, _Post_satisfies_(return <= 0)) _Success_(return == STATUS_SUCCESS) _On_failure_(_When_(return == STATUS_BUFFER_OVERFLOW || return == STATUS_BUFFER_TOO_SMALL, _Post_satisfies_(*ResultLength > Length))) NTSYSAPI NTSTATUS NTAPI ZwQueryKey( _In_ HANDLE KeyHandle, _In_ KEY_INFORMATION_CLASS KeyInformationClass, _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyInformation, _In_ ULONG Length, _Out_ PULONG ResultLength ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationKey( _In_ HANDLE KeyHandle, _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass, _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation, _In_ ULONG KeySetInformationLength ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwSetInformationKey( _In_ HANDLE KeyHandle, _In_ __drv_strictTypeMatch(__drv_typeConst) KEY_SET_INFORMATION_CLASS KeySetInformationClass, _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation, _In_ ULONG KeySetInformationLength ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtQueryValueKey( _In_ HANDLE KeyHandle, _In_ PUNICODE_STRING ValueName, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, _In_ ULONG Length, _Out_ PULONG ResultLength ); _IRQL_requires_max_(PASSIVE_LEVEL) _When_(Length == 0, _Post_satisfies_(return < 0)) _When_(Length > 0, _Post_satisfies_(return <= 0)) _Success_(return == STATUS_SUCCESS) _On_failure_(_When_(return == STATUS_BUFFER_OVERFLOW || return == STATUS_BUFFER_TOO_SMALL, _Post_satisfies_(*ResultLength > Length))) NTSYSAPI NTSTATUS NTAPI ZwQueryValueKey( _In_ HANDLE KeyHandle, _In_ PUNICODE_STRING ValueName, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation, _In_ ULONG Length, _Out_ PULONG ResultLength ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtSetValueKey( _In_ HANDLE KeyHandle, _In_ PUNICODE_STRING ValueName, _In_opt_ ULONG TitleIndex, _In_ ULONG Type, _In_reads_bytes_opt_(DataSize) PVOID Data, _In_ ULONG DataSize ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwSetValueKey( _In_ HANDLE KeyHandle, _In_ PUNICODE_STRING ValueName, _In_opt_ ULONG TitleIndex, _In_ ULONG Type, _In_reads_bytes_opt_(DataSize) PVOID Data, _In_ ULONG DataSize ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtQueryMultipleValueKey( _In_ HANDLE KeyHandle, _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries, _In_ ULONG EntryCount, _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer, _Inout_ PULONG BufferLength, _Out_opt_ PULONG RequiredBufferLength ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwQueryMultipleValueKey( _In_ HANDLE KeyHandle, _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries, _In_ ULONG EntryCount, _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer, _Inout_ PULONG BufferLength, _Out_opt_ PULONG RequiredBufferLength ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtEnumerateKey( _In_ HANDLE KeyHandle, _In_ ULONG Index, _In_ KEY_INFORMATION_CLASS KeyInformationClass, _Out_writes_bytes_opt_(Length) PVOID KeyInformation, _In_ ULONG Length, _Out_ PULONG ResultLength ); _IRQL_requires_max_(PASSIVE_LEVEL) _When_(Length == 0, _Post_satisfies_(return < 0)) _When_(Length > 0, _Post_satisfies_(return <= 0)) _Success_(return == STATUS_SUCCESS) _On_failure_(_When_(return == STATUS_BUFFER_OVERFLOW || return == STATUS_BUFFER_TOO_SMALL, _Post_satisfies_(*ResultLength > Length))) NTSYSAPI NTSTATUS NTAPI ZwEnumerateKey( _In_ HANDLE KeyHandle, _In_ ULONG Index, _In_ KEY_INFORMATION_CLASS KeyInformationClass, _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyInformation, _In_ ULONG Length, _Out_ PULONG ResultLength ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtEnumerateValueKey( _In_ HANDLE KeyHandle, _In_ ULONG Index, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, _In_ ULONG Length, _Out_ PULONG ResultLength ); _IRQL_requires_max_(PASSIVE_LEVEL) _When_(Length == 0, _Post_satisfies_(return < 0)) _When_(Length > 0, _Post_satisfies_(return <= 0)) _Success_(return == STATUS_SUCCESS) _On_failure_(_When_(return == STATUS_BUFFER_OVERFLOW || return == STATUS_BUFFER_TOO_SMALL, _Post_satisfies_(*ResultLength > Length))) NTSYSAPI NTSTATUS NTAPI ZwEnumerateValueKey( _In_ HANDLE KeyHandle, _In_ ULONG Index, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation, _In_ ULONG Length, _Out_ PULONG ResultLength ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtFlushKey( _In_ HANDLE KeyHandle ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwFlushKey( _In_ HANDLE KeyHandle ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtCompactKeys( _In_ ULONG Count, _In_reads_(Count) HANDLE KeyArray[] ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwCompactKeys( _In_ ULONG Count, _In_reads_(Count) HANDLE KeyArray[] ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtCompressKey( _In_ HANDLE Key ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwCompressKey( _In_ HANDLE Key ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtLoadKey( _In_ POBJECT_ATTRIBUTES TargetKey, _In_ POBJECT_ATTRIBUTES SourceFile ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwLoadKey( _In_ POBJECT_ATTRIBUTES TargetKey, _In_ POBJECT_ATTRIBUTES SourceFile ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtLoadKey2( _In_ POBJECT_ATTRIBUTES TargetKey, _In_ POBJECT_ATTRIBUTES SourceFile, _In_ ULONG Flags ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwLoadKey2( _In_ POBJECT_ATTRIBUTES TargetKey, _In_ POBJECT_ATTRIBUTES SourceFile, _In_ ULONG Flags ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtLoadKeyEx( _In_ POBJECT_ATTRIBUTES TargetKey, _In_ POBJECT_ATTRIBUTES SourceFile, _In_ ULONG Flags, _In_opt_ HANDLE TrustClassKey, // this and below were added on Win10 _In_opt_ HANDLE Event, _In_opt_ ACCESS_MASK DesiredAccess, _Out_opt_ PHANDLE RootHandle, _Reserved_ PVOID Reserved // previously PIO_STATUS_BLOCK ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwLoadKeyEx( _In_ POBJECT_ATTRIBUTES TargetKey, _In_ POBJECT_ATTRIBUTES SourceFile, _In_ ULONG Flags, _In_opt_ HANDLE TrustClassKey, // this and below were added on Win10 _In_opt_ HANDLE Event, _In_opt_ ACCESS_MASK DesiredAccess, _Out_opt_ PHANDLE RootHandle, _Reserved_ PVOID Reserved // previously PIO_STATUS_BLOCK ); // rev by tyranid #if (NTDDI_VERSION >= NTDDI_WIN10_VB) __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtLoadKey3( _In_ POBJECT_ATTRIBUTES TargetKey, _In_ POBJECT_ATTRIBUTES SourceFile, _In_ ULONG Flags, _In_reads_(LoadEntryCount) PKEY_LOAD_ENTRY LoadEntries, _In_ ULONG LoadEntryCount, _In_opt_ ACCESS_MASK DesiredAccess, _Out_opt_ PHANDLE RootHandle, _Reserved_ PVOID Reserved ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwLoadKey3( _In_ POBJECT_ATTRIBUTES TargetKey, _In_ POBJECT_ATTRIBUTES SourceFile, _In_ ULONG Flags, _In_reads_(LoadEntryCount) PKEY_LOAD_ENTRY LoadEntries, _In_ ULONG LoadEntryCount, _In_opt_ ACCESS_MASK DesiredAccess, _Out_opt_ PHANDLE RootHandle, _Reserved_ PVOID Reserved ); #endif // NTDDI_VERSION >= NTDDI_WIN10_VB __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtReplaceKey( _In_ POBJECT_ATTRIBUTES NewFile, _In_ HANDLE TargetHandle, _In_ POBJECT_ATTRIBUTES OldFile ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwReplaceKey( _In_ POBJECT_ATTRIBUTES NewFile, _In_ HANDLE TargetHandle, _In_ POBJECT_ATTRIBUTES OldFile ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtSaveKey( _In_ HANDLE KeyHandle, _In_ HANDLE FileHandle ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwSaveKey( _In_ HANDLE KeyHandle, _In_ HANDLE FileHandle ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtSaveKeyEx( _In_ HANDLE KeyHandle, _In_ HANDLE FileHandle, _In_ ULONG Format ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwSaveKeyEx( _In_ HANDLE KeyHandle, _In_ HANDLE FileHandle, _In_ ULONG Format ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtSaveMergedKeys( _In_ HANDLE HighPrecedenceKeyHandle, _In_ HANDLE LowPrecedenceKeyHandle, _In_ HANDLE FileHandle ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwSaveMergedKeys( _In_ HANDLE HighPrecedenceKeyHandle, _In_ HANDLE LowPrecedenceKeyHandle, _In_ HANDLE FileHandle ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtRestoreKey( _In_ HANDLE KeyHandle, _In_ HANDLE FileHandle, _In_ ULONG Flags ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwRestoreKey( _In_ HANDLE KeyHandle, _In_opt_ HANDLE FileHandle, _In_ ULONG Flags ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtUnloadKey( _In_ POBJECT_ATTRIBUTES TargetKey ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwUnloadKey( _In_ POBJECT_ATTRIBUTES TargetKey ); // // NtUnloadKey2 Flags (from winnt.h) // //#define REG_FORCE_UNLOAD 1 //#define REG_UNLOAD_LEGAL_FLAGS (REG_FORCE_UNLOAD) __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtUnloadKey2( _In_ POBJECT_ATTRIBUTES TargetKey, _In_ ULONG Flags ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwUnloadKey2( _In_ POBJECT_ATTRIBUTES TargetKey, _In_ ULONG Flags ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtUnloadKeyEx( _In_ POBJECT_ATTRIBUTES TargetKey, _In_opt_ HANDLE Event ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwUnloadKeyEx( _In_ POBJECT_ATTRIBUTES TargetKey, _In_opt_ HANDLE Event ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtNotifyChangeKey( _In_ HANDLE KeyHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG CompletionFilter, _In_ BOOLEAN WatchTree, _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, _In_ ULONG BufferSize, _In_ BOOLEAN Asynchronous ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwNotifyChangeKey( _In_ HANDLE KeyHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG CompletionFilter, _In_ BOOLEAN WatchTree, _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, _In_ ULONG BufferSize, _In_ BOOLEAN Asynchronous ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtNotifyChangeMultipleKeys( _In_ HANDLE MasterKeyHandle, _In_opt_ ULONG Count, _In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[], _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG CompletionFilter, _In_ BOOLEAN WatchTree, _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, _In_ ULONG BufferSize, _In_ BOOLEAN Asynchronous ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwNotifyChangeMultipleKeys( _In_ HANDLE MasterKeyHandle, _In_opt_ ULONG Count, _In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[], _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG CompletionFilter, _In_ BOOLEAN WatchTree, _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, _In_ ULONG BufferSize, _In_ BOOLEAN Asynchronous ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtQueryOpenSubKeys( _In_ POBJECT_ATTRIBUTES TargetKey, _Out_ PULONG HandleCount ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwQueryOpenSubKeys( _In_ POBJECT_ATTRIBUTES TargetKey, _Out_ PULONG HandleCount ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtQueryOpenSubKeysEx( _In_ POBJECT_ATTRIBUTES TargetKey, _In_ ULONG BufferLength, _Out_writes_bytes_opt_(BufferLength) PVOID Buffer, _Out_ PULONG RequiredSize ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwQueryOpenSubKeysEx( _In_ POBJECT_ATTRIBUTES TargetKey, _In_ ULONG BufferLength, _Out_writes_bytes_opt_(BufferLength) PVOID Buffer, _Out_ PULONG RequiredSize ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtInitializeRegistry( _In_ USHORT BootCondition ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwInitializeRegistry( _In_ USHORT BootCondition ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtLockRegistryKey( _In_ HANDLE KeyHandle ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwLockRegistryKey( _In_ HANDLE KeyHandle ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtLockProductActivationKeys( _Inout_opt_ ULONG* pPrivateVer, _Out_opt_ ULONG* pSafeMode ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwLockProductActivationKeys( _Inout_opt_ ULONG* pPrivateVer, _Out_opt_ ULONG* pSafeMode ); #if (NTDDI_VERSION >= NTDDI_VISTA) // private __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtFreezeRegistry( _In_ ULONG TimeOutInSeconds ); // private _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwFreezeRegistry( _In_ ULONG TimeOutInSeconds ); // private __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtThawRegistry( VOID ); // private _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwThawRegistry( VOID ); #endif #if (NTDDI_VERSION >= NTDDI_WIN10_TH2) __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtCreateRegistryTransaction( _Out_ HANDLE* RegistryTransactionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjAttributes, _Reserved_ ULONG CreateOptions ); _Must_inspect_result_ _IRQL_requires_max_(PASSIVE_LEVEL) __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI ZwCreateRegistryTransaction( _Out_ PHANDLE TransactionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ ULONG CreateOptions ); _Must_inspect_result_ _IRQL_requires_max_(PASSIVE_LEVEL) __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtOpenRegistryTransaction( _Out_ PHANDLE TransactionHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwOpenRegistryTransaction( _Out_ HANDLE* RegistryTransactionHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjAttributes ); __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtCommitRegistryTransaction( _In_ HANDLE RegistryTransactionHandle, _Reserved_ ULONG Flags ); _IRQL_requires_max_(PASSIVE_LEVEL) __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI ZwCommitRegistryTransaction( _In_ HANDLE TransactionHandle, _In_ ULONG Flags ); _IRQL_requires_max_(PASSIVE_LEVEL) __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtRollbackRegistryTransaction( _In_ HANDLE TransactionHandle, _In_ ULONG Flags ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwRollbackRegistryTransaction( _In_ HANDLE RegistryTransactionHandle, _Reserved_ ULONG Flags ); #endif // NTDDI_VERSION >= NTDDI_WIN10_TH2 VEIL_END() #if _MSC_VER >= 1200 #pragma warning(pop) #endif