Is there a way to check if a Windows registry key is volatile (REG_OPTION_VOLATILE)?

In the Windows registry, keys can be created as volatile, which means that the key cannot survive a PC reboot. After a reboot, there are no traces of such a key in the registry. This is indicated by the REG_OPTION_VOLATILE option of the RegCreateKeyEx API.

I need to check whether a given Windows registry key is volatile or not (created using REG_OPTION_VOLATILE).

For example, the key may be located at HKLM\Software\MyCompany\MyProgram\KeyToBeChecked.

There seems to be no direct Windows API that allows such a check.

Does anyone know how to check this?

+3

- , RegCreateKeyEx. , ERROR_CHILD_MUST_BE_VOLATILE. ShSetValue ERROR_CHILD_MUST_BE_VOLATILE .

+3

win7 - ZwQueryKey KeyFlagsInformation. , - . :

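#include <windows.h>
// ZwQueryKey, KeyFlagsInformation and DbgPrint are native API (ntdll) names;
// <windows.h> does not declare them, so they must come from native API headers.

struct KEY_CONTROL_FLAGS_INFO_W7  // KeyFlagsInformation for Win7
{
    ULONG ControlFlags[3];
};

#define KEY_CTRL_FL_W7_01__IS_VOLATILE                                 0x01
#define KEY_CTRL_FL_W7_01__SYM_LINK                                    0x02

void PrintKeyFlags()
{
    HKEY hKey;
    // REG_OPTION_OPEN_LINK opens a symbolic-link key itself instead of its target.
    // The W variant is called explicitly because the subkey is a wide string.
    LSTATUS r = RegOpenKeyExW(HKEY_CURRENT_USER,
        L"Volatile Environment", REG_OPTION_OPEN_LINK, KEY_READ, &hKey);
    if (r == NOERROR)
    {
        ULONG cb;
        KEY_CONTROL_FLAGS_INFO_W7 kcf;

        // A non-negative NTSTATUS means the query succeeded
        if (0 <= ZwQueryKey(hKey, KeyFlagsInformation, &kcf, sizeof(kcf), &cb))
        {
            // The second ULONG carries the volatile and link bits
            if (kcf.ControlFlags[1] & KEY_CTRL_FL_W7_01__IS_VOLATILE)
            {
                DbgPrint("key is volatile\n");
            }

            if (kcf.ControlFlags[1] & KEY_CTRL_FL_W7_01__SYM_LINK)
            {
                DbgPrint("key is link\n");
            }
        }
        RegCloseKey(hKey);
    }
}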
+2
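
The same read-only check for an arbitrary root and subkey, as an added Python example that is not part of the original answer. It assumes the three-ULONG layout and flag bits shown in the answer for Windows 7; `decode_key_flags` and `query_key_flags` are hypothetical helper names, and the query part runs only on Windows.

```python
import ctypes
import struct
import sys

KEY_FLAGS_INFORMATION = 5      # KeyFlagsInformation in KEY_INFORMATION_CLASS
IS_VOLATILE = 0x01             # the answer's KEY_CTRL_FL_W7_01__IS_VOLATILE
SYM_LINK = 0x02                # the answer's KEY_CTRL_FL_W7_01__SYM_LINK
REG_OPTION_OPEN_LINK = 0x08    # open a link key itself, not its target


def decode_key_flags(buf):
    """Decode the three-ULONG buffer the answer reads into ControlFlags[3]."""
    if len(buf) < 12:
        raise ValueError("KeyFlagsInformation buffer must hold three ULONGs")
    flags = struct.unpack_from("<3L", buf)
    # Assumption taken from the answer: the bits of interest are in ControlFlags[1]
    return {
        "volatile": bool(flags[1] & IS_VOLATILE),
        "symlink": bool(flags[1] & SYM_LINK),
        "raw": flags,
    }


def query_key_flags(root, subkey):
    """Windows only: open the key read-only and query its flags through ntdll."""
    import winreg
    ntdll = ctypes.WinDLL("ntdll")
    buf = ctypes.create_string_buffer(12)
    returned = ctypes.c_ulong(0)
    # winreg passes its 'reserved' argument to RegOpenKeyEx as ulOptions
    with winreg.OpenKey(root, subkey, REG_OPTION_OPEN_LINK, winreg.KEY_READ) as key:
        status = ntdll.NtQueryKey(ctypes.c_void_p(key.handle), KEY_FLAGS_INFORMATION,
                                  buf, ctypes.sizeof(buf), ctypes.byref(returned))
    if status < 0:  # negative NTSTATUS means failure, as in the answer's check
        raise OSError("NtQueryKey failed, NTSTATUS 0x%08X" % (status & 0xFFFFFFFF))
    return decode_key_flags(buf.raw)


if __name__ == "__main__" and sys.platform == "win32":
    import winreg
    # Same key as the answer; substitute the root and path you need to check
    print(query_key_flags(winreg.HKEY_CURRENT_USER, "Volatile Environment"))
```

Because the key is opened with KEY_READ only, the check does not modify the registry.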

Source: https://habr.com/ru/post/1780077/

