EldoS | Feel safer!

Proper way to create a "virtual" registry key and "virtual" values

Posted: 09/16/2014 12:58:22
by not sure (Standard support level)
Joined: 05/27/2014
Posts: 24


I am attempting to use the CallbackRegistry library in order to create virtual registry keys (and subkeys) along with virtual values which will be backed not by the real registry, but an in-memory data structure.

I am wondering what the recommended way of doing this is. Right now I am handling the enumeration callback and the query callback for values, and it is functional, aside from cases where I set values which are larger than the original buffer size and they request a cached information structure.

Is there an easier way?

Posted: 09/17/2014 02:35:48
by Volodymyr Zinin (EldoS Corp.)

It's necessary to handle the enumeration and the query callbacks as you do, but additionally it's required to handle the PreCreate and PreOpen callbacks in the following way:
1. Create some hidden place in the registry and place some "backend" keys there.
2. In the PreCreate and PreOpen callbacks for keys being virtualized, create or open a key from that hidden place and return the handle via the KeyHandle parameter of these callbacks. In the case where the "backend" key is absolutely the same as the virtualized one, it isn't required to do additional handling in other callbacks.

The "backend" key is required at least to return a handle to the system. It can be one "universal" empty key, and its handles you will return for all virtualized keys. But such a way requires handling all other callbacks to virtualize data for the keys being virtualized. So the easier way is to create a set of "backend" keys which maximally correspond to the virtualized ones in order to minimize handling in the CallbackRegistry callbacks. The maximally simple processing in such a way is implemented in the GenSample sample application (see the "redirection" section there).

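The backend-key bookkeeping behind the two steps above, as an added example that is not part of this thread and not CallbackRegistry's own code. C# is used because the poster's client is .NET and the thread mentions P/Invoke of RegCreateKeyEx. The CallbackRegistry callback signatures are not shown on this page, so only the part a PreCreate/PreOpen handler would call is implemented: the hidden location `HKLM\SOFTWARE\ExampleVendor\VirtualRegistryBackend`, the class and method names, and the sample virtual path are assumptions. Every virtualized key gets a backend key of the same shape below the hidden root (the "maximally corresponding" variant), created volatile so the mirrors disappear at reboot, and a fresh HKEY is opened per call because whoever receives the handle will close it. Creating under HKLM requires an elevated process.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example (not CallbackRegistry's own code): bookkeeping for the hidden
// "backend" keys whose handles a PreCreate/PreOpen handler returns through
// KeyHandle. HiddenRoot is an assumed location; the Win32 calls are the
// documented advapi32 registry APIs.
public static class BackendKeys
{
    // Assumed hidden location; every virtualized key gets a mirror key below it.
    const string HiddenRoot = @"SOFTWARE\ExampleVendor\VirtualRegistryBackend";

    static readonly IntPtr HKEY_LOCAL_MACHINE = new IntPtr(unchecked((int)0x80000002));
    const uint REG_OPTION_VOLATILE = 0x1;   // backend keys are discarded at reboot
    const uint KEY_ALL_ACCESS = 0xF003F;
    const uint REG_CREATED_NEW_KEY = 1;
    const int ERROR_SUCCESS = 0;

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    static extern int RegCreateKeyExW(IntPtr hKey, string lpSubKey, int reserved, string lpClass,
        uint dwOptions, uint samDesired, IntPtr lpSecurityAttributes,
        out IntPtr phkResult, out uint lpdwDisposition);

    [DllImport("advapi32.dll", ExactSpelling = true)]
    public static extern int RegCloseKey(IntPtr hKey);

    // Strip the HKLM prefix in either Win32 or native form and return the
    // path relative to HKLM, e.g. "SOFTWARE\Contoso\App".
    public static string RelativeToMachine(string path)
    {
        string[] prefixes = { @"\REGISTRY\MACHINE\", @"HKEY_LOCAL_MACHINE\", @"HKLM\" };
        foreach (var p in prefixes)
            if (path.StartsWith(p, StringComparison.OrdinalIgnoreCase))
                return path.Substring(p.Length).TrimEnd('\\');
        throw new ArgumentException("only HKLM paths are handled in this example: " + path);
    }

    // The filter must leave its own backend location alone: opening a backend
    // key from inside PreOpen would otherwise re-enter the filter for the
    // backend path itself.
    public static bool IsBackendPath(string path) =>
        RelativeToMachine(path).StartsWith(HiddenRoot, StringComparison.OrdinalIgnoreCase);

    public static string BackendPathFor(string virtualPath) =>
        HiddenRoot + @"\" + RelativeToMachine(virtualPath);

    // Open (creating on first use) the backend mirror of a virtualized key.
    // A fresh HKEY is produced on every call because whoever receives the
    // handle will eventually close it; `created` tells the caller whether the
    // mirror existed already, so in-memory state can be initialised once.
    public static IntPtr OpenBackendKey(string virtualPath, out bool created)
    {
        if (IsBackendPath(virtualPath))
            throw new InvalidOperationException("refusing to virtualize the backend location itself");
        int rc = RegCreateKeyExW(HKEY_LOCAL_MACHINE, BackendPathFor(virtualPath), 0, null,
            REG_OPTION_VOLATILE, KEY_ALL_ACCESS, IntPtr.Zero, out IntPtr hKey, out uint disposition);
        if (rc != ERROR_SUCCESS)
            throw new Win32Exception(rc);
        created = disposition == REG_CREATED_NEW_KEY;
        return hKey;
    }

    public static void Main()
    {
        const string virt = @"HKLM\SOFTWARE\Contoso\VirtualApp";   // constructed sample path
        IntPtr h1 = OpenBackendKey(virt, out bool c1);
        IntPtr h2 = OpenBackendKey(virt, out bool c2);
        Console.WriteLine($"backend = HKLM\\{BackendPathFor(virt)}, first open created it: {c1}, second: {c2}");
        RegCloseKey(h2);
        RegCloseKey(h1);
    }
}
```

Run elevated, the second open reports `created: false`, which is the point at which a handler would reuse its existing in-memory state instead of seeding it again. The `IsBackendPath` guard is the check to keep in front of any PreCreate/PreOpen logic: it is the one path the filter must never redirect.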
Posted: 09/17/2014 11:17:42
by not sure (Standard support level)
Joined: 05/27/2014
Posts: 24

Thank you for the detailed information, I will attempt using the "universal" approach along with appropriate context to handle the callbacks.
Posted: 09/18/2014 15:05:58
by not sure (Standard support level)
Joined: 05/27/2014
Posts: 24

I'm trying to set the safe handle in the OnPostOpenKey callback and am getting a Windows BSOD. I notice in the RedirectionSample code that it only sets the handle in the OnPreOpenKey handler.

I want to only set the handle to be the "universal" handle if the key does not exist in the registry, so I am checking the result for 2 and attempting to fix up the handle at that point.

Thanks for your help so far!
Posted: 09/18/2014 21:56:47
by not sure (Standard support level)
Joined: 05/27/2014
Posts: 24

Just an update. I am able to work around the BSOD by doing as GenSample does and setting the key handle to be one obtained from my "universal" key (P/Invoke RegCreateKeyEx). After handling OnPreQueryKey and OnPreEnumerate key I am able to get a "virtual" key to show up along with values which do not exist in the actual registry.

My problem is now virtual subkeys/values of the existing virtual key. The callback for OnPreQueryKey gets called for the virtual key as a result of F5 in regedit with a class of KeyCachedInformation, which I fill in based on my data structure in memory to indicate the number of subkeys, values, etc. After that I do not see any additional callbacks referencing the key (either query or key-level enumeration). I'm wondering if the KeyCachedInformation is being handled properly, as it seems no matter what I put in there it doesn't change the outcome.

Posted: 09/18/2014 21:58:49
by not sure (Standard support level)
Joined: 05/27/2014
Posts: 24

Also from powershell when I attempt to get-childitem for the virtual key I get the following error if it is helpful: Get-ChildItem : A device attached to the system is not functioning.
Posted: 09/19/2014 12:16:43
by Volodymyr Zinin (EldoS Corp.)

I will check all of these and write result here.
Posted: 09/19/2014 12:27:36
by not sure (Standard support level)
Joined: 05/27/2014
Posts: 24

Thank you! I have been working with this more, and it seems that handling KeyCachedInformation in OnPreQueryKey definitely causes issues. If I handle this for a non-virtual key such as hklm:\Software without setting stopFiltering to true, I see that regedit thinks there are no subkeys for it no matter what I put in the EcbRegKeyCachedInformation structure. I cannot set stopFiltering because I need to handle enumeration as well in order to create a merged view (add additional virtual subkeys). Depending on how the client does the enumeration (loop through until ERROR_NO_MORE_ITEMS, or only loop through based on the result of the query), the virtual key may or may not be visible to the client. Regedit appears to take the first approach, and so the virtual key appears, but PowerShell Get-ChildItem takes the second, and so it doesn't show there.

Thanks again for all of your help. This product saves a lot of headache of doing all of this in kernel mode.
Posted: 09/22/2014 15:24:06
by not sure (Standard support level)
Joined: 05/27/2014
Posts: 24

More information. Any attempt to modify KeyCachedInformation in either the OnPre/PostQueryKey event results in the same corruption of data. I'm pretty much at a stand still at this point, but very close to achieving my requirements if this were functioning. Perhaps I will write a small client application in order to see what is returned to the client.
Posted: 09/22/2014 16:54:05
by not sure (Standard support level)
Joined: 05/27/2014
Posts: 24

Here is the result from my very small .NET client application that just attempts to get the subkeys of hklm:\Software. It reports the same exception as PowerShell (not surprising). I suspect the callback on the driver side is returning an error whenever I fill in the KeyCachedInformation data.

Unhandled Exception: System.IO.IOException: A device attached to the system is not functioning.

at Microsoft.Win32.RegistryKey.Win32Error(Int32 errorCode, String str)
at Microsoft.Win32.RegistryKey.InternalSubKeyCount()
at Microsoft.Win32.RegistryKey.InternalGetSubKeyNames()
at Microsoft.Win32.RegistryKey.GetSubKeyNames()
at QuickQuery.Program.Main(String[] args) in c:\Source\QuickQuery\QuickQuery\Program.cs:line 16
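A client-side probe for the two enumeration strategies described earlier in this thread (walk indices until ERROR_NO_MORE_ITEMS, or ask RegQueryInfoKey for the count first) and for the error the .NET client above hits, as an added example that is neither the poster's QuickQuery program nor anything from CallbackRegistry. It goes a little beyond the thread by running both strategies on the same open handle and reporting where they disagree. It P/Invokes the documented advapi32 APIs directly instead of going through RegistryKey, so the raw status code reaches the caller: the stack trace above shows RegistryKey.GetSubKeyNames calling InternalSubKeyCount first, which is the count-first strategy, and error 31 is ERROR_GEN_FAILURE, whose message text is "A device attached to the system is not functioning." The class and method names and the default key are assumptions; run it on a machine with the filter loaded to see what each strategy observes.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

// Added example (not from the thread): enumerate one key the two ways the
// thread describes, so the effect of a KeyCachedInformation answer can be
// seen from the client side without regedit or PowerShell.
public static class EnumProbe
{
    static readonly IntPtr HKEY_LOCAL_MACHINE = new IntPtr(unchecked((int)0x80000002));
    const uint KEY_READ = 0x20019;
    const int ERROR_SUCCESS = 0, ERROR_GEN_FAILURE = 31, ERROR_NO_MORE_ITEMS = 259;

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    static extern int RegOpenKeyExW(IntPtr hKey, string lpSubKey, uint ulOptions, uint samDesired, out IntPtr phkResult);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    static extern int RegQueryInfoKeyW(IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
        out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen, out uint lpcValues,
        out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen, out uint lpcbSecurityDescriptor, IntPtr lpftLastWriteTime);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    static extern int RegEnumKeyExW(IntPtr hKey, uint dwIndex, StringBuilder lpName, ref uint lpcchName,
        IntPtr lpReserved, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpftLastWriteTime);

    [DllImport("advapi32.dll", ExactSpelling = true)]
    static extern int RegCloseKey(IntPtr hKey);

    public sealed class Result
    {
        public int QueryStatus;                            // RegQueryInfoKey return code
        public uint DeclaredSubKeys;                       // count the driver reported (0 if the query failed)
        public List<string> Walked = new List<string>();   // names seen by the index walk
        public int WalkStatus;                             // code that ended the walk (259 when clean)
    }

    static string NameAt(IntPtr hKey, uint index, out int status)
    {
        var name = new StringBuilder(256);   // registry key names are at most 255 characters
        uint cch = (uint)name.Capacity;
        status = RegEnumKeyExW(hKey, index, name, ref cch, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
        return status == ERROR_SUCCESS ? name.ToString() : null;
    }

    // subKey is relative to HKLM, e.g. "SOFTWARE".
    public static Result Probe(string subKey)
    {
        var r = new Result();
        int rc = RegOpenKeyExW(HKEY_LOCAL_MACHINE, subKey, 0, KEY_READ, out IntPtr hKey);
        if (rc != ERROR_SUCCESS) throw new Win32Exception(rc);
        try
        {
            // Strategy 1 (what RegistryKey.GetSubKeyNames does first, per the
            // stack trace in the thread): ask for the subkey count.
            r.QueryStatus = RegQueryInfoKeyW(hKey, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
                out r.DeclaredSubKeys, out _, out _, out _, out _, out _, out _, IntPtr.Zero);
            // Strategy 2: walk indices until ERROR_NO_MORE_ITEMS, ignoring the count.
            for (uint i = 0; ; i++)
            {
                string name = NameAt(hKey, i, out r.WalkStatus);
                if (name == null) break;
                r.Walked.Add(name);
            }
        }
        finally { RegCloseKey(hKey); }
        return r;
    }

    public static void Main(string[] args)
    {
        string key = args.Length > 0 ? args[0] : @"SOFTWARE";   // assumed default, relative to HKLM
        Result r = Probe(key);
        Console.WriteLine($"RegQueryInfoKey -> {r.QueryStatus} ({new Win32Exception(r.QueryStatus).Message}); declared subkeys: {r.DeclaredSubKeys}");
        Console.WriteLine($"RegEnumKeyEx walk ended with {r.WalkStatus}; found {r.Walked.Count} subkeys");
        if (r.QueryStatus == ERROR_GEN_FAILURE)
            Console.WriteLine("31 is ERROR_GEN_FAILURE, the code behind the PowerShell and .NET message above");
        if (r.WalkStatus != ERROR_NO_MORE_ITEMS)
            Console.WriteLine("walk did not end cleanly; a count-trusting client would stop earlier or fail");
        if (r.QueryStatus == ERROR_SUCCESS && r.DeclaredSubKeys != r.Walked.Count)
            Console.WriteLine("mismatch: clients that trust the count will miss or over-read subkeys");
    }
}
```

Two readings matter: a non-zero `QueryStatus` is what a count-first client (PowerShell, .NET) turns into an exception before it enumerates anything, and a `DeclaredSubKeys` that differs from `Walked.Count` is the merged-view inconsistency that makes a virtual key visible in one tool and absent in another.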