archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
4.9 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/windows/appcompat/shims/verifier/registrychecks.cpp

1492 lines
34 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) Microsoft Corporation. All rights reserved.
  5. Module Name:
  7. RegistryChecks.cpp
  9. Abstract:
  10. Warn the app when it's trying to read from or write to inappropriate
  11. places in the registry.
  13. Notes:
  15. This is a general purpose shim.
  17. History:
  19. 03/09/2001 maonis Created
  20. 09/04/2001 maonis Since none of the paths we compare with exceed MAX_PATH - 1
  21. characters, we only examine at most that many characters of
  22. the key paths to make sure there's no buffer overflow in
  23. the paths of open keys.
  24. 02/20/2002 rparsons Implemented strsafe functions.
  25. 02/25/2002 rparsons Modified critical section code to be thread safe.
  26. --*/
  28. #include "precomp.h"
  30. IMPLEMENT_SHIM_BEGIN(RegistryChecks)
  31. #include "ShimHookMacro.h"
  32. #include "RegistryChecks.h"
  34. //
  35. // verifier log entries
  36. //
  37. BEGIN_DEFINE_VERIFIER_LOG(RegistryChecks)
  38. VERIFIER_LOG_ENTRY(VLOG_HKCU_Console_READ)
  39. VERIFIER_LOG_ENTRY(VLOG_HKCU_ControlPanel_READ)
  40. VERIFIER_LOG_ENTRY(VLOG_HKCU_Environment_READ)
  41. VERIFIER_LOG_ENTRY(VLOG_HKCU_Identities_READ)
  42. VERIFIER_LOG_ENTRY(VLOG_HKCU_KeyboardLayout_READ)
  43. VERIFIER_LOG_ENTRY(VLOG_HKCU_Printers_READ)
  44. VERIFIER_LOG_ENTRY(VLOG_HKCU_RemoteAccess_READ)
  45. VERIFIER_LOG_ENTRY(VLOG_HKCU_SessionInformation_READ)
  46. VERIFIER_LOG_ENTRY(VLOG_HKCU_UNICODEProgramGroups_READ)
  47. VERIFIER_LOG_ENTRY(VLOG_HKCU_VolatileEnvironment_READ)
  48. VERIFIER_LOG_ENTRY(VLOG_HKCU_Windows31MigrationStatus_READ)
  49. VERIFIER_LOG_ENTRY(VLOG_HKLM_HARDWARE_READ)
  50. VERIFIER_LOG_ENTRY(VLOG_HKLM_SAM_READ)
  51. VERIFIER_LOG_ENTRY(VLOG_HKLM_SECURITY_READ)
  52. VERIFIER_LOG_ENTRY(VLOG_HKLM_SYSTEM_READ)
  53. VERIFIER_LOG_ENTRY(VLOG_HKCC_READ)
  54. VERIFIER_LOG_ENTRY(VLOG_HKUS_READ)
  55. VERIFIER_LOG_ENTRY(VLOG_NON_HKCU_WRITE)
  56. END_DEFINE_VERIFIER_LOG(RegistryChecks)
  58. INIT_VERIFIER_LOG(RegistryChecks);
  61. const RCWARNING g_warnNoDirectRead[] =
  62. {
  63. {HKCU_Console_STR, VLOG_HKCU_Console_READ, NUM_OF_CHAR(HKCU_Console_STR)},
  64. {HKCU_ControlPanel_STR, VLOG_HKCU_ControlPanel_READ, NUM_OF_CHAR(HKCU_ControlPanel_STR)},
  65. {HKCU_Environment_STR, VLOG_HKCU_Environment_READ, NUM_OF_CHAR(HKCU_Environment_STR)},
  66. {HKCU_Identities_STR, VLOG_HKCU_Identities_READ, NUM_OF_CHAR(HKCU_Identities_STR)},
  67. {HKCU_KeyboardLayout_STR, VLOG_HKCU_KeyboardLayout_READ, NUM_OF_CHAR(HKCU_KeyboardLayout_STR)},
  68. {HKCU_Printers_STR, VLOG_HKCU_Printers_READ, NUM_OF_CHAR(HKCU_Printers_STR)},
  69. {HKCU_RemoteAccess_STR, VLOG_HKCU_RemoteAccess_READ, NUM_OF_CHAR(HKCU_RemoteAccess_STR)},
  70. {HKCU_SessionInformation_STR, VLOG_HKCU_SessionInformation_READ, NUM_OF_CHAR(HKCU_SessionInformation_STR)},
  71. {HKCU_UNICODEProgramGroups_STR, VLOG_HKCU_UNICODEProgramGroups_READ, NUM_OF_CHAR(HKCU_UNICODEProgramGroups_STR)},
  72. {HKCU_VolatileEnvironment_STR, VLOG_HKCU_VolatileEnvironment_READ, NUM_OF_CHAR(HKCU_VolatileEnvironment_STR)},
  73. {HKCU_Windows31MigrationStatus_STR, VLOG_HKCU_Windows31MigrationStatus_READ,NUM_OF_CHAR(HKCU_Windows31MigrationStatus_STR)},
  74. {HKLM_HARDWARE_STR, VLOG_HKLM_HARDWARE_READ, NUM_OF_CHAR(HKLM_HARDWARE_STR)},
  75. {HKLM_SAM_STR, VLOG_HKLM_SAM_READ, NUM_OF_CHAR(HKLM_SAM_STR)},
  76. {HKLM_SECURITY_STR, VLOG_HKLM_SECURITY_READ, NUM_OF_CHAR(HKLM_SECURITY_STR)},
  77. {HKLM_SYSTEM_STR, VLOG_HKLM_SYSTEM_READ, NUM_OF_CHAR(HKLM_SYSTEM_STR)},
  78. {HKCC_STR, VLOG_HKCC_READ, NUM_OF_CHAR(HKCC_STR)},
  79. {HKUS_STR, VLOG_HKUS_READ, NUM_OF_CHAR(HKUS_STR)},
  80. };
  82. const UINT g_cWarnNDirectRead = sizeof(g_warnNoDirectRead) / sizeof(RCWARNING);
  84. //
  85. // Critical section that keeps us safe while using linked-lists, etc.
  86. //
  87. CCriticalSection g_csCritSec;
  89. VOID
  90. MakePathW(
  91. IN RCOPENKEY* key,
  92. IN HKEY hKey,
  93. IN LPCWSTR lpSubKey,
  94. IN OUT LPWSTR lpPath
  95. )
  96. {
  97. if (key) {
  98. if (key->wszPath[0]) {
  99. //
  100. // We only care about at most MAX_PATH - 1 characters.
  101. //
  102. wcsncpy(lpPath, key->wszPath, MAX_PATH - 1);
  103. }
  104. } else {
  105. if (hKey == HKEY_CLASSES_ROOT) {
  106. StringCchCopy(lpPath, MAX_PATH - 1, L"HKCR");
  107. } else if (hKey == HKEY_CURRENT_CONFIG) {
  108. StringCchCopy(lpPath, MAX_PATH - 1, L"HKCC");
  109. } else if (hKey == HKEY_CURRENT_USER) {
  110. StringCchCopy(lpPath, MAX_PATH - 1, L"HKCU");
  111. } else if (hKey == HKEY_LOCAL_MACHINE) {
  112. StringCchCopy(lpPath, MAX_PATH - 1, L"HKLM");
  113. } else if (hKey == HKEY_USERS) {
  114. StringCchCopy(lpPath, MAX_PATH - 1, L"HKUS");
  115. } else {
  116. StringCchCopy(lpPath, MAX_PATH - 1, L"Not recongized");
  117. }
  118. }
  120. if (lpSubKey && *lpSubKey) {
  121. DWORD cLen = wcslen(lpPath);
  122. //
  123. // We only care about at most MAX_PATH - 1 characters.
  124. //
  125. if (cLen < MAX_PATH - 1) {
  126. lpPath[cLen] = L'\\';
  127. wcsncpy(lpPath + cLen + 1, lpSubKey, MAX_PATH - cLen - 2);
  128. }
  129. }
  131. lpPath[MAX_PATH - 1] = L'\0';
  132. }
  134. VOID CheckReading(
  135. IN LPCWSTR pwszPath
  136. )
  137. {
  138. RCWARNING warn;
  140. for (UINT ui = 0; ui < g_cWarnNDirectRead; ++ui) {
  141. warn = g_warnNoDirectRead[ui];
  142. if (!_wcsnicmp(pwszPath, warn.wszPath, warn.cLen)) {
  143. VLOG(VLOG_LEVEL_ERROR, warn.dwAVStatus,
  144. "Read from dangerous registry entry '%ls'.",
  145. pwszPath);
  146. }
  147. }
  148. }
  150. // We warn for every tempt of writing to anything besides keys under HKCU.
  151. // Note this applies to both Users and Admins/Power Users because when an
  152. // app is running it shouldn't write anything to non HKCU keys, which should
  153. // be done during the installation time.
  154. VOID CheckWriting(
  155. IN REGSAM samDesired,
  156. IN LPCWSTR pwszPath
  157. )
  158. {
  159. if ((samDesired &~ STANDARD_RIGHTS_WRITE) & KEY_WRITE) {
  160. if (_wcsnicmp(pwszPath, L"HKCU", 4)) {
  161. VLOG(VLOG_LEVEL_ERROR, VLOG_NON_HKCU_WRITE, "Write to non-HKCU registry entry '%ls'.", pwszPath);
  162. }
  163. }
  164. }
  166. //
  167. // Implementation of the CRegistryChecks class.
  168. //
  170. RCOPENKEY*
  171. CRegistryChecks::FindKey(
  172. HKEY hKey
  173. )
  174. {
  175. RCOPENKEY* key = keys;
  177. while (key) {
  178. if (key->hkBase == hKey) {
  179. return key;
  180. }
  182. key = key->next;
  183. }
  185. return NULL;
  186. }
  188. // We add the key to the front of the list because the most
  189. // recently added keys are usually used/deleted first.
  190. BOOL
  191. CRegistryChecks::AddKey(
  192. HKEY hKey,
  193. LPCWSTR pwszPath
  194. )
  195. {
  196. RCOPENKEY* key = new RCOPENKEY;
  198. if (!key) {
  199. return FALSE;
  200. }
  202. key->hkBase = hKey;
  204. //
  205. // None of the key paths we need to check exceed MAX_PATH - 1 characters so
  206. // we only need to copy at most that many characters.
  207. //
  208. wcsncpy(key->wszPath, pwszPath, MAX_PATH - 1);
  209. key->wszPath[MAX_PATH - 1] = L'\0';
  211. key->next = keys;
  212. keys = key;
  214. return TRUE;
  215. }
  217. VOID
  218. CRegistryChecks::Check(
  219. HKEY hKey,
  220. LPCSTR lpSubKey,
  221. BOOL fCheckRead,
  222. BOOL fCheckWrite,
  223. REGSAM samDesired
  224. )
  225. {
  226. LPWSTR pwszSubKey = NULL;
  228. if (pwszSubKey = ToUnicode(lpSubKey)) {
  229. Check(hKey, pwszSubKey, fCheckRead, fCheckWrite);
  230. free(pwszSubKey);
  231. } else {
  232. DPFN(eDbgLevelError, "Failed to convert %s to unicode", lpSubKey);
  233. }
  234. }
  236. VOID
  237. CRegistryChecks::Check(
  238. HKEY hKey,
  239. LPCWSTR lpSubKey,
  240. BOOL fCheckRead,
  241. BOOL fCheckWrite,
  242. REGSAM samDesired
  243. )
  244. {
  245. RCOPENKEY* key = FindKey(hKey);
  246. WCHAR wszPath[MAX_PATH] = L"";
  247. MakePathW(key, hKey, lpSubKey, wszPath);
  249. if (fCheckRead) {
  250. CheckReading(wszPath);
  251. }
  253. if (fCheckWrite) {
  254. CheckWriting(samDesired, wszPath);
  255. }
  256. }
  258. LONG
  259. CRegistryChecks::OpenKeyExOriginalW(
  260. HKEY hKey,
  261. LPCWSTR lpSubKey,
  262. LPWSTR lpClass,
  263. DWORD dwOptions,
  264. REGSAM samDesired,
  265. LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  266. PHKEY phkResult,
  267. LPDWORD lpdwDisposition,
  268. BOOL bCreate
  269. )
  270. {
  271. if (bCreate) {
  272. return ORIGINAL_API(RegCreateKeyExW)(
  273. hKey,
  274. lpSubKey,
  275. 0,
  276. lpClass,
  277. dwOptions,
  278. samDesired,
  279. lpSecurityAttributes,
  280. phkResult,
  281. lpdwDisposition);
  282. } else {
  283. return ORIGINAL_API(RegOpenKeyExW)(
  284. hKey,
  285. lpSubKey,
  286. 0,
  287. samDesired,
  288. phkResult);
  289. }
  290. }
  292. LONG
  293. CRegistryChecks::OpenKeyExA(
  294. HKEY hKey,
  295. LPCSTR lpSubKey,
  296. LPSTR lpClass,
  297. DWORD dwOptions,
  298. REGSAM samDesired,
  299. LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  300. PHKEY phkResult,
  301. LPDWORD lpdwDisposition,
  302. BOOL bCreate
  303. )
  304. {
  305. LONG lRet;
  306. LPWSTR pwszSubKey = NULL;
  307. LPWSTR pwszClass = NULL;
  309. if (lpSubKey) {
  310. if (!(pwszSubKey = ToUnicode(lpSubKey))) {
  311. DPFN(eDbgLevelError, "Failed to convert %s to unicode", lpSubKey);
  312. return ERROR_NOT_ENOUGH_MEMORY;
  313. }
  314. }
  316. if (lpClass) {
  317. if (!(pwszClass = ToUnicode(lpClass)))
  318. {
  319. free(pwszSubKey);
  320. DPFN(eDbgLevelError, "Failed to convert %s to unicode", lpClass);
  321. return ERROR_NOT_ENOUGH_MEMORY;
  322. }
  323. }
  325. lRet = OpenKeyExW(
  326. hKey,
  327. pwszSubKey,
  328. pwszClass,
  329. dwOptions,
  330. samDesired,
  331. lpSecurityAttributes,
  332. phkResult,
  333. lpdwDisposition,
  334. bCreate);
  336. free(pwszSubKey);
  337. free(pwszClass);
  339. return lRet;
  340. }
  342. LONG
  343. CRegistryChecks::OpenKeyExW(
  344. HKEY hKey,
  345. LPCWSTR lpSubKey,
  346. LPWSTR lpClass,
  347. DWORD dwOptions,
  348. REGSAM samDesired,
  349. LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  350. PHKEY phkResult,
  351. LPDWORD lpdwDisposition,
  352. BOOL bCreate
  353. )
  354. {
  355. RCOPENKEY* key = FindKey(hKey);
  356. WCHAR wszPath[MAX_PATH] = L"";
  357. MakePathW(key, hKey, lpSubKey, wszPath);
  359. CheckReading(wszPath);
  360. CheckWriting(samDesired, wszPath);
  362. LONG lRes = OpenKeyExOriginalW(
  363. hKey,
  364. lpSubKey,
  365. lpClass,
  366. dwOptions,
  367. samDesired,
  368. lpSecurityAttributes,
  369. phkResult,
  370. lpdwDisposition,
  371. bCreate);
  373. if (lRes == ERROR_SUCCESS) {
  374. if (AddKey(*phkResult, wszPath)) {
  375. DPFN(eDbgLevelInfo, "[OpenKeyExW] success - adding key 0x%08X", *phkResult);
  376. } else {
  377. lRes = ERROR_INVALID_HANDLE;
  378. }
  379. }
  381. return lRes;
  382. }
  384. LONG
  385. CRegistryChecks::QueryValueA(
  386. HKEY hKey,
  387. LPCSTR lpSubKey,
  388. LPSTR lpValue,
  389. PLONG lpcbValue
  390. )
  391. {
  392. Check(hKey, lpSubKey, TRUE, FALSE);
  394. return ORIGINAL_API(RegQueryValueA)(
  395. hKey,
  396. lpSubKey,
  397. lpValue,
  398. lpcbValue);
  399. }
  401. LONG
  402. CRegistryChecks::QueryValueW(
  403. HKEY hKey,
  404. LPCWSTR lpSubKey,
  405. LPWSTR lpValue,
  406. PLONG lpcbValue
  407. )
  408. {
  409. Check(hKey, lpSubKey, TRUE, FALSE);
  411. return ORIGINAL_API(RegQueryValueW)(
  412. hKey,
  413. lpSubKey,
  414. lpValue,
  415. lpcbValue);
  416. }
  418. LONG
  419. CRegistryChecks::QueryValueExA(
  420. HKEY hKey,
  421. LPCSTR lpValueName,
  422. LPDWORD lpReserved,
  423. LPDWORD lpType,
  424. LPBYTE lpData,
  425. LPDWORD lpcbData
  426. )
  427. {
  428. Check(hKey, L"", TRUE, FALSE);
  430. return ORIGINAL_API(RegQueryValueExA)(
  431. hKey,
  432. lpValueName,
  433. lpReserved,
  434. lpType,
  435. lpData,
  436. lpcbData);
  437. }
  439. LONG
  440. CRegistryChecks::QueryValueExW(
  441. HKEY hKey,
  442. LPCWSTR lpValueName,
  443. LPDWORD lpReserved,
  444. LPDWORD lpType,
  445. LPBYTE lpData,
  446. LPDWORD lpcbData
  447. )
  448. {
  449. Check(hKey, L"", TRUE, FALSE);
  451. return ORIGINAL_API(RegQueryValueExW)(
  452. hKey,
  453. lpValueName,
  454. lpReserved,
  455. lpType,
  456. lpData,
  457. lpcbData);
  458. }
  460. LONG
  461. CRegistryChecks::QueryInfoKeyA(
  462. HKEY hKey,
  463. LPSTR lpClass,
  464. LPDWORD lpcbClass,
  465. LPDWORD lpReserved,
  466. LPDWORD lpcSubKeys,
  467. LPDWORD lpcbMaxSubKeyLen,
  468. LPDWORD lpcbMaxClassLen,
  469. LPDWORD lpcValues,
  470. LPDWORD lpcbMaxValueNameLen,
  471. LPDWORD lpcbMaxValueLen,
  472. LPDWORD lpcbSecurityDescriptor,
  473. PFILETIME lpftLastWriteTime
  474. )
  475. {
  476. Check(hKey, L"", TRUE, FALSE);
  478. return ORIGINAL_API(RegQueryInfoKeyA)(
  479. hKey,
  480. lpClass,
  481. lpcbClass,
  482. lpReserved,
  483. lpcSubKeys,
  484. lpcbMaxSubKeyLen,
  485. lpcbMaxClassLen,
  486. lpcValues,
  487. lpcbMaxValueNameLen,
  488. lpcbMaxValueLen,
  489. lpcbSecurityDescriptor,
  490. lpftLastWriteTime);
  491. }
  493. LONG
  494. CRegistryChecks::QueryInfoKeyW(
  495. HKEY hKey,
  496. LPWSTR lpClass,
  497. LPDWORD lpcbClass,
  498. LPDWORD lpReserved,
  499. LPDWORD lpcSubKeys,
  500. LPDWORD lpcbMaxSubKeyLen,
  501. LPDWORD lpcbMaxClassLen,
  502. LPDWORD lpcValues,
  503. LPDWORD lpcbMaxValueNameLen,
  504. LPDWORD lpcbMaxValueLen,
  505. LPDWORD lpcbSecurityDescriptor,
  506. PFILETIME lpftLastWriteTime
  507. )
  508. {
  509. Check(hKey, L"", TRUE, FALSE);
  511. return ORIGINAL_API(RegQueryInfoKeyW)(
  512. hKey,
  513. lpClass,
  514. lpcbClass,
  515. lpReserved,
  516. lpcSubKeys,
  517. lpcbMaxSubKeyLen,
  518. lpcbMaxClassLen,
  519. lpcValues,
  520. lpcbMaxValueNameLen,
  521. lpcbMaxValueLen,
  522. lpcbSecurityDescriptor,
  523. lpftLastWriteTime);
  524. }
  526. LONG
  527. CRegistryChecks::SetValueA(
  528. HKEY hKey,
  529. LPCSTR lpSubKey,
  530. DWORD dwType,
  531. LPCSTR lpData,
  532. DWORD cbData
  533. )
  534. {
  535. Check(hKey, lpSubKey, FALSE, TRUE, KEY_WRITE);
  537. return ORIGINAL_API(RegSetValueA)(
  538. hKey,
  539. lpSubKey,
  540. dwType,
  541. lpData,
  542. cbData);
  543. }
  545. LONG
  546. CRegistryChecks::SetValueW(
  547. HKEY hKey,
  548. LPCWSTR lpSubKey,
  549. DWORD dwType,
  550. LPCWSTR lpData,
  551. DWORD cbData
  552. )
  553. {
  554. Check(hKey, lpSubKey, FALSE, TRUE, KEY_WRITE);
  556. return ORIGINAL_API(RegSetValueW)(
  557. hKey,
  558. lpSubKey,
  559. dwType,
  560. lpData,
  561. cbData);
  562. }
  564. LONG
  565. CRegistryChecks::SetValueExA(
  566. HKEY hKey,
  567. LPCSTR lpValueName,
  568. DWORD Reserved,
  569. DWORD dwType,
  570. CONST BYTE * lpData,
  571. DWORD cbData
  572. )
  573. {
  574. Check(hKey, L"", FALSE, TRUE, KEY_WRITE);
  576. return ORIGINAL_API(RegSetValueExA)(
  577. hKey,
  578. lpValueName,
  579. Reserved,
  580. dwType,
  581. lpData,
  582. cbData);
  583. }
  585. LONG
  586. CRegistryChecks::SetValueExW(
  587. HKEY hKey,
  588. LPCWSTR lpValueName,
  589. DWORD Reserved,
  590. DWORD dwType,
  591. CONST BYTE * lpData,
  592. DWORD cbData
  593. )
  594. {
  595. Check(hKey, L"", FALSE, TRUE, KEY_WRITE);
  597. return ORIGINAL_API(RegSetValueExW)(
  598. hKey,
  599. lpValueName,
  600. Reserved,
  601. dwType,
  602. lpData,
  603. cbData);
  604. }
  606. LONG
  607. CRegistryChecks::EnumValueA(
  608. HKEY hKey,
  609. DWORD dwIndex,
  610. LPSTR lpValueName,
  611. LPDWORD lpcbValueName,
  612. LPDWORD lpReserved,
  613. LPDWORD lpType,
  614. LPBYTE lpData,
  615. LPDWORD lpcbData
  616. )
  617. {
  618. Check(hKey, L"", TRUE, FALSE);
  620. return ORIGINAL_API(RegEnumValueA)(
  621. hKey,
  622. dwIndex,
  623. lpValueName,
  624. lpcbValueName,
  625. lpReserved,
  626. lpType,
  627. lpData,
  628. lpcbData);
  629. }
  631. // If the key was not originated from HKCU,
  632. // we enum at the original location.
  633. LONG
  634. CRegistryChecks::EnumValueW(
  635. HKEY hKey,
  636. DWORD dwIndex,
  637. LPWSTR lpValueName,
  638. LPDWORD lpcbValueName,
  639. LPDWORD lpReserved,
  640. LPDWORD lpType,
  641. LPBYTE lpData,
  642. LPDWORD lpcbData
  643. )
  644. {
  645. Check(hKey, L"", TRUE, FALSE);
  647. return ORIGINAL_API(RegEnumValueW)(
  648. hKey,
  649. dwIndex,
  650. lpValueName,
  651. lpcbValueName,
  652. lpReserved,
  653. lpType,
  654. lpData,
  655. lpcbData);
  656. }
  658. LONG
  659. CRegistryChecks::EnumKeyExA(
  660. HKEY hKey,
  661. DWORD dwIndex,
  662. LPSTR lpName,
  663. LPDWORD lpcbName,
  664. LPDWORD lpReserved,
  665. LPSTR lpClass,
  666. LPDWORD lpcbClass,
  667. PFILETIME lpftLastWriteTime
  668. )
  669. {
  670. Check(hKey, L"", TRUE, FALSE);
  672. return ORIGINAL_API(RegEnumKeyExA)(
  673. hKey,
  674. dwIndex,
  675. lpName,
  676. lpcbName,
  677. lpReserved,
  678. lpClass,
  679. lpcbClass,
  680. lpftLastWriteTime);
  681. }
  683. // If the key was not originated from HKCU,
  684. // we enum at the original location.
  685. LONG
  686. CRegistryChecks::EnumKeyExW(
  687. HKEY hKey,
  688. DWORD dwIndex,
  689. LPWSTR lpName,
  690. LPDWORD lpcbName,
  691. LPDWORD lpReserved,
  692. LPWSTR lpClass,
  693. LPDWORD lpcbClass,
  694. PFILETIME lpftLastWriteTime
  695. )
  696. {
  697. Check(hKey, L"", TRUE, FALSE);
  699. return ORIGINAL_API(RegEnumKeyExW)(
  700. hKey,
  701. dwIndex,
  702. lpName,
  703. lpcbName,
  704. lpReserved,
  705. lpClass,
  706. lpcbClass,
  707. lpftLastWriteTime);
  708. }
  710. // Remove the key from the list.
  711. LONG
  712. CRegistryChecks::CloseKey(
  713. HKEY hKey
  714. )
  715. {
  716. RCOPENKEY* key = keys;
  717. RCOPENKEY* last = NULL;
  719. while (key) {
  720. if (key->hkBase == hKey) {
  721. if (last) {
  722. last->next = key->next;
  723. } else {
  724. keys = key->next;
  725. }
  727. delete key;
  728. break;
  729. }
  731. last = key;
  732. key = key->next;
  733. }
  735. DPFN(eDbgLevelInfo, "[CloseKey] closing key 0x%08X", hKey);
  737. return ORIGINAL_API(RegCloseKey)(hKey);
  738. }
  740. LONG
  741. CRegistryChecks::DeleteKeyA(
  742. HKEY hKey,
  743. LPCSTR lpSubKey
  744. )
  745. {
  746. Check(hKey, lpSubKey, FALSE, TRUE, KEY_WRITE);
  748. return ORIGINAL_API(RegDeleteKeyA)(
  749. hKey,
  750. lpSubKey);
  751. }
  753. LONG
  754. CRegistryChecks::DeleteKeyW(
  755. HKEY hKey,
  756. LPCWSTR lpSubKey
  757. )
  758. {
  759. Check(hKey, lpSubKey, FALSE, TRUE, KEY_WRITE);
  761. return ORIGINAL_API(RegDeleteKeyW)(
  762. hKey,
  763. lpSubKey);
  764. }
  766. CRegistryChecks RRegistry;
  768. //
  769. // Hook APIs.
  770. //
  772. LONG
  773. APIHOOK(RegOpenKeyA)(
  774. HKEY hKey,
  775. LPSTR lpSubKey,
  776. PHKEY phkResult
  777. )
  778. {
  779. CLock cLock(g_csCritSec);
  781. return RRegistry.OpenKeyExA(
  782. hKey,
  783. lpSubKey,
  784. 0,
  785. REG_OPTION_NON_VOLATILE,
  786. MAXIMUM_ALLOWED,
  787. NULL,
  788. phkResult,
  789. NULL,
  790. FALSE);
  791. }
  793. LONG
  794. APIHOOK(RegOpenKeyW)(
  795. HKEY hKey,
  796. LPWSTR lpSubKey,
  797. PHKEY phkResult
  798. )
  799. {
  800. CLock cLock(g_csCritSec);
  802. return RRegistry.OpenKeyExW(
  803. hKey,
  804. lpSubKey,
  805. 0,
  806. REG_OPTION_NON_VOLATILE,
  807. MAXIMUM_ALLOWED,
  808. NULL,
  809. phkResult,
  810. NULL,
  811. FALSE);
  812. }
  814. LONG
  815. APIHOOK(RegOpenKeyExA)(
  816. HKEY hKey,
  817. LPCSTR lpSubKey,
  818. DWORD ulOptions,
  819. REGSAM samDesired,
  820. PHKEY phkResult
  821. )
  822. {
  823. CLock cLock(g_csCritSec);
  825. return RRegistry.OpenKeyExA(
  826. hKey,
  827. lpSubKey,
  828. 0,
  829. REG_OPTION_NON_VOLATILE,
  830. samDesired,
  831. NULL,
  832. phkResult,
  833. NULL,
  834. FALSE);
  835. }
  837. LONG
  838. APIHOOK(RegOpenKeyExW)(
  839. HKEY hKey,
  840. LPCWSTR lpSubKey,
  841. DWORD ulOptions,
  842. REGSAM samDesired,
  843. PHKEY phkResult
  844. )
  845. {
  846. CLock cLock(g_csCritSec);
  848. return RRegistry.OpenKeyExW(
  849. hKey,
  850. lpSubKey,
  851. 0,
  852. REG_OPTION_NON_VOLATILE,
  853. samDesired,
  854. NULL,
  855. phkResult,
  856. NULL,
  857. FALSE);
  858. }
  860. LONG
  861. APIHOOK(RegCreateKeyA)(
  862. HKEY hKey,
  863. LPCSTR lpSubKey,
  864. PHKEY phkResult
  865. )
  866. {
  867. CLock cLock(g_csCritSec);
  869. return RRegistry.OpenKeyExA(
  870. hKey,
  871. lpSubKey,
  872. 0,
  873. REG_OPTION_NON_VOLATILE,
  874. MAXIMUM_ALLOWED,
  875. NULL,
  876. phkResult,
  877. NULL,
  878. TRUE);
  879. }
  881. LONG
  882. APIHOOK(RegCreateKeyW)(
  883. HKEY hKey,
  884. LPCWSTR lpSubKey,
  885. PHKEY phkResult
  886. )
  887. {
  888. CLock cLock(g_csCritSec);
  890. return RRegistry.OpenKeyExW(
  891. hKey,
  892. lpSubKey,
  893. 0,
  894. REG_OPTION_NON_VOLATILE,
  895. MAXIMUM_ALLOWED,
  896. NULL,
  897. phkResult,
  898. NULL,
  899. TRUE);
  900. }
  902. LONG
  903. APIHOOK(RegCreateKeyExA)(
  904. HKEY hKey,
  905. LPCSTR lpSubKey,
  906. DWORD Reserved,
  907. LPSTR lpClass,
  908. DWORD dwOptions,
  909. REGSAM samDesired,
  910. LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  911. PHKEY phkResult,
  912. LPDWORD lpdwDisposition
  913. )
  914. {
  915. CLock cLock(g_csCritSec);
  917. return RRegistry.OpenKeyExA(
  918. hKey,
  919. lpSubKey,
  920. lpClass,
  921. dwOptions,
  922. samDesired,
  923. lpSecurityAttributes,
  924. phkResult,
  925. lpdwDisposition,
  926. TRUE);
  927. }
  929. LONG
  930. APIHOOK(RegCreateKeyExW)(
  931. HKEY hKey,
  932. LPCWSTR lpSubKey,
  933. DWORD Reserved,
  934. LPWSTR lpClass,
  935. DWORD dwOptions,
  936. REGSAM samDesired,
  937. LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  938. PHKEY phkResult,
  939. LPDWORD lpdwDisposition
  940. )
  941. {
  942. CLock cLock(g_csCritSec);
  944. return RRegistry.OpenKeyExW(
  945. hKey,
  946. lpSubKey,
  947. lpClass,
  948. dwOptions,
  949. samDesired,
  950. lpSecurityAttributes,
  951. phkResult,
  952. lpdwDisposition,
  953. TRUE);
  954. }
  956. LONG
  957. APIHOOK(RegQueryValueA)(
  958. HKEY hKey,
  959. LPCSTR lpSubKey,
  960. LPSTR lpValue,
  961. PLONG lpcbValue
  962. )
  963. {
  964. CLock cLock(g_csCritSec);
  966. return RRegistry.QueryValueA(
  967. hKey,
  968. lpSubKey,
  969. lpValue,
  970. lpcbValue);
  971. }
  973. LONG
  974. APIHOOK(RegQueryValueW)(
  975. HKEY hKey,
  976. LPCWSTR lpSubKey,
  977. LPWSTR lpValue,
  978. PLONG lpcbValue
  979. )
  980. {
  981. CLock cLock(g_csCritSec);
  983. return RRegistry.QueryValueW(
  984. hKey,
  985. lpSubKey,
  986. lpValue,
  987. lpcbValue);
  988. }
  990. LONG
  991. APIHOOK(RegQueryValueExA)(
  992. HKEY hKey,
  993. LPCSTR lpValueName,
  994. LPDWORD lpReserved,
  995. LPDWORD lpType,
  996. LPBYTE lpData,
  997. LPDWORD lpcbData
  998. )
  999. {
  1000. CLock cLock(g_csCritSec);
  1002. return RRegistry.QueryValueExA(
  1003. hKey,
  1004. lpValueName,
  1005. lpReserved,
  1006. lpType,
  1007. lpData,
  1008. lpcbData);
  1009. }
  1011. LONG
  1012. APIHOOK(RegQueryValueExW)(
  1013. HKEY hKey,
  1014. LPCWSTR lpValueName,
  1015. LPDWORD lpReserved,
  1016. LPDWORD lpType,
  1017. LPBYTE lpData,
  1018. LPDWORD lpcbData
  1019. )
  1020. {
  1021. CLock cLock(g_csCritSec);
  1023. return RRegistry.QueryValueExW(
  1024. hKey,
  1025. lpValueName,
  1026. lpReserved,
  1027. lpType,
  1028. lpData,
  1029. lpcbData);
  1030. }
  1032. LONG
  1033. APIHOOK(RegQueryInfoKeyA)(
  1034. HKEY hKey,
  1035. LPSTR lpClass,
  1036. LPDWORD lpcbClass,
  1037. LPDWORD lpReserved,
  1038. LPDWORD lpcSubKeys,
  1039. LPDWORD lpcbMaxSubKeyLen,
  1040. LPDWORD lpcbMaxClassLen,
  1041. LPDWORD lpcValues,
  1042. LPDWORD lpcbMaxValueNameLen,
  1043. LPDWORD lpcbMaxValueLen,
  1044. LPDWORD lpcbSecurityDescriptor,
  1045. PFILETIME lpftLastWriteTime
  1046. )
  1047. {
  1048. CLock cLock(g_csCritSec);
  1050. return RRegistry.QueryInfoKeyA(
  1051. hKey,
  1052. lpClass,
  1053. lpcbClass,
  1054. lpReserved,
  1055. lpcSubKeys,
  1056. lpcbMaxSubKeyLen,
  1057. lpcbMaxClassLen,
  1058. lpcValues,
  1059. lpcbMaxValueNameLen,
  1060. lpcbMaxValueLen,
  1061. lpcbSecurityDescriptor,
  1062. lpftLastWriteTime);
  1063. }
  1065. LONG
  1066. APIHOOK(RegQueryInfoKeyW)(
  1067. HKEY hKey,
  1068. LPWSTR lpClass,
  1069. LPDWORD lpcbClass,
  1070. LPDWORD lpReserved,
  1071. LPDWORD lpcSubKeys,
  1072. LPDWORD lpcbMaxSubKeyLen,
  1073. LPDWORD lpcbMaxClassLen,
  1074. LPDWORD lpcValues,
  1075. LPDWORD lpcbMaxValueNameLen,
  1076. LPDWORD lpcbMaxValueLen,
  1077. LPDWORD lpcbSecurityDescriptor,
  1078. PFILETIME lpftLastWriteTime
  1079. )
  1080. {
  1081. CLock cLock(g_csCritSec);
  1083. return RRegistry.QueryInfoKeyW(
  1084. hKey,
  1085. lpClass,
  1086. lpcbClass,
  1087. lpReserved,
  1088. lpcSubKeys,
  1089. lpcbMaxSubKeyLen,
  1090. lpcbMaxClassLen,
  1091. lpcValues,
  1092. lpcbMaxValueNameLen,
  1093. lpcbMaxValueLen,
  1094. lpcbSecurityDescriptor,
  1095. lpftLastWriteTime);
  1096. }
  1098. LONG
  1099. APIHOOK(RegSetValueA)(
  1100. HKEY hKey,
  1101. LPCSTR lpSubKey,
  1102. DWORD dwType,
  1103. LPCSTR lpData,
  1104. DWORD cbData
  1105. )
  1106. {
  1107. CLock cLock(g_csCritSec);
  1109. return RRegistry.SetValueA(
  1110. hKey,
  1111. lpSubKey,
  1112. dwType,
  1113. lpData,
  1114. cbData);
  1115. }
  1117. LONG
  1118. APIHOOK(RegSetValueW)(
  1119. HKEY hKey,
  1120. LPCWSTR lpSubKey,
  1121. DWORD dwType,
  1122. LPCWSTR lpData,
  1123. DWORD cbData
  1124. )
  1125. {
  1126. CLock cLock(g_csCritSec);
  1128. return RRegistry.SetValueW(
  1129. hKey,
  1130. lpSubKey,
  1131. dwType,
  1132. lpData,
  1133. cbData);
  1134. }
  1136. LONG
  1137. APIHOOK(RegSetValueExA)(
  1138. HKEY hKey,
  1139. LPCSTR lpSubKey,
  1140. DWORD Reserved,
  1141. DWORD dwType,
  1142. CONST BYTE * lpData,
  1143. DWORD cbData
  1144. )
  1145. {
  1146. CLock cLock(g_csCritSec);
  1148. return RRegistry.SetValueExA(
  1149. hKey,
  1150. lpSubKey,
  1151. Reserved,
  1152. dwType,
  1153. lpData,
  1154. cbData);
  1155. }
  1157. LONG
  1158. APIHOOK(RegSetValueExW)(
  1159. HKEY hKey,
  1160. LPCWSTR lpSubKey,
  1161. DWORD Reserved,
  1162. DWORD dwType,
  1163. CONST BYTE * lpData,
  1164. DWORD cbData
  1165. )
  1166. {
  1167. CLock cLock(g_csCritSec);
  1169. return RRegistry.SetValueExW(
  1170. hKey,
  1171. lpSubKey,
  1172. Reserved,
  1173. dwType,
  1174. lpData,
  1175. cbData);
  1176. }
  1178. LONG
  1179. APIHOOK(RegEnumValueA)(
  1180. HKEY hKey,
  1181. DWORD dwIndex,
  1182. LPSTR lpValueName,
  1183. LPDWORD lpcbValueName,
  1184. LPDWORD lpReserved,
  1185. LPDWORD lpType,
  1186. LPBYTE lpData,
  1187. LPDWORD lpcbData
  1188. )
  1189. {
  1190. CLock cLock(g_csCritSec);
  1192. return RRegistry.EnumValueA(
  1193. hKey,
  1194. dwIndex,
  1195. lpValueName,
  1196. lpcbValueName,
  1197. lpReserved,
  1198. lpType,
  1199. lpData,
  1200. lpcbData);
  1201. }
  1203. LONG
  1204. APIHOOK(RegEnumValueW)(
  1205. HKEY hKey,
  1206. DWORD dwIndex,
  1207. LPWSTR lpValueName,
  1208. LPDWORD lpcbValueName,
  1209. LPDWORD lpReserved,
  1210. LPDWORD lpType,
  1211. LPBYTE lpData,
  1212. LPDWORD lpcbData
  1213. )
  1214. {
  1215. CLock cLock(g_csCritSec);
  1217. return RRegistry.EnumValueW(
  1218. hKey,
  1219. dwIndex,
  1220. lpValueName,
  1221. lpcbValueName,
  1222. lpReserved,
  1223. lpType,
  1224. lpData,
  1225. lpcbData);
  1226. }
  1228. LONG
  1229. APIHOOK(RegEnumKeyA)(
  1230. HKEY hKey,
  1231. DWORD dwIndex,
  1232. LPSTR lpName,
  1233. DWORD cbName
  1234. )
  1235. {
  1236. CLock cLock(g_csCritSec);
  1238. return RRegistry.EnumKeyExA(
  1239. hKey,
  1240. dwIndex,
  1241. lpName,
  1242. &cbName,
  1243. NULL,
  1244. NULL,
  1245. NULL,
  1246. NULL); // can this be null???
  1247. }
  1249. LONG
  1250. APIHOOK(RegEnumKeyW)(
  1251. HKEY hKey,
  1252. DWORD dwIndex,
  1253. LPWSTR lpName,
  1254. DWORD cbName
  1255. )
  1256. {
  1257. CLock cLock(g_csCritSec);
  1259. return RRegistry.EnumKeyExW(
  1260. hKey,
  1261. dwIndex,
  1262. lpName,
  1263. &cbName,
  1264. NULL,
  1265. NULL,
  1266. NULL,
  1267. NULL);
  1268. }
  1270. LONG
  1271. APIHOOK(RegEnumKeyExA)(
  1272. HKEY hKey,
  1273. DWORD dwIndex,
  1274. LPSTR lpName,
  1275. LPDWORD lpcbName,
  1276. LPDWORD lpReserved,
  1277. LPSTR lpClass,
  1278. LPDWORD lpcbClass,
  1279. PFILETIME lpftLastWriteTime
  1280. )
  1281. {
  1282. CLock cLock(g_csCritSec);
  1284. return RRegistry.EnumKeyExA(
  1285. hKey,
  1286. dwIndex,
  1287. lpName,
  1288. lpcbName,
  1289. lpReserved,
  1290. lpClass,
  1291. lpcbClass,
  1292. lpftLastWriteTime);
  1293. }
  1295. LONG
  1296. APIHOOK(RegEnumKeyExW)(
  1297. HKEY hKey,
  1298. DWORD dwIndex,
  1299. LPWSTR lpName,
  1300. LPDWORD lpcbName,
  1301. LPDWORD lpReserved,
  1302. LPWSTR lpClass,
  1303. LPDWORD lpcbClass,
  1304. PFILETIME lpftLastWriteTime
  1305. )
  1306. {
  1307. CLock cLock(g_csCritSec);
  1309. return RRegistry.EnumKeyExW(
  1310. hKey,
  1311. dwIndex,
  1312. lpName,
  1313. lpcbName,
  1314. lpReserved,
  1315. lpClass,
  1316. lpcbClass,
  1317. lpftLastWriteTime);
  1318. }
  1320. LONG
  1321. APIHOOK(RegCloseKey)(HKEY hKey)
  1322. {
  1323. CLock cLock(g_csCritSec);
  1325. return RRegistry.CloseKey(hKey);
  1326. }
  1328. LONG
  1329. APIHOOK(RegDeleteKeyA)(
  1330. HKEY hKey,
  1331. LPCSTR lpSubKey
  1332. )
  1333. {
  1334. CLock cLock(g_csCritSec);
  1336. return RRegistry.DeleteKeyA(hKey, lpSubKey);
  1337. }
  1339. LONG
  1340. APIHOOK(RegDeleteKeyW)(
  1341. HKEY hKey,
  1342. LPCWSTR lpSubKey
  1343. )
  1344. {
  1345. CLock cLock(g_csCritSec);
  1347. return RRegistry.DeleteKeyW(hKey, lpSubKey);
  1348. }
  1350. SHIM_INFO_BEGIN()
  1352. SHIM_INFO_DESCRIPTION(AVS_REGISTRYCHECKS_DESC)
  1353. SHIM_INFO_FRIENDLY_NAME(AVS_REGISTRYCHECKS_FRIENDLY)
  1354. SHIM_INFO_VERSION(1, 3)
  1355. SHIM_INFO_FLAGS(AVRF_FLAG_EXTERNAL_ONLY)
  1356. SHIM_INFO_INCLUDE_EXCLUDE("E:msi.dll sxs.dll comctl32.dll ole32.dll oleaut32.dll")
  1358. SHIM_INFO_END()
  1360. /*++
  1362. Register hooked functions
  1364. Note we purposely ignore the cleanup because some apps call registry functions
  1365. during process detach.
  1367. --*/
  1369. HOOK_BEGIN
  1371. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_Console_READ,
  1372. AVS_HKCU_Console_READ,
  1373. AVS_HKCU_Console_READ_R,
  1374. AVS_HKCU_Console_READ_URL)
  1376. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_ControlPanel_READ,
  1377. AVS_HKCU_ControlPanel_READ,
  1378. AVS_HKCU_ControlPanel_READ_R,
  1379. AVS_HKCU_ControlPanel_READ_URL)
  1381. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_Environment_READ,
  1382. AVS_HKCU_Environment_READ,
  1383. AVS_HKCU_Environment_READ_R,
  1384. AVS_HKCU_Environment_READ_URL)
  1386. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_Identities_READ,
  1387. AVS_HKCU_Identities_READ,
  1388. AVS_HKCU_Identities_READ_R,
  1389. AVS_HKCU_Identities_READ_URL)
  1391. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_KeyboardLayout_READ,
  1392. AVS_HKCU_KeyboardLayout_READ,
  1393. AVS_HKCU_KeyboardLayout_READ_R,
  1394. AVS_HKCU_KeyboardLayout_READ_URL)
  1396. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_Printers_READ,
  1397. AVS_HKCU_Printers_READ,
  1398. AVS_HKCU_Printers_READ_R,
  1399. AVS_HKCU_Printers_READ_URL)
  1401. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_RemoteAccess_READ,
  1402. AVS_HKCU_RemoteAccess_READ,
  1403. AVS_HKCU_RemoteAccess_READ_R,
  1404. AVS_HKCU_RemoteAccess_READ_URL)
  1406. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_SessionInformation_READ,
  1407. AVS_HKCU_SessionInformation_READ,
  1408. AVS_HKCU_SessionInformation_READ_R,
  1409. AVS_HKCU_SessionInformation_READ_URL)
  1411. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_UNICODEProgramGroups_READ,
  1412. AVS_HKCU_UNICODEProgramGroups_READ,
  1413. AVS_HKCU_UNICODEProgramGroups_READ_R,
  1414. AVS_HKCU_UNICODEProgramGroups_READ_URL)
  1416. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_VolatileEnvironment_READ,
  1417. AVS_HKCU_VolatileEnvironment_READ,
  1418. AVS_HKCU_VolatileEnvironment_READ_R,
  1419. AVS_HKCU_VolatileEnvironment_READ_URL)
  1421. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_Windows31MigrationStatus_READ,
  1422. AVS_HKCU_Windows31MigrationStatus_READ,
  1423. AVS_HKCU_Windows31MigrationStatus_READ_R,
  1424. AVS_HKCU_Windows31MigrationStatus_READ_URL)
  1426. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKLM_HARDWARE_READ,
  1427. AVS_HKLM_HARDWARE_READ,
  1428. AVS_HKLM_HARDWARE_READ_R,
  1429. AVS_HKLM_HARDWARE_READ_URL)
  1431. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKLM_SAM_READ,
  1432. AVS_HKLM_SAM_READ,
  1433. AVS_HKLM_SAM_READ_R,
  1434. AVS_HKLM_SAM_READ_URL)
  1436. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKLM_SECURITY_READ,
  1437. AVS_HKLM_SECURITY_READ,
  1438. AVS_HKLM_SECURITY_READ_R,
  1439. AVS_HKLM_SECURITY_READ_URL)
  1441. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKLM_SYSTEM_READ,
  1442. AVS_HKLM_SYSTEM_READ,
  1443. AVS_HKLM_SYSTEM_READ_R,
  1444. AVS_HKLM_SYSTEM_READ_URL)
  1446. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCC_READ,
  1447. AVS_HKCC_READ,
  1448. AVS_HKCC_READ_R,
  1449. AVS_HKCC_READ_URL)
  1451. DUMP_VERIFIER_LOG_ENTRY(VLOG_HKUS_READ,
  1452. AVS_HKUS_READ,
  1453. AVS_HKUS_READ_R,
  1454. AVS_HKUS_READ_URL)
  1456. DUMP_VERIFIER_LOG_ENTRY(VLOG_NON_HKCU_WRITE,
  1457. AVS_NON_HKCU_WRITE,
  1458. AVS_NON_HKCU_WRITE_R,
  1459. AVS_NON_HKCU_WRITE_URL)
  1462. APIHOOK_ENTRY(ADVAPI32.DLL, RegOpenKeyA)
  1463. APIHOOK_ENTRY(ADVAPI32.DLL, RegOpenKeyW)
  1464. APIHOOK_ENTRY(ADVAPI32.DLL, RegOpenKeyExA)
  1465. APIHOOK_ENTRY(ADVAPI32.DLL, RegOpenKeyExW)
  1466. APIHOOK_ENTRY(ADVAPI32.DLL, RegCreateKeyA)
  1467. APIHOOK_ENTRY(ADVAPI32.DLL, RegCreateKeyW)
  1468. APIHOOK_ENTRY(ADVAPI32.DLL, RegCreateKeyExA)
  1469. APIHOOK_ENTRY(ADVAPI32.DLL, RegCreateKeyExW)
  1470. APIHOOK_ENTRY(ADVAPI32.DLL, RegCloseKey)
  1471. APIHOOK_ENTRY(ADVAPI32.DLL, RegQueryValueA)
  1472. APIHOOK_ENTRY(ADVAPI32.DLL, RegQueryValueW)
  1473. APIHOOK_ENTRY(ADVAPI32.DLL, RegQueryValueExA)
  1474. APIHOOK_ENTRY(ADVAPI32.DLL, RegQueryValueExW)
  1475. APIHOOK_ENTRY(ADVAPI32.DLL, RegQueryInfoKeyA)
  1476. APIHOOK_ENTRY(ADVAPI32.DLL, RegQueryInfoKeyW)
  1477. APIHOOK_ENTRY(ADVAPI32.DLL, RegSetValueA)
  1478. APIHOOK_ENTRY(ADVAPI32.DLL, RegSetValueW)
  1479. APIHOOK_ENTRY(ADVAPI32.DLL, RegSetValueExA)
  1480. APIHOOK_ENTRY(ADVAPI32.DLL, RegSetValueExW)
  1481. APIHOOK_ENTRY(ADVAPI32.DLL, RegEnumValueA)
  1482. APIHOOK_ENTRY(ADVAPI32.DLL, RegEnumValueW)
  1483. APIHOOK_ENTRY(ADVAPI32.DLL, RegEnumKeyA)
  1484. APIHOOK_ENTRY(ADVAPI32.DLL, RegEnumKeyW)
  1485. APIHOOK_ENTRY(ADVAPI32.DLL, RegEnumKeyExA)
  1486. APIHOOK_ENTRY(ADVAPI32.DLL, RegEnumKeyExW)
  1487. APIHOOK_ENTRY(ADVAPI32.DLL, RegDeleteKeyA)
  1488. APIHOOK_ENTRY(ADVAPI32.DLL, RegDeleteKeyW)
  1490. HOOK_END
  1492. IMPLEMENT_SHIM_END