[RESOLVED] Can't load 64-bit key using RegLoadKey in 32-bit service
I need to open up and modify a user's registry key from a 32-bit service (note that the user is not logged in at the time.) I do the following:
Code:
//For simplicity error checks are not shown
//I also made sure to enable the following privileges:
// SE_RESTORE_NAME, SE_BACKUP_NAME
//"ntuser.dat" = is the file OS uses to load user's profile
RegLoadKey(HKEY_LOCAL_MACHINE, L"Test123", L"C:\\Users\\UserA\\ntuser.dat");
HKEY hKey;
DWORD dwRes = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
    L"Test123\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify",
    0, KEY_READ | KEY_WOW64_64KEY, &hKey);
//'dwRes' = is returned as 2, or ERROR_FILE_NOT_FOUND
RegUnLoadKey(HKEY_LOCAL_MACHINE, L"Test123");
The problem is that the "Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify" key isn't loaded, even though I know that it exists in the actual user profile. I can verify that by loading the user account and by using 64-bit regedit.
I suspect that this has something to do with the Wow64 redirection, but I can't seem to understand what I am doing wrong.
Re: Can't load 64-bit key using RegLoadKey in 32-bit service
It seems "\\Software\\Classes" is another mounting point for a separate hive, and it gets mounted only for a loaded user profile. This is just a hunch, as this is what I can see in regedit: HKEY_USERS\<SID string>_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify. No directly loaded hives in regedit have a Software\Classes path.
EDIT: This was in Win 7 64-bit. I just confirmed that I can see the same behavior in Windows XP/Vista 32-bit.
When the profile is loaded:
HKEY_USERS\<SID string> is mounted as HKEY_CURRENT_USER
HKEY_USERS\<SID string>_Classes is mounted as HKEY_CURRENT_USER\Software\Classes
3 Attachment(s)
Re: Can't load 64-bit key using RegLoadKey in 32-bit service
Igor, much appreciated! I haven't been here for some time and here you are again, as always bailing my butt :)
How you been?
Thanks for the clarification. It all checks out, although I'm not quite sure about how to find the `HKEY_USERS\<SID string>_Classes` key in the user's file system. It doesn't seem to be in the ntuser.dat file. Here's how I know this: I copied the "C:\Users\UserA\ntuser.dat" file onto another computer and then did File -> Load Hive and specified that file from regedit. Below are the screenshots. As you can see the key I'm looking for is not there.
Any idea what .dat file is "HKEY_USERS\<SID string>_Classes" part stored in?
Re: Can't load 64-bit key using RegLoadKey in 32-bit service
A quick follow-up: I found out that the classes data is actually stored in a different file "\Device\HarddiskVolume2\Users\UserA\AppData\Local\Microsoft\Windows\UsrClass.dat". Any idea how to get this path from a user's profile?
Re: Can't load 64-bit key using RegLoadKey in 32-bit service
Another correction.
For Windows Vista and later: The file to load is "%LocalAppData%\Microsoft\Windows\Usrclass.dat" which is a non-roaming part of the user's registry hive. (Mostly COM stuff + some additional settings.) And the key to open after it's loaded is "Test123\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify" because of the redirection/mapping that Igor explained above.
For Windows XP: The file to load is "CSIDL_PROFILE\ntuser.dat" and the key to open is "Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify". Note that in case of Windows XP the classes part of the user's registry hive was still placed in a roaming folder.
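The resolution in the last post, written out as an added example that is not code from the thread: it picks the hive file and the subkey under the mount point, then loads and opens it. The helper names `tray_target` and `read_offline_tray` are hypothetical, `os_major >= 6` stands for "Vista and later", and `%LocalAppData%` is assumed to sit at its default `<profile>\AppData\Local` location.

```c
/* Added example, not from the thread. "Test123" is the thread's mount name. */
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define TRAY_VISTA L"Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify"
#define TRAY_XP    L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TrayNotify"

/* Choose the hive file and the key path below the mount point for an offline
   profile. Vista+ keeps the data in UsrClass.dat (no "Software\Classes" prefix
   once that hive is mounted directly); XP keeps it in ntuser.dat.
   Returns 0 on success, -1 if either output buffer is too small. */
int tray_target(int os_major, const wchar_t *profile, const wchar_t *mount,
                wchar_t *hive, size_t nh, wchar_t *key, size_t nk)
{
    int a, b;
    if (os_major >= 6) {
        a = swprintf(hive, nh, L"%ls\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat", profile);
        b = swprintf(key, nk, L"%ls\\" TRAY_VISTA, mount);
    } else {
        a = swprintf(hive, nh, L"%ls\\ntuser.dat", profile);
        b = swprintf(key, nk, L"%ls\\" TRAY_XP, mount);
    }
    return (a < 0 || b < 0) ? -1 : 0;
}

#ifdef _WIN32
/* Caller must already hold SE_RESTORE_NAME and SE_BACKUP_NAME, as in the question. */
LONG read_offline_tray(int os_major, const wchar_t *profile, HKEY *out)
{
    wchar_t hive[MAX_PATH], key[512];
    LONG rc;
    if (tray_target(os_major, profile, L"Test123", hive, MAX_PATH, key, 512) != 0)
        return ERROR_INSUFFICIENT_BUFFER;
    rc = RegLoadKeyW(HKEY_LOCAL_MACHINE, L"Test123", hive);
    if (rc != ERROR_SUCCESS) return rc;          /* hive missing or already in use */
    rc = RegOpenKeyExW(HKEY_LOCAL_MACHINE, key, 0,
                       KEY_READ | KEY_WOW64_64KEY, out);
    if (rc != ERROR_SUCCESS)                     /* never leave the hive mounted */
        RegUnLoadKeyW(HKEY_LOCAL_MACHINE, L"Test123");
    return rc;  /* on success: RegCloseKey(*out), then RegUnLoadKeyW */
}
#endif
```

On success the caller closes the returned key before unloading `Test123`, since the unload fails while handles into the hive are still open.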
Re: Can't load 64-bit key using RegLoadKey in 32-bit service