-
December 19th, 2012, 01:12 AM
#1
[RESOLVED] Can't load 64-bit key using RegLoadKey in 32-bit service
I need to open up and modify a user's registry key from a 32-bit service (note that the user is not logged in at the time.) I do the following:
Code:
```cpp
// For simplicity, error checks are not shown.
// I also made sure to enable the following privileges:
//   SE_RESTORE_NAME, SE_BACKUP_NAME

// "ntuser.dat" is the file the OS uses to load the user's profile
RegLoadKey(HKEY_LOCAL_MACHINE, L"Test123", L"C:\\Users\\UserA\\ntuser.dat");

HKEY hKey;
DWORD dwRes = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
    L"Test123\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify",
    0, KEY_READ | KEY_WOW64_64KEY, &hKey);
// 'dwRes' is returned as 2, or ERROR_FILE_NOT_FOUND

RegUnLoadKey(HKEY_LOCAL_MACHINE, L"Test123");
```
The problem is that the "Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify" key isn't loaded, even though I know that it exists in the actual user profile. I can verify that by loading the user account and by using 64-bit regedit.
I suspect that this has something to do with the Wow64 redirection, but I can't seem to understand what I am doing wrong.
-
December 19th, 2012, 03:53 AM
#2
Re: Can't load 64-bit key using RegLoadKey in 32-bit service
It seems "\\Software\\Classes" is another mounting point for a separate hive. And it gets mounted only for a loaded user profile. This is just a hunch, as this is what I can see in regedit: HKEY_USERS\<SID string>_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify. No directly loaded hives in regedit have a Software\Classes path.
EDIT: This was in Win 7 64-bit. I just made sure, and I can see the same behavior in Windows XP/Vista 32-bit.
When the profile is loaded:
HKEY_USERS\<SID string> is mounted as HKEY_CURRENT_USER
HKEY_USERS\<SID string>_Classes is mounted as HKEY_CURRENT_USER\Software\Classes
Last edited by Igor Vartanov; December 19th, 2012 at 04:15 AM.
Best regards,
Igor
-
December 19th, 2012, 05:25 AM
#3
Re: Can't load 64-bit key using RegLoadKey in 32-bit service
Igor, much appreciated! I haven't been here for some time and here you are again, as always bailing my butt
How you been?
Thanks for the clarification. It all checks out, although I'm not quite sure about how to find the `HKEY_USERS\<SID string>_Classes` key in the user's file system. It doesn't seem to be in the ntuser.dat file. Here's how I know this: I copied the "C:\Users\UserA\ntuser.dat" file onto another computer and then did File -> Load Hive and specified that file from regedit. Below are the screenshots. As you can see the key I'm looking for is not there.
Any idea what .dat file the "HKEY_USERS\<SID string>_Classes" part is stored in?
-
December 19th, 2012, 01:21 PM
#4
Re: Can't load 64-bit key using RegLoadKey in 32-bit service
A quick follow-up: I found out that the classes data is actually stored in a different file "\Device\HarddiskVolume2\Users\UserA\AppData\Local\Microsoft\Windows\UsrClass.dat". Any idea how to get this path from a user's profile?
-
December 19th, 2012, 09:49 PM
#5
Re: Can't load 64-bit key using RegLoadKey in 32-bit service
Another correction.
For Windows Vista and later: The file to load is "%LocalAppData%\Microsoft\Windows\Usrclass.dat" which is a non-roaming part of the user's registry hive. (Mostly COM stuff + some additional settings.) And the key to open after it's loaded is "Test123\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify" because of the redirection/mapping that Igor explained above.
For Windows XP: The file to load is "CSIDL_PROFILE\ntuser.dat" and the key to open is "Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify". Note that in case of Windows XP the classes part of the user's registry hive was still placed in a roaming folder.
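The mapping from posts #2 and #5, as an added example that is not part of the original thread: it picks the hive file and the subkey to open for a key given relative to HKEY_CURRENT_USER, and on Windows mounts the hive and opens the key. `map_hkcu_key` and `open_offline_hkcu_key` are hypothetical helper names, and the code assumes Windows Vista or later with `AppData\Local` in its default place under the profile directory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CLASSES "Software\\Classes"

/* Case-insensitive: is `key` equal to `prefix` or a subkey of it? */
static int under_prefix(const char *key, const char *prefix) {
    size_t i, n = strlen(prefix);
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)key[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return key[n] == '\0' || key[n] == '\\';
}

/* Hypothetical helper (added example): maps an HKCU-relative key to the hive
   file to load and the subkey to open beneath the mount point. Assumes Vista+.
   Returns 1 for UsrClass.dat, 0 for ntuser.dat, -1 if a buffer is too small. */
int map_hkcu_key(const char *profile_dir, const char *hkcu_key,
                 char *hive, size_t hive_len, char *sub, size_t sub_len) {
    int classes = under_prefix(hkcu_key, CLASSES);
    const char *rel = hkcu_key + (classes ? strlen(CLASSES) : 0);
    int n;
    if (*rel == '\\') rel++;  /* drop the separator after Software\Classes */
    n = snprintf(hive, hive_len, "%s\\%s", profile_dir, classes
                 ? "AppData\\Local\\Microsoft\\Windows\\UsrClass.dat" : "ntuser.dat");
    if (n < 0 || (size_t)n >= hive_len) return -1;
    n = snprintf(sub, sub_len, "%s", rel);
    return (n < 0 || (size_t)n >= sub_len) ? -1 : classes;
}

#ifdef _WIN32
#include <windows.h>
/* Mounts the mapped hive at HKLM\<mount> and opens the key. On success the
   caller does RegCloseKey(*out), then RegUnLoadKeyA(HKEY_LOCAL_MACHINE, mount). */
LONG open_offline_hkcu_key(const char *profile_dir, const char *hkcu_key,
                           const char *mount, REGSAM sam, HKEY *out) {
    char hive[MAX_PATH], sub[512], full[640];
    LONG rc;
    if (map_hkcu_key(profile_dir, hkcu_key, hive, sizeof hive, sub, sizeof sub) < 0)
        return ERROR_INSUFFICIENT_BUFFER;
    rc = RegLoadKeyA(HKEY_LOCAL_MACHINE, mount, hive);
    if (rc != ERROR_SUCCESS) return rc;
    snprintf(full, sizeof full, sub[0] ? "%s\\%s" : "%s", mount, sub);
    rc = RegOpenKeyExA(HKEY_LOCAL_MACHINE, full, 0, sam, out);
    if (rc != ERROR_SUCCESS) RegUnLoadKeyA(HKEY_LOCAL_MACHINE, mount);
    return rc;
}
#endif
```

The process calling `open_offline_hkcu_key` needs SE_RESTORE_NAME and SE_BACKUP_NAME enabled, as post #1 notes, and a 32-bit caller passes `KEY_READ | KEY_WOW64_64KEY` as `sam`.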
-
December 19th, 2012, 09:50 PM
#6
Re: Can't load 64-bit key using RegLoadKey in 32-bit service