Update misleading informations in NtNotifyChangeMultipleKeys #2008
Conversation
|
@xmine64 : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change. |
| ### -param SubordinateObjects [in, optional] | ||
|
|
||
| Pointer to an array of <a href="/windows-hardware/drivers/ddi/content/wudfwdm/ns-wudfwdm-_object_attributes">OBJECT_ATTRIBUTES</a> structures, one for each subkey. This array can contain one <b>OBJECT_ATTRIBUTES</b> structure. | ||
| Pointer to an array of <a href="/windows-hardware/drivers/ddi/content/wudfwdm/ns-wudfwdm-_object_attributes">OBJECT_ATTRIBUTES</a> structures, one for each key. This array can contain one <b>OBJECT_ATTRIBUTES</b> structure and must not be a key in the same hive as the <i>MasterKeyHandle</i> key. |
There was a problem hiding this comment.
If these aren't in the same hive as the master root key, how then could they be "subkeys" of a given registry key, as the summary description of this function claims they are?
What then would be the usefulness of the function altogether if this weren't the case?
There was a problem hiding this comment.
Being a subkey isn't a requirement, I tested the API on \Registry\User.Default\TestKey while the master key was \Registry\Machine\Software\TestKey and it worked. While being a subkey is not a requirement, it's possible to load a hive in a non-root key so that way a key would have a subkey from another hive. As far as I know that's how BCD and SAM database are loaded in to the registry, they're not a root key like HKLM but a subkey of a parent key, but they're from a separate hive compared to their parent.
| ### -param ApcRoutine [in, optional] | ||
|
|
||
| A pointer to an asynchronous procedure call (APC) function supplied by the caller. If <i>ApcRoutine</i> is not <b>NULL</b>, the specified APC function executes after the operation completes. | ||
| A pointer to an asynchronous procedure call (APC) function supplied by the caller. If <i>ApcRoutine</i> is not <b>NULL</b>, the specified APC function executes after the operation completes. A <a href="/windows-hardware/drivers/ddi/wdm/ns-wdm-_work_queue_item">WORK_QUEUE_ITEM</a> must be provided instead of ApcRoutine in the <i>ZwNotifyChangeMultipleKeys</i> variant. |
There was a problem hiding this comment.
The proposed change is strange. Normally zw routines are == NT ones except for the detour back into the syscall table that changes the PreviousMode to KerneMode.
(When being invoked from user-mode via ntdll, both are the same thing.)
Are you suggesting that the parameter purpose completely changes altogether?
There was a problem hiding this comment.
The said parameters are just pointers, and they can be treated differently. This behavior was documented in ZwNotifyChangeKey but not here.
3 participants
During my analysis, I put so much time wondering why my call to NtNotifyChangeMultipleKeys returns with
STATUS_INVALID_PARAMETERandSTATUS_INVALID_OBJECT_NAMEwhile everything is correct, according to the documentations, just to find out there are misleading information in it. I'm making this PR so other people won't be confused like me.