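# 用户层遍历注册表

根路径-Windows有提供根路径的宏。

| 宏 | 描述 |
| - | - |
| HKEY_CLASSES_ROOT | 包含了所有应用程序运行时必需的信息: |
| HKEY_CURRENT_CONFIG | 允许软件和设备驱动程序员很方便的更新注册表,而不涉及到多个配置文件信息 |
| HKEY_CURRENT_USER | 管理系统当前的用户信息。在这个[根键](https://baike.baidu.com/item/%E6%A0%B9%E9%94%AE/1801316)中保存了本地计算机中存放的当前登录的用户信息,包括用户登录用户名和暂存的密码。在用户登录Windows时,其信息从HKEY_USERS中相应的项拷贝到HKEY_CURRENT_USER中。 |
| HKEY_LOCAL_MACHINE | HKEY_LOCAL_MACHINE保存了[注册表](https://baike.baidu.com/item/%E6%B3%A8%E5%86%8C%E8%A1%A8/101856)里的所有与这台计算机有关的配置信息,只是一个公共配置信息单元 |
| HKEY_USERS | 包含了[缺省](https://baike.baidu.com/item/%E7%BC%BA%E7%9C%81/86055)用户设置和登录用户的信息。虽然它包含了所有独立用户的设置,但在用户未登录时用户的设置是不可用的。这些设置告诉系统哪些图标会被使用,什么组可用,哪个[开始菜单](https://baike.baidu.com/item/%E5%BC%80%E5%A7%8B%E8%8F%9C%E5%8D%95/8336189)可用,哪些颜色和字体可用,和[控制面板](https://baike.baidu.com/item/%E6%8E%A7%E5%88%B6%E9%9D%A2%E6%9D%BF/7353685)上什么选项和设置可用。 |

HKEY 是注册表句柄。

函数成功返回ERROR_SUCCESS,失败时返回非零的系统错误码(可用 FormatMessage 配合 FORMAT_MESSAGE_FROM_SYSTEM 把错误码转成文本)。

| 函数 | 参数 | 描述 |
| - | - | - |
| RegOpenKeyEx(RegKey, 0, 0, 0, &hKey) | 句柄【上面5个宏其中一个,或已打开的 HKEY】、子项名称、可为0、安全权限、返回句柄【HKEY】 | 打开一个子项 |
| RegOpenKey(RegKey, lpSubKey, &hKey) | 句柄【5宏之一】、子项名、会返回句柄【HKEY】 | 打开一个子项 |
| RegQueryInfoKey | 过多将在代码中注释 | 返回一个子项下多少子项、多少子键等信息 |
| RegEnumValue | 过多将在代码中注释 | 遍历子键、以下标为索引、返回成功为条件 |
| RegEnumKey | 过多将在代码中注释 | 遍历子项、以下标索引、返回成功为条件 |
| RegCloseKey(hKey); | | 关闭句柄 |

```cpp
//-------------------------------- RegOpenKeyEx 打开句柄 --------------------------------
// RegOpenKeyEx(hKey, lpSubKey, ulOptions, samDesired, phkResult)
// samDesired: request only what the code below needs (KEY_READ). KEY_ALL_ACCESS is refused
// for a non-admin caller on most HKLM keys and grants far more than an enumerator needs.
HKEY hKey = NULL;

// Open the key itself (no sub key). The original wrote `&hKey == ERROR_SUCCESS` inside the
// argument list, which compares the pointer instead of the return value.
if (RegOpenKeyEx(RegKey, NULL, 0, KEY_READ, &hKey) != ERROR_SUCCESS) {
    return;   // the return value is the Win32 error code
}
RegCloseKey(hKey);

// Open a sub key: RegKey is the parent, lpSubKey the sub key name, hKey receives the handle.
if (RegOpenKeyEx(RegKey, lpSubKey, 0, KEY_READ, &hKey) != ERROR_SUCCESS) {
    return;
}

//-------------------------------- RegEnumKey 枚举子项 --------------------------------
// Assumed caller-provided output (constructed for this sample): WCHAR OutKeys[MaxKeys][MAX_PATH].
DWORD dwIndex = 0;
WCHAR wKeyName[MAX_PATH] = { 0 };
// The size argument is in characters; RegEnumKey NUL-terminates the name on success.
while (dwIndex < MaxKeys &&
       RegEnumKey(hKey, dwIndex, wKeyName, ARRAYSIZE(wKeyName)) == ERROR_SUCCESS) {
    // Copy the whole NUL-terminated name into its slot. The original memcpy'd wcslen()*2 bytes
    // at a MAX_PATH-byte stride: no terminator, and a MAX_PATH-byte slot cannot hold MAX_PATH WCHARs.
    wcscpy_s(OutKeys[dwIndex], MAX_PATH, wKeyName);
    dwIndex++;
}
RegCloseKey(hKey);

//-------------------------------- RegEnumValue 枚举子键 --------------------------------
WCHAR RegName[MAX_PATH * 2] = { 0 };   // 过小容易因为名称太大造成异常: value names can be long
DWORD index = 0;
for (;;) {
    // In/out parameter: it must hold the buffer size in characters before EVERY call, because a
    // successful call overwrites it with the length written. Starting from 0 (as the original
    // did) makes every call fail with ERROR_MORE_DATA.
    DWORD ccRegName = ARRAYSIZE(RegName);
    DWORD TypeValue = REG_NONE;
    LONG rc = RegEnumValue(RegKey, index, RegName, &ccRegName, NULL, &TypeValue, NULL, NULL);
    if (rc != ERROR_SUCCESS) {
        break;   // ERROR_NO_MORE_ITEMS ends the enumeration; anything else is a real failure
    }
    // The default (unnamed) value enumerates with an empty name; skip it as the original did.
    if (ccRegName == 0) {
        index++;
        continue;
    }
    // DWORD is unsigned long on Windows, so %lu / %lX (the original used %d / %X).
    printf("Index:[%lu]---RegName:[%S]---TYPE:[%08lX]\n", index, RegName, TypeValue);
    index++;
}

//-------------------------------- RegQueryInfoKey 判断当前子项是否有下级子项或者子键 ---------------
// KeyCnt: number of sub keys, KeyMaxLen: longest sub key name (characters, no terminator),
// NameCnt: number of values, MaxNameLen: longest value name, MaxDataLen: largest value data (bytes).
DWORD KeyCnt = 0, KeyMaxLen = 0, NameCnt = 0, MaxNameLen = 0, MaxDataLen = 0;
if (RegQueryInfoKey(RegKey, NULL, NULL, NULL, &KeyCnt, &KeyMaxLen, NULL,
                    &NameCnt, &MaxNameLen, &MaxDataLen, NULL, NULL) != ERROR_SUCCESS) {
    // the counters stay 0; treat the key as having no children
}
```

# 内核层遍历注册表

原帖转自:http://blog.sina.com.cn/s/blog_4171e80d0100r3hg.html

声明路径

```c
#define MY_REG_SOFTWARE_KEY_NAME L"\\Registry\\Machine\\Software\\Zhangfan"
// Pool tag for the buffers allocated below (constructed for this sample; use a project-specific tag).
#define MY_REG_POOL_TAG 'tseR'
```

创建关闭注册表

```c
#pragma INITCODE
VOID CreateRegTest()
{
    //(1)创建或打开某注册表项目
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    HANDLE hSubRegister = NULL;
    OBJECT_ATTRIBUTES objectAttributes;
    ULONG ulResult = 0;
    NTSTATUS ntStatus;

    //初始化UNICODE_STRING字符串
    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    //初始化objectAttributes
    // OBJ_CASE_INSENSITIVE: 不区分大小写 (the original comment said the opposite).
    // OBJ_KERNEL_HANDLE: the handle belongs to the kernel, not to whatever user process this
    // code happens to run in, so user mode can neither close nor reuse it.
    InitializeObjectAttributes(&objectAttributes,
                               &RegUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);
    //创建或打开注册表项目
    // The parent is only used as the root for the sub key below, so KEY_CREATE_SUB_KEY is enough.
    ntStatus = ZwCreateKey(&hRegister,
                           KEY_CREATE_SUB_KEY,
                           &objectAttributes,
                           0,
                           NULL,
                           REG_OPTION_NON_VOLATILE,
                           &ulResult);
    if (!NT_SUCCESS(ntStatus)) {
        // The original fell through and used/closed the uninitialised hRegister on failure.
        KdPrint(("ZwCreateKey failed: 0x%08X\n", ntStatus));
        return;
    }
    //判断是被新创建,还是已经被创建
    if (ulResult == REG_CREATED_NEW_KEY) {
        KdPrint(("The register item is created\n"));
    } else if (ulResult == REG_OPENED_EXISTING_KEY) {
        KdPrint(("The register item has been created,and now is opened\n"));
    }

    //(2)创建或打开某注册表项目的子项
    UNICODE_STRING subRegUnicodeString;
    OBJECT_ATTRIBUTES subObjectAttributes;
    //初始化UNICODE_STRING字符串
    RtlInitUnicodeString(&subRegUnicodeString, L"SubItem");
    //初始化subObjectAttributes: relative name, hRegister is the RootDirectory
    InitializeObjectAttributes(&subObjectAttributes,
                               &subRegUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               hRegister,
                               NULL);
    //创建或打开注册表项目 (nothing is written through hSubRegister, so KEY_READ suffices)
    ntStatus = ZwCreateKey(&hSubRegister,
                           KEY_READ,
                           &subObjectAttributes,
                           0,
                           NULL,
                           REG_OPTION_NON_VOLATILE,
                           &ulResult);
    if (NT_SUCCESS(ntStatus)) {
        //判断是被新创建,还是已经被创建
        if (ulResult == REG_CREATED_NEW_KEY) {
            KdPrint(("The sub register item is created\n"));
        } else if (ulResult == REG_OPENED_EXISTING_KEY) {
            KdPrint(("The sub register item has been created,and now is opened\n"));
        }
        ZwClose(hSubRegister);
    } else {
        KdPrint(("ZwCreateKey(SubItem) failed: 0x%08X\n", ntStatus));
    }
    //关闭注册表句柄
    ZwClose(hRegister);
}
```

打开注册表

```c
#pragma INITCODE
VOID OpenRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES objectAttributes;

    //初始化UNICODE_STRING字符串
    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    //初始化objectAttributes (OBJ_CASE_INSENSITIVE: 不区分大小写)
    InitializeObjectAttributes(&objectAttributes,
                               &RegUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);
    //打开注册表: this function only opens the key, so ask for KEY_READ rather than KEY_ALL_ACCESS
    NTSTATUS ntStatus = ZwOpenKey(&hRegister, KEY_READ, &objectAttributes);
    if (!NT_SUCCESS(ntStatus)) {
        // Never ZwClose an uninitialised handle on failure (the original did).
        KdPrint(("ZwOpenKey failed: 0x%08X\n", ntStatus));
        return;
    }
    KdPrint(("Open register successfully\n"));
    ZwClose(hRegister);
}
```

添加-修改注册表键值

```c
#pragma INITCODE
VOID SetRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES objectAttributes;
    UNICODE_STRING ValueName;

    //初始化UNICODE_STRING字符串
    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    //初始化objectAttributes (OBJ_CASE_INSENSITIVE: 不区分大小写)
    InitializeObjectAttributes(&objectAttributes,
                               &RegUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);
    //打开注册表: ZwSetValueKey needs KEY_SET_VALUE and nothing more
    NTSTATUS ntStatus = ZwOpenKey(&hRegister, KEY_SET_VALUE, &objectAttributes);
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwOpenKey failed: 0x%08X\n", ntStatus));
        return;
    }
    KdPrint(("Open register successfully\n"));

    //设置REG_DWORD子键
    RtlInitUnicodeString(&ValueName, L"REG_DWORD value");
    ULONG ulValue = 1000;
    ntStatus = ZwSetValueKey(hRegister, &ValueName, 0, REG_DWORD, &ulValue, sizeof(ulValue));
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwSetValueKey(REG_DWORD) failed: 0x%08X\n", ntStatus));
    }

    //设置REG_SZ子键
    RtlInitUnicodeString(&ValueName, L"REG_SZ value");
    // A writable array instead of a pointer to a literal: ZwSetValueKey takes a non-const PVOID.
    WCHAR strValue[] = L"hello world";
    // REG_SZ data must include the terminating NUL; sizeof(strValue) is exactly that many bytes
    // (the original computed wcslen(strValue)*2+2 by hand).
    ntStatus = ZwSetValueKey(hRegister, &ValueName, 0, REG_SZ, strValue, sizeof(strValue));
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwSetValueKey(REG_SZ) failed: 0x%08X\n", ntStatus));
    }

    //设置REG_BINARY子键 (the original comment said REG_MULTI_SZ)
    RtlInitUnicodeString(&ValueName, L"REG_BINARY value");
    UCHAR buffer[10];
    RtlFillMemory(buffer, sizeof(buffer), 0xFF);
    ntStatus = ZwSetValueKey(hRegister, &ValueName, 0, REG_BINARY, buffer, sizeof(buffer));
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwSetValueKey(REG_BINARY) failed: 0x%08X\n", ntStatus));
    }

    //关闭注册表句柄
    ZwClose(hRegister);
}
```

打开注册表

```c
#pragma INITCODE
VOID OpenRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES objectAttributes;

    //初始化UNICODE_STRING字符串
    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    //初始化objectAttributes (OBJ_CASE_INSENSITIVE: 不区分大小写)
    InitializeObjectAttributes(&objectAttributes,
                               &RegUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);
    //打开注册表: KEY_READ is all an open-and-report function needs
    NTSTATUS ntStatus = ZwOpenKey(&hRegister, KEY_READ, &objectAttributes);
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwOpenKey failed: 0x%08X\n", ntStatus));
        return;
    }
    KdPrint(("Open register successfully\n"));
    ZwClose(hRegister);
}
```

添加、修改注册表键值

```c
#pragma INITCODE
VOID SetRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    HANDLE hSubRegister = NULL;
    ULONG ulResult = 0;
    OBJECT_ATTRIBUTES objectAttributes;
    UNICODE_STRING ValueName;

    //初始化UNICODE_STRING字符串
    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    //初始化objectAttributes (OBJ_CASE_INSENSITIVE: 不区分大小写)
    InitializeObjectAttributes(&objectAttributes,
                               &RegUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);
    //打开注册表: the parent is only the root for the sub key, so KEY_CREATE_SUB_KEY suffices
    NTSTATUS ntStatus = ZwOpenKey(&hRegister, KEY_CREATE_SUB_KEY, &objectAttributes);
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwOpenKey failed: 0x%08X\n", ntStatus));
        return;
    }
    KdPrint(("Open register successfully\n"));

    //(2)创建或打开某注册表项目的子项
    UNICODE_STRING subRegUnicodeString;
    OBJECT_ATTRIBUTES subObjectAttributes;
    //初始化UNICODE_STRING字符串
    RtlInitUnicodeString(&subRegUnicodeString, L"zzl");
    //初始化subObjectAttributes: relative name, hRegister is the RootDirectory
    InitializeObjectAttributes(&subObjectAttributes,
                               &subRegUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               hRegister,
                               NULL);
    //创建或打开注册表项目: values are written through this handle, so ask for KEY_SET_VALUE
    ntStatus = ZwCreateKey(&hSubRegister,
                           KEY_SET_VALUE,
                           &subObjectAttributes,
                           0,
                           NULL,
                           REG_OPTION_NON_VOLATILE,
                           &ulResult);
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwCreateKey(zzl) failed: 0x%08X\n", ntStatus));
        ZwClose(hRegister);
        return;
    }
    //判断是被新创建,还是已经被创建
    if (ulResult == REG_CREATED_NEW_KEY) {
        KdPrint(("The sub register item is created\n"));
    } else if (ulResult == REG_OPENED_EXISTING_KEY) {
        KdPrint(("The sub register item has been created,and now is opened\n"));
    }

    //设置REG_DWORD子键
    RtlInitUnicodeString(&ValueName, L"REG_DWORD value");
    ULONG ulValue = 1000;
    ntStatus = ZwSetValueKey(hSubRegister, &ValueName, 0, REG_DWORD, &ulValue, sizeof(ulValue));
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwSetValueKey(REG_DWORD) failed: 0x%08X\n", ntStatus));
    }

    //设置REG_SZ子键 (sizeof includes the terminating NUL that REG_SZ data must carry)
    RtlInitUnicodeString(&ValueName, L"REG_SZ value");
    WCHAR strValue[] = L"hello world";
    ntStatus = ZwSetValueKey(hSubRegister, &ValueName, 0, REG_SZ, strValue, sizeof(strValue));
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwSetValueKey(REG_SZ) failed: 0x%08X\n", ntStatus));
    }

    //设置REG_BINARY子键 (the original comment said REG_MULTI_SZ)
    RtlInitUnicodeString(&ValueName, L"REG_BINARY value");
    UCHAR buffer[10];
    RtlFillMemory(buffer, sizeof(buffer), 0xFF);
    ntStatus = ZwSetValueKey(hSubRegister, &ValueName, 0, REG_BINARY, buffer, sizeof(buffer));
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwSetValueKey(REG_BINARY) failed: 0x%08X\n", ntStatus));
    }

    //关闭注册表句柄
    ZwClose(hSubRegister);
    ZwClose(hRegister);
}
```

查询注册表

```c
// Reads one value with the two-call pattern (size probe, then data).
// Returns a PagedPool buffer the caller frees with ExFreePoolWithTag(..., MY_REG_POOL_TAG),
// or NULL when the value does not exist, the allocation fails, or the read fails.
#pragma INITCODE
static PKEY_VALUE_PARTIAL_INFORMATION QueryValuePartial(HANDLE hRegister, PUNICODE_STRING ValueName)
{
    ULONG ulSize = 0;
    NTSTATUS ntStatus = ZwQueryValueKey(hRegister, ValueName, KeyValuePartialInformation, NULL, 0, &ulSize);
    // With a NULL buffer the probe reports the required size via STATUS_BUFFER_TOO_SMALL /
    // STATUS_BUFFER_OVERFLOW; anything else (e.g. STATUS_OBJECT_NAME_NOT_FOUND) means nothing to read.
    // The original only tested for NOT_FOUND and went on to allocate on every other failure.
    if ((ntStatus != STATUS_BUFFER_TOO_SMALL && ntStatus != STATUS_BUFFER_OVERFLOW) || ulSize == 0) {
        KdPrint(("The item is not exist\n"));
        return NULL;
    }
    PKEY_VALUE_PARTIAL_INFORMATION pvpi =
        (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePoolWithTag(PagedPool, ulSize, MY_REG_POOL_TAG);
    if (pvpi == NULL) {
        // The original dereferenced the allocation without checking it.
        KdPrint(("ExAllocatePoolWithTag failed\n"));
        return NULL;
    }
    ntStatus = ZwQueryValueKey(hRegister, ValueName, KeyValuePartialInformation, pvpi, ulSize, &ulSize);
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("Read regsiter error\n"));
        ExFreePoolWithTag(pvpi, MY_REG_POOL_TAG);
        return NULL;
    }
    return pvpi;
}

#pragma INITCODE
VOID QueryRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES objectAttributes;
    UNICODE_STRING ValueName;

    //初始化UNICODE_STRING字符串
    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    //初始化objectAttributes (OBJ_CASE_INSENSITIVE: 不区分大小写)
    InitializeObjectAttributes(&objectAttributes,
                               &RegUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);
    //打开注册表: reading values needs KEY_QUERY_VALUE only
    NTSTATUS ntStatus = ZwOpenKey(&hRegister, KEY_QUERY_VALUE, &objectAttributes);
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwOpenKey failed: 0x%08X\n", ntStatus));
        return;
    }
    KdPrint(("Open register successfully\n"));

    //读取REG_DWORD子键
    RtlInitUnicodeString(&ValueName, L"REG_DWORD value");
    PKEY_VALUE_PARTIAL_INFORMATION pvpi = QueryValuePartial(hRegister, &ValueName);
    if (pvpi != NULL) {
        //判断是否为REG_DWORD类型: check the type AND the length before interpreting Data
        if (pvpi->Type == REG_DWORD && pvpi->DataLength == sizeof(ULONG)) {
            ULONG ulValue;
            RtlCopyMemory(&ulValue, pvpi->Data, sizeof(ulValue));   // Data is UCHAR[]; copy out instead of casting
            KdPrint(("The value:%lu\n", ulValue));
        }
        ExFreePoolWithTag(pvpi, MY_REG_POOL_TAG);
    }

    //读取REG_SZ子键
    RtlInitUnicodeString(&ValueName, L"REG_SZ value");
    pvpi = QueryValuePartial(hRegister, &ValueName);
    if (pvpi != NULL) {
        //判断是否为REG_SZ类型
        if (pvpi->Type == REG_SZ) {
            // REG_SZ data is not guaranteed to be NUL-terminated (any writer can store arbitrary
            // bytes under that type), so never hand Data to %S; print it bounded by DataLength.
            UNICODE_STRING str;
            ULONG cb = pvpi->DataLength & ~(ULONG)1;          // whole WCHARs only
            if (cb > MAXUSHORT) {
                cb = MAXUSHORT & ~(ULONG)1;                   // UNICODE_STRING.Length is a USHORT
            }
            str.Buffer = (PWCHAR)pvpi->Data;
            str.Length = (USHORT)cb;
            if (str.Length >= sizeof(WCHAR) && str.Buffer[str.Length / sizeof(WCHAR) - 1] == L'\0') {
                str.Length -= sizeof(WCHAR);                  // drop the trailing NUL if present
            }
            str.MaximumLength = str.Length;
            KdPrint(("The value:%wZ\n", &str));
        }
        ExFreePoolWithTag(pvpi, MY_REG_POOL_TAG);             // the original leaked this buffer
    }

    ZwClose(hRegister);
}
```

枚举子项

```c
#pragma INITCODE
VOID EnumerateSubItemRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES objectAttributes;

    //初始化UNICODE_STRING字符串
    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    //初始化objectAttributes (OBJ_CASE_INSENSITIVE: 不区分大小写)
    InitializeObjectAttributes(&objectAttributes,
                               &RegUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);
    //打开注册表: KEY_READ covers KEY_QUERY_VALUE (ZwQueryKey) and KEY_ENUMERATE_SUB_KEYS (ZwEnumerateKey)
    NTSTATUS ntStatus = ZwOpenKey(&hRegister, KEY_READ, &objectAttributes);
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwOpenKey failed: 0x%08X\n", ntStatus));
        return;
    }
    KdPrint(("Open register successfully\n"));

    ULONG ulSize = 0;
    //第一次调用ZwQueryKey为了获取KEY_FULL_INFORMATION数据的长度
    ntStatus = ZwQueryKey(hRegister, KeyFullInformation, NULL, 0, &ulSize);
    if ((ntStatus != STATUS_BUFFER_TOO_SMALL && ntStatus != STATUS_BUFFER_OVERFLOW) || ulSize == 0) {
        KdPrint(("ZwQueryKey size probe failed: 0x%08X\n", ntStatus));
        ZwClose(hRegister);
        return;
    }
    PKEY_FULL_INFORMATION pfi =
        (PKEY_FULL_INFORMATION)ExAllocatePoolWithTag(PagedPool, ulSize, MY_REG_POOL_TAG);
    if (pfi == NULL) {
        ZwClose(hRegister);
        return;
    }
    //第二次调用ZwQueryKey为了获取KEY_FULL_INFORMATION数据的数据
    ntStatus = ZwQueryKey(hRegister, KeyFullInformation, pfi, ulSize, &ulSize);
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwQueryKey failed: 0x%08X\n", ntStatus));
        ExFreePoolWithTag(pfi, MY_REG_POOL_TAG);
        ZwClose(hRegister);
        return;
    }

    for (ULONG i = 0; i < pfi->SubKeys; i++) {
        //第一次调用ZwEnumerateKey为了获取KEY_BASIC_INFORMATION数据的长度
        ntStatus = ZwEnumerateKey(hRegister, i, KeyBasicInformation, NULL, 0, &ulSize);
        if ((ntStatus != STATUS_BUFFER_TOO_SMALL && ntStatus != STATUS_BUFFER_OVERFLOW) || ulSize == 0) {
            // STATUS_NO_MORE_ENTRIES here means the key changed underneath us; stop rather
            // than trust the stale SubKeys count.
            break;
        }
        PKEY_BASIC_INFORMATION pbi =
            (PKEY_BASIC_INFORMATION)ExAllocatePoolWithTag(PagedPool, ulSize, MY_REG_POOL_TAG);
        if (pbi == NULL) {
            break;
        }
        //第二次调用ZwEnumerateKey为了获取KEY_BASIC_INFORMATION数据的数据
        ntStatus = ZwEnumerateKey(hRegister, i, KeyBasicInformation, pbi, ulSize, &ulSize);
        if (NT_SUCCESS(ntStatus)) {
            // Name is not NUL-terminated and NameLength is in bytes, so print it through a
            // bounded UNICODE_STRING; clamp because Length is a USHORT.
            UNICODE_STRING uniKeyName;
            ULONG cb = pbi->NameLength > MAXUSHORT ? (MAXUSHORT & ~(ULONG)1) : pbi->NameLength;
            uniKeyName.Length = uniKeyName.MaximumLength = (USHORT)cb;
            uniKeyName.Buffer = pbi->Name;
            KdPrint(("The %lu sub item name:%wZ\n", i, &uniKeyName));
        }
        ExFreePoolWithTag(pbi, MY_REG_POOL_TAG);
    }

    ExFreePoolWithTag(pfi, MY_REG_POOL_TAG);
    ZwClose(hRegister);
}
```

枚举子键

```c
#pragma INITCODE
VOID EnumerateSubValueRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES objectAttributes;

    //初始化UNICODE_STRING字符串
    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    //初始化objectAttributes (OBJ_CASE_INSENSITIVE: 不区分大小写)
    InitializeObjectAttributes(&objectAttributes,
                               &RegUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);
    //打开注册表: enumeration and query only, so KEY_READ
    NTSTATUS ntStatus = ZwOpenKey(&hRegister, KEY_READ, &objectAttributes);
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwOpenKey failed: 0x%08X\n", ntStatus));
        return;
    }
    KdPrint(("Open register successfully\n"));

    ULONG ulSize = 0;
    // Size probe, then data (same two-call pattern as the sub key enumeration above).
    ntStatus = ZwQueryKey(hRegister, KeyFullInformation, NULL, 0, &ulSize);
    if ((ntStatus != STATUS_BUFFER_TOO_SMALL && ntStatus != STATUS_BUFFER_OVERFLOW) || ulSize == 0) {
        KdPrint(("ZwQueryKey size probe failed: 0x%08X\n", ntStatus));
        ZwClose(hRegister);
        return;
    }
    PKEY_FULL_INFORMATION pfi =
        (PKEY_FULL_INFORMATION)ExAllocatePoolWithTag(PagedPool, ulSize, MY_REG_POOL_TAG);
    if (pfi == NULL) {
        ZwClose(hRegister);
        return;
    }
    ntStatus = ZwQueryKey(hRegister, KeyFullInformation, pfi, ulSize, &ulSize);
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ZwQueryKey failed: 0x%08X\n", ntStatus));
        ExFreePoolWithTag(pfi, MY_REG_POOL_TAG);
        ZwClose(hRegister);
        return;
    }

    for (ULONG i = 0; i < pfi->Values; i++) {
        ntStatus = ZwEnumerateValueKey(hRegister, i, KeyValueBasicInformation, NULL, 0, &ulSize);
        if ((ntStatus != STATUS_BUFFER_TOO_SMALL && ntStatus != STATUS_BUFFER_OVERFLOW) || ulSize == 0) {
            break;   // the value set changed underneath us; do not trust the stale Values count
        }
        PKEY_VALUE_BASIC_INFORMATION pvbi =
            (PKEY_VALUE_BASIC_INFORMATION)ExAllocatePoolWithTag(PagedPool, ulSize, MY_REG_POOL_TAG);
        if (pvbi == NULL) {
            break;
        }
        ntStatus = ZwEnumerateValueKey(hRegister, i, KeyValueBasicInformation, pvbi, ulSize, &ulSize);
        if (NT_SUCCESS(ntStatus)) {
            // Name is not NUL-terminated; NameLength is in bytes and must fit a USHORT.
            UNICODE_STRING uniKeyName;
            ULONG cb = pvbi->NameLength > MAXUSHORT ? (MAXUSHORT & ~(ULONG)1) : pvbi->NameLength;
            uniKeyName.Length = uniKeyName.MaximumLength = (USHORT)cb;
            uniKeyName.Buffer = pvbi->Name;
            KdPrint(("The %lu sub value name:%wZ\n", i, &uniKeyName));
            switch (pvbi->Type) {
            case REG_SZ:
                KdPrint(("The sub value type:REG_SZ\n"));
                break;
            case REG_MULTI_SZ:
                KdPrint(("The sub value type:REG_MULTI_SZ\n"));
                break;
            case REG_DWORD:
                KdPrint(("The sub value type:REG_DWORD\n"));
                break;
            case REG_BINARY:
                KdPrint(("The sub value type:REG_BINARY\n"));
                break;
            default:
                KdPrint(("The sub value type:other (%lu)\n", pvbi->Type));
                break;
            }
        }
        ExFreePoolWithTag(pvbi, MY_REG_POOL_TAG);
    }

    ExFreePoolWithTag(pfi, MY_REG_POOL_TAG);
    ZwClose(hRegister);
}
```

删除子键

```c
#define MY_REG_SOFTWARE_KEY_NAME1 L"\\Registry\\Machine\\Software\\Zhangfan\\SubItem"

#pragma INITCODE
VOID DeleteItemRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES objectAttributes;

    //初始化UNICODE_STRING字符串
    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME1);
    //初始化objectAttributes (OBJ_CASE_INSENSITIVE: 不区分大小写)
    InitializeObjectAttributes(&objectAttributes,
                               &RegUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);
    //打开注册表: ZwDeleteKey requires DELETE access on the handle, and that is all it needs
    NTSTATUS ntStatus = ZwOpenKey(&hRegister, DELETE, &objectAttributes);
    if (!NT_SUCCESS(ntStatus)) {
        // The original called ZwDeleteKey/ZwClose on the uninitialised handle after a failed open.
        KdPrint(("ZwOpenKey failed: 0x%08X\n", ntStatus));
        return;
    }
    KdPrint(("Open register successfully\n"));

    ntStatus = ZwDeleteKey(hRegister);
    if (NT_SUCCESS(ntStatus)) {
        KdPrint(("Delete the item successfully\n"));
    } else if (ntStatus == STATUS_ACCESS_DENIED) {
        KdPrint(("STATUS_ACCESS_DENIED\n"));
    } else if (ntStatus == STATUS_INVALID_HANDLE) {
        KdPrint(("STATUS_INVALID_HANDLE\n"));
    } else {
        // ZwDeleteKey does not delete recursively; a key that still has sub keys is rejected.
        KdPrint(("Maybe the item has sub item to delete\n"));
    }
    ZwClose(hRegister);
}
```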