A .NET NT Registry Library and NT Registry Editor

26 May 2012 | CPOL
A .NET wrapper for NT Registry and a .NET NT RegEdit demo

Introduction

This article contributes a .NET wrapper, called NtRegistry, for manipulating the Windows Registry with NT native APIs. The library has an almost identical interface to the Win32 Registry library of the .NET Framework. I also created an NT Registry Editor (i.e. NtRegEdit), both to demonstrate how to use the library and potentially as a(nother) registry editor. An interesting point is that NtRegEdit can deal with hidden keys, as described in Dan Madden's article (see Background).

Background 

This article is inspired by the popular article Registry Manipulation Using NT Native APIs by Dan Madden. Naughty readers are encouraged to read his article to gain some understanding of the NT native functions and of how it is possible to hide a key from the Win32 registry API.

Anyway, I will give a quick explanation: NT native functions work with Unicode strings that carry an explicit length, while Win32 uses NULL-terminated ANSI (8-bit) or wide-character (16-bit) strings. Therefore, if a key is created with the NT native API and its name contains a NULL character, the Win32 API will not be able to read it. Since many registry editors use the Win32 API, the hidden key will remain hidden from them. Not from my NtRegEdit, though!

Using the code 

Using the NTRegistry library should be straightforward, since its class structure is identical to that of the .NET registry library. All methods are well-documented.

The following code demonstrates how to open HKEY_CURRENT_USER, create a subkey "My Key", and add a value "Pi" to the newly created key. Note that if "My Key" already exists, it will simply be opened, and if "Pi" already exists, it will simply be overwritten.

C#
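using NTRegistry;

// ...

// Open the HKEY_CURRENT_USER root key.
var hkcu = NtRegistry.CurrentUser;
// Create "My Key", or open it if it already exists.
var myKey = hkcu.CreateSubKey("My Key");
// Create the value "Pi", or overwrite it if it already exists.
myKey.SetValue("Pi", "3.14");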

If you want to create a hidden key, simply put a "\0" into the key name.

C#
var myKey = hkcu.CreateSubKey("My\0Key");

Run regedit and try to access the hidden key. It will be displayed as "My", since the rest of the name is stripped away when the Win32 API encounters the NULL character, and you will see an error message, like below.

  

Enumerate subkeys of a key:

C#
foreach (var subkeyName in key.GetSubKeyNames())
{
    var subkey = key.OpenSubKey(subkeyName);
    // Do whatever here...
}  

Enumerate values of a key: 

C#
foreach (var valueName in key.GetValueNames())
{
    var kind = key.GetValueKind(valueName);
    var data = key.GetValue(valueName);
    // Do whatever here...
}  

Easy, isn't it?

Using the NtRegEdit  

NtRegEdit mimics the functionality of the Windows RegEdit utility, but is less powerful. It is mainly for demo purposes, so don't ask too much.

However, it can create / delete hidden keys, which is a fun thing to play with. I like seeing how Windows RegEdit complains about those keys. Hidden keys are displayed with backslashes replacing the NULL characters, e.g. if a key is displayed as "My\Secret" in NtRegEdit, its real name is {"M", "y", NULL, "S", "e", "c", "r", "e", "t"}.
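The length mismatch described under Background and the backslash display convention above, as an added example (not code from the article or from the NtRegistry library). `counted_name` is a simplified stand-in for the NT counted string, and every function name and the sample data are constructed for illustration; the check in `has_embedded_nul` is what a registry audit tool would apply to each key name it reads through the native API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an NT counted string (UNICODE_STRING): the length
   travels with the buffer, so a 0x0000 code unit is an ordinary character. */
typedef struct {
    uint16_t length;         /* length in bytes, not characters */
    const uint16_t *buffer;  /* UTF-16 code units, no terminator needed */
} counted_name;

/* Code units a NUL-terminated (Win32-style) reader sees before it stops. */
size_t win32_visible_len(const counted_name *n) {
    size_t total = n->length / sizeof(uint16_t), i = 0;
    while (i < total && n->buffer[i] != 0) i++;
    return i;
}

/* Detection check: 1 when the real name is longer than the Win32 view. */
int has_embedded_nul(const counted_name *n) {
    return win32_visible_len(n) < n->length / sizeof(uint16_t);
}

/* Render the whole name, showing each NUL as a backslash (the display
   convention described for NtRegEdit). Non-ASCII units become '?'. */
size_t render_name(const counted_name *n, char *out, size_t cap) {
    size_t total = n->length / sizeof(uint16_t), i;
    if (cap == 0) return 0;
    for (i = 0; i < total && i + 1 < cap; i++) {
        uint16_t c = n->buffer[i];
        out[i] = c == 0 ? '\\' : (c < 0x80 ? (char)c : '?');
    }
    out[i] = '\0';
    return i;
}

/* Constructed sample: the key name "My\0Key" from the article's example. */
static const uint16_t SAMPLE[] = { 'M', 'y', 0, 'K', 'e', 'y' };
static const counted_name HIDDEN = { sizeof SAMPLE, SAMPLE };

int main(void) {
    char shown[32];
    render_name(&HIDDEN, shown, sizeof shown);
    printf("shown=%s win32_len=%zu hidden=%d\n", shown,
           win32_visible_len(&HIDDEN), has_embedded_nul(&HIDDEN));
    return 0;
}
```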

Known Problems   

Though the class structure remains almost the same as that of the .NET registry library, NtRegistry may behave slightly differently and is not very optimized. It was not designed with speed in mind, but it should be fast enough for most purposes, unless you plan to massively flood the registry.

NtRegEdit encounters some privilege-related problems when trying to access certain keys (this does not happen very often). I just ignore these "invalid" keys.

Credits   

Apart from Dan Madden's article, the ntdll wrapper functions were copied from the open source project Process Hacker. Icons were acquired from IconArchive.

History 

26 May, 2012 - Submitted first version.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL).