Introduction
This article contributes a .NET wrapper for manipulating the Windows Registry with NT native APIs, called NtRegistry. The library has an almost identical interface to the Win32 Registry library of the .NET Framework. I also created an NT Registry Editor (NtRegEdit), both to demonstrate how to use the library and to serve as a(nother) registry editor. An interesting point is that NtRegEdit can deal with hidden keys, as described in Dan Madden's article (see Background).
Background
This article is inspired by the popular article Registry Manipulation Using NT Native APIs by Dan Madden. Interested readers are encouraged to read his article to gain some understanding of the NT native functions, and of how it is possible to hide a key from the Win32 registry API.
Anyway, here is a quick explanation: NT native functions work with Unicode strings that carry an explicit length, while Win32 uses NULL-terminated ANSI (8-bit) or wide-character (16-bit) strings. Therefore, if a key is created with the NT native API and its name contains a NULL character, the Win32 API will not be able to read it. Since many registry editors use the Win32 API, the hidden key remains hidden from them. Not from my NtRegEdit though!
Using the code
Using the NtRegistry library should be straightforward, since its class structure is identical to that of the .NET registry library. All methods are well documented.
The following code demonstrates how to open HKEY_CURRENT_USER, create a subkey "My Key", and add a value "Pi" to the newly created key. Note that if "My Key" already exists, it will simply be opened, and if "Pi" already exists, it will simply be overwritten.
using NTRegistry;
...
var hkcu = NtRegistry.CurrentUser;          // HKEY_CURRENT_USER, opened through the NT native API
var myKey = hkcu.CreateSubKey("My Key");    // opens the existing key if "My Key" is already there
myKey.SetValue("Pi", "3.14");               // overwrites an existing "Pi" value
If you want to create a hidden key, simply put a "\0" into the key name.
var myKey = hkcu.CreateSubKey("My\0Key");
Run regedit and try to access the hidden key (it will be displayed as "My", since the rest of the name is stripped away when the Win32 API encounters the NULL character), and you will see an error message like the one below.
Enumerate subkeys of a key:
foreach (var subkeyName in key.GetSubKeyNames())
{
var subkey = key.OpenSubKey(subkeyName);
}
Enumerate values of a key:
foreach (var valueName in key.GetValueNames())
{
var kind = key.GetValueKind(valueName);
var data = key.GetValue(valueName);
}
Easy, isn't it?
Using the NtRegEdit
NtRegEdit mimics the functionality of the Windows RegEdit utility, but is less powerful. It is mainly for demonstration purposes, so don't expect too much.
However, it can create and delete hidden keys, which is a fun thing to play with. I like seeing how Windows RegEdit complains about those keys. Hidden keys are displayed with backslashes replacing the NULL character, e.g. if a key is displayed as "My\Secret" in NtRegEdit, its real name is {"M", "y", NULL, "S", "e", "c", "r", "e", "t"}.
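To make the length-versus-terminator point from the Background section and the display rule above concrete, here is an added Python example (not part of the article or the NtRegistry library). It parses a constructed KEY_BASIC_INFORMATION buffer, the structure NtEnumerateKey returns for the KeyBasicInformation class, by its explicit byte length as the native API defines it, then shows what a NUL-terminated Win32 reader and NtRegEdit's display would each make of the same name. The sample buffers are constructed in the code; the structure layout is the standard NT one.

```python
import struct

# KEY_BASIC_INFORMATION as returned by NtEnumerateKey(KeyBasicInformation):
#   LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG NameLength; WCHAR Name[];
# NameLength is a byte count and Name is NOT NUL-terminated, so a NUL can sit inside it.
_HEADER = struct.Struct("<qII")  # 16 bytes, Name follows immediately


def build_key_basic_information(name: str, last_write_time: int = 0) -> bytes:
    """Constructed sample buffer in KEY_BASIC_INFORMATION layout (test input only)."""
    raw_name = name.encode("utf-16-le")
    return _HEADER.pack(last_write_time, 0, len(raw_name)) + raw_name


def native_name(buf: bytes) -> str:
    """Read the name the way the NT API defines it: by the explicit NameLength."""
    _, _, name_length = _HEADER.unpack_from(buf, 0)
    start = _HEADER.size
    return buf[start:start + name_length].decode("utf-16-le")


def win32_visible_name(name: str) -> str:
    """What a NUL-terminated reader (Win32 registry API, regedit) sees: up to the first NUL."""
    nul = name.find("\0")
    return name if nul < 0 else name[:nul]


def ntregedit_display_name(name: str) -> str:
    """NtRegEdit's display convention from the article: embedded NULs shown as backslashes."""
    return name.replace("\0", "\\")


def is_hidden_key(name: str) -> bool:
    """A key is hidden from Win32 tooling if its native name contains a NUL."""
    return "\0" in name


def audit_subkeys(buffers):
    """Defender's sweep over a batch of KEY_BASIC_INFORMATION buffers: for each hidden key
    return (native name, name Win32 tools would show, NtRegEdit display name)."""
    findings = []
    for buf in buffers:
        name = native_name(buf)
        if is_hidden_key(name):
            findings.append((name, win32_visible_name(name), ntregedit_display_name(name)))
    return findings
```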
Known Problems
Though the class structure remains almost the same as that of the .NET registry library, NtRegistry may behave slightly differently and is not very optimized. It was not designed with speed in mind, but it should be fast enough for most purposes, unless you plan to massively flood the registry.
NtRegEdit encounters some privilege-related problems when trying to access certain keys (this does not happen very often). I just ignore these "invalid" keys.
Credits
Apart from Dan Madden's article, the ntdll wrapper functions were copied from the open source project Process Hacker. Icons were acquired from IconArchive.
History
26 May, 2012 - Submitted first version.