Windows Driver Kit: Kernel-Mode Driver Architecture
ZwCreateKey

The ZwCreateKey routine creates a new registry key or opens an existing one.

NTSTATUS 
  ZwCreateKey(
    OUT PHANDLE  KeyHandle,
    IN ACCESS_MASK  DesiredAccess,
    IN POBJECT_ATTRIBUTES  ObjectAttributes,
    IN ULONG  TitleIndex,
    IN PUNICODE_STRING  Class  OPTIONAL,
    IN ULONG  CreateOptions,
    OUT PULONG  Disposition  OPTIONAL
    );

Parameters

KeyHandle
Pointer to a HANDLE variable that receives a handle to the key.
DesiredAccess
Specifies an ACCESS_MASK value that determines the requested access to the object. In addition to the access rights that are defined for all types of objects (see ACCESS_MASK), the caller can specify one or more of the following access rights, which are specific to object directories:
DesiredAccess Flag        Allows Caller to Do This
KEY_QUERY_VALUE           Read key values.
KEY_SET_VALUE             Write key values.
KEY_CREATE_SUB_KEY        Create subkeys for the key.
KEY_ENUMERATE_SUB_KEYS    Read the key's subkeys.
KEY_CREATE_LINK           Create a symbolic link to the key. This flag is not used by device and intermediate drivers.
KEY_NOTIFY                Do not use.

The caller can also specify one of the following constants, which combines several ACCESS_MASK flags.

Constant          Consists of these ACCESS_MASK flags
KEY_READ          STANDARD_RIGHTS_READ, KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS, and KEY_NOTIFY
KEY_WRITE         STANDARD_RIGHTS_WRITE, KEY_SET_VALUE, and KEY_CREATE_SUB_KEY
KEY_EXECUTE       Same as KEY_READ.
KEY_ALL_ACCESS    STANDARD_RIGHTS_ALL, KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, and KEY_CREATE_LINK

ObjectAttributes
Pointer to an OBJECT_ATTRIBUTES structure that specifies the object name and other attributes. Use InitializeObjectAttributes to initialize this structure. If the caller is not running in a system thread context, it must set the OBJ_KERNEL_HANDLE attribute when it calls InitializeObjectAttributes.
TitleIndex
Device and intermediate drivers set this parameter to zero.
Class
Pointer to a Unicode string that contains the key's object class. This information is used by the configuration manager.
CreateOptions
Specifies the options to apply when creating or opening a key, specified as a compatible combination of the following flags.
CreateOptions Flag           Description
REG_OPTION_VOLATILE          Key is not preserved when the system is rebooted.
REG_OPTION_NON_VOLATILE      Key is preserved when the system is rebooted.
REG_OPTION_CREATE_LINK       The newly created key is a symbolic link. This flag is not used by device and intermediate drivers.
REG_OPTION_BACKUP_RESTORE    Key should be created or opened with special privileges that allow backup and restore operations. This flag is not used by device and intermediate drivers.

Disposition
Pointer to a variable that receives a value indicating whether a new key was created or an existing one opened.
Disposition Value          Description
REG_CREATED_NEW_KEY        A new key was created.
REG_OPENED_EXISTING_KEY    An existing key was opened.

Return Value

ZwCreateKey returns STATUS_SUCCESS on success, or the appropriate NTSTATUS error code on failure.

Comments

ZwCreateKey supplies a handle that the caller can use to manipulate a registry key. For more information, see Using the Registry in a Driver.

Once the handle pointed to by KeyHandle is no longer in use, the driver must call ZwClose to close it.

There are two alternate ways to specify the name of the key to be created or opened with ZwCreateKey:

  1. As a fully qualified pathname, supplied in the ObjectName member of the input ObjectAttributes. The pathnames of registry keys begin with \Registry.
  2. As a pathname relative to another registry key, represented by the handle in the RootDirectory member of the input ObjectAttributes.

If the key specified by ObjectAttributes does not exist, an attempt is made to create it. For this attempt to succeed, the new key must be a direct subkey of the key referred to by KeyHandle, and the given KeyHandle must have been opened for KEY_CREATE_SUB_KEY access.

If the specified key already exists, it is opened and its value is not affected in any way.

The security attributes specified by ObjectAttributes when a key is created determine whether the specified DesiredAccess is granted on subsequent calls to ZwCreateKey and ZwOpenKey.

If the caller is not running in a system thread context, it must ensure that any handles it creates are private handles. Otherwise, the handle can be accessed by the process in whose context the driver is running. For more information, see Object Handles.

For more information about working with registry keys, see Using the Registry in a Driver.

Note  If the call to this function occurs in user mode, you should use the name "NtCreateKey" instead of "ZwCreateKey".
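
The rules this page gives for driver callers (OBJ_KERNEL_HANDLE outside a system thread, TitleIndex of zero, and the link and backup/restore flags that device and intermediate drivers do not use) can be checked at code review. The following portable C is an added example, not WDK code: the create_key_call record, the F_* finding bits and audit_create_key are hypothetical names, and the numeric constants are the values from the Windows headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Numeric values as defined in the Windows SDK/WDK headers. */
#define KEY_CREATE_LINK            0x0020u
#define KEY_READ                   0x20019u   /* contains KEY_NOTIFY (0x0010) */
#define KEY_ALL_ACCESS             0xF003Fu   /* contains KEY_CREATE_LINK */
#define REG_OPTION_CREATE_LINK     0x2u
#define REG_OPTION_BACKUP_RESTORE  0x4u
#define OBJ_KERNEL_HANDLE          0x200u

/* Hypothetical finding bits returned by audit_create_key(). */
enum {
    F_HANDLE_NOT_PRIVATE = 1 << 0, /* OBJ_KERNEL_HANDLE missing outside a system thread */
    F_LINK_ACCESS        = 1 << 1, /* DesiredAccess carries KEY_CREATE_LINK */
    F_LINK_OR_BACKUP_OPT = 1 << 2, /* CreateOptions flag not used by drivers */
    F_TITLE_INDEX        = 1 << 3  /* TitleIndex is not zero */
};

/* Hypothetical record of the arguments seen at one ZwCreateKey call site. */
struct create_key_call {
    uint32_t desired_access;
    uint32_t attributes;       /* Attributes given to InitializeObjectAttributes */
    uint32_t title_index;
    uint32_t create_options;
    int      in_system_thread; /* nonzero if the call runs in a system thread */
};

/* KEY_NOTIFY is not flagged on its own because KEY_READ includes it. */
unsigned audit_create_key(const struct create_key_call *c)
{
    unsigned f = 0;
    if (!c->in_system_thread && !(c->attributes & OBJ_KERNEL_HANDLE))
        f |= F_HANDLE_NOT_PRIVATE;
    if (c->desired_access & KEY_CREATE_LINK)
        f |= F_LINK_ACCESS;
    if (c->create_options & (REG_OPTION_CREATE_LINK | REG_OPTION_BACKUP_RESTORE))
        f |= F_LINK_OR_BACKUP_OPT;
    if (c->title_index != 0)
        f |= F_TITLE_INDEX;
    return f;
}

int main(void)
{
    /* Constructed call sites: one follows the page's rules, one does not. */
    struct create_key_call ok  = { KEY_READ, OBJ_KERNEL_HANDLE, 0, 0, 0 };
    struct create_key_call bad = { KEY_ALL_ACCESS, 0, 0, REG_OPTION_BACKUP_RESTORE, 0 };
    printf("ok=0x%x bad=0x%x\n", audit_create_key(&ok), audit_create_key(&bad));
    return 0;
}
```

Because KEY_ALL_ACCESS includes KEY_CREATE_LINK, a call site that requests it is reported even when the driver never creates links.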

Requirements

IRQL: PASSIVE_LEVEL

Headers: Declared in Wdm.h. Include Wdm.h, Ntddk.h, or Ntifs.h.

See Also

ACCESS_MASK, InitializeObjectAttributes, ZwClose, ZwDeleteKey, ZwEnumerateKey, ZwEnumerateValueKey, ZwFlushKey, ZwOpenKey, ZwQueryValueKey, ZwSetValueKey


Built on October 01, 2009