New and Updated in June 2020

If only to start with, June is about picking up some loose ends from May’s work with Event Tracing for Windows (ETW).

One point to the term “loose end” is that what’s talked of is some small or slight thing among the bits and pieces at the end of this, that or the other. If there is any one kernel-mode API to dismiss as a loose end without its being small or slight, it is the ancient RtlQueryRegistryValues function. It was clearly intended as a convenience for low-level programmers to load all the configurable settings for their driver or service in one go from definitions in tables. But anyone’s thought that this was standardised handling that would be more robust for being written by the system’s manufacturer is long, long gone. It seems fair, if not generous, to say the RtlQueryRegistryValues function has for decades been regarded by its intended users as much too fickle to count as any sort of convenience. It can have surprised nobody when Microsoft’s documentation started warning (in 2010 to 2012) that one flag was unsafe and that with another “an untrusted user-mode application may be able to cause a buffer overflow.” Alarmingly, these problems were deemed so serious that not only was a new flag introduced for mitigation but its omission “by a call from kernel-mode causes a 0x139 bug check (KERNEL_SECURITY_CHECK_FAILURE)” in some circumstances.

Given such history, it is well past time that RtlQueryRegistryValues is documented here—and it will be, but not in what remains of June. One thing leads to another, which leads to another, and so on, especially when the first thing is such a mess. Somehow, the sequence led me to the Object Manager, whose structures and functions and bug checks have, like ETW, been on my to-do list for decades, but unlike ETW, not before produced even one page I’ve felt was good enough to publish. What I offer now, today at the end of the month, wouldn’t have passed muster years ago. My standards may be slipping. But at long last I have at least broken the ground. There will be more.

Kernel Mode

Kernel
- API
  - Executive
    - Resources (new)
      - Functions
        
        ExIsResourceAcquiredShared (new)
        
        ExIsResourceAcquiredSharedLite (new)
      - Structures
        
        ERESOURCE (new)
        
        RTL_PROCESS_LOCK_INFORMATION
    - System Information
      - Structures
        
        SYSTEM_HANDLE_TABLE_ENTRY_INFO
        
        SYSTEM_OBJECTTYPE_INFORMATION
  - Object Manager
    - Query
      - Structures
        
        OBJECT_BASIC_INFORMATION (new)
        
        OBJECT_HANDLE_FLAG_INFORMATION (new)
        
        OBJECT_TYPE_INFORMATION (new)
        
        OBJECT_TYPES_INFORMATION (new)
      - Enumerations
        
        OBJECT_INFORMATION_CLASS (new)
    - Structures
      - OBJECT_HEADER (new)
        
        Flags (new)
        
        InfoMask (new)
        
        TraceFlags (new)
      - OBJECT_HEADER_AUDIT_INFO (new)
      - OBJECT_HEADER_CREATOR_INFO (new)
      - OBJECT_HEADER_HANDLE_INFO (new)
      - OBJECT_HEADER_HANDLE_REVOCATION_INFO (new)
      - OBJECT_HEADER_NAME_INFO (new)
      - OBJECT_HEADER_PROCESS_INFO (new)
      - OBJECT_HEADER_QUOTA_INFO (new)
  - Run Time Library
    - NLS
      - Functions
        
        RtlAppendUnicodeToString (new)
        
        RtlCreateUnicodeString (new)
    - Stack Trace Database
      - Structures
        
        RTL_PROCESS_BACKTRACES
    - Strings
      - Structures
        
        UNICODE_STRING (new)