Geoff Chappell - Software Analyst
If only to start with, June is about picking up some loose ends from May’s work with Event Tracing for Windows (ETW).
One point to the term loose end is that what’s talked of is small or slight in some way, among the bits and pieces at the end of this or that. If there is any one kernel-mode API to dismiss as a loose end without its being small or slight, it is the ancient RtlQueryRegistryValues function. It was clearly intended as a convenience for low-level programmers to load all the configurable settings for their driver or service in go from definitions in tables. But all thought that this was standardised handling that would be more robust for being written by the system’s manufacturer is long, long gone. It seems fair, if not generous, to say the RtlQueryRegistryValues function has for decades been regarded by its intended users as much too fickle to count as convenience. It will have surprised none of them in 2010 to 2012 when Microsoft’s documentation started warning that one flag was unsafe and that with another “an untrusted user-mode application may be able to cause a buffer overflow.” Alarmingly, these problems were deemed so serious that not only was a new flag introduced for mitigation but its omission in some circumstances “by a call from kernel-mode causes a 0x139 bug check (KERNEL_SECURITY_CHECK_FAILURE).”
Given such history, it is well past time that RtlQueryRegistryValues is documented here—and it will be, but not in what remains of June. One thing leads to another, which leads to another, and so on, especially when the first thing is such a mess. Somehow, the sequence led me to the Object Manager, whose structures and functions and bug checks have, like ETW, been on my to-do list for decades, but unlike ETW, not before produced even on page I’ve felt was good enough to publish. What I offer now, today at the end of the month, wouldn’t have passed muster years ago. My standards may be slipping. But at long last I have at least broken the ground. There will be more.