Geoff Chappell, Software Analyst
This function produces the registry key for reading a given executable’s Image File Execution Options.
NTSTATUS
LdrOpenImageFileOptionsKey (
    UNICODE_STRING *SubKey,
    BOOLEAN Wow64,
    HANDLE *KeyHandle);
The SubKey argument specifies the subkey in which to look for the options. Note however that the subkey is not necessarily used whole. See below for details.
The Wow64 argument is TRUE to get the key from the Wow6432Node branch.
The KeyHandle argument is the address of a variable that is to receive the opened key.
The function returns zero for success, else an error code.
NTDLL supports a variety of Image File Execution Options which can be specified in the registry. The parent key for this configurability is:
Each of these parent keys is opened (for KEY_QUERY_VALUE and KEY_ENUMERATE_SUB_KEYS access) on the first call with matching Wow64 argument to any of the following functions, and is then kept open:
If the parent key is not already open and the function cannot open it, then the function fails.
The general scheme provides for subkeys in which to specify options for different executables. The subkey for a particular executable is the executable’s filename, but the function provides that a whole pathname may be given as the SubKey argument. If the given SubKey contains a backslash, then the subkey that is used is just whatever follows the last backslash. The function opens the subkey, again asking only for KEY_QUERY_VALUE and KEY_ENUMERATE_SUB_KEYS access. If the function cannot open the subkey, it fails. Otherwise, it stores the handle at the address given by the KeyHandle argument.
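The reduction described above means that options are keyed by filename alone, so executables with the same filename in different directories resolve to the same subkey. The following is an added example, not code from NTDLL or from the original page: a portable model of that reduction over a counted UTF-16 string. The names COUNTED_STRING, ifeo_subkey_name and ifeo_subkey_for are hypothetical, and the sample paths are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for UNICODE_STRING (not the Windows definition): Length is in
   bytes, Buffer is UTF-16 and need not be null-terminated. */
typedef struct { uint16_t Length; const uint16_t *Buffer; } COUNTED_STRING;

/* Hypothetical helper modelling the reduction the page describes: keep
   whatever follows the last backslash, or the whole string if there is none. */
static COUNTED_STRING ifeo_subkey_name(COUNTED_STRING SubKey)
{
    size_t n = SubKey.Length / sizeof(uint16_t), start = 0, i;
    COUNTED_STRING out;
    for (i = 0; i < n; i++)
        if (SubKey.Buffer[i] == 0x005C)   /* backslash only, not '/' */
            start = i + 1;
    out.Length = (uint16_t)((n - start) * sizeof(uint16_t));
    out.Buffer = SubKey.Buffer + start;   /* may be empty: path ended in '\' */
    return out;
}

/* Wrapper for ASCII sample input: widens the path to UTF-16, reduces it,
   and narrows the resulting subkey name into out. */
static const char *ifeo_subkey_for(const char *path, char *out, size_t outsz)
{
    uint16_t wide[260];
    COUNTED_STRING in, name;
    size_t n = strlen(path), i;
    if (outsz == 0) return out;
    if (n > 260) n = 260;
    for (i = 0; i < n; i++) wide[i] = (unsigned char)path[i];
    in.Length = (uint16_t)(n * sizeof(uint16_t));
    in.Buffer = wide;
    name = ifeo_subkey_name(in);
    n = name.Length / sizeof(uint16_t);
    if (n >= outsz) n = outsz - 1;
    for (i = 0; i < n; i++) out[i] = (char)name.Buffer[i];
    out[n] = '\0';
    return out;
}

int main(void)
{
    char a[64], b[64];   /* constructed paths: different directories, same file */
    printf("%s | %s\n", ifeo_subkey_for("C:\\Windows\\System32\\example.exe", a, sizeof a),
           ifeo_subkey_for("D:\\Temp\\example.exe", b, sizeof b));
    return 0;
}
```

The page does not say how the function treats an empty remainder, so the model simply returns a zero-length name for a path that ends in a backslash.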
The LdrOpenImageFileOptionsKey function is exported by name from NTDLL.DLL in version 5.2 starting from Windows Server 2003 SP1, and higher.