Tuesday, July 10, 2018

Guessing the type of an absent Registry value from Process Monitor logs

One user was trying to use Process Monitor to work out what a program was looking for in the Registry. The value in question was not present, so the RegQueryValue operation's result was NAME NOT FOUND. When a query succeeds, Process Monitor reports the data type, but it does not when the value is not found. This is because the API used to query the Registry does not take a requested data type: the Registry simply stores chunks of data for the application to interpret. When a value is found, the Registry returns its kind along with the data, but if the value isn't there, there is no kind to report.

There is one piece of information that can support a guess about the value type, at least in some cases. Applications must pass in a buffer for the returned data along with that buffer's length. Process Monitor reports a "Length" even for unsuccessful Registry queries, but (at least on 64-bit systems) the number is 12 bytes larger than what the application supplied. Subtracting 12 from the reported "Length" therefore gives the size the application expects the result to be. A DWord occupies 4 bytes and a QWord occupies 8 bytes; all the other kinds (mostly strings) are variable-length.
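As an added example (not code from the post), the inference above applied to a Process Monitor CSV export: the column names, the "Length: N" form of the Detail field, and the log lines themselves are constructed assumptions for this illustration.

```python
import csv
import io
import re

# Overhead the post observed on 64-bit systems: the Length Procmon reports is
# 12 bytes larger than the buffer size the application actually supplied.
PROCMON_LENGTH_OVERHEAD = 12

# Fixed-size value kinds; everything else (REG_SZ, REG_BINARY, ...) is variable-length.
FIXED_SIZE_KINDS = {4: "REG_DWORD", 8: "REG_QWORD"}

# Constructed sample in the (assumed) column layout of a Procmon CSV export.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","app.exe","1234","RegQueryValue","HKCU\\Software\\Example\\Timeout","NAME NOT FOUND","Length: 16"
"10:01:02.0002","app.exe","1234","RegQueryValue","HKCU\\Software\\Example\\Counter","NAME NOT FOUND","Length: 20"
"10:01:02.0003","app.exe","1234","RegQueryValue","HKCU\\Software\\Example\\InstallDir","NAME NOT FOUND","Length: 532"
"10:01:02.0004","app.exe","1234","RegQueryValue","HKCU\\Software\\Example\\Version","SUCCESS","Type: REG_SZ, Length: 8, Data: 1.0"
"10:01:02.0005","app.exe","1234","RegOpenKey","HKCU\\Software\\Example","NAME NOT FOUND","Desired Access: Read"
"""

_LENGTH_RE = re.compile(r"\bLength:\s*(\d+)")


def guess_missing_value_types(csv_text, overhead=PROCMON_LENGTH_OVERHEAD):
    """Map each RegQueryValue path that ended in NAME NOT FOUND to
    (expected_buffer_size, guessed_kind). 4 bytes -> REG_DWORD, 8 -> REG_QWORD,
    anything else is only known to be variable-length. This is a guess: a small
    buffer could also be a short string, which is why the post calls it one."""
    guesses = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "RegQueryValue" or row["Result"] != "NAME NOT FOUND":
            continue  # successful queries already carry a Type; other ops are irrelevant
        match = _LENGTH_RE.search(row["Detail"])
        if not match:
            continue  # no Length recorded, so nothing to infer
        buffer_size = int(match.group(1)) - overhead
        if buffer_size < 0:
            continue  # the overhead assumption does not hold for this row; do not guess
        kind = FIXED_SIZE_KINDS.get(buffer_size, "variable-length (string/binary?)")
        guesses[row["Path"]] = (buffer_size, kind)
    return guesses


if __name__ == "__main__":
    for path, (size, kind) in guess_missing_value_types(SAMPLE_CSV).items():
        print(f"{path}: application expects {size} bytes -> {kind}")
```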
