티스토리 뷰
How To Implement a Recursive RegDeleteKey for Windows NT
| Article ID | : | 142491 |
| Last Review | : | November 21, 2006 |
| Revision | : | 3.3 |
This article was previously published under Q142491
SUMMARY
In Windows 95, the RegDeleteKey function not only deletes the particular key specified but also any subkey descendants. In contrast, the Windows NT version of this function deletes only the particular key specified and will not delete any key that has subkey descendants.
To delete a key and all of its subkeys in Windows NT, a recursive delete function is implemented using RegEnumKeyEx and RegDeleteKey. This recursive delete function uses the following simple two-step algorithm:
To delete a key and all of its subkeys in Windows NT, a recursive delete function is implemented using RegEnumKeyEx and RegDeleteKey. This recursive delete function uses the following simple two-step algorithm:
| 1. | Traverse down each subkey branch, one branch at a time, enumerating keys at each subkey level, until the last subkey leaf is reached. |
| 2. | Individually delete each subkey in reverse succession, one branch at a time, until the specified key is deleted. |
Back to the topMORE INFORMATION
Starting at the particular key specified, each key is traversed by using RegEnumKeyEx, which determines if there are any subkeys. If so, the subkey's name is passed to the recursive delete function in order to traverse to the next subkey. This process is repeated for all subkey descendants. When RegEnumKeyEx reports that there are no more subkeys (that is, ERROR_NO_MORE_ITEMS) for the current key, a subkey leaf has been reached.
Once the subkey leaf is deleted using RegDeleteKey, the recursive delete function re-examines the parent key for any remaining subkeys. If a subkey does exist, it is also traversed until a subkey leaf is reached and deleted allowing the recursive delete function to re-examine the parent key. The process is repeated for each subkey branch until no subkey branches remain. Then the particular key specified may itself be deleted.
A point to remember when enumerating and deleting subkeys is to always enumerate subkey index zero (that is, DWORD iSubkey = 0). Because keys are re-indexed after each key is deleted, the use of a non-zero subkey index would result in keys not being deleted. This in turn would result in the failure of the RegDeleteKey function when an attempt is made to delete the subkey's parent key.
To protect against partial deletions caused by protected keys, you should test each individual key to ensure that it is not protected from deletion. To test if the current user has deletion rights on all the keys to be deleted, you must traverse, enumerate, and open all subkeys with DELETE privilege requested:
Note that the DELETE privilege is not explicitly defined in the RegOpenKeyEx() documentation under the "samDesired" parameter. But most securable objects under Windows NT, including registry keys, have a set of standard access rights that correspond to operations specific to that type of object. And, DELETE is one of these standard access rights that applies to all registry keys, in addition to READ_CONTROL, RIGHT_DAC, and RIGHT_OWNER rights. So, using the DELETE constant in the RegOpenKeyEx() call above will work correctly.
To truly protect the registry against partial deletion, you need to follow a two-step process. First, prior to the deletion attempt, save the initial state of the registry path to be deleted. Then, to recover from a partial deletion, you could restore the registry to its former state using the information already saved. If partial deletions are acceptable, however, failure to delete a key could trigger the recursive delete function to fail or the key to be skipped.
Once the subkey leaf is deleted using RegDeleteKey, the recursive delete function re-examines the parent key for any remaining subkeys. If a subkey does exist, it is also traversed until a subkey leaf is reached and deleted allowing the recursive delete function to re-examine the parent key. The process is repeated for each subkey branch until no subkey branches remain. Then the particular key specified may itself be deleted.
A point to remember when enumerating and deleting subkeys is to always enumerate subkey index zero (that is, DWORD iSubkey = 0). Because keys are re-indexed after each key is deleted, the use of a non-zero subkey index would result in keys not being deleted. This in turn would result in the failure of the RegDeleteKey function when an attempt is made to delete the subkey's parent key.
Partial Deletions
Failure to fully delete the particular key specified can be the result of 'partial deletions' (the failure to delete all available subkeys). Although partial deletions can result from several situations, one possible cause is individual key protection.To protect against partial deletions caused by protected keys, you should test each individual key to ensure that it is not protected from deletion. To test if the current user has deletion rights on all the keys to be deleted, you must traverse, enumerate, and open all subkeys with DELETE privilege requested:
RegOpenKeyEx(
hStartKey,pKeyName, 0,
KEY_ENUMERATE_SUB_KEYS | DELETE,
&hKey ))
Note that the DELETE privilege is not explicitly defined in the RegOpenKeyEx() documentation under the "samDesired" parameter. But most securable objects under Windows NT, including registry keys, have a set of standard access rights that correspond to operations specific to that type of object. And, DELETE is one of these standard access rights that applies to all registry keys, in addition to READ_CONTROL, RIGHT_DAC, and RIGHT_OWNER rights. So, using the DELETE constant in the RegOpenKeyEx() call above will work correctly.
To truly protect the registry against partial deletion, you need to follow a two-step process. First, prior to the deletion attempt, save the initial state of the registry path to be deleted. Then, to recover from a partial deletion, you could restore the registry to its former state using the information already saved. If partial deletions are acceptable, however, failure to delete a key could trigger the recursive delete function to fail or the key to be skipped.
Sample Code
// The sample code makes no attempt to check or recover from partial
// deletions.
//
// A registry key that is opened by an application can be deleted
// without error by another application in both Windows 95 and
// Windows NT. This is by design.
DWORD RegDeleteKeyNT(HKEY hStartKey , LPTSTR pKeyName )
{
DWORD dwRtn, dwSubKeyLength;
LPTSTR pSubKey = NULL;
TCHAR szSubKey[MAX_KEY_LENGTH]; // (256) this should be dynamic.
HKEY hKey;
// Do not allow NULL or empty key name
if ( pKeyName && lstrlen(pKeyName))
{
if( (dwRtn=RegOpenKeyEx(hStartKey,pKeyName,
0, KEY_ENUMERATE_SUB_KEYS | DELETE, &hKey )) == ERROR_SUCCESS)
{
while (dwRtn == ERROR_SUCCESS )
{
dwSubKeyLength = MAX_KEY_LENGTH;
dwRtn=RegEnumKeyEx(
hKey,
0, // always index zero
szSubKey,
&dwSubKeyLength,
NULL,
NULL,
NULL,
NULL
);
if(dwRtn == ERROR_NO_MORE_ITEMS)
{
dwRtn = RegDeleteKey(hStartKey, pKeyName);
break;
}
else if(dwRtn == ERROR_SUCCESS)
dwRtn=RegDeleteKeyNT(hKey, szSubKey);
}
RegCloseKey(hKey);
// Do not save return code because error
// has already occurred
}
}
else
dwRtn = ERROR_BADKEY;
return dwRtn;
}
APPLIES TO
| • | Microsoft Win32 Application Programming Interface, when used with: | ||||||||||||||||||
| |||||||||||||||||||
'IT > 프로그래밍' 카테고리의 다른 글
| data_seg pragma를 이용한 공유 섹션 DLL [펌 blog.naver.com/sim9108] (1) | 2008.01.21 |
|---|---|
| 전처리문 (#include, #define, #if, #error, #line, #pragma, ...) [펌 cafe.naver.com/devctrl.cafe] (0) | 2008.01.21 |
| How To sscanf() Example Using a Comma (,) as Delimiter (0) | 2008.01.18 |
| MSDN CFileDialog - 한글 (1) | 2008.01.18 |
| __stdcall, __cdecl [펌 keegan.tistory.com] (0) | 2008.01.16 |
공지사항
최근에 올라온 글
최근에 달린 댓글
- Total
- Today
- Yesterday
링크
- 지루박멸연구센타
- 열정의 힘을 믿는다
- Le4rN TO Cr4cK
- 디버깅에관한모든것(DebugLab)
- sysinternals
- FoundStone
- hashtab
- 보안-coderant
- 디바이스드라이버 개발자 포럼
- dualpage.muz.ro
- osronline.com - 드라이버 관련 정보 사이트
- NtInternals - NativeAPI Refere…
- pcthreat - spyware 정보 제공
- rootkit.com - 루트킷 관련 정보
- www.ntinternals.net
- WINE CrossRef. - source.winehq…
- tuts4you
- hex-rays
- idapalace
- idefense
- immunityinc
- threatexpert
- hdp.null2root.org
- www.crackstore.com
- crackmes.de
- www.who.is
- www.cracklab.ru
- community.reverse-engineering.…
- video.reverse-engineering.net
- SnD
- 클레이 키위
- reversengineering.wordpress.co…
- www.openrce.org
- www.woodmann.com
- PEID.Plusins.BobSoft
- roxik.com/pictaps/
- regexlib.com
- spyware-browser.com
- www.usboffice.kr
- regulator
- www.txt2re.com
- ietab.mozdev.org
- zesrever.xstone.org
- www.heaventools.com/PE-file-he…
- www.heaventools.com
- www.innomp3.com
- 울지않는벌새
- exetools.com-forum
- exetools.com
- utf8 conv
- robtex - IP trace
- onsamehost - same IP sites
- JpopSuki
- jsunpack.jeek.org
- wepawet.iseclab.org
- www.jswiff.com
- www.hackeroo.com
- winesearcher.co.kr
- khpga.org
- malwareurl.com
- anubis.iseclab.org
- www.crummy.com-eautifulSoup
- malwarebytes.org/forums
- bbs.janmeng.com
- blackip.ustc.edu.cn
- eureka.cyber-ta.org
- exploit-db.com
TAG
- 시스템트래이딩
- logrotate
- 전세매매지수
- ChatGPT
- 주택구매력지수
- ElasticSearch
- 사회간접자본
- CriticalSection
- 주식트래이딩
- 피봇
- systemd
- 실시간트래이딩
- 자동트래이딩
- hai
- ubuntu
- 레고랜드
- PIR
- 다올저축은행
- SBI저축은행
- 군함도
- 맥쿼리인프라
- ROA
- 매매가격지수
- INVOICE
- O365
- 공공인프라
- Pivot
- 신한저축은행
- 미국주식
- 주식
| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 |
| 15 | 16 | 17 | 18 | 19 | 20 | 21 |
| 22 | 23 | 24 | 25 | 26 | 27 | 28 |
| 29 | 30 | 31 |
글 보관함