dcerpc_winreg_QueryValue

Michael B Allen mba2000 at ioplex.com
Mon Dec 6 23:48:43 GMT 2004


Karl Melcher said:
> I have done a bunch of packet captures on QueryValue and the desired
> values are being returned in the reply, it is just not getting
> loaded back into the .out. structure and a bunch of bytes are
> being ignored.

I have this working in the Java env with our compiler. I have to admit
this is an odd call. The following MIDL works but of course an extra layer
is going to be necessary to make using this call sane.

int RegQueryValue([in] policy_handle *handle, /* from OpenHKLM */
	[in] unicode_string *value_name,     /* e.g. "Version" */
	[in,unique] uint32_t *reserved,        /* pointer to 0 */
	[in,unique] uint32_t *size1,           /* size of data */
	[in] uint32_t unknown1,                           /* 0 */
	[in] uint32_t unknown2,                           /* 0 */
	[out,unique] uint32_t *type,           /* pointer to 0 */
	[out,unique,size_is(*count_data),length_is(*count_data)] uint8_t *data,
	[in,out,unique] uint32_t *size2,       /* size of data */
	[in,out,unique] uint32_t *count_data); /* pointer to 0, size of data on ret */

Note the value_name parameter looks like a standard unicode string at first
glance but the buffer is actually zero terminated. This is different from
unicode strings observed elsewhere such as in lsarpc and samr.

So it looks like the current PIDL IDL is ok except the data parameter just
needs size_is(*val_length),length_is(*val_length). Also you might strip
the pointers for unknown1 and unknown2 as I never saw any evidence to
suggest they are actually pointers. Which gives you:

WERROR winreg_QueryValue(
	[in,ref] policy_handle *handle,
	[in] winreg_String valuename,
	[in] uint32 *reserved,
	[in] uint32 *offered,
	[in] uint32 unknown1,
	[in] uint32 unknown2,
	[out] uint32 *type,
	[out,size_is(*val_length),length_is(*val_length)] uint8 *data,
	[in,out] uint32 *offered2,
	[in,out] uint32 *val_length
);

Try it out.

Mike
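
Added example (not part of the original message, and not Samba or PIDL code): a Python sketch that unmarshals the [out] parameters of the reply in the order the MIDL above declares them, treating every count in the reply as untrusted. It assumes little-endian NDR with each unique pointer's referent following its referent id inline; the names parse_query_value_reply, build_sample and NdrError are hypothetical, and the sample bytes are constructed, not captured.

```python
import struct

class NdrError(ValueError):
    pass

def _u32(buf, off):
    if off + 4 > len(buf):
        raise NdrError("truncated at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0], off + 4

def _unique_u32(buf, off):
    """[unique] uint32 *: referent id, then the value if the id is non-zero."""
    ref, off = _u32(buf, off)
    if ref == 0:
        return None, off
    return _u32(buf, off)

def parse_query_value_reply(buf):
    """Parse type, data, size2, count_data and the return code (assumed layout)."""
    vtype, off = _unique_u32(buf, 0)
    data = None
    ref, off = _u32(buf, off)
    if ref:
        # size_is/length_is array header: max_count, offset, actual_count
        max_count, off = _u32(buf, off)
        first, off = _u32(buf, off)
        actual, off = _u32(buf, off)
        if first != 0 or actual > max_count:
            raise NdrError("inconsistent array header")
        if actual > len(buf) - off:
            raise NdrError("actual_count exceeds reply length")
        data = buf[off:off + actual]
        off = (off + actual + 3) & ~3        # realign to 4 bytes
    size2, off = _unique_u32(buf, off)
    count, off = _unique_u32(buf, off)
    status, off = _u32(buf, off)
    if data is not None and count != len(data):
        raise NdrError("count_data does not match array length")
    return {"type": vtype, "data": data, "size2": size2,
            "count_data": count, "status": status}

def build_sample(payload, claimed=None):
    """Constructed reply stub for testing; referent ids are arbitrary."""
    n = len(payload) if claimed is None else claimed
    pad = b"\0" * (-len(payload) % 4)
    return (struct.pack("<II", 0x20000, 1) +
            struct.pack("<IIII", 0x20004, n, 0, n) + payload + pad +
            struct.pack("<IIIII", 0x20008, n, 0x2000C, n, 0))
```
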

