NtEnumerateValueKey - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers 
#ifndef _NTREGAPI_H

/**
 * Enumerates the values of a registry key.
 *
 * @param[in] KeyHandle A handle to the key to be enumerated.
 * @param[in] Index The index of the value to be enumerated.
 * @param[in] KeyValueInformationClass The type of information to be queried.
 * @param[out] KeyValueInformation A pointer to a buffer that receives the value information.
 * @param[in] Length The size of the buffer.
 * @param[out] ResultLength A pointer to a variable that receives the size of the data returned.
 * @return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtEnumerateValueKey(
    _In_ HANDLE KeyHandle,
    _In_ ULONG Index,
    _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation,
    _In_ ULONG Length,
    _Out_ PULONG ResultLength
    );

#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwEnumerateValueKey(
    _In_ HANDLE KeyHandle,
    _In_ ULONG Index,
    _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation,
    _In_ ULONG Length,
    _Out_ PULONG ResultLength
    );

#endif

View code on GitHub
// wdm.h

NTSYSAPI NTSTATUS ZwEnumerateValueKey(
  [in]            HANDLE                      KeyHandle,
  [in]            ULONG                       Index,
  [in]            KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
  [out, optional] PVOID                       KeyValueInformation,
  [in]            ULONG                       Length,
  [out]           PULONG                      ResultLength
);
View the official Windows Driver Kit DDI reference

NtDoc

No description available.

Edit description on GitHub

Windows Driver Kit DDI reference (nf-wdm-zwenumeratevaluekey)

Description

The ZwEnumerateValueKey routine gets information about the value entries of an open key.

Parameters

KeyHandle [in]

Handle to the registry key that you want to enumerate value entries for. A successful call to ZwCreateKey or ZwOpenKey creates this handle.

Index [in]

The zero-based index of the subkey that you want value information for.

KeyValueInformationClass [in]

Specifies a KEY_VALUE_INFORMATION_CLASS value that determines the type of information returned in the KeyValueInformation buffer.

KeyValueInformation [out, optional]

Pointer to a caller-allocated buffer that receives the requested information.

Length [in]

Specifies the size, in bytes, of the KeyValueInformation buffer.

ResultLength [out]

Pointer to a variable that receives the size, in bytes, of the value information. If this routine returns STATUS_SUCCESS, the variable indicates the amount of data returned. If this routine returns STATUS_BUFFER_OVERFLOW or STATUS_BUFFER_TOO_SMALL, the variable indicates the buffer size that is required to hold the value information.

Return value

ZwEnumerateValueKey returns STATUS_SUCCESS on success, or the appropriate error code on failure. Possible error code values include:

Return code Description
STATUS_BUFFER_OVERFLOW The buffer supplied is too small, and only partial data has been written to the buffer. *ResultLength is set to the minimum size required to hold the requested information.
STATUS_BUFFER_TOO_SMALL The buffer supplied is too small, and no data has been written to the buffer. *ResultLength is set to the minimum size required to hold the requested information.
STATUS_INVALID_PARAMETER The KeyInformationClass parameter is not a valid KEY_VALUE_INFORMATION_CLASS value.
STATUS_NO_MORE_ENTRIES The Index value is out of range for the registry key specified by KeyHandle. For example, if a key has n subkeys, then for any value greater than n-1 the routine returns STATUS_NO_MORE_ENTRIES.

Remarks

The KeyHandle passed to ZwEnumerateValueKey must have been opened with KEY_QUERY_VALUE access. This is accomplished by passing KEY_QUERY_VALUE, KEY_READ, or KEY_ALL_ACCESS as the DesiredAccess parameter to ZwCreateKey or ZwOpenKey.

The Index is simply a way to select among subkeys with value entries. Two calls to ZwEnumerateValueKey with the same Index are not guaranteed to return the same results.

For more information about working with registry keys, see Using the Registry in a Driver.

If the call to this function occurs in user mode, you should use the name "NtEnumerateValueKey" instead of "ZwEnumerateValueKey".

For calls from kernel-mode drivers, the Nt*Xxx* and Zw*Xxx* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*Xxx* and Zw*Xxx* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.

See also

KEY_VALUE_BASIC_INFORMATION

KEY_VALUE_FULL_INFORMATION

KEY_VALUE_PARTIAL_INFORMATION

Using Nt and Zw Versions of the Native System Services Routines

ZwClose

ZwCreateKey

ZwOpenKey

ZwQueryValueKey

View the official Windows Driver Kit DDI reference

Edit description on GitHub

NTinternals.net (undocumented.ntinternals.net)

This function is documented in Windows Driver Kit.

See ZwEnumerateValueKey in NT DDK or 2000 DDK for detailed description.

See also

Edit description on GitHub