NtLoadKey - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTREGAPI_H

/**
 * Loads a registry key from a file.
 * 
 * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key.
 * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file.
 * @return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtLoadKey(
    _In_ POBJECT_ATTRIBUTES TargetKey,
    _In_ POBJECT_ATTRIBUTES SourceFile
    );

#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwLoadKey(
    _In_ POBJECT_ATTRIBUTES TargetKey,
    _In_ POBJECT_ATTRIBUTES SourceFile
    );

#endif

View code on GitHub

Function NtLoadKey is used to make available registry keys and values stored in Hive File. Hive file can be created by calling NtSaveKey. If loaded Hive is no longer needed (for example when user logout for HKCU Hive), it can be unloaded by call NtUnloadKey.

DestinationKeyName

Pointer to OBJECT_ATTRIBUTES structure contains destination key name and HANDLE to root key. Root can be /REGISTRY/machine or /REGISTRY/user. All other keys are invalid.

HiveFileName

Pointer to OBJECT_ATTRIBUTES structure contains Hive file path and name.

Documented by

Requirements

Privilege: SE_RESTORE_PRIVILEGE

See also