NtNotifyChangeMultipleKeys - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers 
#ifndef _NTREGAPI_H

/**
 * Requests notification when a registry key or any of its subkeys changes.
 *
 * \param MasterKeyHandle A handle to an open key. The handle must be opened with the KEY_NOTIFY access right.
 * \param Count The number of subkeys under the key specified by the MasterKeyHandle parameter.
 * \param SubordinateObjects Pointer to an array of OBJECT_ATTRIBUTES structures, one for each subkey. This array can contain one OBJECT_ATTRIBUTES structure.
 * \param Event A handle to an event created by the caller. If Event is not NULL, the caller waits until the operation succeeds, at which time the event is signaled.
 * \param ApcRoutine A pointer to an asynchronous procedure call (APC) function supplied by the caller. If ApcRoutine is not NULL, the specified APC function executes after the operation completes.
 * \param ApcContext A pointer to a context supplied by the caller for its APC function. This value is passed to the APC function when it is executed. The Asynchronous parameter must be TRUE. If ApcContext is specified, the Event parameter must be NULL.
 * \param IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that contains the final status and information about the operation. For successful calls that return data, the number of bytes written to the Buffer parameter is supplied in the Information member of the IO_STATUS_BLOCK structure.
 * \param CompletionFilter A bitmap of operations that trigger notification. This parameter can be one or more of the following flags. REG_NOTIFY_CHANGE_NAME, REG_NOTIFY_CHANGE_ATTRIBUTES, REG_NOTIFY_CHANGE_LAST_SET, REG_NOTIFY_CHANGE_SECURITY.
 * \param WatchTree If this parameter is TRUE, the caller is notified about changes to all subkeys of the specified key. If this parameter is FALSE, the caller is notified only about changes to the specified key.
 * \param Buffer Reserved for system use. This parameter must be NULL.
 * \param BufferSize Reserved for system use. This parameter must be zero.
 * \param Asynchronous Whether the operation is asynchronous.
 * \return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtNotifyChangeMultipleKeys(
    _In_ HANDLE MasterKeyHandle,
    _In_opt_ ULONG Count,
    _In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[],
    _In_opt_ HANDLE Event,
    _In_opt_ PIO_APC_ROUTINE ApcRoutine,
    _In_opt_ PVOID ApcContext,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_ ULONG CompletionFilter,
    _In_ BOOLEAN WatchTree,
    _Out_writes_bytes_opt_(BufferSize) PVOID Buffer,
    _In_ ULONG BufferSize,
    _In_ BOOLEAN Asynchronous
    );

#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwNotifyChangeMultipleKeys(
    _In_ HANDLE MasterKeyHandle,
    _In_opt_ ULONG Count,
    _In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[],
    _In_opt_ HANDLE Event,
    _In_opt_ PIO_APC_ROUTINE ApcRoutine,
    _In_opt_ PVOID ApcContext,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_ ULONG CompletionFilter,
    _In_ BOOLEAN WatchTree,
    _Out_writes_bytes_opt_(BufferSize) PVOID Buffer,
    _In_ ULONG BufferSize,
    _In_ BOOLEAN Asynchronous
    );

#endif

View code on GitHub
// winternl.h

__kernel_entry NTSTATUS NtNotifyChangeMultipleKeys(
  [in]            HANDLE               MasterKeyHandle,
  [in, optional]  ULONG                Count,
  [in, optional]  OBJECT_ATTRIBUTES [] SubordinateObjects,
  [in, optional]  HANDLE               Event,
  [in, optional]  PIO_APC_ROUTINE      ApcRoutine,
  [in, optional]  PVOID                ApcContext,
  [out]           PIO_STATUS_BLOCK     IoStatusBlock,
  [in]            ULONG                CompletionFilter,
  [in]            BOOLEAN              WatchTree,
  [out, optional] PVOID                Buffer,
  [in]            ULONG                BufferSize,
  [in]            BOOLEAN              Asynchronous
);
View the official Win32 API reference

NtDoc

This function is documented in Windows SDK.

Edit description on GitHub

Win32 API reference (nf-winternl-ntnotifychangemultiplekeys)

NtNotifyChangeMultipleKeys function

Description

[This function may be changed or removed from Windows without further notice. ]

Requests notification when a registry key or any of its subkeys changes.

Parameters

MasterKeyHandle [in]

A handle to an open key. The handle must be opened with the KEY_NOTIFY access right.

Count [in, optional]

The number of keys objects provided in the SubordinateObjects parameter. This parameter must be 1.

SubordinateObjects [in, optional]

Pointer to an array of OBJECT_ATTRIBUTES structures, one for each key. This array can contain one OBJECT_ATTRIBUTES structure and must not be a key in the same hive as the MasterKeyHandle key.

Event [in, optional]

A handle to an event created by the caller. If Event is not NULL, the caller waits until the operation succeeds, at which time the event is signaled.

ApcRoutine [in, optional]

A pointer to an asynchronous procedure call (APC) function supplied by the caller. If ApcRoutine is not NULL, the specified APC function executes after the operation completes. A WORK_QUEUE_ITEM must be provided instead of ApcRoutine in the ZwNotifyChangeMultipleKeys variant.

ApcContext [in, optional]

A pointer to a context supplied by the caller for its APC function. This value is passed to the APC function when it is executed. The Asynchronous parameter must be TRUE. If ApcContext is specified, the Event parameter must be NULL. A WORK_QUEUE_TYPE must be provided instead of ApcContext in the ZwNotifyChangeMultipleKeys variant.

IoStatusBlock [out]

A pointer to an IO_STATUS_BLOCK structure that contains the final status and information about the operation. For successful calls that return data, the number of bytes written to the Buffer parameter is supplied in the Information member of the IO_STATUS_BLOCK structure.

CompletionFilter [in]

A bitmap of operations that trigger notification. This parameter can be one or more of the following flags.

Value Meaning
REG_NOTIFY_CHANGE_NAME Notify the caller if a subkey is added or deleted.
REG_NOTIFY_CHANGE_ATTRIBUTES Notify the caller of changes to the attributes of the key, such as the security descriptor information.
REG_NOTIFY_CHANGE_LAST_SET Notify the caller of changes to a value of the key. This can include adding or deleting a value, or changing an existing value.
REG_NOTIFY_CHANGE_SECURITY Notify the caller of changes to the security descriptor of the key.

WatchTree [in]

If this parameter is TRUE, the caller is notified about changes to all subkeys of the specified key. If this parameter is FALSE, the caller is notified only about changes to the specified key.

Buffer [out, optional]

Reserved for system use. This parameter must be NULL.

BufferSize [in]

Reserved for system use. This parameter must be zero.

Asynchronous [in]

If this parameter is TRUE, the function returns immediately. If this parameter is FALSE, the function does not return until the specified event occurs.

Return value

Returns an NTSTATUS or error code.

If the Asynchronous parameter is TRUE and the specified event has not yet occurred, the function returns STATUS_PENDING.

The forms and significance of NTSTATUS error codes are listed in the Ntstatus.h header file available in the WDK, and are described in the WDK documentation.

Remarks

This function has no associated header file. You can also use the LoadLibrary and GetProcAddress functions to dynamically link to Ntdll.dll.

See also

Registry Key Security and Access Rights

View the official Win32 API reference

Edit description on GitHub