NtQueryValueKey - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers 
#ifndef _NTREGAPI_H

/**
 * Queries the value of a registry key.
 *
 * \param[in] KeyHandle A handle to the key to be queried.
 * \param[in] ValueName A pointer to a UNICODE_STRING structure that specifies the name of the value to be queried.
 * \param[in] KeyValueInformationClass The type of information to be queried.
 * \param[out] KeyValueInformation A pointer to a buffer that receives the value information.
 * \param[in] Length The size of the buffer.
 * \param[out] ResultLength A pointer to a variable that receives the size of the data returned.
 * \return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryValueKey(
    _In_ HANDLE KeyHandle,
    _In_ PCUNICODE_STRING ValueName,
    _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation,
    _In_ ULONG Length,
    _Out_ PULONG ResultLength
    );

#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwQueryValueKey(
    _In_ HANDLE KeyHandle,
    _In_ PCUNICODE_STRING ValueName,
    _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation,
    _In_ ULONG Length,
    _Out_ PULONG ResultLength
    );

#endif

View code on GitHub
// wdm.h

NTSYSAPI NTSTATUS ZwQueryValueKey(
  [in]            HANDLE                      KeyHandle,
  [in]            PUNICODE_STRING             ValueName,
  [in]            KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
  [out, optional] PVOID                       KeyValueInformation,
  [in]            ULONG                       Length,
  [out]           PULONG                      ResultLength
);
View the official Windows Driver Kit DDI reference

NtDoc

No description available.

Edit description on GitHub

Windows Driver Kit DDI reference (nf-wdm-zwqueryvaluekey)

Description

The ZwQueryValueKey routine returns a value entry for a registry key.

Parameters

KeyHandle [in]

Handle to the key to read value entries from. This handle is created by a successful call to ZwCreateKey or ZwOpenKey.

ValueName [in]

Pointer to the name of the value entry to obtain data for.

KeyValueInformationClass [in]

A KEY_VALUE_INFORMATION_CLASS value that determines the type of information returned in the KeyValueInformation buffer.

KeyValueInformation [out, optional]

Pointer to a caller-allocated buffer that receives the requested information.

Length [in]

Specifies the size, in bytes, of the KeyValueInformation buffer.

ResultLength [out]

Pointer to a variable that receives the size, in bytes, of the key information. If the ZwQueryValueKey routine returns STATUS_SUCCESS, callers can use the value of this variable to determine the amount of data returned. If the routine returns STATUS_BUFFER_OVERFLOW or STATUS_BUFFER_TOO_SMALL, callers can use the value of this variable to determine the size of buffer required to hold the key information.

Return value

ZwQueryValueKey returns STATUS_SUCCESS on success, or the appropriate error code on failure. Possible error code values include:

Return code Description
STATUS_OBJECT_NAME_NOT_FOUND The registry value was not available.
STATUS_BUFFER_OVERFLOW The buffer supplied is too small, and only partial data has been written to the buffer. ResultLength is set to the minimum size required to hold the requested information.
STATUS_BUFFER_TOO_SMALL The buffer supplied is too small, and no data has been written to the buffer. ResultLength is set to the minimum size required to hold the requested information.
STATUS_INVALID_PARAMETER The KeyInformationClass parameter is not a valid KEY_VALUE_INFORMATION_CLASS value.

Remarks

The KeyHandle passed to ZwQueryValueKey must have been opened with KEY_QUERY_VALUE access. This is accomplished by passing KEY_QUERY_VALUE, KEY_READ, or KEY_ALL_ACCESS as the DesiredAccess parameter to ZwCreateKey or ZwOpenKey.

For more information about working with registry keys, see Using the Registry in a Driver.

If the call to this function occurs in user mode, you should use the name "NtQueryValueKey" instead of "ZwQueryValueKey". For calls from kernel-mode drivers, the Nt*Xxx* and Zw*Xxx* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*Xxx* and Zw*Xxx* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.

See also

KEY_VALUE_BASIC_INFORMATION

KEY_VALUE_FULL_INFORMATION

KEY_VALUE_INFORMATION_CLASS

KEY_VALUE_PARTIAL_INFORMATION

Using Nt and Zw Versions of the Native System Services Routines

ZwCreateKey

ZwEnumerateValueKey

ZwOpenKey

View the official Windows Driver Kit DDI reference

Edit description on GitHub

NTinternals.net (undocumented.ntinternals.net)

This function is documented in Windows Driver Kit.

See ZwQueryValueKey in NT DDK or 2000 DDK for detailed description.

See also

Edit description on GitHub