NtReplaceKey - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTREGAPI_H

/**
 * Replaces a registry key.
 * 
 * @param[in] NewFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the new file.
 * @param[in] TargetHandle A handle to the target key.
 * @param[in] OldFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the old file.
 * @return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtReplaceKey(
    _In_ POBJECT_ATTRIBUTES NewFile,
    _In_ HANDLE TargetHandle,
    _In_ POBJECT_ATTRIBUTES OldFile
    );

#endif

#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwReplaceKey(
    _In_ POBJECT_ATTRIBUTES NewFile,
    _In_ HANDLE TargetHandle,
    _In_ POBJECT_ATTRIBUTES OldFile
    );

#endif


The NtReplaceKey function saves the specified hive key to a file and starts using this file instead of the original hive file. The contents of the original hive file are replaced with the contents of a third hive file, specified below.

NewHiveFileName

Pointer to an OBJECT_ATTRIBUTES structure containing the name of the third file (the file with the new contents).

KeyHandle

HANDLE to a Key Object. All keys from the hive that contains the key specified by the KeyHandle parameter are backed up and replaced.

BackupHiveFileName

Pointer to an OBJECT_ATTRIBUTES structure containing the name of the first file (the new hive file).


Example:

NewHiveFile -> OriginalHiveFile -> BackupHiveFile

Before the call to NtReplaceKey, the system uses OriginalHiveFile.

After the call, the system uses BackupHiveFile.
