RtlQueryRegistryValueWithFallback - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers 
#ifndef _NTRTL_H
#if (PHNT_VERSION >= PHNT_WINDOWS_10_RS4)

NTSYSAPI
NTSTATUS
NTAPI
RtlQueryRegistryValueWithFallback(
    _In_opt_ HANDLE PrimaryHandle,
    _In_opt_ HANDLE FallbackHandle,
    _In_ PCUNICODE_STRING ValueName,
    _In_ ULONG ValueLength,
    _Out_opt_ PULONG ValueType,
    _Out_writes_bytes_to_(ValueLength, *ResultLength) PVOID ValueData,
    _Out_range_(<= , ValueLength) PULONG ResultLength
    );

#endif
#endif

View code on GitHub
// ntddk.h

NTSYSAPI NTSTATUS RtlQueryRegistryValueWithFallback(
  [in]  HANDLE          PrimaryHandle,
  [in]  HANDLE          FallbackHandle,
  [in]  PUNICODE_STRING ValueName,
  [in]  ULONG           ValueLength,
  [Out] PULONG          ValueType,
  [out] PVOID           ValueData,
  [out] PULONG          ResultLength
);
View the official Windows Driver Kit DDI reference

NtDoc

This function is documented in Windows Driver Kit.

Edit description on GitHub

Windows Driver Kit DDI reference (nf-ntddk-rtlqueryregistryvaluewithfallback)

RtlQueryRegistryValueWithFallback function

Description

Retrieves a value entry for a registry key by using, a primary handle; if not found, uses the fallback handle.

Parameters

PrimaryHandle [in]

The handle to the key that is first used to query the value entries. This handle is created by a successful call to ZwCreateKey or ZwOpenKey.

FallbackHandle [in]

The handle to use for querying the key if value is not found using the handle specified by _PrimaryHandle_.

ValueName [in]

A pointer to string that contains the name of the value for which to retrieve data.

ValueLength [in]

Specifies the size, in bytes, of the _ValueName_ string.

ValueType [Out]

A pointer to a ULONG variable that receives the type of the value being queried.

ValueData [out]

A pointer to a buffer that receives the value data.

ResultLength [out]

A pointer to a variable that receives the value data size, in bytes. If the return value is STATUS_SUCCESS, indicates the number of bytes written to the _ValueData_ buffer. If the call returns STATUS_BUFFER_OVERFLOW, indicates the number of bytes required. Callers can use that value to determine the size of _ValueData_ buffer required to hold the data information.

Return value

Returns STATUS_SUCCESS on success, or the appropriate error code on failure.

Remarks

See also

Using the Registry in a Driver

View the official Windows Driver Kit DDI reference

Edit description on GitHub