Call to PdhEnumObjectItemsA() modifies an application's registry


Problem description


Hello,

Our software calls PdhEnumObjectItems() to query an external software's object's counter and instance lists.

However, we have noticed that one of the registry keys of the external software is being modified by our software.

We have extracted the call stack at the point where the registry was modified. (The call stack was extracted from the output of ProcessMonitor. To monitor registry activities, "Show Registry Activity" should be enabled and path Filter must be added for the particular registry item that is modified.)

The registry value is supposed to be 4, but was changed to 1.

Call stack upon registry change from 4 to 1:

Frame Module Location Address Path
0 ntoskrnl.exe NtWaitForSingleObject + 0x8e9 0xfffff802dee20ca9 C:\Windows\system32\ntoskrnl.exe
1 ntoskrnl.exe SeDeassignSecurity + 0xb88a 0xfffff802dee64512 C:\Windows\system32\ntoskrnl.exe
2 ntoskrnl.exe setjmpex + 0x34b3 0xfffff802debd04b3 C:\Windows\system32\ntoskrnl.exe
3 ntdll.dll ZwSetValueKey + 0xa 0x7ff847e96b7a C:\Windows\SYSTEM32\ntdll.dll
4 wow64.dll wow64.dll + 0x8e37 0x76e18e37 C:\Windows\SYSTEM32\wow64.dll
5 wow64.dll wow64.dll + 0x8da8 0x76e18da8 C:\Windows\SYSTEM32\wow64.dll
6 wow64.dll Wow64SystemServiceEx + 0xd4 0x76e1bb64 C:\Windows\SYSTEM32\wow64.dll
7 wow64cpu.dll TurboDispatchJumpAddressEnd + 0xb 0x76e621e5 C:\Windows\system32\wow64cpu.dll
8 wow64.dll Wow64LdrpInitialize + 0x22e 0x76e2323a C:\Windows\SYSTEM32\wow64.dll
9 wow64.dll Wow64LdrpInitialize + 0x172 0x76e2317e C:\Windows\SYSTEM32\wow64.dll
10 ntdll.dll LdrInitializeThunk + 0x138 0x7ff847e27004 C:\Windows\SYSTEM32\ntdll.dll
11 ntdll.dll LdrInitializeThunk + 0xe 0x7ff847e26eda C:\Windows\SYSTEM32\ntdll.dll
12 ntdll.dll ZwSetValueKey + 0xc 0x76f1c1fc C:\Windows\SysWOW64\ntdll.dll
13 KERNELBASE.dll CompareStringA + 0x417 0x74c96012 C:\Windows\SysWOW64\KERNELBASE.dll
14 KERNELBASE.dll RegSetValueExW + 0x11e 0x74c96166 C:\Windows\SysWOW64\KERNELBASE.dll
15 ADVAPI32.dll PerfRegSetValue + 0x11ab 0x75ad9c48 C:\Windows\SysWOW64\ADVAPI32.dll
16 ADVAPI32.dll PerfRegSetValue + 0x121c 0x75ad9cb9 C:\Windows\SysWOW64\ADVAPI32.dll
17 ADVAPI32.dll EtwLogSysConfigExtension + 0x71dc 0x75aa3823 C:\Windows\SysWOW64\ADVAPI32.dll
18 ADVAPI32.dll CryptGetDefaultProviderW + 0x4fd 0x75a9b79f C:\Windows\SysWOW64\ADVAPI32.dll
19 KERNELBASE.dll WaitNamedPipeW + 0x26e 0x74cd13d3 C:\Windows\SysWOW64\KERNELBASE.dll
20 KERNELBASE.dll RegQueryValueExW + 0xd3 0x74c92d28 C:\Windows\SysWOW64\KERNELBASE.dll
21 pdh.dll PdhCollectQueryData + 0x2dd 0x743531ca C:\Windows\SysWOW64\pdh.dll
22 pdh.dll PdhCloseQuery + 0x922 0x74354836 C:\Windows\SysWOW64\pdh.dll
23 pdh.dll PdhAddCounterW + 0x1b72 0x74358b80 C:\Windows\SysWOW64\pdh.dll
24 pdh.dll PdhValidatePathW + 0x29a 0x7438613b C:\Windows\SysWOW64\pdh.dll
25 pdh.dll PdhEnumObjectItemsHA + 0x235 0x74383206 C:\Windows\SysWOW64\pdh.dll
26 pdh.dll PdhEnumObjectItemsA + 0x190 0x74382f71 C:\Windows\SysWOW64\pdh.dll
....
36 sechost.dll SetServiceStatus + 0x211 0x74eb78c2 C:\Windows\SysWOW64\sechost.dll
37 KERNEL32.DLL BaseThreadInitThunk + 0xe 0x7513495d C:\Windows\SysWOW64\KERNEL32.DLL
38 ntdll.dll RtlInitializeExceptionChain + 0x84 0x76f298ee C:\Windows\SysWOW64\ntdll.dll
39 ntdll.dll RtlInitializeExceptionChain + 0x5a 0x76f298c4 C:\Windows\SysWOW64\ntdll.dll

Frame 26 is where our software calls PdhEnumObjectItems(). Notice that at Frame 16, the call stack of PdhEnumObjectItems() eventually calls PerfRegSetValues().

We have double checked that our software is not setting any value in the registry.

I would like to know why PdhEnumObjectItems() sets registry values.

Regards,

Mau

Solution

Hi,

Thank you for posting here.

As far as I know, instances do not have a user-friendly name in each language. In a non-English version of Windows NT or Windows 2000, object and counter strings are stored both in the native language of the system and in English.

Each object or counter is identified by an object or counter index respectively.

The object or counter index and name mapping information is stored in the Counter registry value under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\LangId

If the application knows the object and counter names only as English strings, these names can be converted to the corresponding localized names.

Here is a document that also provides the relevant information about the registry value change.

https://support.microsoft.com/en-us/help/287159/using-pdh-apis-correctly-in-a-localized-language

Use the RegQueryValueEx Registry API to obtain the counter titles and indexes in English.

I think that this is a reason.

I also suggest that you post your feedback at the end of the website; the author will respond.

Did you try commenting out the code? Does the situation still occur?

I hope that the reply is helpful for you.

Best Regards,

Hart
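The lookup step Hart points to, as an added example that is not the poster's code or Microsoft's: read the English title database ("Counter 009") through HKEY_PERFORMANCE_DATA with RegQueryValueEx, parse the REG_MULTI_SZ index/name pairs, resolve an English object or counter name to its index, and on Windows turn that index into the localized name with PdhLookupPerfNameByIndex, which is what a counter path for PdhAddCounter needs on a non-English system. The parser and the constructed sample buffer are portable and run anywhere; the registry and PDH calls compile only under _WIN32. The sample uses well-known English indexes (2 System, 4 Memory, 6 % Processor Time, 238 Processor), but the real table comes from the machine at run time; the function names and the 16384-entry table size are this example's own choices.

```c
/* Added example (not the poster's or Microsoft's code): English Perflib title -> index -> localized
 * name. The parser is portable; the registry/PDH calls compile only on Windows (link pdh.lib). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <pdh.h>
#endif
typedef struct { unsigned long index; const char *name; } perf_title;  /* name points into the buffer */

/* Constructed sample in the "Counter 009" layout (the indexes are the real English ones). The first
 * pair, "1" -> "1847", is genuine data: index 1 carries the last index in use. */
static const char SAMPLE_COUNTER_009[] =
    "1\0" "1847\0"  "2\0" "System\0"  "4\0" "Memory\0"
    "6\0" "% Processor Time\0"  "238\0" "Processor\0"  "\0";

/* REG_MULTI_SZ of alternating "index\0" "name\0" strings closed by an empty string. Stops at the
 * terminator, an unterminated string or a dangling index; skips pairs whose index is not numeric.
 * Returns the number of pairs stored in out[]. */
size_t parse_counter_titles(const char *buf, size_t len, perf_title *out, size_t max_out)
{
    size_t n = 0, pos = 0;
    while (pos < len && buf[pos] != '\0' && n < max_out) {
        const char *idx = buf + pos, *z = memchr(idx, '\0', len - pos);
        if (!z) break;                                   /* unterminated string: malformed */
        pos = (size_t)(z - buf) + 1;
        if (pos >= len || buf[pos] == '\0') break;       /* index without a name */
        const char *name = buf + pos;
        if (!(z = memchr(name, '\0', len - pos))) break;
        pos = (size_t)(z - buf) + 1;
        char *end = NULL;
        unsigned long v = strtoul(idx, &end, 10);
        if (end == idx || *end != '\0') continue;        /* non-numeric index: skip the pair */
        out[n].index = v;
        out[n].name = name;
        n++;
    }
    return n;
}

static int name_eq(const char *a, const char *b)   /* ASCII case-insensitive equality */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Look up an English title; 0 means not found (0 is never a valid title index). */
unsigned long find_title_index(const perf_title *t, size_t n, const char *english_name)
{
    for (size_t i = 0; i < n; i++)
        if (name_eq(t[i].name, english_name)) return t[i].index;
    return 0;
}

#ifdef _WIN32
/* "Counter 009" through the Perflib pseudo-key, growing the buffer while advapi32 reports
 * ERROR_MORE_DATA. A title-only query like this does not load provider DLLs. Caller frees. */
char *read_english_titles(DWORD *out_len)
{
    DWORD size = 64 * 1024, len;
    char *buf = NULL, *nb;
    for (;;) {
        if (!(nb = realloc(buf, size))) { free(buf); return NULL; }
        buf = nb;
        len = size;
        LONG rc = RegQueryValueExA(HKEY_PERFORMANCE_DATA, "Counter 009", NULL, NULL, (LPBYTE)buf, &len);
        if (rc == ERROR_SUCCESS) { RegCloseKey(HKEY_PERFORMANCE_DATA); *out_len = len; return buf; }
        if (rc != ERROR_MORE_DATA) { free(buf); return NULL; }
        size *= 2;
    }
}
#endif
static perf_title titles[16384];  /* generous for a real title database */

int main(void)
{
    size_t cap = sizeof titles / sizeof titles[0], n;
    char *raw = NULL;
#ifdef _WIN32
    DWORD len = 0;
    if (!(raw = read_english_titles(&len))) { fputs("Counter 009 query failed\n", stderr); return 1; }
    n = parse_counter_titles(raw, len, titles, cap);
#else
    n = parse_counter_titles(SAMPLE_COUNTER_009, sizeof SAMPLE_COUNTER_009, titles, cap);
#endif
    const char *wanted[] = { "Processor", "% Processor Time" };
    for (size_t i = 0; i < 2; i++) {
        unsigned long idx = find_title_index(titles, n, wanted[i]);
        printf("%-16s -> index %lu", wanted[i], idx);
#ifdef _WIN32
        char local[PDH_MAX_COUNTER_NAME];   /* localized name, the form a PdhAddCounter path must use */
        DWORD cch = sizeof local;
        if (idx && PdhLookupPerfNameByIndexA(NULL, (DWORD)idx, local, &cch) == ERROR_SUCCESS)
            printf(" -> \"%s\"", local);
#endif
        putchar('\n');
    }
    free(raw);   /* free(NULL) is a no-op on the portable path */
    return 0;
}
```

Two practical points for anyone reproducing the poster's trace. A "Counter 009" or "Help 009" query only returns the title database strings; it is the data queries against HKEY_PERFORMANCE_DATA (an object index list or "Global"), which PDH issues during enumeration, that make advapi32 load each provider's extensible counter DLL. Running this title-only program under Process Monitor with the same path filter, and then the enumeration call, shows which of the two steps performs the registry write. The parser also deliberately tolerates a truncated or non-numeric pair rather than trusting the REG_MULTI_SZ to be well formed, since its contents are written by third-party providers at install time.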

