From - Tue Sep 23 13:10:02 1997
Path: news.mitre.org!blanket.mitre.org!philabs!newsjunkie.ans.net!newsfeeds.ans.net!portc02.blue.aol.com!news.sprintisp.com!sprintisp!nntprelay.mathworks.com!news.mathworks.com!uunet!in4.uu.net!128.127.2.119!lard.ftp.com!not-for-mail
From: Slava Monich
Newsgroups: comp.os.ms-windows.programmer.nt.kernel-mode
Subject: Re: Where do queries to HKEY_PERFORMANCE_DATA go?
Date: Tue, 23 Sep 1997 11:10:02 -0400
Organization: FTP Software, Inc.
Lines: 52
Message-ID: <3427DBC9.F80CE6AA@ftp.com>
References: <3427B449.7E0@xetron.com>
NNTP-Posting-Host: smonich-3.ftp.com
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 4.03 [en] (WinNT; U)
To: thomasc@xetron.com

Tom Conrad wrote:
>
> Does anyone know what (probably undocumented) function gets called
> when you call RegQueryValueEx to read from HKEY_PERFORMANCE_DATA?
> I was playing around with the NtInternals registry monitor driver/GUI
> and I noticed that the calls to this key don't show up in the display.

I traced RegQueryValueEx; it goes down into a function named
LocalBaseRegQueryInfoKey, which at its very beginning has code which
might have looked like this before it was compiled:

    ULONG LocalBaseRegQueryInfoKey(
        HKEY hKey,
        PUNICODE_STRING ValueName,
        ....
    )
    {
        // The predefined handle is compared by value before any real
        // registry lookup happens.
        if ( hKey == HKEY_PERFORMANCE_DATA ||
             hKey == 0x80000050 ||
             hKey == 0x80000060 )
        {
            return PerfRegQueryValue( hKey, ValueName, 0, ... );
        }
        else
        {
            // Actually do registry stuff
            .....
        }
    }

I wonder what 0x80000050 and 0x80000060 mean...

> I realize this data is stored in RAM rather than in the registry
> files but I was surprised to see that the call never made it far
> enough for the "hook" to be invoked.

PerfRegQueryValue eventually calls another system call (through
NtQuerySystemInformation, exported from ntdll.dll) which is not hooked
by the registry monitor because it does not have much to do with the
registry.

NtQuerySystemInformation seems to be a very useful function, by the way.
A single call

    NtQuerySystemInformation( 2, BufferPtr, BufSize, &ReturnedBytes )

returns a 138-byte-long structure which has all the performance
information you can possibly get from the system. Depending on the first
parameter it returns different things, like process information, thread
information etc. Of course it's undocumented...

Regards,
-Slava
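The two user-mode entry points the post describes, as an added example that is not code from the original post or from any Microsoft source. It resolves NtQuerySystemInformation from ntdll.dll at run time (there is no import library entry for it in the public SDK of that era) and queries information class 2, and it reads HKEY_PERFORMANCE_DATA through RegQueryValueEx the documented way; both paths need a grow-and-retry loop, so that loop is factored out and exercised with a constructed provider (fake_perf_query, which hands back a 138-byte record because that is the size the post reports) so the logic runs off Windows as well. The names query_with_growth, read_perf_registry and fake_perf_query are this example's own. For the reader's reference, winreg.h defines HKEY_PERFORMANCE_DATA as 0x80000004, HKEY_PERFORMANCE_TEXT as 0x80000050 and HKEY_PERFORMANCE_NLSTEXT as 0x80000060, which is why the comparison in the post is against bare handle values. The practical point for anyone relying on a registry monitor: reads of these handles never reach the registry system calls, so a monitor that only hooks those will not record them.

```c
/* Added example, not code from the original post. Exercises the two
 * user-mode paths the post describes and the buffer-growth loop both need. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#define NTAPI_CC __stdcall
#else
#define NTAPI_CC
#endif

#define SystemPerformanceInformation 2            /* the "2" in the post */
#define STATUS_INFO_LENGTH_MISMATCH ((int32_t)0xC0000004)
#define STATUS_INVALID_INFO_CLASS   ((int32_t)0xC0000003)

/* Prototype of NtQuerySystemInformation as exported by ntdll.dll. */
typedef int32_t (NTAPI_CC *ntqsi_fn)(uint32_t cls, void *buf,
                                     uint32_t len, uint32_t *ret_len);

/* Grow-and-retry loop: call q until the buffer is large enough. Returns a
 * malloc'd buffer (caller frees) with its length in *out_len, or NULL on
 * any status other than success / length mismatch or once max is exceeded. */
void *query_with_growth(ntqsi_fn q, uint32_t cls, uint32_t initial,
                        uint32_t max, uint32_t *out_len)
{
    for (uint32_t size = initial; size <= max; ) {
        void *buf = malloc(size);
        if (buf == NULL) return NULL;
        uint32_t got = 0;
        int32_t status = q(cls, buf, size, &got);
        if (status == 0) { *out_len = got; return buf; }
        free(buf);
        if (status != STATUS_INFO_LENGTH_MISMATCH) return NULL;
        /* some classes report the needed size in ret_len, some do not */
        size = (got > size) ? got : size * 2;
    }
    return NULL;
}

/* Constructed provider (hypothetical, for offline use): mimics the post's
 * description of class 2 with a 138-byte record and rejects small buffers. */
int fake_calls = 0;
int32_t NTAPI_CC fake_perf_query(uint32_t cls, void *buf, uint32_t len,
                                 uint32_t *ret_len)
{
    const uint32_t record = 138;
    fake_calls++;
    if (cls != SystemPerformanceInformation) return STATUS_INVALID_INFO_CLASS;
    if (len < record) { *ret_len = record; return STATUS_INFO_LENGTH_MISMATCH; }
    memset(buf, 0xAB, record);
    *ret_len = record;
    return 0;
}

#ifdef _WIN32
/* Read HKEY_PERFORMANCE_DATA the documented way. On ERROR_MORE_DATA the
 * size reported for this key is not reliable, so the buffer is doubled. */
static DWORD read_perf_registry(void)
{
    DWORD cap = 64 * 1024, size = 0, type = 0;
    BYTE *buf = malloc(cap);
    LONG rc;
    for (;;) {
        size = cap;
        rc = RegQueryValueExA(HKEY_PERFORMANCE_DATA, "Global", NULL, &type,
                              buf, &size);
        if (rc != ERROR_MORE_DATA) break;
        cap *= 2;
        buf = realloc(buf, cap);
    }
    RegCloseKey(HKEY_PERFORMANCE_DATA);  /* releases the perf-data handle */
    free(buf);
    return rc == ERROR_SUCCESS ? size : 0;
}
#endif

int main(void)
{
    ntqsi_fn q = fake_perf_query;        /* off Windows: constructed provider */
#ifdef _WIN32
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll) q = (ntqsi_fn)GetProcAddress(ntdll, "NtQuerySystemInformation");
    printf("HKEY_PERFORMANCE_DATA\\Global: %lu bytes\n",
           (unsigned long)read_perf_registry());
#endif
    uint32_t len = 0;
    void *buf = query_with_growth(q, SystemPerformanceInformation, 64,
                                  16u << 20, &len);
    printf("NtQuerySystemInformation(2): %s, %u bytes\n",
           buf ? "ok" : "failed", len);
    free(buf);
    return buf ? 0 : 1;
}
```

On Windows the program prints the size of the "Global" performance block and of the class 2 structure as the running system reports them; elsewhere it runs the same loop against the constructed provider, which takes two calls (one length mismatch, then success).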