@regexist function does not unload (offline) registry with loaded hives

Dec 29, 2021
18
2
After using the @regexist function with an offline registry, the loaded registry can't be unloaded.
We get an access denied message.

Tested:
type regexist_loaded_hives.bat

Code:
setlocal
unalias *
echo TCCver=%@VerInfo[%_cmdspec,FileVersion]  OSbuild=%_OSBuildEx

rem online key, and the same key inside the hive once it is mounted under HKLM\HiveHKCU
set msRegHKCU=HKCU\Software\Microsoft\Clipboard
set msRegLoadedHKCU=HKLM\HiveHKCU\Software\Microsoft\Clipboard
set HKCUFile=R:\NTUSER.DAT

echo.
rem control case: query the online key, then unload/reload the hive (both succeed)
reg load HKLM\hiveHKCU %HKCUFile>nul
echo Online registry key exist = %@regexist[%msRegHKCU]
reg unload HKLM\hiveHKCU>nul & echo 1.unload returnCode=%?
reg load HKLM\hiveHKCU %HKCUFile>nul & echo load returnCode=%?

echo.
rem failing case: query the key inside the loaded hive, then try to unload it
echo offline Registry Key Loaded Hive Exist = %@regexist[%msRegLoadedHKCU]
reg unload HKLM\hiveHKCU>nul & echo 2.unload returnCode=%?


Result:
Code:
TCCver=28.02.18  OSbuild=22000.556

Online registry key exist = 1
1.unload returnCode=0
load returnCode=0

offline Registry Key Loaded Hive Exist = 1
ERROR: Access is denied.
2.unload returnCode=1

Maybe it's a Windows issue or something is wrong with this batch file.
Terminating TCC unloads the registry.
 
May 20, 2008
11,840
120
Syracuse, NY, USA
HANDLE64.EXE (sysinternals) shows that, after using @REGEXIST, TCC has an open handle to the loaded registry key. After closing that handle with an elevated HANDLE64, the key can be unloaded while TCC is still running.

Note that the same thing happens (can't unload) if I use @REGQUERY (instead of @REGEXIST) on the loaded key.
 
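The same load / check / unload cycle, written so that the check itself cannot leave a handle behind. This is an added example, not code from the thread or from JP Software; it assumes the hive file R:\NTUSER.DAT and the mount point HKLM\HiveHKCU from the batch file above, and an elevated prompt. Opening the key through .NET and closing it explicitly is what avoids the "Access is denied" on reg unload that the thread describes; the finalizer collection before unload covers the case where something else (for example Test-Path on the HKLM: provider) has cached a handle to the mounted key.

```powershell
# Added example (not from the thread). Assumed, constructed paths:
$hiveFile  = 'R:\NTUSER.DAT'                         # offline user hive
$mountName = 'HiveHKCU'                              # mounted as HKLM\HiveHKCU
$subKey    = "$mountName\Software\Microsoft\Clipboard"

function Test-OfflineRegistryKey {
    param([string]$SubKey)
    # Open the key via .NET and close it before returning, so no handle to the
    # mounted hive outlives the existence check (the failure mode in the thread).
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Default)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } finally {
        $base.Close()
    }
}

& reg.exe load "HKLM\$mountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $exists = Test-OfflineRegistryKey -SubKey $subKey
    Write-Host "offline key exists = $exists"
} finally {
    # Release any handle a provider or finalizable object may still hold on
    # the mounted key, then unload. A non-zero exit here means a handle is
    # still open; the thread's diagnosis step (handle64.exe -p <pid>) shows it.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$mountName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed ($LASTEXITCODE): a handle to HKLM\$mountName is still open; inspect with handle64.exe -p $PID"
    }
}
```

If the unload still fails after this, the open handle belongs to another process (or to the shell itself, as with TCC here), and the handle tool in the next posts is the way to find which one.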
Dec 29, 2021
18
2
HANDLE64 shows only PID 4 (system) for NTUSER.DAT.
Process Explorer shows the same.

HANDLE64 -p %_pid shows a few handles for TCC, but none of them refers to NTUSER.DAT.

%@FILELOCK[R:\NTUSER.DAT] gives two PIDs, 4 (System) and 120 (Registry).

So there is not a handle for me to close NTUSER.DAT.
 
May 20, 2008
11,840
120
Syracuse, NY, USA
The handle is to the mounted registry key. In my case that was HKLM\test\.

[attached screenshot: 1652029825740.png]
 
Dec 29, 2021
18
2
Thanks. The focus was on NTUSER.DAT, so I missed the registry key entry handle.

Why does TCC not close the (offline) registry key handle as it does for the online registry?
 