@regexist function does not unload (offline) registry with loaded hives

Dec 29, 2021
After using the @regexist function with a offline registry the loaded registry can't unloaded.
We get a access denied message.

type regexist_loaded_hives.bat

unalias *
echo TCCver=%@VerInfo[%_cmdspec,FileVersion]  OSbuild=%_OSBuildEx

set msRegHKCU=HKCU\Software\Microsoft\Clipboard
set msRegLoadedHKCU=HKLM\HiveHKCU\Software\Microsoft\Clipboard

reg load HKLM\hiveHKCU %HKCUFile>nul
echo Online registry key exist = %@regexist[%msRegHKCU]
reg unload HKLM\hiveHKCU>nul & echo 1.unload returnCode=%?
reg load HKLM\hiveHKCU %HKCUFile>nul & echo load returnCode=%?

echo offline Registry Key Loaded Hive Exist = %@regexist[%msRegLoadedHKCU]
reg unload HKLM\hiveHKCU>nul & echo 2.unload returnCode=%?

TCCver=28.02.18  OSbuild=22000.556

Online registry key exist = 1
1.unload returnCode=0
load returnCode=0

offline Registry Key Loaded Hive Exist = 1
ERROR: Access is denied.
2.unload returnCode=1

Maybe its a windows issue or something is wrong with this batch file.
Terminating of TCC unloads the registry.
HANDLE64.EXE (sysinternals) shows that, after using @REGEXIST, TCC has an open handle to the loaded registry key. After closing that handle with an elevated HANDLE64, the key can be unloaded while TCC is still running.

Note that the same thing happens (can't unload) if I use @REGQUERY (instead of @REGEXIST) on the loaded key.
HANDLE64 shows only PID 4 (system) for NTUSER.DAT.
Process Explorer show the same.

HANDLE64 -p %_pid show a few handles for TCC but none of them refers to NTUSER.DAT.

%@FILELOCK[R:\NTUSER.DAT] gives two PID's , 4 (System) and 120 (Registry).

So there is not a handle for me to close NTUSER.DAT.
The handle is to the mounted registry key. In my case that was HKLM\test\.

Thanks, The focus was on NTUSER.DAT, so i missed the registry key entry handle.

Why does TCC not close the (offline) registry key handler as for the online registry?

Similar threads