
@regexist function does not unload (offline) registry with loaded hives

Dec
20
2
After using the @regexist function with an offline registry, the loaded registry can't be unloaded.
We get an access denied message.

Tested:
type regexist_loaded_hives.bat

Code:
setlocal
unalias *
echo TCCver=%@VerInfo[%_cmdspec,FileVersion]  OSbuild=%_OSBuildEx

rem Same key twice: in the live user hive, and in the hive file loaded under HKLM\hiveHKCU
set msRegHKCU=HKCU\Software\Microsoft\Clipboard
set msRegLoadedHKCU=HKLM\HiveHKCU\Software\Microsoft\Clipboard
set HKCUFile=R:\NTUSER.DAT

echo.
rem Query only the online key; unloading the (untouched) loaded hive works
reg load HKLM\hiveHKCU %HKCUFile>nul
echo Online registry key exist = %@regexist[%msRegHKCU]
reg unload HKLM\hiveHKCU>nul & echo 1.unload returnCode=%?
reg load HKLM\hiveHKCU %HKCUFile>nul & echo load returnCode=%?

echo.
rem Query the key inside the loaded hive; the unload that follows fails
echo offline Registry Key Loaded Hive Exist = %@regexist[%msRegLoadedHKCU]
reg unload HKLM\hiveHKCU>nul & echo 2.unload returnCode=%?


Result:
Code:
TCCver=28.02.18  OSbuild=22000.556

Online registry key exist = 1
1.unload returnCode=0
load returnCode=0

offline Registry Key Loaded Hive Exist = 1
ERROR: Access is denied.
2.unload returnCode=1

Maybe it's a Windows issue or something is wrong with this batch file.
Terminating TCC unloads the registry.
 
HANDLE64.EXE (sysinternals) shows that, after using @REGEXIST, TCC has an open handle to the loaded registry key. After closing that handle with an elevated HANDLE64, the key can be unloaded while TCC is still running.

Note that the same thing happens (can't unload) if I use @REGQUERY (instead of @REGEXIST) on the loaded key.
 
HANDLE64 shows only PID 4 (System) for NTUSER.DAT.
Process Explorer shows the same.

HANDLE64 -p %_pid shows a few handles for TCC, but none of them refers to NTUSER.DAT.

%@FILELOCK[R:\NTUSER.DAT] gives two PIDs, 4 (System) and 120 (Registry).

So there is no handle for me to close for NTUSER.DAT.
 
The handle is to the mounted registry key. In my case that was HKLM\test\.

 
Thanks. The focus was on NTUSER.DAT, so I missed the registry key entry handle.

Why does TCC not close the (offline) registry key handle as for the online registry?
 
Why does TCC not close the (offline) registry key handle as for the online registry?
I think it's just an oversight. It doesn't close online ones either (but that doesn't matter much).
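Added example, not code from the thread or from TCC: a PowerShell script that reproduces the behaviour discussed above (an open handle on a key inside the loaded hive makes reg unload fail with "Access is denied") and shows the fix, closing the handle before unloading. It assumes an elevated session; R:\NTUSER.DAT is the thread's placeholder path for a hive file that is not in use, and HKLM\hiveHKCU is the thread's mount point.

```powershell
# Added example (not from the thread): show that an open handle on the loaded hive
# blocks `reg unload`, and that closing the handle is what releases it.
# Assumptions: elevated session; $HivePath is a placeholder for an NTUSER.DAT copy
# that is not in use (same placeholder as the thread); mount point as in the thread.
param(
    [string]$HivePath  = 'R:\NTUSER.DAT',
    [string]$MountName = 'hiveHKCU'          # hive is mounted as HKLM\hiveHKCU
)

function Mount-Hive {
    reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }
}

function Unmount-Hive {
    # Returns reg.exe's exit code: 0 = unloaded, 1 = "Access is denied" (key still open)
    reg.exe unload "HKLM\$MountName" 2>&1 | Out-Null
    return $LASTEXITCODE
}

Mount-Hive
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Default')

# 1) Open the root of the mounted hive and "forget" to close it, as @regexist does.
#    Any handle into the hive (root or subkey) is enough to block the unload.
$leaked = $hklm.OpenSubKey($MountName)
"Key exists: $($null -ne $leaked)"
"Unload with key still open -> exit code $(Unmount-Hive)"   # 1: access denied

# 2) Close the handle; the unload now succeeds while this process keeps running,
#    which is what closing the handle with HANDLE64 did in the thread.
$leaked.Dispose()
"Unload after Dispose()     -> exit code $(Unmount-Hive)"   # 0

# 3) The safe pattern: scope the handle so it is always closed, even on error.
Mount-Hive
try {
    $k = $hklm.OpenSubKey($MountName)
    "Key exists (scoped): $($null -ne $k)"
}
finally {
    if ($k) { $k.Dispose() }
    "Unload after scoped open   -> exit code $(Unmount-Hive)"   # 0
}
$hklm.Dispose()
```

Run it as a .ps1 from an elevated PowerShell; the three exit codes printed (1, 0, 0) correspond to the failed and successful unloads seen in the thread's result block.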
 
