RegQueryValue PML Operation
BufferSize is a 32-bit integer giving the size of the buffer the caller provided, not the size needed. Procmon shows it as "Length", except on SUCCESS, when Procmon's "Length" is instead the number of bytes of evdata rather than the buffer size. After a ResultCode of BUFFER TOO SMALL or BUFFER OVERFLOW (both indicate an insufficient buffer size, not a memory overflow), there is often a repeat event with the same Path but a larger BufferSize.
QueryValType (not shown in Procmon) is 0, 1, or 2 to indicate the format of evresults returned on ResultCode SUCCESS. The following are the evresults fields:
Name is provided when QueryValType is 1 unless it is the default value without a name. For QueryValType 0 the first two characters of Name are provided (not shown in Procmon), and the full byte length of the wide string Name is the 32-bit integer at evresults[8] (see PML Binary Data and Results Offsets).
RegType ("Type" in Procmon) is an enumerated code such as REG_SZ, and it is provided whether QueryValType is 0, 1 or 2.
Length is the number of bytes of RegData that appears when QueryValType is 1 or 2 ("Length" in Procmon as well on SUCCESS, but otherwise in Procmon "Length" is buffer size, see above). Note that if RegType is one of the SZ string types, the RegData is interpreted as wide, meaning each char is generally 2 bytes, and there is a 2 byte null terminator, so the typical Length of RegType REG_SZ RegData "A" would be 4.
RegData ("Data" in Procmon) is converted for display according to RegType. Normally a PML only includes up to 16 bytes for RegType REG_BINARY/REG_NONE and up to 2KB for other types. But the Length will still indicate the full size even if RegData is incomplete.
Note that Procmon can show junk on the end of the Data it displays (see Procmon Bug: Garbage in Registry Data).
Example from 64-bit PML
RegQueryValue opcode=2,5
ev=86 regread=4 B
Time: 2022-05-17 16:06:20.1793899
Duration: 0.0000084
ResultCode: SUCCESS
Tid: 3024
Path: HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\ThrottleDrege
BufferSize: 144
QueryValType: 2
RegType: REG_DWORD
Length: 4
RegData: 1
evdata[0-61] file offset 18153
0 | 30 80 00 00 90 00 00 00 | 0....... |
8 | 02 00 00 00 48 4b 4c 4d | ....HKLM |
16 | 5c 53 4f 46 54 57 41 52 | \SOFTWAR |
24 | 45 5c 4d 69 63 72 6f 73 | E\Micros |
32 | 6f 66 74 5c 57 42 45 4d | oft\WBEM |
40 | 5c 43 49 4d 4f 4d 5c 54 | \CIMOM\T |
48 | 68 72 6f 74 74 6c 65 44 | hrottleD |
56 | 72 65 67 65 00 00 | rege.. |
evresults[0-15] file offset 18217
0 | 00 00 00 00 04 00 00 00 | ........ |
8 | 04 00 00 00 01 00 00 00 | ........ |
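To show how the evresults fields described above decode in practice, here is an added Python example (not viewer9's code) that parses the evresults block of a QueryValType 2 SUCCESS event, renders RegData by RegType, and flags when the PML holds fewer RegData bytes than Length says exist. The offsets it uses (RegType at evresults[4], Length at evresults[8], RegData from evresults[12]) are an assumption read off the dump above, not stated by the page; the REG_* codes are the standard winnt.h values.

```python
import struct
from dataclasses import dataclass
from typing import Union

# Standard Windows registry value type codes (winnt.h).
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_QWORD = 0, 1, 2, 3, 4, 11
REG_TYPE_NAMES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
                  4: "REG_DWORD", 11: "REG_QWORD"}

@dataclass
class RegQueryValueResult:
    reg_type: int
    length: int       # full value size in bytes, even when RegData was cut short in the PML
    reg_data: bytes   # the bytes actually present in the PML
    value: Union[int, str, bytes, None]
    truncated: bool   # True when the PML holds fewer RegData bytes than Length

    def reg_type_name(self) -> str:
        return REG_TYPE_NAMES.get(self.reg_type, f"REG_TYPE_{self.reg_type}")

def decode_reg_data(reg_type: int, reg_data: bytes, truncated: bool):
    """Render RegData the way the Data column does, according to RegType."""
    if truncated and reg_type not in (REG_BINARY, REG_NONE):
        return None  # a partial string or number must not be shown as if it were complete
    if reg_type == REG_DWORD and len(reg_data) == 4:
        return struct.unpack("<I", reg_data)[0]
    if reg_type == REG_QWORD and len(reg_data) == 8:
        return struct.unpack("<Q", reg_data)[0]
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        # wide string with a 2-byte null terminator, so "A" arrives as 41 00 00 00 (Length 4)
        return reg_data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return reg_data  # REG_BINARY / REG_NONE / unknown: raw bytes, possibly only the first 16

def parse_evresults(evresults: bytes, query_val_type: int) -> RegQueryValueResult:
    """Decode evresults of a SUCCESS RegQueryValue event with QueryValType 2.
    Assumed offsets (inferred from the dump on this page): RegType at [4],
    Length at [8], RegData starting at [12]. Types 0 and 1 carry a Name and are not handled."""
    if query_val_type != 2:
        raise ValueError("this parser only handles QueryValType 2 layouts")
    if len(evresults) < 12:
        raise ValueError("evresults too short for RegType and Length")
    reg_type, length = struct.unpack_from("<II", evresults, 4)
    reg_data = evresults[12:12 + length]
    truncated = len(reg_data) < length
    return RegQueryValueResult(reg_type, length, reg_data,
                               decode_reg_data(reg_type, reg_data, truncated), truncated)

# evresults[0-15] copied from the page's example: REG_DWORD, Length 4, RegData 1.
EXAMPLE_EVRESULTS = bytes.fromhex("00000000040000000400000001000000")
```

When a parsed result has truncated set, treat the displayed Data as a prefix only and use Length for the real size, which is the same caveat the text gives for RegData in the PML.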
Call Stack stacksize=16
StackAddress | mod | ModName | ModPath |
---|---|---|---|
0xfffff80002c2e470 | 161 | ntoskrnl.exe + 0x3e0470 | C:\Windows\system32\ntoskrnl.exe |
0xfffff80002bcf993 | 161 | ntoskrnl.exe + 0x381993 | C:\Windows\system32\ntoskrnl.exe |
0xfffff800028eff53 | 161 | ntoskrnl.exe + 0xa1f53 | C:\Windows\system32\ntoskrnl.exe |
0x77c8991a | 2 | ntdll.dll + 0x6991a | C:\Windows\SYSTEM32\ntdll.dll |
0x77a1398c | 0 | kernel32.dll + 0x1398c | C:\Windows\system32\kernel32.dll |
0x77a13b92 | 0 | kernel32.dll + 0x13b92 | C:\Windows\system32\kernel32.dll |
0x7fef8d839ad | 10 | wbemcomn.dll + 0x439ad | C:\Windows\system32\wbemcomn.dll |
0x7fef8d513dc | 10 | wbemcomn.dll + 0x113dc | C:\Windows\system32\wbemcomn.dll |
0xff95e635 | 707 | WMIADAP.EXE + 0xe635 | C:\Windows\system32\wbem\WMIADAP.EXE |
0xff95be9d | 707 | WMIADAP.EXE + 0xbe9d | C:\Windows\system32\wbem\WMIADAP.EXE |
0xff95bc2f | 707 | WMIADAP.EXE + 0xbc2f | C:\Windows\system32\wbem\WMIADAP.EXE |
0xff95a1d9 | 707 | WMIADAP.EXE + 0xa1d9 | C:\Windows\system32\wbem\WMIADAP.EXE |
0xff958cee | 707 | WMIADAP.EXE + 0x8cee | C:\Windows\system32\wbem\WMIADAP.EXE |
0xff969eca | 707 | WMIADAP.EXE + 0x19eca | C:\Windows\system32\wbem\WMIADAP.EXE |
0x77a1556d | 0 | kernel32.dll + 0x1556d | C:\Windows\system32\kernel32.dll |
0x77c7372d | 2 | ntdll.dll + 0x5372d | C:\Windows\SYSTEM32\ntdll.dll |
Posted 4 Jul 2022, last updated 15 Nov 2022.
As viewer9 is just starting out, discussion is invited via email. Please send questions and comments to forum@viewer9.com directly. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.
Copyright 2022, bryantlite, Inc.