viewer9 documentation

RegRenameKey PML Operation

On Windows XP, renaming a key with RegEdit yields RegDeleteKey and RegCreateKey events, instead of a RegRenameKey.

Example from 64-bit PML

Hover over field values such as Time, ResultCode, and the bytes of evdata in this example to see the tooltips as viewer9 shows them. The tooltip on the first byte of a colored patch gives the name of the field that patch belongs to.

RegRenameKey opcode=2,14

ev=0 modify=1

Time:2020-12-31 18:03:54.9174416
Duration:0.0009162
ResultCode:SUCCESS
Tid:19720
Path:HKCU\Software\RegRenamKeyTest\oldkey1
NewName:oldkey1_rename1

evdata[0-72] file offset 1148

 0  25 80 0f 00 48 4b 43 55  %...HKCU
 8  5c 53 6f 66 74 77 61 72  \Softwar
16  65 5c 52 65 67 52 65 6e  e\RegRen
24  61 6d 4b 65 79 54 65 73  amKeyTes
32  74 5c 6f 6c 64 6b 65 79  t\oldkey
40  31 6f 00 6c 00 64 00 6b  1o.l.d.k
48  00 65 00 79 00 31 00 5f  .e.y.1._
56  00 72 00 65 00 6e 00 61  .r.e.n.a
64  00 6d 00 65 00 31 00 47  .m.e.1.G
72  00                       .
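The dump above can be decoded by hand: the first two 16-bit words are per-string headers, and the two strings follow back to back. The following parser is an added example, not viewer9's code; it assumes a layout inferred from this one dump, namely that each header word carries the character count in its low 15 bits and marks an ASCII string with bit 15 (0x8025 = 37 ASCII characters for Path, 0x000F = 15 UTF-16LE characters for NewName). The two bytes that remain after NewName (47 00) are returned unparsed rather than given a meaning the page does not state. The sample bytes are transcribed from the dump above.

```python
import struct

# Constructed sample: the 73 evdata bytes shown in the dump above, transcribed by hand.
EVDATA = bytes.fromhex(
    "25800f00484b4355"  # header words 0x8025, 0x000f, then "HKCU"
    "5c536f6674776172"
    "655c52656752656e"
    "616d4b6579546573"
    "745c6f6c646b6579"
    "316f006c0064006b"  # '1' ends the ASCII path; UTF-16 NewName starts at offset 41
    "006500790031005f"
    "00720065006e0061"
    "006d006500310047"
    "00"
)

ASCII_FLAG = 0x8000  # assumption: bit 15 of the header word means "ASCII, one byte per char"
COUNT_MASK = 0x7FFF


def read_string_info(evdata, offset):
    """Read one 16-bit header word and return (char_count, is_ascii)."""
    if offset + 2 > len(evdata):
        raise ValueError("evdata too short for string header at offset %d" % offset)
    (word,) = struct.unpack_from("<H", evdata, offset)
    return word & COUNT_MASK, bool(word & ASCII_FLAG)


def read_string(evdata, offset, char_count, is_ascii):
    """Decode char_count characters starting at offset; return (text, next_offset)."""
    width = 1 if is_ascii else 2
    end = offset + char_count * width
    if end > len(evdata):
        raise ValueError("string of %d chars at offset %d runs past end of evdata"
                         % (char_count, offset))
    raw = evdata[offset:end]
    text = raw.decode("ascii") if is_ascii else raw.decode("utf-16-le")
    return text, end


def parse_reg_rename_key(evdata):
    """Decode RegRenameKey evdata into the fields viewer9 displays, plus the renamed path.

    Path and NewName mirror the dump; NewPath joins the parent of Path with NewName,
    which is the key name an analyst would look for after the rename. Consumed is the
    number of bytes accounted for; Trailing is whatever follows (unparsed).
    """
    path_count, path_ascii = read_string_info(evdata, 0)
    new_count, new_ascii = read_string_info(evdata, 2)
    offset = 4
    path, offset = read_string(evdata, offset, path_count, path_ascii)
    new_name, offset = read_string(evdata, offset, new_count, new_ascii)
    parent = path.rsplit("\\", 1)[0] if "\\" in path else ""
    new_path = parent + "\\" + new_name if parent else new_name
    return {
        "Path": path,
        "NewName": new_name,
        "NewPath": new_path,
        "Consumed": offset,
        "Trailing": evdata[offset:],
    }


if __name__ == "__main__":
    for key, value in parse_reg_rename_key(EVDATA).items():
        print("%-9s %r" % (key + ":", value))
```

Run as a script, the parser prints the same Path and NewName values that appear in the field list above and the reconstructed full name of the key after the rename. Both string readers check their bounds against the buffer length, so a truncated or malformed evdata record raises a ValueError instead of silently producing a shortened path.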

Call Stack stacksize=20

StackAddress        mod  ModName                   ModPath
0xfffff800037faf00  49   ntoskrnl.exe + 0x3e2f00   C:\windows\system32\ntoskrnl.exe
0xfffff800038c42ef  49   ntoskrnl.exe + 0x4ac2ef   C:\windows\system32\ntoskrnl.exe
0xfffff800034b9bd3  49   ntoskrnl.exe + 0xa1bd3    C:\windows\system32\ntoskrnl.exe
0x7713ac6a          4    ntdll.dll + 0x6ac6a       C:\Windows\System32\ntdll.dll
0x7fefdc540f3       37   ADVAPI32.dll + 0x440f3    C:\Windows\System32\advapi32.dll
0xff95bc9d          236  regedit.exe + 0xbc9d      C:\windows\regedit.exe
0xff95409d          236  regedit.exe + 0x409d      C:\windows\regedit.exe
0xff95270d          236  regedit.exe + 0x270d      C:\windows\regedit.exe
0x76fe9bbd          3    USER32.dll + 0x19bbd      C:\Windows\System32\user32.dll
0x76fe6a5c          3    USER32.dll + 0x16a5c      C:\Windows\System32\user32.dll
0x76fe6b61          3    USER32.dll + 0x16b61      C:\Windows\System32\user32.dll
0x7fefb049845       247  COMCTL32.dll + 0x29845    C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\COMCTL32.dll
0x7fefb0b9a4e       247  COMCTL32.dll + 0x99a4e    C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\COMCTL32.dll
0x7fefb0b963f       247  COMCTL32.dll + 0x9963f    C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\COMCTL32.dll
0x76fe9bbd          3    USER32.dll + 0x19bbd      C:\Windows\System32\user32.dll
0x76fe98c2          3    USER32.dll + 0x198c2      C:\Windows\System32\user32.dll
0xff9512c2          236  regedit.exe + 0x12c2      C:\windows\regedit.exe
0xff9516e8          236  regedit.exe + 0x16e8      C:\windows\regedit.exe
0x76ec570d          2    kernel32.dll + 0x1570d    C:\Windows\System32\kernel32.dll
0x7712385d          4    ntdll.dll + 0x5385d       C:\Windows\System32\ntdll.dll

Procmon displays the NewName field as "New Name".

See also

Posted 4 Jul 2022, last updated 15 Nov 2022

As viewer9 is just starting out, discussion is invited via email. Please send questions and comments to forum@viewer9.com directly. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.

Copyright 2022, bryantlite, Inc.