Mysterious, Native “A” Registry Key with Path: Reg

Posted 2020-07-09 08:22

I recently wrote a native NT registry editor for Windows, and ran it on Windows 7. To my surprise, in addition to the two standard root keys, MACHINE and USER, that are present on Windows XP, there was also a mysterious key named "A", that cannot be opened in any way, whether by permission changes or backup privileges or otherwise:

[Image: Snapshot]

Does anyone know what this key is for? I don't believe it's for any software, because it was there before I installed anything on the machine, and I believe I saw it on another fresh installation as well. It's rather very suspicious, and I'm curious as to why it's there. (If I'm curious enough, I might end up writing a driver to open it up without a privilege check, to see what happens!)

(I wasn't sure whether to put this on SuperUser or StackOverflow, since I think it could go in either one. I could be wrong, though; sorry if this isn't the appropriate place.)

Edit:

I forgot to say, I don't believe you can even see this key using the Win32 API, like RegOpenKey -- you have to use the native API like NtEnumerateKey instead.
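An added example, not part of the original post: listing the subkeys of the native `\Registry` root through `NtOpenKey` and `NtEnumerateKey`, the native calls the question refers to, from PowerShell on Windows. The class name `NtReg`, the method `SubKeys` and the fixed 1024-byte buffer are assumptions made for this sketch.

```powershell
$src = @'
using System; using System.Collections.Generic; using System.Runtime.InteropServices;
public static class NtReg {   // hypothetical helper class, not from the post
    [StructLayout(LayoutKind.Sequential)]
    struct UNICODE_STRING { public ushort Length, MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    struct OBJECT_ATTRIBUTES {
        public int Length; public IntPtr RootDirectory, ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor, SecurityQoS;
    }
    [DllImport("ntdll.dll")] static extern int NtOpenKey(out IntPtr key, uint access, ref OBJECT_ATTRIBUTES oa);
    [DllImport("ntdll.dll")] static extern int NtEnumerateKey(IntPtr key, uint index, int infoClass, IntPtr buf, int len, out int needed);
    [DllImport("ntdll.dll")] static extern int NtClose(IntPtr handle);
    const int BufSize = 1024;                               // assumed large enough for a key name
    const int NoMoreEntries = unchecked((int)0x8000001A);   // STATUS_NO_MORE_ENTRIES

    public static string[] SubKeys(string ntPath) {
        var names = new List<string>();
        IntPtr str = Marshal.StringToHGlobalUni(ntPath);
        IntPtr us  = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(UNICODE_STRING)));
        IntPtr buf = Marshal.AllocHGlobal(BufSize);
        IntPtr key = IntPtr.Zero;
        try {
            var u = new UNICODE_STRING { Length = (ushort)(ntPath.Length * 2),
                MaximumLength = (ushort)(ntPath.Length * 2 + 2), Buffer = str };
            Marshal.StructureToPtr(u, us, false);
            var oa = new OBJECT_ATTRIBUTES { Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES)),
                ObjectName = us, Attributes = 0x40 };       // OBJ_CASE_INSENSITIVE
            int st = NtOpenKey(out key, 0x0008, ref oa);    // KEY_ENUMERATE_SUB_KEYS
            if (st != 0) throw new InvalidOperationException("NtOpenKey: 0x" + st.ToString("X8"));
            int needed;
            // Information class 0 = KeyBasicInformation: NameLength at offset 12, Name at offset 16.
            for (uint i = 0; (st = NtEnumerateKey(key, i, 0, buf, BufSize, out needed)) == 0; i++) {
                int bytes = Marshal.ReadInt32(buf, 12);
                names.Add(Marshal.PtrToStringUni(new IntPtr(buf.ToInt64() + 16), bytes / 2));
            }
            if (st != NoMoreEntries) throw new InvalidOperationException("NtEnumerateKey: 0x" + st.ToString("X8"));
        } finally {
            if (key != IntPtr.Zero) NtClose(key);
            Marshal.FreeHGlobal(buf); Marshal.FreeHGlobal(us); Marshal.FreeHGlobal(str);
        }
        return names.ToArray();
    }
}
'@
Add-Type -TypeDefinition $src
[NtReg]::SubKeys('\Registry')   # names directly under the native registry root
```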

2 answers
老娘就宠你
#2 · 2020-07-09 08:51

Interesting...

The key indeed can be opened with a relative path, but not with an absolute path.

And it seems to contain information about all file systems and whatnot. Looks mysterious, indeed...

【Aperson】
#3 · 2020-07-09 08:59

Here is the comment from one of our driver writers: "DISCACHE.sys driver seems to be caching system file attributes and using \REGISTRY\A in an undocumented way. This driver is part of the kernel so it can load any hive wherever it wants."
