Registry Callback Tests

This automated test exercises basic test cases for a registry filter driver.

Test details

   
Specifications
  • Filter.Driver.FileSystem.MiniFilter
  • Filter.Driver.FileSystem.RegistryAndProcess
  • Filter.Driver.AntiVirus.RegistryAndProcess
  • Filter.Driver.AntiVirus.MiniFilter
Platforms
  • Windows 10, client editions (x86)
  • Windows 10, client editions (x64)
  • Windows Server 2016 (x64)
Supported Releases
  • Windows 10
  • Windows 10, version 1511
  • Windows 10, version 1607
  • Windows 10, version 1703
  • Windows 10, version 1709
  • Windows 10, version 1803
  • Windows 10, version 1809
  • Windows 10, version 1903
  • Next update to Windows 10
Expected run time (in minutes) 30
Category Development
Timeout (in minutes) 1800
Requires reboot false
Requires special configuration false
Type automatic

 

Additional documentation

Tests in this feature area might have additional documentation, including prerequisites, setup, and troubleshooting information, that can be found in the following topic(s):

Running the test

Before you run the test, complete the test setup as described in the test requirements: File System Testing Prerequisites.

Troubleshooting

For generic troubleshooting of HLK test failures, see Troubleshooting Windows HLK Test Failures.

For troubleshooting information, see Troubleshooting File System Testing.

All test cases return Pass or Fail. To review test details, review the test log from Windows Hardware Lab Kit (Windows HLK) Studio. For test failures, search for the term "+sev" in the log.

More information

This test includes the following test cases:

  • Altitude Conflict

  • CreateKey Block

  • CreateKey Bypass

  • CreateKey Override Access Denied

  • CreateKey Override Block

  • SetKeySecurity Bypass

  • Transacted CreateKey Bypass

  • Transacted CreateKey Bypass (No Commit)

  • Unregister Close Race

  • Save Restore Replace

To manually run each test case, use the following procedures.

To manually run the Altitude Conflict test case

  1. Register a callback at altitude 1000.

  2. Register another callback at the same altitude, and then verify that it fails.

  3. CreateKey the Monitor test.

  4. Register three of the same callbacks at altitudes 1000, 2000, and 3000. Set all three callbacks to "monitor" mode. This means that the callback will do nothing but return STATUS_SUCCESS.

  5. Create a key, and then verify that it succeeds.

  6. Unregister the callbacks.

  7. Verify that each callback was invoked appropriately based on its altitude.

To manually run the CreateKey Block test case

  1. Register three of the same callbacks at altitudes 1000, 2000, and 3000.

  2. Set callbacks 1000 and 3000 to "monitor" mode. This means that the callback will do nothing but return STATUS_SUCCESS.

  3. Set callback 2000 to "block" mode. This means that the callback will return an error status.

  4. Create a key, and then verify that it fails.

  5. Unregister the callbacks.

  6. Verify that each callback was invoked appropriately based on its altitude.

To manually run the CreateKey Bypass test case

  1. Register three of the same callbacks at altitudes 1000, 2000, and 3000.

  2. Set callbacks 1000 and 3000 to "monitor" mode. This means that the callback will do nothing but return STATUS_SUCCESS.

  3. Set callback 2000 to "bypass" mode. This means that the callback will return STATUS_CALLBACK_BYPASS and perform the operation on behalf of the registry.

  4. Create a key, and then verify that it succeeds.

  5. Unregister the callbacks.

  6. Verify that each callback was invoked appropriately based on its altitude.

To manually run the CreateKey Override Access Denied test case

  1. Create a key K1, and then set its discretionary access control list (DACL) to give read-only access.

  2. Create a key under K1. This should fail because of the read-only DACL.

  3. Register three of the same callbacks at altitudes 1000, 2000, and 3000.

  4. Set callbacks 1000 and 3000 to "monitor" mode. This means that the callback will do nothing but return STATUS_SUCCESS.

  5. Set callback 2000 to "access denied bypass" mode. This means that the callback will perform the operation from user mode, not be blocked by the read-only DACL, and return STATUS_CALLBACK_BYPASS.

  6. Create a key under K1, and then verify that it succeeds.

  7. Unregister the callbacks.

  8. Verify that each callback was invoked appropriately based on its altitude.

To manually run the CreateKey Override Block test case

  1. Register four of the same callbacks at altitudes 1000, 2000, 3000, and 4000.

  2. Set callbacks 1000 and 4000 to "monitor" mode. This means that the callback will do nothing but return STATUS_SUCCESS.

  3. Set callback 2000 to "block" mode. This means that the callback will return STATUS_UNSUCCESSFUL.

  4. Set callback 3000 to "override failure" mode. This means that if the callback identifies STATUS_UNSUCCESSFUL in the post-operation callback, it will still perform the operation and return success.

  5. Create a key, and then verify that it succeeds.

  6. Unregister the callbacks.

  7. Verify that each callback was invoked appropriately based on its altitude.
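The CreateKey Block, CreateKey Bypass and CreateKey Override Block procedures above all end with a check of which callbacks were invoked. The following user-mode model is an added example, not RegCbTest code, that shows what that check looks for. It assumes that pre-notifications run from the highest altitude down, that a callback which blocks or bypasses stops the chain, and that only the layers above it then receive a post-notification. All names in it are hypothetical.

```c
#include <stdio.h>

/* Simplified user-mode model; the names below are hypothetical, not RegCbTest code. */
enum mode { MONITOR, BLOCK, BYPASS, OVERRIDE };
enum { OK = 0, FAILED = -1, COLLISION = -2 };  /* stand-ins for NTSTATUS values */

struct cb { int altitude; enum mode mode; int pre, post; };
struct stack { struct cb cbs[8]; int n; };

/* Keep the stack sorted by descending altitude; reject a duplicate altitude. */
int reg(struct stack *s, int altitude, enum mode m) {
    int i = 0, j;
    while (i < s->n && s->cbs[i].altitude > altitude) i++;
    if (i < s->n && s->cbs[i].altitude == altitude) return COLLISION;
    if (s->n == 8) return FAILED;
    for (j = s->n; j > i; j--) s->cbs[j] = s->cbs[j - 1];
    s->cbs[i] = (struct cb){ altitude, m, 0, 0 };
    s->n++;
    return OK;
}

/* Dispatch one CreateKey and return the status the caller would see. */
int create_key(struct stack *s) {
    int status = OK, stop = s->n, i;
    for (i = 0; i < s->n; i++) {               /* pre-notification, highest first */
        s->cbs[i].pre++;
        if (s->cbs[i].mode == BLOCK)  { status = FAILED; stop = i; break; }
        if (s->cbs[i].mode == BYPASS) { status = OK; stop = i; break; }
    }
    /* stop == s->n: no filter intervened, the registry performs the operation. */
    for (i = stop - 1; i >= 0; i--) {          /* post-notification, layers above stop */
        s->cbs[i].post++;
        if (s->cbs[i].mode == OVERRIDE && status != OK) status = OK;
    }
    return status;
}

int main(void) {
    struct stack s = {0};                      /* CreateKey Override Block layout */
    reg(&s, 1000, MONITOR); reg(&s, 2000, BLOCK);
    reg(&s, 3000, OVERRIDE); reg(&s, 4000, MONITOR);
    printf("status=%d\n", create_key(&s));
    for (int i = 0; i < s.n; i++)
        printf("%d pre=%d post=%d\n", s.cbs[i].altitude, s.cbs[i].pre, s.cbs[i].post);
    return 0;
}
```

Under these assumptions the callback at altitude 1000 is never invoked in the block and override layouts, which is the kind of per-altitude difference the final verification step checks for.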

To manually run the SetKeySecurity Bypass test case

  1. Register three of the same callbacks at altitudes 1000, 2000, and 3000.

  2. Set callbacks 1000 and 3000 to "monitor" mode. This means that the callback will do nothing but return STATUS_SUCCESS.

  3. Set callback 2000 to "bypass" mode. This means that the callback will return STATUS_CALLBACK_BYPASS and perform the operation on behalf of the registry.

  4. Call RegSetKeySecurity to set the security descriptor of a key, and then verify that it succeeds.

  5. Unregister the callbacks.

  6. Verify that each callback was invoked appropriately based on its altitude.

To manually run the Transacted CreateKey Bypass test case

  1. Create a transaction T1.

  2. Create a key in the context of transaction T1.

  3. Verify that the key creation succeeds, and then delete the key.

  4. Register three of the same callbacks at altitudes 1000, 2000, and 3000.

  5. Set callbacks 1000 and 3000 to "monitor" mode. This means that the callback will do nothing but return STATUS_SUCCESS.

  6. Set callback 2000 to "bypass" mode. This means that the callback will return STATUS_CALLBACK_BYPASS and perform the operation on behalf of the registry.

  7. Create a key in the context of transaction T1, and then verify that it succeeds.

  8. Commit the transaction.

  9. Unregister the callbacks.

To manually run the Transacted CreateKey Bypass (No Commit) test case

  • Complete the same steps as in the Transacted CreateKey Bypass test case, but do not commit the transaction at the end.

To manually run the Unregister Close Race test case

  1. Start a thread that opens a test key and then closes the handle, in a loop.

  2. In the original thread, register and unregister a callback 100 times.

  3. Signal the other thread to exit.

To manually run the Save Restore Replace test case

  1. Create a key under the software hive.

  2. Register a callback at altitude 1000 and set it to "monitor" mode. This means that the callback will do nothing but return STATUS_SUCCESS.

  3. Call RegSaveKey on the created key, and then verify that it succeeds.

  4. Call RegRestoreKey on the created key by using the hive file that RegSaveKey created, and then verify that it succeeds.

  5. Make a copy of the hive file.

  6. Load the original hive file under HKEY_LOCAL_MACHINE, and then verify that it succeeds.

  7. Call RegReplaceKey by using the copy of the hive file. This should fail with a sharing violation, but it will still trigger the callbacks for this operation.

  8. Unregister the callback, and then verify that it was invoked appropriately.

Command syntax

Command option             Description
RegCbTestctrl.exe -regr    Runs the test.

Note

   For command-line help for this test binary, type /h.

 

File list

File                 Location
RegCbTestCtrl.exe    [WTT\TestBinRoot]\NTTEST\BASETEST\kernel\cm
RegCbTest.sys        [WTT\TestBinRoot]\NTTEST\BASETEST\kernel\cm
Ntlog.dll

 

Parameters

Parameter name Parameter description
LLU_LclAdminUser LLU for Execute
LLU_NetAccessOnly LLU for copy