Hi,
In order to be able to write or delete some registry keys/values at the last minute, I need to detect a shutdown or reboot of Windows.
Keys must not be modified if there is only a logoff!
Currently I'm relying on a very simple method which isn't failsafe at all:
By using xbootmgr I figured out a process which is being terminated on shutdown, but not on logoff.
This svchost.exe process is maintaining a handle to an ALPC port with a simple name. If this handle is closed, the port object is deleted and cannot be referenced anymore.
Hence, if I first succeed in referencing the port object and later fail, I can infer that the process must have exited in the meantime and Windows is being shut down (or rebooted).
But on Windows 7 SP1 this particular port object doesn't exist, so the registry is never being modified.
As you can see, this solution is terribly improper. Are there better ways to achieve my goal?
I would mostly appreciate solutions working by only polling or by synchronization.
Is there maybe any shutdown event being signaled which is accessible from kernel mode too?
So my system thread gets unblocked and can then modify the registry?
Maybe I can somehow listen to RPC messages?
Target systems are Windows 7 SP1 x64 and Windows 8.1 x64.
Best Regards
Microwave89
P.S. Intercepting IRP_MJ_SHUTDOWN / IRP_MJ_POWER isn't suitable, since if I try to write to the registry there, STATUS_TOO_LATE is issued.