Dr.Semu monitors registry operations to track registry key and value manipulations. All registry operations are redirected to a virtual registry to ensure safe analysis.

Key Operations

NtOpenKey

Opens an existing registry key.
Parameters:
  • KeyHandle (PHANDLE): Receives a handle to the registry key
  • DesiredAccess (ACCESS_MASK): Access rights for the key
  • ObjectAttributes (POBJECT_ATTRIBUTES): Attributes identifying the key
Logged Information:
  • Key path
  • Key handle (after successful operation)
  • Operation success status

NtOpenKeyEx

Extended version of NtOpenKey with additional options.
Parameters:
  • KeyHandle (PHANDLE): Receives a handle to the registry key
  • DesiredAccess (ACCESS_MASK): Access rights for the key
  • ObjectAttributes (POBJECT_ATTRIBUTES): Attributes identifying the key
  • OpenOptions (ULONG): Options for opening the key
Logged Information:
  • Key path
  • Key handle (after successful operation)
  • Operation success status

NtCreateKey

Creates a new registry key or opens an existing one.
Parameters:
  • KeyHandle (PHANDLE): Receives a handle to the registry key
  • DesiredAccess (ACCESS_MASK): Access rights for the key
  • ObjectAttributes (POBJECT_ATTRIBUTES): Attributes of the key to create
  • CreateOptions (ULONG): Options for creating the key
  • Disposition (PULONG): Receives whether a new key was created or an existing one was opened
Logged Information:
  • Key path
  • Key handle (after successful operation)
  • Operation success status

NtDeleteKey

Deletes a registry key.
Parameters:
  • KeyHandle (HANDLE): Handle to the key to delete

Value Operations

NtSetValueKey

Sets the data for a value entry in a registry key.
Parameters:
  • KeyHandle (HANDLE): Handle to the registry key
  • ValueName (PUNICODE_STRING): Name of the value to set
  • Type (ULONG): Type of data (REG_SZ, REG_DWORD, etc.)
  • Data (PVOID): Pointer to the data to set
  • DataSize (ULONG): Size of the data in bytes

NtQueryValueKey

Retrieves data for a value entry in a registry key.
Parameters:
  • KeyHandle (HANDLE): Handle to the registry key
  • ValueName (PUNICODE_STRING): Name of the value to query
  • KeyValueInformationClass (KEY_VALUE_INFORMATION_CLASS): Type of information to retrieve

NtDeleteValueKey

Deletes a value entry from a registry key.
Parameters:
  • KeyHandle (HANDLE): Handle to the registry key
  • ValueName (PUNICODE_STRING): Name of the value to delete

Enumeration Operations

NtEnumerateKey

Enumerates subkeys of a registry key.
Parameters:
  • KeyHandle (HANDLE): Handle to the registry key
  • Index (ULONG): Zero-based index of the subkey
  • KeyInformationClass (KEY_INFORMATION_CLASS): Type of information to return
Logged Information:
  • Key path
  • Operation success status

NtEnumerateValueKey

Enumerates value entries in a registry key.
Parameters:
  • KeyHandle (HANDLE): Handle to the registry key
  • Index (ULONG): Zero-based index of the value
  • KeyValueInformationClass (KEY_VALUE_INFORMATION_CLASS): Type of information to return

NtQueryKey

Retrieves information about a registry key.
Parameters:
  • KeyHandle (HANDLE): Handle to the registry key
  • KeyInformationClass (KEY_INFORMATION_CLASS): Type of information to retrieve
Logged Information:
  • Key path
  • Operation success status

Advanced Key Operations

NtQueryMultipleValueKey

Retrieves data for multiple value entries in a single call.
Parameters:
  • KeyHandle (HANDLE): Handle to the registry key
  • ValueEntries (PKEY_VALUE_ENTRY): Array of value entries to query
  • EntryCount (ULONG): Number of entries in the array

NtNotifyChangeKey

Monitors a registry key for changes.
Parameters:
  • KeyHandle (HANDLE): Handle to the registry key to monitor
  • Event (HANDLE): Event to signal when changes occur
  • CompletionFilter (ULONG): Types of changes to monitor
  • WatchTree (BOOLEAN): Whether to monitor the entire subtree

NtNotifyChangeMultipleKeys

Monitors multiple registry keys for changes.
Parameters:
  • MasterKeyHandle (HANDLE): Handle to the master key
  • SubordinateObjects (OBJECT_ATTRIBUTES[]): Array of subordinate keys to monitor
  • CompletionFilter (ULONG): Types of changes to monitor
Behavior: Returns STATUS_PENDING to avoid blocking analysis.

Transacted Registry Operations

NtCreateKeyTransacted

Creates a registry key as part of a transaction.
Parameters:
  • KeyHandle (PHANDLE): Receives a handle to the registry key
  • DesiredAccess (ACCESS_MASK): Access rights for the key
  • ObjectAttributes (POBJECT_ATTRIBUTES): Attributes of the key to create
  • TransactionHandle (HANDLE): Handle to the transaction

NtOpenKeyTransacted

Opens a registry key as part of a transaction.
Parameters:
  • KeyHandle (PHANDLE): Receives a handle to the registry key
  • DesiredAccess (ACCESS_MASK): Access rights for the key
  • ObjectAttributes (POBJECT_ATTRIBUTES): Attributes identifying the key
  • TransactionHandle (HANDLE): Handle to the transaction

NtOpenKeyTransactedEx

Extended version of NtOpenKeyTransacted.
Parameters:
  • KeyHandle (PHANDLE): Receives a handle to the registry key
  • DesiredAccess (ACCESS_MASK): Access rights for the key
  • ObjectAttributes (POBJECT_ATTRIBUTES): Attributes identifying the key
  • OpenOptions (ULONG): Options for opening the key
  • TransactionHandle (HANDLE): Handle to the transaction

Administrative Operations

NtFlushKey

Flushes registry changes to disk.
Parameters:
  • KeyHandle (HANDLE): Handle to the registry key to flush

NtCompactKeys

Compacts one or more registry keys.
Parameters:
  • Count (ULONG): Number of keys in the array
  • KeyArray (HANDLE[]): Array of key handles to compact
Access Control: Denied with STATUS_PRIVILEGE_NOT_HELD.

NtCompressKey

Compresses a registry key.
Parameters:
  • Key (HANDLE): Handle to the key to compress
Access Control: Denied with STATUS_PRIVILEGE_NOT_HELD.

NtFreezeRegistry

Freezes the registry to prevent modifications.
Parameters:
  • TimeOutInSeconds (ULONG): Timeout duration in seconds
Behavior: Returns STATUS_SUCCESS without actually freezing the registry.

NtInitializeRegistry

Initializes the registry.
Parameters:
  • BootCondition (USHORT): Boot condition flags
Access Control: Denied with STATUS_ACCESS_DENIED.
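The behaviour described in the Key, Value and Administrative sections, modelled end to end as an added example (constructed illustration code, not Dr.Semu's implementation): key and value calls are served from an in-memory tree instead of the live registry, every call is logged with key path, handle and NTSTATUS, NtCreateKey reports its Disposition, and a privileged hive operation such as NtLoadKey is refused with STATUS_PRIVILEGE_NOT_HELD. The NTSTATUS and disposition constants carry their documented values; the key-path normalization and handle numbering are assumptions.

```python
# Constructed, simplified model of a sandbox virtual registry: key and value
# operations hit an in-memory tree, each call is logged as (api, key path,
# handle, NTSTATUS), and hive-level operations are refused. Not Dr.Semu's code.
STATUS_SUCCESS, STATUS_OBJECT_NAME_NOT_FOUND, STATUS_PRIVILEGE_NOT_HELD = 0, 0xC0000034, 0xC0000061
REG_CREATED_NEW_KEY, REG_OPENED_EXISTING_KEY = 1, 2


class VirtualRegistry:
    def __init__(self):
        self.keys = {}      # normalized key path -> {value name: (type, data)}
        self.handles = {}   # handle value -> normalized key path
        self.log = []       # one (api, key path, handle, status) tuple per call
        self._next_handle = 0x100   # assumed numbering; real handles are kernel-assigned

    def _log(self, api, path, handle, status):
        self.log.append((api, path, handle, status))
        return status

    def _new_handle(self, path):
        handle, self._next_handle = self._next_handle, self._next_handle + 4
        self.handles[handle] = path
        return handle

    def NtCreateKey(self, path):
        """Create-or-open; the Disposition result says which one happened."""
        path = path.rstrip("\\").lower()
        disp = REG_OPENED_EXISTING_KEY if path in self.keys else REG_CREATED_NEW_KEY
        self.keys.setdefault(path, {})
        handle = self._new_handle(path)
        return self._log("NtCreateKey", path, handle, STATUS_SUCCESS), handle, disp

    def NtOpenKey(self, path):
        """Open only; a missing key fails, and the failure is logged as well."""
        path = path.rstrip("\\").lower()
        if path not in self.keys:
            return self._log("NtOpenKey", path, None, STATUS_OBJECT_NAME_NOT_FOUND), None
        handle = self._new_handle(path)
        return self._log("NtOpenKey", path, handle, STATUS_SUCCESS), handle

    def NtSetValueKey(self, handle, name, reg_type, data):
        self.keys[self.handles[handle]][name.lower()] = (reg_type, data)
        return self._log("NtSetValueKey", self.handles[handle], handle, STATUS_SUCCESS)

    def NtQueryValueKey(self, handle, name):
        entry = self.keys[self.handles[handle]].get(name.lower())
        status = STATUS_SUCCESS if entry else STATUS_OBJECT_NAME_NOT_FOUND
        return self._log("NtQueryValueKey", self.handles[handle], handle, status), entry

    def NtLoadKey(self, target_key, source_file):
        """Hive loading needs backup/restore privileges the sample never holds here."""
        return self._log("NtLoadKey", target_key.lower(), None, STATUS_PRIVILEGE_NOT_HELD)
```

The log is what an analyst reads afterwards: a create that returns REG_CREATED_NEW_KEY under a Run key, followed by NtSetValueKey, is the persistence pattern the per-call records make visible without the real registry ever being modified.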

Key Loading and Saving

NtLoadKey

Loads a registry hive from a file.
Parameters:
  • TargetKey (POBJECT_ATTRIBUTES): Target location in the registry
  • SourceFile (POBJECT_ATTRIBUTES): Path to the hive file
Access Control: Denied with STATUS_PRIVILEGE_NOT_HELD (requires SE_RESTORE_NAME and SE_BACKUP_NAME privileges).

NtLoadKey2

Extended version of NtLoadKey with flags.
Parameters:
  • TargetKey (POBJECT_ATTRIBUTES): Target location in the registry
  • SourceFile (POBJECT_ATTRIBUTES): Path to the hive file
  • Flags (ULONG): Load flags
Access Control: Denied with STATUS_PRIVILEGE_NOT_HELD.

NtLoadKeyEx

Fully extended version of NtLoadKey.
Parameters:
  • TargetKey (POBJECT_ATTRIBUTES): Target location in the registry
  • SourceFile (POBJECT_ATTRIBUTES): Path to the hive file
  • Flags (ULONG): Load flags
  • DesiredAccess (ACCESS_MASK): Desired access to the loaded hive
Access Control: Denied with STATUS_PRIVILEGE_NOT_HELD.

NtSaveKey

Saves a registry key to a file.
Parameters:
  • KeyHandle (HANDLE): Handle to the key to save
  • FileHandle (HANDLE): Handle to the destination file
Access Control: Denied with STATUS_PRIVILEGE_NOT_HELD (requires SE_BACKUP_NAME privilege).

NtSaveKeyEx

Extended version of NtSaveKey with format option.
Parameters:
  • KeyHandle (HANDLE): Handle to the key to save
  • FileHandle (HANDLE): Handle to the destination file
  • Format (ULONG): Save format
Access Control: Denied with STATUS_PRIVILEGE_NOT_HELD.

NtLockRegistryKey

Locks a registry key to prevent deletion.
Parameters:
  • KeyHandle (HANDLE): Handle to the key to lock
Access Control: Denied with STATUS_PRIVILEGE_NOT_HELD.

NtQueryOpenSubKeys

Queries the number of open subkeys.
Parameters:
  • TargetKey (POBJECT_ATTRIBUTES): Target key to query
  • HandleCount (PULONG): Receives the count of open handles

NtQueryOpenSubKeysEx

Extended version of NtQueryOpenSubKeys.
Parameters:
  • TargetKey (POBJECT_ATTRIBUTES): Target key to query
  • BufferLength (ULONG): Length of the output buffer
  • Buffer (PVOID): Buffer to receive information
  • RequiredSize (PULONG): Receives the required buffer size
