Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Mysterious, Native "A" Registry Key with Path: Registry\A

I recently wrote a native NT registry editor for Windows, and ran it on Windows 7. To my surprise, in addition to the two standard root keys, MACHINE and USER, that are present on Windows XP, there was also a mysterious key named "A", that cannot be opened in any way, whether by permission changes or backup privileges or otherwise:

Snapshot

Does anyone know what this key is for? I don't believe it's for any software, because it was there before I installed anything on the machine, and I believe I saw it on another fresh installation as well. It's rather very suspicious, and I'm curious as to why it's there. (If I'm curious enough, I might end up writing a driver to open it up without a privilege check, to see what happens!)

(I wasn't sure whether to put this on SuperUser or StackOverflow, since I think it could go in either one. I could be wrong, though; sorry if this isn't the appropriate place.)

Edit:

If forgot to say, I don't believe you can even see this key using the Win32 API, like RegOpenKey -- you have to use the native API like NtEnumerateKey instead.

like image 667
user541686 Avatar asked Jan 06 '11 02:01

user541686


2 Answers

Here is the comment from one of our driver writers: "DISCACHE.sys driver seems to be caching system file attributes and using \REGISTRY\A in an undocumented way. This driver is part of the kernel so it can load any hive wherever it wants."

like image 114
Luke Avatar answered Oct 10 '22 02:10

Luke


Interesting...

The key indeed can be opened with a relative path, but not with an absolute path.

And it seems to contain information about all file systems and whatnot. Looks mysterious, indeed...

like image 45
user541686 Avatar answered Oct 10 '22 03:10

user541686