From 7dd8a30cf957788db0d80352c9e3bf0f6eae9307 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?George=20Bi=C8=99oc?=
Date: Sat, 23 Mar 2024 20:40:56 +0100
Subject: [PATCH] [NTOS:CM] Remove orphaned KCBs of keys during normal hive unload

A hive whose KCBs have a reference count of 0, meaning nobody is using these keys anymore, will not get removed from the cache table. As a result during a normal hive unloading operation you will get orphaned KCBs which results in an unload failure. This is wrong, because this is what a normal hive unloading is supposed to do. What it cannot do of course is that it cannot scramble the references of opened keys by the users who use the Registry, as it is the job of force unloading mechanism to do that.

Also remove a misleading debug print. Force unloading works as intended by scrambling the references of keys and marking the KCB for deletion, which is what how a force unload works. Namely Windows does exactly that.

CORE-10705
---
 ntoskrnl/config/cmapi.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ntoskrnl/config/cmapi.c b/ntoskrnl/config/cmapi.c
index 944b469fa17..9bc32c8f404 100644
--- a/ntoskrnl/config/cmapi.c
+++ b/ntoskrnl/config/cmapi.c
@@ -2242,7 +2242,7 @@ CmUnloadKey(IN PCM_KEY_CONTROL_BLOCK Kcb,
 {
 if (Flags != REG_FORCE_UNLOAD)
 {
- if (CmpEnumerateOpenSubKeys(Kcb, FALSE, FALSE, FALSE) != 0)
+ if (CmpEnumerateOpenSubKeys(Kcb, FALSE, TRUE, FALSE) != 0)
 {
 /* There are open subkeys but we don't force hive unloading, fail */
 Hive->HiveFlags &= ~HIVE_IS_UNLOADING;
@@ -2251,7 +2251,6 @@ CmUnloadKey(IN PCM_KEY_CONTROL_BLOCK Kcb,
 }
 else
 {
- DPRINT1("CmUnloadKey: Force unloading is HALF-IMPLEMENTED, expect dangling KCBs problems!\n");
 if (CmpEnumerateOpenSubKeys(Kcb, TRUE, TRUE, TRUE) != 0)
 {
 /* There are open subkeys that we cannot force to unload, fail */
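Review bot: The flipped argument in the non-force path, `if (CmpEnumerateOpenSubKeys(Kcb, FALSE, TRUE, FALSE) != 0)`, is a bare boolean whose purpose is explained only in the commit message, so a reader of the function cannot tell which flag changed or why it is safe for a normal unload. Suggest a comment above the call such as `/* Drop cached KCBs that nobody references anymore so they are not counted as open subkeys; opened keys are left untouched, only a force unload may scramble them */`, assuming, as the message states, that the third parameter is the remove-empty-cache-entries flag (the parameter names are not visible in the hunk). The `TRUE, TRUE, TRUE` call in the second hunk would benefit from a parallel comment naming what the force path does differently, now that the DPRINT1 that used to hint at it is gone. CmUnloadKey's body starts and ends outside both hunks.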