apphelp.c File Reference

#include <ntoskrnl.h>
#include <debug.h>
#include <pshpack1.h>
#include <poppack.h>

Include dependency graph for apphelp.c:

Go to the source code of this file.

Classes
struct	SHIM_PERSISTENT_CACHE_HEADER_52
struct	SHIM_PERSISTENT_CACHE_ENTRY_52
struct	SHIM_CACHE_ENTRY

Macros
#define	NDEBUG
#define	EMPTY_SHIM_ENTRY   { { 0 }, { { 0 } }, 0 }
#define	MAX_SHIM_ENTRIES   0x200
#define	INVALID_HANDLE_VALUE   (HANDLE)(-1)
#define	CACHE_MAGIC_NT_52   0xbadc0ffe
#define	CACHE_HEADER_SIZE_NT_52   0x8
#define	NT52_PERSISTENT_ENTRY_SIZE32   0x18
#define	NT52_PERSISTENT_ENTRY_SIZE64   0x20
#define	SHIM_CACHE_MAGIC   CACHE_MAGIC_NT_52
#define	SHIM_CACHE_HEADER_SIZE   CACHE_HEADER_SIZE_NT_52
#define	SHIM_PERSISTENT_CACHE_ENTRY_SIZE   NT52_PERSISTENT_ENTRY_SIZE32
#define	SHIM_PERSISTENT_CACHE_HEADER   SHIM_PERSISTENT_CACHE_HEADER_52
#define	PSHIM_PERSISTENT_CACHE_HEADER   PSHIM_PERSISTENT_CACHE_HEADER_52
#define	SHIM_PERSISTENT_CACHE_ENTRY   SHIM_PERSISTENT_CACHE_ENTRY_52
#define	PSHIM_PERSISTENT_CACHE_ENTRY   PSHIM_PERSISTENT_CACHE_ENTRY_52

Typedefs
typedef struct SHIM_PERSISTENT_CACHE_HEADER_52	SHIM_PERSISTENT_CACHE_HEADER_52
typedef struct SHIM_PERSISTENT_CACHE_HEADER_52 *	PSHIM_PERSISTENT_CACHE_HEADER_52
typedef struct SHIM_PERSISTENT_CACHE_ENTRY_52	SHIM_PERSISTENT_CACHE_ENTRY_52
typedef struct SHIM_PERSISTENT_CACHE_ENTRY_52 *	PSHIM_PERSISTENT_CACHE_ENTRY_52
typedef struct SHIM_CACHE_ENTRY	SHIM_CACHE_ENTRY
typedef struct SHIM_CACHE_ENTRY *	PSHIM_CACHE_ENTRY

Functions
	C_ASSERT (sizeof(SHIM_PERSISTENT_CACHE_ENTRY)==SHIM_PERSISTENT_CACHE_ENTRY_SIZE)
	C_ASSERT (sizeof(SHIM_PERSISTENT_CACHE_HEADER)==SHIM_CACHE_HEADER_SIZE)
PVOID	ApphelpAlloc (_In_ ULONG ByteSize)
VOID	ApphelpFree (_In_ PVOID Data)
VOID	ApphelpCacheAcquireLock (VOID)
BOOLEAN	ApphelpCacheTryAcquireLock (VOID)
VOID	ApphelpCacheReleaseLock (VOID)
VOID	ApphelpDuplicateUnicodeString (_Out_ PUNICODE_STRING Destination, _In_ PCUNICODE_STRING Source)
VOID	ApphelpFreeUnicodeString (_Inout_ PUNICODE_STRING String)
NTSTATUS	ApphelpCacheQueryInfo (_In_ HANDLE ImageHandle, _Out_ PSHIM_CACHE_ENTRY Entry)
RTL_GENERIC_COMPARE_RESULTS NTAPI	ApphelpShimCacheCompareRoutine (_In_ struct _RTL_AVL_TABLE *Table, _In_ PVOID FirstStruct, _In_ PVOID SecondStruct)
PVOID NTAPI	ApphelpShimCacheAllocateRoutine (_In_ struct _RTL_AVL_TABLE *Table, _In_ CLONG ByteSize)
VOID NTAPI	ApphelpShimCacheFreeRoutine (_In_ struct _RTL_AVL_TABLE *Table, _In_ PVOID Buffer)
NTSTATUS	ApphelpCacheParse (_In_reads_(DataLength) PUCHAR Data, _In_ ULONG DataLength)
BOOLEAN	ApphelpCacheRead (VOID)
BOOLEAN	ApphelpCacheWrite (VOID)
NTSTATUS NTAPI	ApphelpCacheInitialize (VOID)
VOID NTAPI	ApphelpCacheShutdown (VOID)
NTSTATUS	ApphelpValidateData (_In_opt_ PAPPHELP_CACHE_SERVICE_LOOKUP ServiceData, _Out_ PUNICODE_STRING ImageName, _Out_ PHANDLE ImageHandle)
NTSTATUS	ApphelpCacheRemoveEntryNolock (_In_ PSHIM_CACHE_ENTRY Entry)
NTSTATUS	ApphelpCacheLookupEntry (_In_ PUNICODE_STRING ImageName, _In_ HANDLE ImageHandle)
NTSTATUS	ApphelpCacheRemoveEntry (_In_ PUNICODE_STRING ImageName)
NTSTATUS	ApphelpCacheAccessCheck (VOID)
NTSTATUS	ApphelpCacheUpdateEntry (_In_ PUNICODE_STRING ImageName, _In_ HANDLE ImageHandle)
NTSTATUS	ApphelpCacheFlush (VOID)
NTSTATUS	ApphelpCacheDump (VOID)
NTSTATUS NTAPI	NtApphelpCacheControl (_In_ APPHELPCACHESERVICECLASS Service, _In_opt_ PAPPHELP_CACHE_SERVICE_LOOKUP ServiceData)

Variables
static BOOLEAN	ApphelpCacheEnabled = FALSE
static ERESOURCE	ApphelpCacheLock
static RTL_AVL_TABLE	ApphelpShimCache
static LIST_ENTRY	ApphelpShimCacheAge
ULONG	InitSafeBootMode
static UNICODE_STRING	AppCompatCacheKey = RTL_CONSTANT_STRING(L"\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache")
static OBJECT_ATTRIBUTES	AppCompatKeyAttributes = RTL_CONSTANT_OBJECT_ATTRIBUTES(&AppCompatCacheKey, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE)
static UNICODE_STRING	AppCompatCacheValue = RTL_CONSTANT_STRING(L"AppCompatCache")

Macro Definition Documentation

CACHE_HEADER_SIZE_NT_52

#define CACHE_HEADER_SIZE_NT_52   0x8

Definition at line 66 of file apphelp.c.

CACHE_MAGIC_NT_52

#define CACHE_MAGIC_NT_52   0xbadc0ffe

Definition at line 65 of file apphelp.c.

EMPTY_SHIM_ENTRY

#define EMPTY_SHIM_ENTRY   { { 0 }, { { 0 } }, 0 }

Definition at line 40 of file apphelp.c.

INVALID_HANDLE_VALUE

#define INVALID_HANDLE_VALUE   (HANDLE)(-1)

Definition at line 44 of file apphelp.c.

MAX_SHIM_ENTRIES

#define MAX_SHIM_ENTRIES   0x200

Definition at line 41 of file apphelp.c.

NDEBUG

#define NDEBUG

Definition at line 24 of file apphelp.c.

NT52_PERSISTENT_ENTRY_SIZE32

#define NT52_PERSISTENT_ENTRY_SIZE32   0x18

Definition at line 67 of file apphelp.c.

NT52_PERSISTENT_ENTRY_SIZE64

#define NT52_PERSISTENT_ENTRY_SIZE64   0x20

Definition at line 68 of file apphelp.c.

PSHIM_PERSISTENT_CACHE_ENTRY

#define PSHIM_PERSISTENT_CACHE_ENTRY   PSHIM_PERSISTENT_CACHE_ENTRY_52

Definition at line 85 of file apphelp.c.

PSHIM_PERSISTENT_CACHE_HEADER

#define PSHIM_PERSISTENT_CACHE_HEADER   PSHIM_PERSISTENT_CACHE_HEADER_52

Definition at line 83 of file apphelp.c.

SHIM_CACHE_HEADER_SIZE

#define SHIM_CACHE_HEADER_SIZE   CACHE_HEADER_SIZE_NT_52

Definition at line 76 of file apphelp.c.

SHIM_CACHE_MAGIC

#define SHIM_CACHE_MAGIC   CACHE_MAGIC_NT_52

Definition at line 75 of file apphelp.c.

SHIM_PERSISTENT_CACHE_ENTRY

#define SHIM_PERSISTENT_CACHE_ENTRY   SHIM_PERSISTENT_CACHE_ENTRY_52

Definition at line 84 of file apphelp.c.

SHIM_PERSISTENT_CACHE_ENTRY_SIZE

#define SHIM_PERSISTENT_CACHE_ENTRY_SIZE   NT52_PERSISTENT_ENTRY_SIZE32

Definition at line 80 of file apphelp.c.

SHIM_PERSISTENT_CACHE_HEADER

#define SHIM_PERSISTENT_CACHE_HEADER   SHIM_PERSISTENT_CACHE_HEADER_52

Definition at line 82 of file apphelp.c.

Typedef Documentation

PSHIM_CACHE_ENTRY

typedef struct SHIM_CACHE_ENTRY * PSHIM_CACHE_ENTRY

PSHIM_PERSISTENT_CACHE_ENTRY_52

typedef struct SHIM_PERSISTENT_CACHE_ENTRY_52 * PSHIM_PERSISTENT_CACHE_ENTRY_52

PSHIM_PERSISTENT_CACHE_HEADER_52

typedef struct SHIM_PERSISTENT_CACHE_HEADER_52 * PSHIM_PERSISTENT_CACHE_HEADER_52

SHIM_CACHE_ENTRY

typedef struct SHIM_CACHE_ENTRY SHIM_CACHE_ENTRY

SHIM_PERSISTENT_CACHE_ENTRY_52

typedef struct SHIM_PERSISTENT_CACHE_ENTRY_52 SHIM_PERSISTENT_CACHE_ENTRY_52

SHIM_PERSISTENT_CACHE_HEADER_52

typedef struct SHIM_PERSISTENT_CACHE_HEADER_52 SHIM_PERSISTENT_CACHE_HEADER_52

Function Documentation

ApphelpAlloc()

PVOID ApphelpAlloc

(

_In_ ULONG

ByteSize

)

Definition at line 101 of file apphelp.c.

{
    return ExAllocatePoolWithTag(PagedPool, ByteSize, TAG_SHIM);
}

Referenced by ApphelpCacheRead(), ApphelpCacheWrite(), ApphelpDuplicateUnicodeString(), and ApphelpShimCacheAllocateRoutine().

ApphelpCacheAccessCheck()

NTSTATUS ApphelpCacheAccessCheck

(

VOID

)

Definition at line 602 of file apphelp.c.

{
    if (ExGetPreviousMode() != KernelMode)
    {
        if (!SeSinglePrivilegeCheck(SeTcbPrivilege, UserMode))
        {
            DPRINT1("SHIMS: ApphelpCacheAccessCheck failed\n");
            return STATUS_ACCESS_DENIED;
        }
    }
    return STATUS_SUCCESS;
}

Referenced by NtApphelpCacheControl().

ApphelpCacheAcquireLock()

VOID ApphelpCacheAcquireLock

(

VOID

)

Definition at line 115 of file apphelp.c.

{
    KeEnterCriticalRegion();
    ExAcquireResourceExclusiveLite(&ApphelpCacheLock, TRUE);
}

Referenced by ApphelpCacheDump(), ApphelpCacheFlush(), ApphelpCacheRemoveEntry(), ApphelpCacheUpdateEntry(), and ApphelpCacheWrite().

ApphelpCacheDump()

NTSTATUS ApphelpCacheDump

(

VOID

)

Definition at line 703 of file apphelp.c.

{
    PLIST_ENTRY ListEntry;
    PSHIM_CACHE_ENTRY Entry;
 
    DPRINT1("SHIMS: NtApphelpCacheControl( Dumping entries, newest to oldest )\n");
    ApphelpCacheAcquireLock();
    ListEntry = ApphelpShimCacheAge.Flink;
    while (ListEntry != &ApphelpShimCacheAge)
    {
        Entry = CONTAINING_RECORD(ListEntry, SHIM_CACHE_ENTRY, List);
        DPRINT1("Entry: %wZ\n", &Entry->Persistent.ImageName);
        DPRINT1("DateTime: 0x%I64x\n", Entry->Persistent.DateTime.QuadPart);
        DPRINT1("FileSize: 0x%I64x\n", Entry->Persistent.FileSize.QuadPart);
        DPRINT1("Flags: 0x%x\n", Entry->CompatFlags);
        ListEntry = ListEntry->Flink;
    }
    ApphelpCacheReleaseLock();
    return STATUS_SUCCESS;
}

Referenced by NtApphelpCacheControl().

ApphelpCacheFlush()

NTSTATUS ApphelpCacheFlush

(

VOID

)

Definition at line 688 of file apphelp.c.

{
    PVOID p;
 
    DPRINT1("SHIMS: ApphelpCacheFlush\n");
    ApphelpCacheAcquireLock();
    while ((p = RtlEnumerateGenericTableAvl(&ApphelpShimCache, TRUE)))
    {
        ApphelpCacheRemoveEntryNolock((PSHIM_CACHE_ENTRY)p);
    }
    ApphelpCacheReleaseLock();
    return STATUS_SUCCESS;
}

Referenced by NtApphelpCacheControl().

ApphelpCacheInitialize()

NTSTATUS NTAPI ApphelpCacheInitialize

(

VOID

)

Definition at line 439 of file apphelp.c.

{
    DPRINT("SHIMS: ApphelpCacheInitialize\n");
    /* If we are booting in safemode we do not want to use the apphelp cache */
    if (InitSafeBootMode)
    {
        DPRINT1("SHIMS: Safe mode detected, disabling cache.\n");
        ApphelpCacheEnabled = FALSE;
    }
    else
    {
        ExInitializeResourceLite(&ApphelpCacheLock);
        RtlInitializeGenericTableAvl(&ApphelpShimCache,
                                     ApphelpShimCacheCompareRoutine,
                                     ApphelpShimCacheAllocateRoutine,
                                     ApphelpShimCacheFreeRoutine,
                                     NULL);
        InitializeListHead(&ApphelpShimCacheAge);
        ApphelpCacheEnabled = ApphelpCacheRead();
    }
    DPRINT("SHIMS: ApphelpCacheInitialize: %d\n", ApphelpCacheEnabled);
    return STATUS_SUCCESS;
}

Referenced by IoInitSystem().

ApphelpCacheLookupEntry()

NTSTATUS ApphelpCacheLookupEntry	(	_In_ PUNICODE_STRING	ImageName,
		_In_ HANDLE	ImageHandle
	)

Definition at line 531 of file apphelp.c.

{
    NTSTATUS Status = STATUS_NOT_FOUND;
    SHIM_CACHE_ENTRY Lookup = EMPTY_SHIM_ENTRY;
    PSHIM_CACHE_ENTRY Entry;
 
    if (!ApphelpCacheTryAcquireLock())
    {
        return Status;
    }
 
    Lookup.Persistent.ImageName = *ImageName;
    Entry = RtlLookupElementGenericTableAvl(&ApphelpShimCache, &Lookup);
    if (Entry == NULL)
    {
        DPRINT("SHIMS: ApphelpCacheLookupEntry: could not find %wZ\n", ImageName);
        goto Cleanup;
    }
 
    DPRINT("SHIMS: ApphelpCacheLookupEntry: found %wZ\n", ImageName);
    if (ImageHandle == INVALID_HANDLE_VALUE)
    {
        DPRINT("SHIMS: ApphelpCacheLookupEntry: ok\n");
        /* just return if we know it, do not query file info */
        Status = STATUS_SUCCESS;
    }
    else
    {
        Status = ApphelpCacheQueryInfo(ImageHandle, &Lookup);
        if (NT_SUCCESS(Status) &&
            Lookup.Persistent.DateTime.QuadPart == Entry->Persistent.DateTime.QuadPart &&
            Lookup.Persistent.FileSize.QuadPart == Entry->Persistent.FileSize.QuadPart)
        {
            DPRINT("SHIMS: ApphelpCacheLookupEntry: found & validated\n");
            Status = STATUS_SUCCESS;
            /* move it to the front to keep it alive */
            RemoveEntryList(&Entry->List);
            InsertHeadList(&ApphelpShimCacheAge, &Entry->List);
        }
        else
        {
            DPRINT1("SHIMS: ApphelpCacheLookupEntry: file info mismatch (%lx)\n", Status);
            Status = STATUS_NOT_FOUND;
            /* Could not read file info, or it did not match, drop it from the cache */
            ApphelpCacheRemoveEntryNolock(Entry);
        }
    }
 
Cleanup:
    ApphelpCacheReleaseLock();
    return Status;
}

Referenced by NtApphelpCacheControl().

ApphelpCacheParse()

NTSTATUS ApphelpCacheParse	(	_In_reads_(DataLength) PUCHAR	Data,
		_In_ ULONG	DataLength
	)

Definition at line 251 of file apphelp.c.

{
    PSHIM_PERSISTENT_CACHE_HEADER Header = (PSHIM_PERSISTENT_CACHE_HEADER)Data;
    ULONG Cur;
    ULONG NumEntries;
    UNICODE_STRING String;
    SHIM_CACHE_ENTRY Entry = EMPTY_SHIM_ENTRY;
    PSHIM_CACHE_ENTRY Result;
    PSHIM_PERSISTENT_CACHE_ENTRY Persistent;
 
    if (DataLength < CACHE_HEADER_SIZE_NT_52)
    {
        DPRINT1("SHIMS: ApphelpCacheParse not enough data for a minimal header (0x%x)\n", DataLength);
        return STATUS_INVALID_PARAMETER;
    }
 
    if (Header->Magic != SHIM_CACHE_MAGIC)
    {
        DPRINT1("SHIMS: ApphelpCacheParse found invalid magic (0x%x)\n", Header->Magic);
        return STATUS_INVALID_PARAMETER;
    }
 
    NumEntries = Header->NumEntries;
    DPRINT("SHIMS: ApphelpCacheParse walking %d entries\n", NumEntries);
    for (Cur = 0; Cur < NumEntries; ++Cur)
    {
        Persistent = (PSHIM_PERSISTENT_CACHE_ENTRY)(Data + SHIM_CACHE_HEADER_SIZE +
                                                    (Cur * SHIM_PERSISTENT_CACHE_ENTRY_SIZE));
        /* The entry in the Persistent storage is not really a UNICODE_STRING,
            so we have to convert the offset into a real pointer before using it. */
        String.Length = Persistent->ImageName.Length;
        String.MaximumLength = Persistent->ImageName.MaximumLength;
        String.Buffer = (PWCHAR)((ULONG_PTR)Persistent->ImageName.Buffer + Data);
 
        /* Now we copy all data to a local buffer, that can be safely duplicated by RtlInsert */
        Entry.Persistent = *Persistent;
        ApphelpDuplicateUnicodeString(&Entry.Persistent.ImageName, &String);
        Result = RtlInsertElementGenericTableAvl(&ApphelpShimCache,
                                                 &Entry,
                                                 sizeof(Entry),
                                                 NULL);
        if (!Result)
        {
            DPRINT1("SHIMS: ApphelpCacheParse insert failed\n");
            ApphelpFreeUnicodeString(&Entry.Persistent.ImageName);
            return STATUS_INVALID_PARAMETER;
        }
        InsertTailList(&ApphelpShimCacheAge, &Result->List);
    }
    return STATUS_SUCCESS;
}

Referenced by ApphelpCacheRead().

ApphelpCacheQueryInfo()

NTSTATUS ApphelpCacheQueryInfo	(	_In_ HANDLE	ImageHandle,
		_Out_ PSHIM_CACHE_ENTRY	Entry
	)

Definition at line 175 of file apphelp.c.

{
    IO_STATUS_BLOCK IoStatusBlock;
    FILE_BASIC_INFORMATION FileBasic;
    FILE_STANDARD_INFORMATION FileStandard;
    NTSTATUS Status;
 
    Status = ZwQueryInformationFile(ImageHandle,
                                    &IoStatusBlock,
                                    &FileBasic,
                                    sizeof(FileBasic),
                                    FileBasicInformation);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }
 
    Status = ZwQueryInformationFile(ImageHandle,
                                    &IoStatusBlock,
                                    &FileStandard,
                                    sizeof(FileStandard),
                                    FileStandardInformation);
    if (NT_SUCCESS(Status))
    {
        Entry->Persistent.DateTime = FileBasic.LastWriteTime;
        Entry->Persistent.FileSize = FileStandard.EndOfFile;
    }
    return Status;
}

Referenced by ApphelpCacheLookupEntry(), and ApphelpCacheUpdateEntry().

ApphelpCacheRead()

BOOLEAN ApphelpCacheRead

(

VOID

)

Definition at line 306 of file apphelp.c.

{
    HANDLE KeyHandle;
    NTSTATUS Status;
    KEY_VALUE_PARTIAL_INFORMATION KeyValueObject;
    PKEY_VALUE_PARTIAL_INFORMATION KeyValueInformation = &KeyValueObject;
    ULONG KeyInfoSize, ResultSize;
 
    Status = ZwOpenKey(&KeyHandle, KEY_QUERY_VALUE, &AppCompatKeyAttributes);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("SHIMS: ApphelpCacheRead could not even open Session Manager\\AppCompatCache (0x%x)\n", Status);
        return FALSE;
    }
 
    Status = ZwQueryValueKey(KeyHandle,
                             &AppCompatCacheValue,
                             KeyValuePartialInformation,
                             KeyValueInformation,
                             sizeof(KeyValueObject),
                             &ResultSize);
    if (Status == STATUS_BUFFER_OVERFLOW)
    {
        KeyInfoSize = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + KeyValueInformation->DataLength;
        KeyValueInformation = ApphelpAlloc(KeyInfoSize);
        if (KeyValueInformation != NULL)
        {
            Status = ZwQueryValueKey(KeyHandle,
                                     &AppCompatCacheValue,
                                     KeyValuePartialInformation,
                                     KeyValueInformation,
                                     KeyInfoSize,
                                     &ResultSize);
        }
    }
 
    if (NT_SUCCESS(Status) && KeyValueInformation->Type == REG_BINARY)
    {
        Status = ApphelpCacheParse(KeyValueInformation->Data,
                                   KeyValueInformation->DataLength);
    }
    else
    {
        DPRINT1("SHIMS: ApphelpCacheRead not loaded from registry (0x%x)\n", Status);
    }
 
    if (KeyValueInformation != &KeyValueObject && KeyValueInformation != NULL)
    {
        ApphelpFree(KeyValueInformation);
    }
 
    ZwClose(KeyHandle);
    return NT_SUCCESS(Status);
}

Referenced by ApphelpCacheInitialize(), and NtApphelpCacheControl().

ApphelpCacheReleaseLock()

VOID ApphelpCacheReleaseLock

(

VOID

)

Definition at line 134 of file apphelp.c.

{
    ExReleaseResourceLite(&ApphelpCacheLock);
    KeLeaveCriticalRegion();
}

Referenced by ApphelpCacheDump(), ApphelpCacheFlush(), ApphelpCacheLookupEntry(), ApphelpCacheRemoveEntry(), ApphelpCacheUpdateEntry(), and ApphelpCacheWrite().

ApphelpCacheRemoveEntry()

NTSTATUS ApphelpCacheRemoveEntry

(

_In_ PUNICODE_STRING

ImageName

)

Definition at line 587 of file apphelp.c.

{
    PSHIM_CACHE_ENTRY Entry;
    NTSTATUS Status;
 
    ApphelpCacheAcquireLock();
    Entry = RtlLookupElementGenericTableAvl(&ApphelpShimCache, ImageName);
    Status = ApphelpCacheRemoveEntryNolock(Entry);
    ApphelpCacheReleaseLock();
    return Status;
}

Referenced by NtApphelpCacheControl().

ApphelpCacheRemoveEntryNolock()

NTSTATUS ApphelpCacheRemoveEntryNolock

(

_In_ PSHIM_CACHE_ENTRY

Entry

)

Definition at line 514 of file apphelp.c.

{
    if (Entry)
    {
        PWSTR Buffer = Entry->Persistent.ImageName.Buffer;
        RemoveEntryList(&Entry->List);
        if (RtlDeleteElementGenericTableAvl(&ApphelpShimCache, Entry))
        {
            ApphelpFree(Buffer);
        }
        return STATUS_SUCCESS;
    }
    return STATUS_NOT_FOUND;
}

Referenced by ApphelpCacheFlush(), ApphelpCacheLookupEntry(), ApphelpCacheRemoveEntry(), and ApphelpCacheUpdateEntry().

ApphelpCacheShutdown()

VOID NTAPI ApphelpCacheShutdown

(

VOID

)

Definition at line 465 of file apphelp.c.

{
    if (ApphelpCacheEnabled)
    {
        ApphelpCacheWrite();
    }
}

Referenced by PopGracefulShutdown().

ApphelpCacheTryAcquireLock()

BOOLEAN ApphelpCacheTryAcquireLock

(

VOID

)

Definition at line 122 of file apphelp.c.

{
    KeEnterCriticalRegion();
    if (!ExTryToAcquireResourceExclusiveLite(&ApphelpCacheLock))
    {
        KeLeaveCriticalRegion();
        return FALSE;
    }
    return TRUE;
}

Referenced by ApphelpCacheLookupEntry().

ApphelpCacheUpdateEntry()

NTSTATUS ApphelpCacheUpdateEntry	(	_In_ PUNICODE_STRING	ImageName,
		_In_ HANDLE	ImageHandle
	)

Definition at line 616 of file apphelp.c.

{
    NTSTATUS Status = STATUS_SUCCESS;
    SHIM_CACHE_ENTRY Entry = EMPTY_SHIM_ENTRY;
    PSHIM_CACHE_ENTRY Lookup;
    PVOID NodeOrParent;
    TABLE_SEARCH_RESULT SearchResult;
 
    ApphelpCacheAcquireLock();
 
    /* If we got a file handle, query it for info */
    if (ImageHandle != INVALID_HANDLE_VALUE)
    {
        Status = ApphelpCacheQueryInfo(ImageHandle, &Entry);
        if (!NT_SUCCESS(Status))
        {
            goto Cleanup;
        }
    }
 
    /* Use ImageName for the lookup, don't actually duplicate it */
    Entry.Persistent.ImageName = *ImageName;
    Lookup = RtlLookupElementGenericTableFullAvl(&ApphelpShimCache,
                                                 &Entry,
                                                 &NodeOrParent, &SearchResult);
    if (Lookup)
    {
        DPRINT("SHIMS: ApphelpCacheUpdateEntry: Entry already exists, reusing it\n");
        /* Unlink the found item, so we can put it back at the front,
            and copy the earlier obtained file info*/
        RemoveEntryList(&Lookup->List);
        Lookup->Persistent.DateTime = Entry.Persistent.DateTime;
        Lookup->Persistent.FileSize = Entry.Persistent.FileSize;
    }
    else
    {
        DPRINT("SHIMS: ApphelpCacheUpdateEntry: Inserting new Entry\n");
        /* Insert a new entry, with its own copy of the ImageName */
        ApphelpDuplicateUnicodeString(&Entry.Persistent.ImageName, ImageName);
        Lookup = RtlInsertElementGenericTableFullAvl(&ApphelpShimCache,
                                                     &Entry,
                                                     sizeof(Entry),
                                                     0,
                                                     NodeOrParent,
                                                     SearchResult);
        if (!Lookup)
        {
            ApphelpFreeUnicodeString(&Entry.Persistent.ImageName);
            Status = STATUS_NO_MEMORY;
        }
    }
    if (Lookup)
    {
        /* Either we re-used an existing item, or we inserted a new one, keep it alive */
        InsertHeadList(&ApphelpShimCacheAge, &Lookup->List);
        if (RtlNumberGenericTableElementsAvl(&ApphelpShimCache) > MAX_SHIM_ENTRIES)
        {
            PSHIM_CACHE_ENTRY Remove;
            DPRINT1("SHIMS: ApphelpCacheUpdateEntry: Cache growing too big, dropping oldest item\n");
            Remove = CONTAINING_RECORD(ApphelpShimCacheAge.Blink, SHIM_CACHE_ENTRY, List);
            Status = ApphelpCacheRemoveEntryNolock(Remove);
        }
    }
 
Cleanup:
    ApphelpCacheReleaseLock();
    return Status;
}

Referenced by NtApphelpCacheControl().

ApphelpCacheWrite()

BOOLEAN ApphelpCacheWrite

(

VOID

)

Definition at line 362 of file apphelp.c.

{
    ULONG Length = SHIM_CACHE_HEADER_SIZE;
    ULONG NumEntries = 0;
    PLIST_ENTRY ListEntry;
    PUCHAR Buffer, BufferNamePos;
    PSHIM_PERSISTENT_CACHE_HEADER Header;
    PSHIM_PERSISTENT_CACHE_ENTRY WriteEntry;
    HANDLE KeyHandle;
    NTSTATUS Status;
 
    /* First we have to calculate the required size. */
    ApphelpCacheAcquireLock();
    ListEntry = ApphelpShimCacheAge.Flink;
    while (ListEntry != &ApphelpShimCacheAge)
    {
        PSHIM_CACHE_ENTRY Entry = CONTAINING_RECORD(ListEntry, SHIM_CACHE_ENTRY, List);
        Length += SHIM_PERSISTENT_CACHE_ENTRY_SIZE;
        Length += Entry->Persistent.ImageName.MaximumLength;
        ++NumEntries;
        ListEntry = ListEntry->Flink;
    }
    DPRINT("SHIMS: ApphelpCacheWrite, %d Entries, total size: %d\n", NumEntries, Length);
    Length = ROUND_UP(Length, sizeof(ULONGLONG));
    DPRINT("SHIMS: ApphelpCacheWrite, Rounded to: %d\n", Length);
 
    /* Now we allocate and prepare some helpers */
    Buffer = ApphelpAlloc(Length);
    BufferNamePos = Buffer + Length;
    Header = (PSHIM_PERSISTENT_CACHE_HEADER)Buffer;
    WriteEntry = (PSHIM_PERSISTENT_CACHE_ENTRY)(Buffer + SHIM_CACHE_HEADER_SIZE);
 
    Header->Magic = SHIM_CACHE_MAGIC;
    Header->NumEntries = NumEntries;
 
    ListEntry = ApphelpShimCacheAge.Flink;
    while (ListEntry != &ApphelpShimCacheAge)
    {
        PSHIM_CACHE_ENTRY Entry = CONTAINING_RECORD(ListEntry, SHIM_CACHE_ENTRY, List);
        USHORT ImageNameLen = Entry->Persistent.ImageName.MaximumLength;
        /* Copy the Persistent structure over */
        *WriteEntry = Entry->Persistent;
        BufferNamePos -= ImageNameLen;
        /* Copy the image name over */
        RtlCopyMemory(BufferNamePos, Entry->Persistent.ImageName.Buffer, ImageNameLen);
        /* Fix the Persistent structure, so that Buffer is once again an offset */
        WriteEntry->ImageName.Buffer = (PWCH)(BufferNamePos - Buffer);
 
        ++WriteEntry;
        ListEntry = ListEntry->Flink;
    }
    ApphelpCacheReleaseLock();
 
    Status = ZwOpenKey(&KeyHandle, KEY_SET_VALUE, &AppCompatKeyAttributes);
    if (NT_SUCCESS(Status))
    {
        Status = ZwSetValueKey(KeyHandle,
                               &AppCompatCacheValue,
                               0,
                               REG_BINARY,
                               Buffer,
                               Length);
        ZwClose(KeyHandle);
    }
    else
    {
        DPRINT1("SHIMS: ApphelpCacheWrite could not even open Session Manager\\AppCompatCache (0x%x)\n", Status);
    }
 
    ApphelpFree(Buffer);
    return NT_SUCCESS(Status);
}

Referenced by ApphelpCacheShutdown(), and NtApphelpCacheControl().

ApphelpDuplicateUnicodeString()

VOID ApphelpDuplicateUnicodeString	(	_Out_ PUNICODE_STRING	Destination,
		_In_ PCUNICODE_STRING	Source
	)

Definition at line 141 of file apphelp.c.

{
    Destination->Length = Source->Length;
    if (Destination->Length)
    {
        Destination->MaximumLength = Destination->Length + sizeof(WCHAR);
        Destination->Buffer = ApphelpAlloc(Destination->MaximumLength);
        RtlCopyMemory(Destination->Buffer, Source->Buffer, Destination->Length);
        Destination->Buffer[Destination->Length / sizeof(WCHAR)] = UNICODE_NULL;
    }
    else
    {
        Destination->MaximumLength = 0;
        Destination->Buffer = NULL;
    }
}

Referenced by ApphelpCacheParse(), ApphelpCacheUpdateEntry(), and ApphelpValidateData().

ApphelpFree()

VOID ApphelpFree

(

_In_ PVOID

Data

)

Definition at line 108 of file apphelp.c.

{
    ExFreePoolWithTag(Data, TAG_SHIM);
}

Referenced by ApphelpCacheRead(), ApphelpCacheRemoveEntryNolock(), ApphelpCacheWrite(), ApphelpFreeUnicodeString(), and ApphelpShimCacheFreeRoutine().

ApphelpFreeUnicodeString()

VOID ApphelpFreeUnicodeString

(

_Inout_ PUNICODE_STRING

String

)

Definition at line 161 of file apphelp.c.

{
    if (String->Buffer)
    {
        ApphelpFree(String->Buffer);
    }
    String->Length = 0;
    String->MaximumLength = 0;
    String->Buffer = NULL;
}

Referenced by ApphelpCacheParse(), ApphelpCacheUpdateEntry(), and NtApphelpCacheControl().

ApphelpShimCacheAllocateRoutine()

PVOID NTAPI ApphelpShimCacheAllocateRoutine	(	_In_ struct _RTL_AVL_TABLE *	Table,
		_In_ CLONG	ByteSize
	)

Definition at line 234 of file apphelp.c.

{
    return ApphelpAlloc(ByteSize);
}

Referenced by ApphelpCacheInitialize().

ApphelpShimCacheCompareRoutine()

RTL_GENERIC_COMPARE_RESULTS NTAPI ApphelpShimCacheCompareRoutine	(	_In_ struct _RTL_AVL_TABLE *	Table,
		_In_ PVOID	FirstStruct,
		_In_ PVOID	SecondStruct
	)

Definition at line 209 of file apphelp.c.

{
    PSHIM_CACHE_ENTRY FirstEntry = FirstStruct;
    PSHIM_CACHE_ENTRY SecondEntry = SecondStruct;
    LONG Result;
 
    Result = RtlCompareUnicodeString(&FirstEntry->Persistent.ImageName,
                                     &SecondEntry->Persistent.ImageName,
                                     TRUE);
    if (Result < 0)
    {
        return GenericLessThan;
    }
    else if (Result == 0)
    {
        return GenericEqual;
    }
    return GenericGreaterThan;
}

Referenced by ApphelpCacheInitialize().

ApphelpShimCacheFreeRoutine()

VOID NTAPI ApphelpShimCacheFreeRoutine	(	_In_ struct _RTL_AVL_TABLE *	Table,
		_In_ PVOID	Buffer
	)

Definition at line 243 of file apphelp.c.

{
    ApphelpFree(Buffer);
}

Referenced by ApphelpCacheInitialize().

ApphelpValidateData()

NTSTATUS ApphelpValidateData	(	_In_opt_ PAPPHELP_CACHE_SERVICE_LOOKUP	ServiceData,
		_Out_ PUNICODE_STRING	ImageName,
		_Out_ PHANDLE	ImageHandle
	)

Definition at line 474 of file apphelp.c.

{
    NTSTATUS Status = STATUS_INVALID_PARAMETER;
 
    if (ServiceData)
    {
        UNICODE_STRING LocalImageName;
        _SEH2_TRY
        {
            ProbeForRead(ServiceData,
                         sizeof(APPHELP_CACHE_SERVICE_LOOKUP),
                         sizeof(ULONG));
            LocalImageName = ServiceData->ImageName;
            *ImageHandle = ServiceData->ImageHandle;
            if (LocalImageName.Length && LocalImageName.Buffer)
            {
                ProbeForRead(LocalImageName.Buffer,
                             LocalImageName.Length * sizeof(WCHAR),
                             1);
                ApphelpDuplicateUnicodeString(ImageName, &LocalImageName);
                Status = STATUS_SUCCESS;
            }
        }
        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
        {
            _SEH2_YIELD(return _SEH2_GetExceptionCode());
        }
        _SEH2_END;
    }
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("SHIMS: ApphelpValidateData: invalid data passed\n");
    }
    return Status;
}

Referenced by NtApphelpCacheControl().

C_ASSERT() [1/2]

C_ASSERT

(

sizeof(SHIM_PERSISTENT_CACHE_ENTRY)

= =SHIM_PERSISTENT_CACHE_ENTRY_SIZE

)

C_ASSERT() [2/2]

C_ASSERT

(

sizeof(SHIM_PERSISTENT_CACHE_HEADER)

= =SHIM_CACHE_HEADER_SIZE

)

NtApphelpCacheControl()

NTSTATUS NTAPI NtApphelpCacheControl	(	_In_ APPHELPCACHESERVICECLASS	Service,
		_In_opt_ PAPPHELP_CACHE_SERVICE_LOOKUP	ServiceData
	)

Definition at line 728 of file apphelp.c.

{
    NTSTATUS Status = STATUS_INVALID_PARAMETER;
    UNICODE_STRING ImageName = { 0 };
    HANDLE Handle = INVALID_HANDLE_VALUE;
 
    if (!ApphelpCacheEnabled)
    {
        DPRINT1("NtApphelpCacheControl: ApphelpCacheEnabled == 0\n");
        return Status;
    }
    switch (Service)
    {
        case ApphelpCacheServiceLookup:
            DPRINT("SHIMS: NtApphelpCacheControl( ApphelpCacheServiceLookup )\n");
            Status = ApphelpValidateData(ServiceData, &ImageName, &Handle);
            if (NT_SUCCESS(Status))
                Status = ApphelpCacheLookupEntry(&ImageName, Handle);
            break;
        case ApphelpCacheServiceRemove:
            DPRINT("SHIMS: NtApphelpCacheControl( ApphelpCacheServiceRemove )\n");
            Status = ApphelpValidateData(ServiceData, &ImageName, &Handle);
            if (NT_SUCCESS(Status))
                Status = ApphelpCacheRemoveEntry(&ImageName);
            break;
        case ApphelpCacheServiceUpdate:
            DPRINT("SHIMS: NtApphelpCacheControl( ApphelpCacheServiceUpdate )\n");
            Status = ApphelpCacheAccessCheck();
            if (NT_SUCCESS(Status))
            {
                Status = ApphelpValidateData(ServiceData, &ImageName, &Handle);
                if (NT_SUCCESS(Status))
                    Status = ApphelpCacheUpdateEntry(&ImageName, Handle);
            }
            break;
        case ApphelpCacheServiceFlush:
            /* FIXME: Check for admin or system here. */
            Status = ApphelpCacheFlush();
            break;
        case ApphelpCacheServiceDump:
            Status = ApphelpCacheDump();
            break;
        case ApphelpDBGReadRegistry:
            DPRINT1("SHIMS: NtApphelpCacheControl( ApphelpDBGReadRegistry ): flushing cache.\n");
            ApphelpCacheFlush();
            DPRINT1("SHIMS: NtApphelpCacheControl( ApphelpDBGReadRegistry ): reading cache.\n");
            Status = ApphelpCacheRead() ? STATUS_SUCCESS : STATUS_NOT_FOUND;
            break;
        case ApphelpDBGWriteRegistry:
            DPRINT1("SHIMS: NtApphelpCacheControl( ApphelpDBGWriteRegistry ): writing cache.\n");
            Status = ApphelpCacheWrite() ? STATUS_SUCCESS : STATUS_NOT_FOUND;
            break;
        default:
            DPRINT1("SHIMS: NtApphelpCacheControl( Invalid service requested )\n");
            break;
    }
    if (ImageName.Buffer)
    {
        ApphelpFreeUnicodeString(&ImageName);
    }
    return Status;
}

Referenced by BaseDumpAppcompatCache(), BaseFlushAppcompatCache(), BasepShimCacheRemoveEntry(), BasepShimCacheSearch(), and CallApphelp().

Variable Documentation

AppCompatCacheKey

UNICODE_STRING AppCompatCacheKey = RTL_CONSTANT_STRING(L"\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache")

static

Definition at line 36 of file apphelp.c.

AppCompatCacheValue

UNICODE_STRING AppCompatCacheValue = RTL_CONSTANT_STRING(L"AppCompatCache")

static

Definition at line 38 of file apphelp.c.

Referenced by ApphelpCacheRead(), and ApphelpCacheWrite().

AppCompatKeyAttributes

OBJECT_ATTRIBUTES AppCompatKeyAttributes = RTL_CONSTANT_OBJECT_ATTRIBUTES(&AppCompatCacheKey, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE)

static

Definition at line 37 of file apphelp.c.

Referenced by ApphelpCacheRead(), and ApphelpCacheWrite().

ApphelpCacheEnabled

BOOLEAN ApphelpCacheEnabled = FALSE

static

Definition at line 29 of file apphelp.c.

Referenced by ApphelpCacheInitialize(), ApphelpCacheShutdown(), and NtApphelpCacheControl().

ApphelpCacheLock

ERESOURCE ApphelpCacheLock

static

Definition at line 30 of file apphelp.c.

Referenced by ApphelpCacheAcquireLock(), ApphelpCacheInitialize(), ApphelpCacheReleaseLock(), and ApphelpCacheTryAcquireLock().

ApphelpShimCache

RTL_AVL_TABLE ApphelpShimCache

static

Definition at line 31 of file apphelp.c.

Referenced by ApphelpCacheFlush(), ApphelpCacheInitialize(), ApphelpCacheLookupEntry(), ApphelpCacheParse(), ApphelpCacheRemoveEntry(), ApphelpCacheRemoveEntryNolock(), and ApphelpCacheUpdateEntry().

ApphelpShimCacheAge

LIST_ENTRY ApphelpShimCacheAge

static

Definition at line 32 of file apphelp.c.

Referenced by ApphelpCacheDump(), ApphelpCacheInitialize(), ApphelpCacheLookupEntry(), ApphelpCacheParse(), ApphelpCacheUpdateEntry(), and ApphelpCacheWrite().

InitSafeBootMode

ULONG InitSafeBootMode

extern

Definition at line 71 of file init.c.

Referenced by ApphelpCacheInitialize(), and Phase1InitializationDiscard().