apphelp.c

Go to the documentation of this file.

/*
 * PROJECT:         ReactOS Kernel
 * LICENSE:         BSD - See COPYING.ARM in the top level directory
 * FILE:            ntoskrnl/ps/apphelp.c
 * PURPOSE:         SHIM engine caching.
 *                  This caching speeds up checks for the apphelp compatibility layer.
 * PROGRAMMERS:     Mark Jansen
 */

/*
Useful references:
https://github.com/mandiant/ShimCacheParser/blob/master/ShimCacheParser.py
http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx
http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx
http://www.alex-ionescu.com/?p=43
http://recxltd.blogspot.nl/2012/04/windows-appcompat-research-notes-part-1.html
http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html
https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf
*/

/* INCLUDES ******************************************************************/

#include <ntoskrnl.h>
#define NDEBUG
#include <debug.h>

/* GLOBALS *******************************************************************/

static BOOLEAN ApphelpCacheEnabled = FALSE;
static ERESOURCE ApphelpCacheLock;
static RTL_AVL_TABLE ApphelpShimCache;
static LIST_ENTRY ApphelpShimCacheAge;

extern ULONG InitSafeBootMode;

static UNICODE_STRING AppCompatCacheKey = RTL_CONSTANT_STRING(L"\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache");
static OBJECT_ATTRIBUTES AppCompatKeyAttributes = RTL_CONSTANT_OBJECT_ATTRIBUTES(&AppCompatCacheKey, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE);
static UNICODE_STRING AppCompatCacheValue = RTL_CONSTANT_STRING(L"AppCompatCache");

#define EMPTY_SHIM_ENTRY    { { 0 }, { { 0 } }, 0 }
#define MAX_SHIM_ENTRIES    0x200
#define TAG_SHIM            'MIHS'

#ifndef INVALID_HANDLE_VALUE
#define INVALID_HANDLE_VALUE (HANDLE)(-1)
#endif

#include <pshpack1.h>

typedef struct SHIM_PERSISTENT_CACHE_HEADER_52
{
    ULONG Magic;
    ULONG NumEntries;
} SHIM_PERSISTENT_CACHE_HEADER_52, *PSHIM_PERSISTENT_CACHE_HEADER_52;

/* The data that is present in the registry (Win2k3 version) */
typedef struct SHIM_PERSISTENT_CACHE_ENTRY_52
{
    UNICODE_STRING ImageName;
    LARGE_INTEGER DateTime;
    LARGE_INTEGER FileSize;
} SHIM_PERSISTENT_CACHE_ENTRY_52, *PSHIM_PERSISTENT_CACHE_ENTRY_52;

#include <poppack.h>

#define CACHE_MAGIC_NT_52 0xbadc0ffe
#define CACHE_HEADER_SIZE_NT_52 0x8
#define NT52_PERSISTENT_ENTRY_SIZE32 0x18
#define NT52_PERSISTENT_ENTRY_SIZE64 0x20

//#define CACHE_MAGIC_NT_61 0xbadc0fee
//#define CACHE_HEADER_SIZE_NT_61 0x80
//#define NT61_PERSISTENT_ENTRY_SIZE32 0x20
//#define NT61_PERSISTENT_ENTRY_SIZE64 0x30

#define SHIM_CACHE_MAGIC                    CACHE_MAGIC_NT_52
#define SHIM_CACHE_HEADER_SIZE              CACHE_HEADER_SIZE_NT_52
#ifdef _WIN64
#define SHIM_PERSISTENT_CACHE_ENTRY_SIZE    NT52_PERSISTENT_ENTRY_SIZE64
#else
#define SHIM_PERSISTENT_CACHE_ENTRY_SIZE    NT52_PERSISTENT_ENTRY_SIZE32
#endif
#define SHIM_PERSISTENT_CACHE_HEADER        SHIM_PERSISTENT_CACHE_HEADER_52
#define PSHIM_PERSISTENT_CACHE_HEADER      PSHIM_PERSISTENT_CACHE_HEADER_52
#define SHIM_PERSISTENT_CACHE_ENTRY         SHIM_PERSISTENT_CACHE_ENTRY_52
#define PSHIM_PERSISTENT_CACHE_ENTRY       PSHIM_PERSISTENT_CACHE_ENTRY_52

C_ASSERT(sizeof(SHIM_PERSISTENT_CACHE_ENTRY) == SHIM_PERSISTENT_CACHE_ENTRY_SIZE);
C_ASSERT(sizeof(SHIM_PERSISTENT_CACHE_HEADER) == SHIM_CACHE_HEADER_SIZE);

/* The struct we keep in memory */
typedef struct SHIM_CACHE_ENTRY
{
    LIST_ENTRY List;
    SHIM_PERSISTENT_CACHE_ENTRY Persistent;
    ULONG CompatFlags;
} SHIM_CACHE_ENTRY, *PSHIM_CACHE_ENTRY;

/* PRIVATE FUNCTIONS *********************************************************/

PVOID
ApphelpAlloc(
    _In_ ULONG ByteSize)
{
    return ExAllocatePoolWithTag(PagedPool, ByteSize, TAG_SHIM);
}

VOID
ApphelpFree(
    _In_ PVOID Data)
{
    ExFreePoolWithTag(Data, TAG_SHIM);
}

VOID
ApphelpCacheAcquireLock(VOID)
{
    KeEnterCriticalRegion();
    ExAcquireResourceExclusiveLite(&ApphelpCacheLock, TRUE);
}

BOOLEAN
ApphelpCacheTryAcquireLock(VOID)
{
    KeEnterCriticalRegion();
    if (!ExTryToAcquireResourceExclusiveLite(&ApphelpCacheLock))
    {
        KeLeaveCriticalRegion();
        return FALSE;
    }
    return TRUE;
}

VOID
ApphelpCacheReleaseLock(VOID)
{
    ExReleaseResourceLite(&ApphelpCacheLock);
    KeLeaveCriticalRegion();
}

VOID
ApphelpDuplicateUnicodeString(
    _Out_ PUNICODE_STRING Destination,
    _In_ PCUNICODE_STRING Source)
{
    Destination->Length = Source->Length;
    if (Destination->Length)
    {
        Destination->MaximumLength = Destination->Length + sizeof(WCHAR);
        Destination->Buffer = ApphelpAlloc(Destination->MaximumLength);
        RtlCopyMemory(Destination->Buffer, Source->Buffer, Destination->Length);
        Destination->Buffer[Destination->Length / sizeof(WCHAR)] = UNICODE_NULL;
    }
    else
    {
        Destination->MaximumLength = 0;
        Destination->Buffer = NULL;
    }
}

VOID
ApphelpFreeUnicodeString(
    _Inout_ PUNICODE_STRING String)
{
    if (String->Buffer)
    {
        ApphelpFree(String->Buffer);
    }
    String->Length = 0;
    String->MaximumLength = 0;
    String->Buffer = NULL;
}

/* Query file info from a handle, storing it in Entry */
NTSTATUS
ApphelpCacheQueryInfo(
    _In_ HANDLE ImageHandle,
    _Out_ PSHIM_CACHE_ENTRY Entry)
{
    IO_STATUS_BLOCK IoStatusBlock;
    FILE_BASIC_INFORMATION FileBasic;
    FILE_STANDARD_INFORMATION FileStandard;
    NTSTATUS Status;

    Status = ZwQueryInformationFile(ImageHandle,
                                    &IoStatusBlock,
                                    &FileBasic,
                                    sizeof(FileBasic),
                                    FileBasicInformation);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }

    Status = ZwQueryInformationFile(ImageHandle,
                                    &IoStatusBlock,
                                    &FileStandard,
                                    sizeof(FileStandard),
                                    FileStandardInformation);
    if (NT_SUCCESS(Status))
    {
        Entry->Persistent.DateTime = FileBasic.LastWriteTime;
        Entry->Persistent.FileSize = FileStandard.EndOfFile;
    }
    return Status;
}

RTL_GENERIC_COMPARE_RESULTS
NTAPI
ApphelpShimCacheCompareRoutine(
    _In_ struct _RTL_AVL_TABLE *Table,
    _In_ PVOID FirstStruct,
    _In_ PVOID SecondStruct)
{
    PSHIM_CACHE_ENTRY FirstEntry = FirstStruct;
    PSHIM_CACHE_ENTRY SecondEntry = SecondStruct;
    LONG Result;

    Result = RtlCompareUnicodeString(&FirstEntry->Persistent.ImageName,
                                     &SecondEntry->Persistent.ImageName,
                                     TRUE);
    if (Result < 0)
    {
        return GenericLessThan;
    }
    else if (Result == 0)
    {
        return GenericEqual;
    }
    return GenericGreaterThan;
}

PVOID
NTAPI
ApphelpShimCacheAllocateRoutine(
    _In_ struct _RTL_AVL_TABLE *Table,
    _In_ CLONG ByteSize)
{
    return ApphelpAlloc(ByteSize);
}

VOID
NTAPI
ApphelpShimCacheFreeRoutine(
    _In_ struct _RTL_AVL_TABLE *Table,
    _In_ PVOID Buffer)
{
    ApphelpFree(Buffer);
}

NTSTATUS
ApphelpCacheParse(
    _In_reads_(DataLength) PUCHAR Data,
    _In_ ULONG DataLength)
{
    PSHIM_PERSISTENT_CACHE_HEADER Header = (PSHIM_PERSISTENT_CACHE_HEADER)Data;
    ULONG Cur;
    ULONG NumEntries;
    UNICODE_STRING String;
    SHIM_CACHE_ENTRY Entry = EMPTY_SHIM_ENTRY;
    PSHIM_CACHE_ENTRY Result;
    PSHIM_PERSISTENT_CACHE_ENTRY Persistent;

    if (DataLength < CACHE_HEADER_SIZE_NT_52)
    {
        DPRINT1("SHIMS: ApphelpCacheParse not enough data for a minimal header (0x%x)\n", DataLength);
        return STATUS_INVALID_PARAMETER;
    }

    if (Header->Magic != SHIM_CACHE_MAGIC)
    {
        DPRINT1("SHIMS: ApphelpCacheParse found invalid magic (0x%x)\n", Header->Magic);
        return STATUS_INVALID_PARAMETER;
    }

    NumEntries = Header->NumEntries;
    DPRINT("SHIMS: ApphelpCacheParse walking %d entries\n", NumEntries);
    for (Cur = 0; Cur < NumEntries; ++Cur)
    {
        Persistent = (PSHIM_PERSISTENT_CACHE_ENTRY)(Data + SHIM_CACHE_HEADER_SIZE +
                                                    (Cur * SHIM_PERSISTENT_CACHE_ENTRY_SIZE));
        /* The entry in the Persistent storage is not really a UNICODE_STRING,
            so we have to convert the offset into a real pointer before using it. */
        String.Length = Persistent->ImageName.Length;
        String.MaximumLength = Persistent->ImageName.MaximumLength;
        String.Buffer = (PWCHAR)((ULONG_PTR)Persistent->ImageName.Buffer + Data);

        /* Now we copy all data to a local buffer, that can be safely duplicated by RtlInsert */
        Entry.Persistent = *Persistent;
        ApphelpDuplicateUnicodeString(&Entry.Persistent.ImageName, &String);
        Result = RtlInsertElementGenericTableAvl(&ApphelpShimCache,
                                                 &Entry,
                                                 sizeof(Entry),
                                                 NULL);
        if (!Result)
        {
            DPRINT1("SHIMS: ApphelpCacheParse insert failed\n");
            ApphelpFreeUnicodeString(&Entry.Persistent.ImageName);
            return STATUS_INVALID_PARAMETER;
        }
        InsertTailList(&ApphelpShimCacheAge, &Result->List);
    }
    return STATUS_SUCCESS;
}

BOOLEAN
ApphelpCacheRead(VOID)
{
    HANDLE KeyHandle;
    NTSTATUS Status;
    KEY_VALUE_PARTIAL_INFORMATION KeyValueObject;
    PKEY_VALUE_PARTIAL_INFORMATION KeyValueInformation = &KeyValueObject;
    ULONG KeyInfoSize, ResultSize;

    Status = ZwOpenKey(&KeyHandle, KEY_QUERY_VALUE, &AppCompatKeyAttributes);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("SHIMS: ApphelpCacheRead could not even open Session Manager\\AppCompatCache (0x%x)\n", Status);
        return FALSE;
    }

    Status = ZwQueryValueKey(KeyHandle,
                             &AppCompatCacheValue,
                             KeyValuePartialInformation,
                             KeyValueInformation,
                             sizeof(KeyValueObject),
                             &ResultSize);
    if (Status == STATUS_BUFFER_OVERFLOW)
    {
        KeyInfoSize = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + KeyValueInformation->DataLength;
        KeyValueInformation = ApphelpAlloc(KeyInfoSize);
        if (KeyValueInformation != NULL)
        {
            Status = ZwQueryValueKey(KeyHandle,
                                     &AppCompatCacheValue,
                                     KeyValuePartialInformation,
                                     KeyValueInformation,
                                     KeyInfoSize,
                                     &ResultSize);
        }
    }

    if (NT_SUCCESS(Status) && KeyValueInformation->Type == REG_BINARY)
    {
        Status = ApphelpCacheParse(KeyValueInformation->Data,
                                   KeyValueInformation->DataLength);
    }
    else
    {
        DPRINT1("SHIMS: ApphelpCacheRead not loaded from registry (0x%x)\n", Status);
    }

    if (KeyValueInformation != &KeyValueObject && KeyValueInformation != NULL)
    {
        ApphelpFree(KeyValueInformation);
    }

    ZwClose(KeyHandle);
    return NT_SUCCESS(Status);
}

BOOLEAN
ApphelpCacheWrite(VOID)
{
    ULONG Length = SHIM_CACHE_HEADER_SIZE;
    ULONG NumEntries = 0;
    PLIST_ENTRY ListEntry;
    PUCHAR Buffer, BufferNamePos;
    PSHIM_PERSISTENT_CACHE_HEADER Header;
    PSHIM_PERSISTENT_CACHE_ENTRY WriteEntry;
    HANDLE KeyHandle;
    NTSTATUS Status;

    /* First we have to calculate the required size. */
    ApphelpCacheAcquireLock();
    ListEntry = ApphelpShimCacheAge.Flink;
    while (ListEntry != &ApphelpShimCacheAge)
    {
        PSHIM_CACHE_ENTRY Entry = CONTAINING_RECORD(ListEntry, SHIM_CACHE_ENTRY, List);
        Length += SHIM_PERSISTENT_CACHE_ENTRY_SIZE;
        Length += Entry->Persistent.ImageName.MaximumLength;
        ++NumEntries;
        ListEntry = ListEntry->Flink;
    }
    DPRINT("SHIMS: ApphelpCacheWrite, %d Entries, total size: %d\n", NumEntries, Length);
    Length = ROUND_UP(Length, sizeof(ULONGLONG));
    DPRINT("SHIMS: ApphelpCacheWrite, Rounded to: %d\n", Length);

    /* Now we allocate and prepare some helpers */
    Buffer = ApphelpAlloc(Length);
    BufferNamePos = Buffer + Length;
    Header = (PSHIM_PERSISTENT_CACHE_HEADER)Buffer;
    WriteEntry = (PSHIM_PERSISTENT_CACHE_ENTRY)(Buffer + SHIM_CACHE_HEADER_SIZE);

    Header->Magic = SHIM_CACHE_MAGIC;
    Header->NumEntries = NumEntries;

    ListEntry = ApphelpShimCacheAge.Flink;
    while (ListEntry != &ApphelpShimCacheAge)
    {
        PSHIM_CACHE_ENTRY Entry = CONTAINING_RECORD(ListEntry, SHIM_CACHE_ENTRY, List);
        USHORT ImageNameLen = Entry->Persistent.ImageName.MaximumLength;
        /* Copy the Persistent structure over */
        *WriteEntry = Entry->Persistent;
        BufferNamePos -= ImageNameLen;
        /* Copy the image name over */
        RtlCopyMemory(BufferNamePos, Entry->Persistent.ImageName.Buffer, ImageNameLen);
        /* Fix the Persistent structure, so that Buffer is once again an offset */
        WriteEntry->ImageName.Buffer = (PWCH)(BufferNamePos - Buffer);

        ++WriteEntry;
        ListEntry = ListEntry->Flink;
    }
    ApphelpCacheReleaseLock();

    Status = ZwOpenKey(&KeyHandle, KEY_SET_VALUE, &AppCompatKeyAttributes);
    if (NT_SUCCESS(Status))
    {
        Status = ZwSetValueKey(KeyHandle,
                               &AppCompatCacheValue,
                               0,
                               REG_BINARY,
                               Buffer,
                               Length);
        ZwClose(KeyHandle);
    }
    else
    {
        DPRINT1("SHIMS: ApphelpCacheWrite could not even open Session Manager\\AppCompatCache (0x%x)\n", Status);
    }

    ApphelpFree(Buffer);
    return NT_SUCCESS(Status);
}


INIT_FUNCTION
NTSTATUS
NTAPI
ApphelpCacheInitialize(VOID)
{
    DPRINT("SHIMS: ApphelpCacheInitialize\n");
    /* If we are booting in safemode we do not want to use the apphelp cache */
    if (InitSafeBootMode)
    {
        DPRINT1("SHIMS: Safe mode detected, disabling cache.\n");
        ApphelpCacheEnabled = FALSE;
    }
    else
    {
        ExInitializeResourceLite(&ApphelpCacheLock);
        RtlInitializeGenericTableAvl(&ApphelpShimCache,
                                     ApphelpShimCacheCompareRoutine,
                                     ApphelpShimCacheAllocateRoutine,
                                     ApphelpShimCacheFreeRoutine,
                                     NULL);
        InitializeListHead(&ApphelpShimCacheAge);
        ApphelpCacheEnabled = ApphelpCacheRead();
    }
    DPRINT("SHIMS: ApphelpCacheInitialize: %d\n", ApphelpCacheEnabled);
    return STATUS_SUCCESS;
}

VOID
NTAPI
ApphelpCacheShutdown(VOID)
{
    if (ApphelpCacheEnabled)
    {
        ApphelpCacheWrite();
    }
}

NTSTATUS
ApphelpValidateData(
    _In_opt_ PAPPHELP_CACHE_SERVICE_LOOKUP ServiceData,
    _Out_ PUNICODE_STRING ImageName,
    _Out_ PHANDLE ImageHandle)
{
    NTSTATUS Status = STATUS_INVALID_PARAMETER;

    if (ServiceData)
    {
        UNICODE_STRING LocalImageName;
        _SEH2_TRY
        {
            ProbeForRead(ServiceData,
                         sizeof(APPHELP_CACHE_SERVICE_LOOKUP),
                         sizeof(ULONG));
            LocalImageName = ServiceData->ImageName;
            *ImageHandle = ServiceData->ImageHandle;
            if (LocalImageName.Length && LocalImageName.Buffer)
            {
                ProbeForRead(LocalImageName.Buffer,
                             LocalImageName.Length * sizeof(WCHAR),
                             1);
                ApphelpDuplicateUnicodeString(ImageName, &LocalImageName);
                Status = STATUS_SUCCESS;
            }
        }
        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
        {
            _SEH2_YIELD(return _SEH2_GetExceptionCode());
        }
        _SEH2_END;
    }
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("SHIMS: ApphelpValidateData: invalid data passed\n");
    }
    return Status;
}

NTSTATUS
ApphelpCacheRemoveEntryNolock(
    _In_ PSHIM_CACHE_ENTRY Entry)
{
    if (Entry)
    {
        PWSTR Buffer = Entry->Persistent.ImageName.Buffer;
        RemoveEntryList(&Entry->List);
        if (RtlDeleteElementGenericTableAvl(&ApphelpShimCache, Entry))
        {
            ApphelpFree(Buffer);
        }
        return STATUS_SUCCESS;
    }
    return STATUS_NOT_FOUND;
}

NTSTATUS
ApphelpCacheLookupEntry(
    _In_ PUNICODE_STRING ImageName,
    _In_ HANDLE ImageHandle)
{
    NTSTATUS Status = STATUS_NOT_FOUND;
    SHIM_CACHE_ENTRY Lookup = EMPTY_SHIM_ENTRY;
    PSHIM_CACHE_ENTRY Entry;

    if (!ApphelpCacheTryAcquireLock())
    {
        return Status;
    }

    Lookup.Persistent.ImageName = *ImageName;
    Entry = RtlLookupElementGenericTableAvl(&ApphelpShimCache, &Lookup);
    if (Entry == NULL)
    {
        DPRINT("SHIMS: ApphelpCacheLookupEntry: could not find %wZ\n", ImageName);
        goto Cleanup;
    }

    DPRINT("SHIMS: ApphelpCacheLookupEntry: found %wZ\n", ImageName);
    if (ImageHandle == INVALID_HANDLE_VALUE)
    {
        DPRINT("SHIMS: ApphelpCacheLookupEntry: ok\n");
        /* just return if we know it, do not query file info */
        Status = STATUS_SUCCESS;
    }
    else
    {
        Status = ApphelpCacheQueryInfo(ImageHandle, &Lookup);
        if (NT_SUCCESS(Status) &&
            Lookup.Persistent.DateTime.QuadPart == Entry->Persistent.DateTime.QuadPart &&
            Lookup.Persistent.FileSize.QuadPart == Entry->Persistent.FileSize.QuadPart)
        {
            DPRINT("SHIMS: ApphelpCacheLookupEntry: found & validated\n");
            Status = STATUS_SUCCESS;
            /* move it to the front to keep it alive */
            RemoveEntryList(&Entry->List);
            InsertHeadList(&ApphelpShimCacheAge, &Entry->List);
        }
        else
        {
            DPRINT1("SHIMS: ApphelpCacheLookupEntry: file info mismatch (%lx)\n", Status);
            Status = STATUS_NOT_FOUND;
            /* Could not read file info, or it did not match, drop it from the cache */
            ApphelpCacheRemoveEntryNolock(Entry);
        }
    }

Cleanup:
    ApphelpCacheReleaseLock();
    return Status;
}

NTSTATUS
ApphelpCacheRemoveEntry(
    _In_ PUNICODE_STRING ImageName)
{
    PSHIM_CACHE_ENTRY Entry;
    NTSTATUS Status;

    ApphelpCacheAcquireLock();
    Entry = RtlLookupElementGenericTableAvl(&ApphelpShimCache, ImageName);
    Status = ApphelpCacheRemoveEntryNolock(Entry);
    ApphelpCacheReleaseLock();
    return Status;
}

/* Validate that we are either called from r0, or from a service-like context */
NTSTATUS
ApphelpCacheAccessCheck(VOID)
{
    if (ExGetPreviousMode() != KernelMode)
    {
        if (!SeSinglePrivilegeCheck(SeTcbPrivilege, UserMode))
        {
            DPRINT1("SHIMS: ApphelpCacheAccessCheck failed\n");
            return STATUS_ACCESS_DENIED;
        }
    }
    return STATUS_SUCCESS;
}

NTSTATUS
ApphelpCacheUpdateEntry(
    _In_ PUNICODE_STRING ImageName,
    _In_ HANDLE ImageHandle)
{
    NTSTATUS Status = STATUS_SUCCESS;
    SHIM_CACHE_ENTRY Entry = EMPTY_SHIM_ENTRY;
    PSHIM_CACHE_ENTRY Lookup;
    PVOID NodeOrParent;
    TABLE_SEARCH_RESULT SearchResult;

    ApphelpCacheAcquireLock();

    /* If we got a file handle, query it for info */
    if (ImageHandle != INVALID_HANDLE_VALUE)
    {
        Status = ApphelpCacheQueryInfo(ImageHandle, &Entry);
        if (!NT_SUCCESS(Status))
        {
            goto Cleanup;
        }
    }

    /* Use ImageName for the lookup, don't actually duplicate it */
    Entry.Persistent.ImageName = *ImageName;
    Lookup = RtlLookupElementGenericTableFullAvl(&ApphelpShimCache,
                                                 &Entry,
                                                 &NodeOrParent, &SearchResult);
    if (Lookup)
    {
        DPRINT("SHIMS: ApphelpCacheUpdateEntry: Entry already exists, reusing it\n");
        /* Unlink the found item, so we can put it back at the front,
            and copy the earlier obtained file info*/
        RemoveEntryList(&Lookup->List);
        Lookup->Persistent.DateTime = Entry.Persistent.DateTime;
        Lookup->Persistent.FileSize = Entry.Persistent.FileSize;
    }
    else
    {
        DPRINT("SHIMS: ApphelpCacheUpdateEntry: Inserting new Entry\n");
        /* Insert a new entry, with its own copy of the ImageName */
        ApphelpDuplicateUnicodeString(&Entry.Persistent.ImageName, ImageName);
        Lookup = RtlInsertElementGenericTableFullAvl(&ApphelpShimCache,
                                                     &Entry,
                                                     sizeof(Entry),
                                                     0,
                                                     NodeOrParent,
                                                     SearchResult);
        if (!Lookup)
        {
            ApphelpFreeUnicodeString(&Entry.Persistent.ImageName);
            Status = STATUS_NO_MEMORY;
        }
    }
    if (Lookup)
    {
        /* Either we re-used an existing item, or we inserted a new one, keep it alive */
        InsertHeadList(&ApphelpShimCacheAge, &Lookup->List);
        if (RtlNumberGenericTableElementsAvl(&ApphelpShimCache) > MAX_SHIM_ENTRIES)
        {
            PSHIM_CACHE_ENTRY Remove;
            DPRINT1("SHIMS: ApphelpCacheUpdateEntry: Cache growing too big, dropping oldest item\n");
            Remove = CONTAINING_RECORD(ApphelpShimCacheAge.Blink, SHIM_CACHE_ENTRY, List);
            Status = ApphelpCacheRemoveEntryNolock(Remove);
        }
    }

Cleanup:
    ApphelpCacheReleaseLock();
    return Status;
}

NTSTATUS
ApphelpCacheFlush(VOID)
{
    PVOID p;

    DPRINT1("SHIMS: ApphelpCacheFlush\n");
    ApphelpCacheAcquireLock();
    while ((p = RtlEnumerateGenericTableAvl(&ApphelpShimCache, TRUE)))
    {
        ApphelpCacheRemoveEntryNolock((PSHIM_CACHE_ENTRY)p);
    }
    ApphelpCacheReleaseLock();
    return STATUS_SUCCESS;
}

NTSTATUS
ApphelpCacheDump(VOID)
{
    PLIST_ENTRY ListEntry;
    PSHIM_CACHE_ENTRY Entry;

    DPRINT1("SHIMS: NtApphelpCacheControl( Dumping entries, newest to oldest )\n");
    ApphelpCacheAcquireLock();
    ListEntry = ApphelpShimCacheAge.Flink;
    while (ListEntry != &ApphelpShimCacheAge)
    {
        Entry = CONTAINING_RECORD(ListEntry, SHIM_CACHE_ENTRY, List);
        DPRINT1("Entry: %wZ\n", &Entry->Persistent.ImageName);
        DPRINT1("DateTime: 0x%I64x\n", Entry->Persistent.DateTime.QuadPart);
        DPRINT1("FileSize: 0x%I64x\n", Entry->Persistent.FileSize.QuadPart);
        DPRINT1("Flags: 0x%x\n", Entry->CompatFlags);
        ListEntry = ListEntry->Flink;
    }
    ApphelpCacheReleaseLock();
    return STATUS_SUCCESS;
}

/* PUBLIC FUNCTIONS **********************************************************/

NTSTATUS
NTAPI
NtApphelpCacheControl(
    _In_ APPHELPCACHESERVICECLASS Service,
    _In_opt_ PAPPHELP_CACHE_SERVICE_LOOKUP ServiceData)
{
    NTSTATUS Status = STATUS_INVALID_PARAMETER;
    UNICODE_STRING ImageName = { 0 };
    HANDLE Handle = INVALID_HANDLE_VALUE;

    if (!ApphelpCacheEnabled)
    {
        DPRINT1("NtApphelpCacheControl: ApphelpCacheEnabled == 0\n");
        return Status;
    }
    switch (Service)
    {
        case ApphelpCacheServiceLookup:
            DPRINT("SHIMS: NtApphelpCacheControl( ApphelpCacheServiceLookup )\n");
            Status = ApphelpValidateData(ServiceData, &ImageName, &Handle);
            if (NT_SUCCESS(Status))
                Status = ApphelpCacheLookupEntry(&ImageName, Handle);
            break;
        case ApphelpCacheServiceRemove:
            DPRINT("SHIMS: NtApphelpCacheControl( ApphelpCacheServiceRemove )\n");
            Status = ApphelpValidateData(ServiceData, &ImageName, &Handle);
            if (NT_SUCCESS(Status))
                Status = ApphelpCacheRemoveEntry(&ImageName);
            break;
        case ApphelpCacheServiceUpdate:
            DPRINT("SHIMS: NtApphelpCacheControl( ApphelpCacheServiceUpdate )\n");
            Status = ApphelpCacheAccessCheck();
            if (NT_SUCCESS(Status))
            {
                Status = ApphelpValidateData(ServiceData, &ImageName, &Handle);
                if (NT_SUCCESS(Status))
                    Status = ApphelpCacheUpdateEntry(&ImageName, Handle);
            }
            break;
        case ApphelpCacheServiceFlush:
            /* FIXME: Check for admin or system here. */
            Status = ApphelpCacheFlush();
            break;
        case ApphelpCacheServiceDump:
            Status = ApphelpCacheDump();
            break;
        case ApphelpDBGReadRegistry:
            DPRINT1("SHIMS: NtApphelpCacheControl( ApphelpDBGReadRegistry ): flushing cache.\n");
            ApphelpCacheFlush();
            DPRINT1("SHIMS: NtApphelpCacheControl( ApphelpDBGReadRegistry ): reading cache.\n");
            Status = ApphelpCacheRead() ? STATUS_SUCCESS : STATUS_NOT_FOUND;
            break;
        case ApphelpDBGWriteRegistry:
            DPRINT1("SHIMS: NtApphelpCacheControl( ApphelpDBGWriteRegistry ): writing cache.\n");
            Status = ApphelpCacheWrite() ? STATUS_SUCCESS : STATUS_NOT_FOUND;
            break;
        default:
            DPRINT1("SHIMS: NtApphelpCacheControl( Invalid service requested )\n");
            break;
    }
    if (ImageName.Buffer)
    {
        ApphelpFreeUnicodeString(&ImageName);
    }
    return Status;
}