GetLsaPidFromRegistry

/* Function-pointer types for the three ntdll exports that
 * MpfGetLsaPidFromRegistry resolves at runtime with GetProcAddress
 * (NtOpenKey, NtQueryValueKey, NtClose). The parameter lists mirror the
 * native registry API so the resolved pointers can be called directly. */
typedef NTSTATUS(NTAPI* NTOPENKEY)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef NTSTATUS(NTAPI* NTQUERYVALUEKEY)(HANDLE, PUNICODE_STRING, KEY_VALUE_INFORMATION_CLASS, PVOID, ULONG, PULONG);
typedef NTSTATUS(NTAPI* NTCLOSE)(HANDLE);

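/**
 * Read the LsaPid value from the Lsa registry key using ntdll's native
 * registry API (NtOpenKey / NtQueryValueKey / NtClose, resolved at runtime
 * with GetProcAddress on the already-loaded ntdll.dll).
 *
 * The key \Registry\Machine\SYSTEM\CurrentControlSet\Control\Lsa is opened
 * read-only (KEY_QUERY_VALUE) and the value is queried as
 * KeyValuePartialInformation into a fixed stack buffer sized for a single
 * DWORD payload. The value's Type and DataLength are validated before the
 * payload is read, so a value that is not a REG_DWORD is reported as a
 * failure rather than being reinterpreted.
 *
 * @return The DWORD stored in LsaPid, or 0 (ERROR_SUCCESS) if ntdll or one of
 *         its exports cannot be resolved, the key cannot be opened, the query
 *         fails (including a too-small buffer), or the value is not a
 *         REG_DWORD of at least four bytes. A stored value of 0 is
 *         indistinguishable from failure for the caller.
 */
DWORD MpfGetLsaPidFromRegistry(VOID)
{
	NTOPENKEY NtOpenKey = NULL;
	NTQUERYVALUEKEY NtQueryValueKey = NULL;
	NTCLOSE NtClose = NULL;
	UNICODE_STRING LsaRegistryPath = { 0 };
	UNICODE_STRING LsaValue = { 0 };
	OBJECT_ATTRIBUTES Attributes = { 0 };
	HANDLE hKey = NULL;
	NTSTATUS Status = STATUS_SUCCESS;
	HMODULE hModule = NULL;
	DWORD LsassPid = ERROR_SUCCESS;
	/* KEY_VALUE_PARTIAL_INFORMATION header plus room for one DWORD of data.
	 * Expressed in terms of the struct actually being filled (the previous
	 * sizeof(enum) * sizeof(DWORD) only happened to equal the right size,
	 * which is why analyzer warning C6260 had to be suppressed around it). */
	UCHAR Buffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(DWORD)] = { 0 };
	PKEY_VALUE_PARTIAL_INFORMATION ValueObject = (PKEY_VALUE_PARTIAL_INFORMATION)Buffer;
	DWORD BufferLength = 0;

	hModule = GetModuleHandleW(L"ntdll.dll");
	if (hModule == NULL)
		goto EXIT_ROUTINE;

	NtOpenKey = (NTOPENKEY)GetProcAddress(hModule, "NtOpenKey");
	NtQueryValueKey = (NTQUERYVALUEKEY)GetProcAddress(hModule, "NtQueryValueKey");
	NtClose = (NTCLOSE)GetProcAddress(hModule, "NtClose");

	/* All three are needed: NtClose is what releases hKey on the exit path. */
	if (!NtOpenKey || !NtQueryValueKey || !NtClose)
		goto EXIT_ROUTINE;

	RtlInitUnicodeString(&LsaRegistryPath, L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Lsa");
	RtlInitUnicodeString(&LsaValue, L"LsaPid");
	InitializeObjectAttributes(&Attributes, &LsaRegistryPath, OBJ_CASE_INSENSITIVE, NULL, NULL);

	/* Least privilege: only query access is requested on the key. */
	Status = NtOpenKey(&hKey, KEY_QUERY_VALUE, &Attributes);
	if (!NT_SUCCESS(Status))
		goto EXIT_ROUTINE;

	Status = NtQueryValueKey(hKey, &LsaValue, KeyValuePartialInformation, Buffer, sizeof(Buffer), &BufferLength);
	if (!NT_SUCCESS(Status))
		goto EXIT_ROUTINE;

	/* Registry contents are untrusted data: only read Data[] when the value
	 * really is a REG_DWORD and the kernel reported at least four bytes. */
	if (ValueObject->Type != REG_DWORD || ValueObject->DataLength < sizeof(DWORD))
		goto EXIT_ROUTINE;

	/* Copy rather than *(PDWORD)&Data[0]: Buffer is a UCHAR array with no
	 * DWORD alignment guarantee, and the pointer cast also breaks strict
	 * aliasing. memcpy is already in scope through the Windows headers
	 * (RtlCopyMemory expands to it). */
	memcpy(&LsassPid, ValueObject->Data, sizeof(LsassPid));

EXIT_ROUTINE:

	if (hKey)
		NtClose(hKey);

	return LsassPid;
}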
