AfterQueryValue Event

Fires after a registry value's information is retrieved.

Syntax

ANSI (Cross Platform)
virtual int FireAfterQueryValue(CBRegistryAfterQueryValueEventParams *e);
typedef struct {
void *KeyContext;
int Status;
const char *ValueName;
int ValidFields;
int ValueType;
int64 *pIntegerValue;
char *StringValue; int lenStringValue;
void *BinaryValue;
int MaxBinaryValueSize;
int BinaryValueSize;
int Processed;
int StopFiltering;
int ResultCode; int reserved; } CBRegistryAfterQueryValueEventParams; Unicode (Windows) virtual INT FireAfterQueryValue(CBRegistryAfterQueryValueEventParams *e);
typedef struct {
LPVOID KeyContext;
INT Status;
LPCWSTR ValueName;
INT ValidFields;
INT ValueType;
LONG64 *pIntegerValue;
LPWSTR StringValue; INT lenStringValue;
LPVOID BinaryValue;
INT MaxBinaryValueSize;
INT BinaryValueSize;
BOOL Processed;
BOOL StopFiltering;
INT ResultCode; INT reserved; } CBRegistryAfterQueryValueEventParams;
#define EID_CBREGISTRY_AFTERQUERYVALUE 9

virtual INT CBFSFILTER_CALL FireAfterQueryValue(LPVOID &lpKeyContext, INT &iStatus, LPWSTR &lpszValueName, INT &iValidFields, INT &iValueType, LONG64 &lIntegerValue, LPWSTR &lpStringValue, INT &lenStringValue, LPVOID &lpBinaryValue, INT &iMaxBinaryValueSize, INT &iBinaryValueSize, BOOL &bProcessed, BOOL &bStopFiltering, INT &iResultCode);

Remarks

This event fires after a registry value's information is retrieved.

Applications only need to handle this event if they've added a standard filter rule that includes the REG_CE_AFTER_QUERY_VALUE flag.

The KeyContext parameter is a placeholder for application-defined data associated with the registry key. Please refer to the Contexts topic for more information. Note that this event does not expose the registry key's name for performance reasons; applications that need it should store it in KeyContext during the BeforeCreateKey/BeforeOpenKey event so that it can be retrieved when this event fires.

The Status parameter contains a Win32 error code that indicates the outcome of the operation; 0 indicates success. This value is returned to the request originator if no other status is returned from this event. Applications may change this parameter's value if they want a different Win32 error code to be returned.

The ValueName parameter reflects the name of the registry value.

The ValidFields parameter indicates which pieces of information about the registry value were retrieved. The value of this parameter is a combination of one or more of the following:

REG_VALUEFIELD_TYPE1A registry value's type.

REG_VALUEFIELD_NAME2A registry value's name.

REG_VALUEFIELD_DATA4A registry value's data.

The ValueType parameter specifies the registry value's type, and determines which of the other parameters holds the registry value's data (please refer to their descriptions for more information). Possible values are:

REG_VALUETYPE_SZ1A unicode string.

REG_VALUETYPE_EXPAND_SZ2A unicode string that contains environmental variable references.

REG_VALUETYPE_BINARY3Binary data.

REG_VALUETYPE_DWORD4A 32-bit number.

REG_VALUETYPE_MULTI_SZ7Multiple unicode strings.

REG_VALUETYPE_QWORD11A 64-bit number.

The IntegerValue parameter specifies the registry value's data if ValueType is REG_VALUETYPE_DWORD or REG_VALUETYPE_QWORD.

The StringValue parameter specifies the registry value's data if ValueType is REG_VALUETYPE_SZ, REG_VALUETYPE_EXPAND_SZ, or REG_VALUETYPE_MULTI_SZ. Note that data should be copied to StringValue; set lenStringValue to the length of the copied string (measured in char/wchar_t, not including terminating nulls).

For REG_VALUETYPE_MULTI_SZ, the data is formatted as multiple individual ETB-terminated strings concatenated together into a single null-terminated string (where ETB is the End-of-Transmission-Block character; 23/0x17). For example, the strings This is, a multistring, value. would be encoded as This is[ETB]a multistring[ETB]value.[ETB][NUL].

Note that, as Microsoft's Registry Value Types article describes, the native multistring data format uses null-terminators for the individual strings (e.g., This is[NUL]a multistring[NUL]value.[NUL][NUL]); CBRegistry converts the individual null terminators to/from ETB characters internally for applications' convenience.

The BinaryValue parameter points to a memory buffer that holds the registry value's data if ValueType is REG_VALUETYPE_BINARY. The MaxBinaryValueSize and BinaryValueSize parameter specify the capacity of the BinaryValue buffer and the length of the data it contains (respectively), in bytes.

Always check MaxBinaryValueSize before copying any data into the BinaryValue buffer. If the buffer is large enough to hold all of the data, copy the data into it, and then update BinaryValueSize accordingly. If the buffer is not large enough, do not copy any data into it; instead, set BinaryValueSize to the required buffer size (i.e., the size of the data), and return the ERROR_MORE_DATA (234) error code via ResultCode.

The Processed parameter indicates whether the response values have been modified. Applications must set this parameter to true if they alter any of the parameters related to the response values. Note that this parameter's value is ignored if an error is returned via ResultCode.

The StopFiltering parameter specifies whether the class's system driver should ignore all further operations for the registry key; it is false by default. Applications may set this parameter to true to prevent any further events from firing for the registry key.

The ResultCode parameter will always be 0 when the event is fired. If the event cannot be handled in a "successful" manner for some reason (e.g., a resource isn't available, security checks failed, etc.), set it to a non-zero value to report an appropriate error. Please refer to the Error Reporting and Handling topic for more information.

This event is fired synchronously; please refer to the Event Types topic for more information.

Copyright (c) 2022 Callback Technologies, Inc. - All rights reserved.
CBFS Filter 2020 C++ Edition - Version 20.0 [Build 8317]