I was looking at the docs for DuplicateHandle the other day and noticed that DuplicateHandle is able to copy registry key handles (HKEYs). Reading up on this a bit more in the SysInternals book seems to indicate that registry key handles are plain kernel objects, similar to file handles. Yet CloseHandle can't close HKEYs, and RegCloseKey can't close other kinds of kernel objects.
Why the distinction?
It is because only a part of the functionality of the registry is implemented in the kernel. It includes the basic operations (create, delete, read, write, etc.) for working with the local registry keys.
The remaining functions are implemented in advapi32.dll and work in user mode:
- RegConnectRegistry
- HKEY_PERFORMANCE_DATA
The kernel part of the functionality is available through the Native API: NtCreateKey, NtOpenKey, etc. Comparing these functions with the Win32 API shows that the Native API uses "classical" HANDLE descriptors instead of HKEY.
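The answer's point, that an opened HKEY is an ordinary kernel handle while HKEY_PERFORMANCE_DATA is an advapi32 construct, can be checked from PowerShell. This is an added example, not code from the answer: it P/Invokes the Win32 functions discussed above, assumes 64-bit Windows PowerShell 5.1 or later, reads only HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion and changes nothing.

```powershell
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class RegDup {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int RegOpenKeyExW(IntPtr hKey, string lpSubKey, uint ulOptions,
                                           int samDesired, out IntPtr phkResult);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern int RegQueryInfoKeyW(IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass,
        IntPtr lpReserved, out uint lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
        out uint lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
        IntPtr lpcbSecurityDescriptor, IntPtr lpftLastWriteTime);
    [DllImport("advapi32.dll")]
    public static extern int RegCloseKey(IntPtr hKey);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DuplicateHandle(IntPtr hSourceProcessHandle, IntPtr hSourceHandle,
        IntPtr hTargetProcessHandle, out IntPtr lpTargetHandle, uint dwDesiredAccess,
        bool bInheritHandle, uint dwOptions);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
}
'@
Add-Type -TypeDefinition $sig
$KEY_READ = 0x20019                 # STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
$DUPLICATE_SAME_ACCESS = 2
# Predefined keys are the sign-extended 32-bit constants from winreg.h, not real handles.
$HKEY_LOCAL_MACHINE    = [IntPtr]::new(-2147483646)   # 0x80000002
$HKEY_PERFORMANCE_DATA = [IntPtr]::new(-2147483644)   # 0x80000004
# 1. A normal open goes through the kernel (NtOpenKey) and returns a real handle.
$hKey = [IntPtr]::Zero
$rc = [RegDup]::RegOpenKeyExW($HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows NT\CurrentVersion', 0, $KEY_READ, [ref]$hKey)
if ($rc -ne 0) { throw "RegOpenKeyExW failed: $rc" }
# 2. Because it is a kernel handle, DuplicateHandle accepts it like any file or event handle.
$hDup = [IntPtr]::Zero
$proc = [RegDup]::GetCurrentProcess()
if (-not [RegDup]::DuplicateHandle($proc, $hKey, $proc, [ref]$hDup, 0, $false, $DUPLICATE_SAME_ACCESS)) {
    throw "DuplicateHandle failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
# 3. The duplicate is a fully usable HKEY: advapi32 queries through it without complaint.
[uint32]$subKeys = 0; [uint32]$values = 0
$rc = [RegDup]::RegQueryInfoKeyW($hDup, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$subKeys,
        [IntPtr]::Zero, [IntPtr]::Zero, [ref]$values, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
"Duplicate HKEY 0x{0:X}: RegQueryInfoKeyW rc={1}, {2} subkeys, {3} values" -f $hDup.ToInt64(), $rc, $subKeys, $values
# 4. HKEY_PERFORMANCE_DATA lives entirely in advapi32, so there is no kernel object to duplicate;
#    the call is expected to fail and the Win32 error code is printed.
$hPerf = [IntPtr]::Zero
$ok = [RegDup]::DuplicateHandle($proc, $HKEY_PERFORMANCE_DATA, $proc, [ref]$hPerf, 0, $false, $DUPLICATE_SAME_ACCESS)
"DuplicateHandle(HKEY_PERFORMANCE_DATA) succeeded: $ok, last error {0}" -f [Runtime.InteropServices.Marshal]::GetLastWin32Error()
# Both HKEYs are released with RegCloseKey, the API documented for registry handles.
[void][RegDup]::RegCloseKey($hDup)
[void][RegDup]::RegCloseKey($hKey)
```

For anyone auditing handle inheritance or cross-process DuplicateHandle use, step 2 is the part that matters: the copy carries the access granted at open time (KEY_READ here) and no fresh ACL check is made when it is used.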