news 2026/6/15 15:31:44

Analysis of the nt!PiDeviceRegistration function


张小明

Front-end developer


Part 1:

NTSTATUS
PiDeviceRegistration(
    IN PUNICODE_STRING DeviceInstancePath,
    IN BOOLEAN Add,
    IN PUNICODE_STRING ServiceKeyName OPTIONAL
    )

/*++

Routine Description:

If Add is set to TRUE, this Plug and Play Manager API creates (if necessary)
and populates the volatile Enum subkey of a device's service list entry, based
on the device instance path specified. If Add is set to FALSE, the specified
device instance will be removed from the volatile Enum subkey of a device's
service list entry.


For example, if there is a device in the Enum tree as follows:

    HKLM\System\Enum\PCI
        \foo
            \0000
                Service = REG_SZ bar
            \0001
                Service = REG_SZ other

The result of the call, PpDeviceRegistration("PCI\foo\0000", Add = TRUE), would be:

    HKLM\CurrentControlSet\Services
        \bar
            \Enum
                Count = REG_DWORD 1
                0 = REG_SZ PCI\foo\0000

Arguments:

DeviceInstancePath - Supplies the path in the registry (relative to
HKLM\CCS\System\Enum) of the device to be registered/deregistered.
This path must point to an instance subkey.

Add - Supplies a BOOLEAN value to indicate the operation is for addition or removal.

ServiceKeyName - Optionally, supplies the address of a unicode string to
receive the name of the registry key for this device
instance's service (if one exists). The caller must
release the space once done with it.

Win7 registry export 1:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI_HAL]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI_HAL\PNP0C08]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI_HAL\PNP0C08\0]
"Capabilities"=dword:00000030
"HardwareID"=hex(7):41,00,43,00,50,00,49,00,5f,00,48,00,41,00,4c,00,5c,00,50,\
00,4e,00,50,00,30,00,43,00,30,00,38,00,00,00,2a,00,50,00,4e,00,50,00,30,00,\
43,00,30,00,38,00,00,00,00,00
"ContainerID"="{00000000-0000-0000-ffff-ffffffffffff}"
"Service"="ACPI"
"ClassGUID"="{4d36e97d-e325-11ce-bfc1-08002be10318}"
"ConfigFlags"=dword:00000000
"ParentIdPrefix"="2&daba3ff&2"
"Driver"="{4d36e97d-e325-11ce-bfc1-08002be10318}\\0012"
"Class"="System"
"Mfg"="@acpi.inf,%msft%;Microsoft"
"DeviceDesc"="@acpi.inf,%*pnp0c08.devicedesc%;Microsoft ACPI-Compliant System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI_HAL\PNP0C08\0\Device Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI_HAL\PNP0C08\0\Device Parameters\Interrupt Management]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI_HAL\PNP0C08\0\Device Parameters\Interrupt Management\Affinity Policy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI_HAL\PNP0C08\0\LogConf]

Win7 registry export 2:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ACPI]
"Start"=dword:00000000
"Type"=dword:00000001
"ErrorControl"=dword:00000003
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,41,00,43,00,50,00,49,00,2e,00,73,\
00,79,00,73,00,00,00
"DisplayName"="Microsoft ACPI Driver"
"Group"="Boot Bus Extender"
"DriverPackageId"="acpi.inf_amd64_neutral_2a841284c9de8962"
"Tag"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ACPI\Parameters]
"WHEAOSCImplemented"=hex:00,00,00,00
"AMLIMaxCTObjs"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ACPI\Parameters\WakeUp]
"FixedEventMask"=hex:20,01
"FixedEventStatus"=hex:00,80
"GenericEventMask"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,20,00,00
"GenericEventStatus"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ACPI\Enum]
"0"="ACPI_HAL\\PNP0C08\\0"
"Count"=dword:00000001
"NextInstance"=dword:00000001
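
The two exports above show the relationship the routine description states: the instance key's Service value (ACPI) names the service whose Enum subkey lists the instance path and a Count. The Python sketch below is an added example, not code from the original post or from the Windows sources; it parses a .reg export and reports instances whose service list entry is absent or inconsistent. The Root\EXAMPLE\0000 instance, the ExampleSvc service and the function names parse_reg and audit are constructed for illustration.

```python
import re
from collections import defaultdict

# Trimmed from the two exports on this page, plus one constructed instance
# (Root\EXAMPLE\0000, service ExampleSvc) that has no service list entry.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI_HAL\PNP0C08\0]
"Service"="ACPI"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\EXAMPLE\0000]
"Service"="ExampleSvc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ACPI\Enum]
"0"="ACPI_HAL\\PNP0C08\\0"
"Count"=dword:00000001
'''
CCS = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\"

def parse_reg(text):
    """Parse REG_SZ and REG_DWORD values of a .reg export into {key: {name: value}}."""
    keys, cur = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur]  # record the key even when it has no values
        elif cur and (m := re.match(r'"(.*?)"=dword:([0-9a-fA-F]{8})$', line)):
            keys[cur][m.group(1)] = int(m.group(2), 16)
        elif cur and (m := re.match(r'"(.*?)"="(.*)"$', line)):
            keys[cur][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def audit(text):
    r"""Check every Enum instance with a Service value against Services\<svc>\Enum."""
    keys = parse_reg(text)
    lower = {k.lower(): v for k, v in keys.items()}
    prefix, findings = CCS + "Enum\\", []
    for key, vals in keys.items():
        if not key.lower().startswith(prefix.lower()) or "Service" not in vals:
            continue
        inst, svc = key[len(prefix):], vals["Service"]
        enum = lower.get((CCS + "services\\" + svc + "\\Enum").lower())
        if enum is None:
            findings.append((inst, svc, "no Enum subkey"))
            continue
        listed = [v.lower() for n, v in enum.items() if n.isdigit() and isinstance(v, str)]
        if inst.lower() not in listed:
            findings.append((inst, svc, "instance not listed"))
        if enum.get("Count") != len(listed):
            findings.append((inst, svc, "Count mismatch"))
    return findings
```

Because the Enum subkey is volatile, a reported difference is a lead to compare against the live system rather than a conclusion.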

Part 2:

1: kd> t
Breakpoint 31 hit
eax=00000001 ebx=80a03578 ecx=00000000 edx=00000000 esi=80b1f260 edi=80a03598
eip=80caf43e esp=f789a110 ebp=f789a12c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!PiDeviceRegistration:
80caf43e 55 push ebp
1: kd> kc
#
00 nt!PiDeviceRegistration
01 nt!PpDeviceRegistration
02 nt!IopInitializeDeviceInstanceKey
03 nt!PipApplyFunctionToSubKeys
04 nt!IopInitializeDeviceKey
05 nt!PipApplyFunctionToSubKeys
06 nt!IopGetRootDevices
07 nt!IopPnPDispatch
08 nt!IofCallDriver
09 nt!IopSynchronousCall
0a nt!IopQueryDeviceRelations
0b nt!PipEnumerateDevice
0c nt!PipProcessDevNodeTree
0d nt!PiProcessReenumeration
0e nt!PipDeviceActionWorker
0f nt!PipRequestDeviceAction
10 nt!IopInitializePlugPlayServices
11 nt!IoInitSystem
12 nt!Phase1Initialization
13 nt!PspSystemThreadStartup
14 nt!KiThreadStartup
1: kd> kv
# ChildEBP RetAddr Args to Child
00 f789a10c 80caf6ea 899c58e4 00000001 899c58ec nt!PiDeviceRegistration (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\devices.c @ 222]
01 f789a12c 80cb0645 899c58e4 00000001 899c58ec nt!PpDeviceRegistration+0xa2 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\devices.c @ 163]
02 f789a174 80c87246 800004c4 00000020 f789a23c nt!IopInitializeDeviceInstanceKey+0x521 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpdd.c @ 1489]
03 f789a1ac 80cb07a0 800004c0 800004c4 000f003f nt!PipApplyFunctionToSubKeys+0xec (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpsubs.c @ 1976]
04 f789a1d8 80c87246 800004c0 f789a1f8 f789a23c nt!IopInitializeDeviceKey+0x48 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpdd.c @ 1008]
05 f789a210 80cb096f 800004b0 800004c0 000f003f nt!PipApplyFunctionToSubKeys+0xec (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpsubs.c @ 1976]
06 f789a26c 80cb0bc8 f789a29c 899c5d08 89994008 nt!IopGetRootDevices+0x157 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpdd.c @ 905]
07 f789a294 80a2675c 00000000 89994008 8999409c nt!IopPnPDispatch+0x92 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpdd.c @ 405]
08 f789a2b0 80c95e00 00000000 899c5bc8 899c5bc8 nt!IofCallDriver+0x62 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 2237]
09 f789a2e0 80a2e3f3 00000000 f789a2fc 899c5ca8 nt!IopSynchronousCall+0x1aa (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpirp.c @ 258]
0a f789a320 80c8d810 00000000 899c5d08 00000001 nt!IopQueryDeviceRelations+0x39 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpirp.c @ 1131]
0b f789a33c 80c94e01 899c5bc8 00000001 899c5bc8 nt!PipEnumerateDevice+0x56 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpenum.c @ 980]
0c f789a588 80c954e7 899c5bc8 00000000 00000000 nt!PipProcessDevNodeTree+0x273 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpenum.c @ 4699]
0d f789a5c0 80a2de90 89996df0 80b1f6f8 00000000 nt!PiProcessReenumeration+0xaf (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpenum.c @ 6115]
0e f789a5e8 80a2e161 00000000 e1278d82 00000000 nt!PipDeviceActionWorker+0x174 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpenum.c @ 801]
0f f789a600 80e68579 899c5d08 00000008 00000000 nt!PipRequestDeviceAction+0x139 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpenum.c @ 598]
10 f789a694 80e6554b 8000048c 80000494 00034000 nt!IopInitializePlugPlayServices+0x619 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\pnpmgr\pnpinit.c @ 762]
11 f789a838 80e632fd 80077000 00000000 899a1020 nt!IoInitSystem+0x68f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\ioinit.c @ 599]
12 f789adac 80d391f0 80077000 00000000 00000000 nt!Phase1Initialization+0x9b3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\init\init.c @ 2221]
13 f789addc 80b00d52 80e6294a 80077000 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 2213]
14 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 [d:\srv03rtm\base\ntos\ke\i386\threadbg.asm @ 81]
1: kd> dv
DeviceInstancePath = 0x899c58e4 "Root\ACPI_HAL\0000"
Add = 0x01 ''
ServiceKeyName = 0x899c58ec ""
KeyValueInformation = 0x80caf43e
DeviceInstanceHandle = 0x00000008
ServiceName = -24204 'ꅴ'
TempKeyHandle = 0x00000000
len = 0x899c58ec
context = struct PROCESS_DRIVER_CONTEXT
1: kd> dx -r1 ((ntkrnlmp!_UNICODE_STRING *)0x899c58ec)
((ntkrnlmp!_UNICODE_STRING *)0x899c58ec) : 0x899c58ec : "" [Type: _UNICODE_STRING *]
[<Raw View>] [Type: _UNICODE_STRING]
1: kd> dx -r1 -nv (*((ntkrnlmp!_UNICODE_STRING *)0x899c58ec))
(*((ntkrnlmp!_UNICODE_STRING *)0x899c58ec)) : "" [Type: _UNICODE_STRING]
[+0x000] Length : 0x0 [Type: unsigned short]
[+0x002] MaximumLength : 0x0 [Type: unsigned short]
[+0x004] Buffer : 0x0 [Type: unsigned short *]
