Some of you may have used RtlQueryRegistryValues and wondered what Microsoft meant by saying:
Starting with Windows 8, if an RtlQueryRegistryValues call accesses an untrusted hive, and the caller sets the RTL_QUERY_REGISTRY_DIRECT flag for this call, the caller must additionally set the RTL_QUERY_REGISTRY_TYPECHECK flag.
A hive is marked as untrusted using the 0x1 flag in CMHIVE.Flags.
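The rule quoted above, as an added example that is not from the original post or from Microsoft: a simplified user-mode model of the decision, not the kernel's implementation. The flag and shift values are the ones defined in wdm.h; the `model_*` names and `MODEL_HIVE_UNTRUSTED` are hypothetical, and the table entry is reduced to the two fields the rule touches.

```c
#include <stdint.h>

/* Flag and shift values as defined in the WDK header wdm.h. */
#define RTL_QUERY_REGISTRY_DIRECT          0x00000020u
#define RTL_QUERY_REGISTRY_TYPECHECK       0x00000100u
#define RTL_QUERY_REGISTRY_TYPECHECK_SHIFT 24
#define REG_NONE  0u
#define REG_SZ    1u
#define REG_DWORD 4u

/* Hypothetical name for the 0x1 "untrusted" bit in CMHIVE.Flags. */
#define MODEL_HIVE_UNTRUSTED 0x1u

enum model_result { MODEL_OK, MODEL_TYPE_MISMATCH, MODEL_RULE_VIOLATION };

/* Only the two query-table fields that matter for the rule. */
struct model_entry {
    uint32_t flags;        /* RTL_QUERY_REGISTRY_* flags */
    uint32_t default_type; /* with TYPECHECK, the expected type sits in the top byte */
};

/* Decide whether a direct write through EntryContext may go ahead. */
enum model_result model_query(uint32_t hive_flags,
                              const struct model_entry *e,
                              uint32_t stored_type)
{
    int direct    = (e->flags & RTL_QUERY_REGISTRY_DIRECT) != 0;
    int typecheck = (e->flags & RTL_QUERY_REGISTRY_TYPECHECK) != 0;

    /* Untrusted hive + DIRECT requires TYPECHECK. */
    if ((hive_flags & MODEL_HIVE_UNTRUSTED) && direct && !typecheck)
        return MODEL_RULE_VIOLATION;

    if (direct && typecheck) {
        uint32_t expected = e->default_type >> RTL_QUERY_REGISTRY_TYPECHECK_SHIFT;
        if (stored_type != expected)
            return MODEL_TYPE_MISMATCH; /* nothing reaches the caller's buffer */
    }
    return MODEL_OK;
}

/* Entry as commonly written before Windows 8: DIRECT only. */
static const struct model_entry legacy_entry = { RTL_QUERY_REGISTRY_DIRECT, REG_NONE };

/* Corrected entry: the caller expects a REG_DWORD and says so in DefaultType. */
static const struct model_entry checked_entry = {
    RTL_QUERY_REGISTRY_DIRECT | RTL_QUERY_REGISTRY_TYPECHECK,
    (REG_DWORD << RTL_QUERY_REGISTRY_TYPECHECK_SHIFT) | REG_NONE
};
```

In a real driver the same two changes go into the RTL_QUERY_REGISTRY_TABLE entry: OR in RTL_QUERY_REGISTRY_TYPECHECK and encode the expected REG_* type in DefaultType.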
Read more: http://www.msuiche.net/2014/06/10/hives-trust-issues/