Tags: kernel, registry, driver, windows-ce

Erasing Hive Registry


I have been trying to erase the Hive registry.

Luckily, I found this forum (http://geekswithblogs.net/BruceEitman/archive/2009/04/28/windows-ce-cleaning-the-registry-hive.aspx), which tells me that it can be done by adding new functionality in KernelIoControl. I tried to call it and debugged it within one of the drivers, and found that when I called KernelIoControl it led me to the XXX_KernelIoControl function in C:\WINCE800\private\winceos\coreos\core\thunks\tkfuncs.cpp. At the end of that function KernelIoControl is called and I don't have access to the source code any more (it took me into assembly code).

The forum provided example code for setting the flag to erase the hive registry (see code below).

// Inside OEMIoControl, in the case that handles IOCTL_HAL_GET_HIVE_CLEAN_FLAG:
// lpInBuf carries a DWORD selecting the hive, lpOutBuf receives a BOOL.
DWORD *pFlags = (DWORD *)lpInBuf;
BOOL  *pClean = (BOOL *)lpOutBuf;

*pClean = FALSE;    // default: keep the hive

if ((*pFlags == HIVECLEANFLAG_SYSTEM) || (*pFlags == HIVECLEANFLAG_USERS))
{
    if (CheckSharedMemoryHiveDeleteFlag())
    {
        *pClean = TRUE;    // ask the file system to discard this hive
    }
}
return TRUE;

What I don't understand is that I could not find *pclean anywhere (assuming the variable name is correct). Also, Microsoft provides the same information (https://msdn.microsoft.com/pt-br/windows/desktop/ms904450?f=255&MSPPError=-2147217396), which still uses *pclean. So, in a nutshell, I have been trying to find a way to set the flag to erase the hive.


Solution

  • pClean is the output parameter of the IoControl call; it's obtained by casting the pointer to a BOOL in the 2nd line of your code. By setting it to TRUE (and returning TRUE from your IoControl routine) you'll tell the system to discard the contents of the hive files.
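The following is an added worked example, not code from the original question, the answer, or the linked blog. It models the IOCTL_HAL_GET_HIVE_CLEAN_FLAG case of OEMIoControl as a stand-alone C program so the in/out parameter handling can be run and tested anywhere: the Windows CE types are stubbed locally, the HIVECLEANFLAG_SYSTEM and HIVECLEANFLAG_USERS values are assumed to match pkfuncs.h (verify in your tree), and SetHiveDeleteRequested is a hypothetical stand-in for whatever sets the shared-memory flag that CheckSharedMemoryHiveDeleteFlag reads. Compared with the posted snippet it adds the checks a practitioner would want in an IOCTL handler: the input and output buffers and their sizes are caller-supplied, so they are validated before being dereferenced, and lpBytesReturned is filled in.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Minimal stand-ins for the Windows CE types (windows.h on a real BSP). */
typedef uint32_t DWORD;
typedef int      BOOL;
typedef void    *LPVOID;
typedef DWORD   *LPDWORD;
#define TRUE  1
#define FALSE 0

/* Hive selector values; assumed to match pkfuncs.h, verify in your tree. */
#define HIVECLEANFLAG_SYSTEM 1
#define HIVECLEANFLAG_USERS  2

/* Hypothetical stand-in for the shared-memory "wipe requested" flag that
 * the blog's CheckSharedMemoryHiveDeleteFlag() reads. On hardware this is
 * typically a reserved-RAM location set by the bootloader or a privileged
 * tool. Whoever can write it erases the persisted registry on the next
 * boot, so it must not be writable by arbitrary applications. */
static BOOL g_hiveDeleteRequested = FALSE;

void SetHiveDeleteRequested(BOOL fRequested)
{
    g_hiveDeleteRequested = fRequested;
}

static BOOL CheckSharedMemoryHiveDeleteFlag(void)
{
    return g_hiveDeleteRequested;
}

/* Body of the IOCTL_HAL_GET_HIVE_CLEAN_FLAG case of OEMIoControl, with the
 * parameter checks the posted snippet leaves out. Returns TRUE when the
 * request was handled (the verdict is in *lpOutBuf) and FALSE when the
 * parameters are bad, so the caller can fail the IOCTL instead of
 * reading garbage. */
BOOL HandleGetHiveCleanFlag(LPVOID lpInBuf, DWORD nInBufSize,
                            LPVOID lpOutBuf, DWORD nOutBufSize,
                            LPDWORD lpBytesReturned)
{
    DWORD dwFlags;
    BOOL  fClean = FALSE;

    if (lpInBuf == NULL || nInBufSize < sizeof(DWORD) ||
        lpOutBuf == NULL || nOutBufSize < sizeof(BOOL)) {
        return FALSE;
    }

    /* memcpy instead of cast-and-dereference: the caller's buffer need not
     * be aligned, and this behaves the same on ARM and x86. */
    memcpy(&dwFlags, lpInBuf, sizeof dwFlags);

    /* Only a recognised hive selector combined with an explicit wipe
     * request yields TRUE; any other selector keeps the hive, exactly as
     * in the blog snippet. */
    if ((dwFlags == HIVECLEANFLAG_SYSTEM || dwFlags == HIVECLEANFLAG_USERS) &&
        CheckSharedMemoryHiveDeleteFlag()) {
        fClean = TRUE;
    }

    memcpy(lpOutBuf, &fClean, sizeof fClean);
    if (lpBytesReturned != NULL) {
        *lpBytesReturned = sizeof fClean;
    }
    return TRUE;
}

/* Caller side, shaped like the KernelIoControl(IOCTL_HAL_GET_HIVE_CLEAN_FLAG,
 * &dwHive, sizeof dwHive, &fClean, sizeof fClean, &cb) call the file
 * system makes at boot, once per hive. Returns 1 = discard the hive,
 * 0 = keep it, -1 = IOCTL rejected. */
int QueryHiveClean(DWORD dwHive)
{
    BOOL  fClean = FALSE;
    DWORD cb = 0;

    if (!HandleGetHiveCleanFlag(&dwHive, sizeof dwHive,
                                &fClean, sizeof fClean, &cb)) {
        return -1;
    }
    return fClean ? 1 : 0;
}

int main(void)
{
    SetHiveDeleteRequested(TRUE);
    printf("system hive: %d, user hive: %d, unknown selector: %d\n",
           QueryHiveClean(HIVECLEANFLAG_SYSTEM),
           QueryHiveClean(HIVECLEANFLAG_USERS),
           QueryHiveClean(0x1234));
    return 0;
}
```

On a real BSP the handler body goes under the IOCTL_HAL_GET_HIVE_CLEAN_FLAG case of OEMIoControl and the driver side simply calls KernelIoControl with the same buffer layout; the point to carry over is that *pClean is nothing more than the BOOL the caller passed in lpOutBuf, and the handler's return value only says whether the request was understood.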