Geoff Chappell, Software Analyst
This function gets the data for a particular license value.
NTSTATUS
ZwQueryLicenseValue (
    PUNICODE_STRING Name,
    ULONG *Type,
    PVOID Buffer,
    ULONG Length,
    ULONG *DataLength);
The Name argument provides the address of a UNICODE_STRING structure for the name of the value for which data is wanted.
The optional Type argument provides the address of a variable that is to receive the type of data: REG_SZ (0x01) for a string; REG_BINARY (0x03) for binary data; REG_DWORD (0x04) for a dword.
The optional Buffer and Length arguments provide the address and size (in bytes) of a buffer that is to receive the data for the named value.
The DataLength argument provides the address of a variable that is to receive the size (in bytes) of the data.
The function returns zero for success, else an error code.
The Name and DataLength arguments are required. If either is NULL, the function fails (returning STATUS_INVALID_PARAMETER).
If the license has been tampered with, the function fails (returning STATUS_INTERNAL_ERROR). If the licensing cache is corrupt, the function fails (returning STATUS_DATA_ERROR). If there are no licensing descriptors but the kernel thinks it has the licensing descriptors sorted, the function fails (returning STATUS_OBJECT_NAME_NOT_FOUND).
If the licensing descriptors are not sorted, they have to be.
The ZwQueryLicenseValue function is exported by name from the kernel in version 6.0 and higher. It is also available in user mode, being exported by name both as NtQueryLicenseValue and ZwQueryLicenseValue from NTDLL.DLL in version 6.0 and higher.