Process Monitor and Registry Free COM: why no access to "manifest"?


I am trying to do COM without touching the registry. I started with a very simple C++ "client", trying to CoCreateInstance with a random, arbitrary UUID.

#include <stdio.h>
#include <stdlib.h>   // rand
#include <string.h>   // memset
#include <Windows.h>

#pragma comment(lib, "ole32.lib")  // CoInitializeEx, CoCreateInstance (MSVC)

int main() {

    HRESULT hr = CoInitializeEx(nullptr, COINIT_MULTITHREADED | COINIT_DISABLE_OLE1DDE);
    if (FAILED(hr)) {
        return 0;
    } // endif
    // Arbitrary class ID that is not registered anywhere
    const IID SomeClass = { 42, 65535, 42, { 'H', 'e', 'l', 'l', 'o', ' ', 'S', 'O'} };
    // Arbitrary interface ID: every byte is set to the same random value
    IID SomeInterface;
    memset(&SomeInterface, rand(), sizeof(SomeInterface));
    void * pInterface = nullptr;
    hr = CoCreateInstance(SomeClass, nullptr, CLSCTX_INPROC_SERVER, SomeInterface, &pInterface );
    if (FAILED(hr)) {
        printf("'CoCreateInstance' failed with error 0x%lX", (unsigned long)hr);
    } // endif
    CoUninitialize();
    return 0;
}

As you could imagine, the output of the program is:

'CoCreateInstance' failed with error 0x80040154

(0x80040154 being the notorious 'Class Not Found')

I was told that in such a case Windows would search the image directory for one or more "manifest" files.

So far I have failed miserably to create such files, so as a last resort I drew procmon.exe.

I managed to get a CSV text file corresponding to the execution of the above program, using a filter that excludes any event not related to the process name.

Then I used Notepad++, and found some events related to RegOpenKey for my dummy "class", all ending with "NAME NOT FOUND"

I then searched for CreateFile Event with some "manifest" file extension and found none!

Question: why is there no access to some manifest files?


There is 1 best solution below


It's normal. I thought that after failing to find the class in the registry, my process would try to read some manifest from disk. Windows indeed tries that, as I finally found out with Process Monitor, but not in my process!

The various CreateFile and friends calls concerning a "manifest" in the image directory take place in csrss.exe...

Mystery solved.
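
The filtering problem described in the question and answer, as an added example that is not part of the original posts: a Python sketch that scans a Process Monitor CSV export for `.manifest` paths in the image directory across every process, instead of only the client's process name. The CSV rows, `client.exe` and `C:\demo` are constructed for illustration; the column names follow Procmon's default CSV export layout.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not a real capture). "client.exe" and C:\demo are assumed names;
# the CLSID is the one built by the question's SomeClass initializer.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.0000001","client.exe","4321","CreateFile","C:\demo\client.exe","SUCCESS",""
"10:00:00.0000002","client.exe","4321","RegOpenKey","HKCU\Software\Classes\CLSID\{0000002A-FFFF-002A-4865-6C6C6F20534F}","NAME NOT FOUND",""
"10:00:00.0000003","client.exe","4321","RegOpenKey","HKCR\CLSID\{0000002A-FFFF-002A-4865-6C6C6F20534F}","NAME NOT FOUND",""
"10:00:00.0000004","csrss.exe","612","CreateFile","C:\demo\client.exe.manifest","NAME NOT FOUND",""
"10:00:00.0000005","csrss.exe","612","CreateFile","C:\other\app.exe.manifest","NAME NOT FOUND",""
'''


def manifest_events(csv_text, image_dir):
    """Return {process name: [(operation, path, result), ...]} for every event
    on a *.manifest path directly under image_dir, whichever process issued it."""
    prefix = image_dir.rstrip("\\").lower() + "\\"
    hits = defaultdict(list)
    # Drop a UTF-8 BOM if the export starts with one, so the first header parses cleanly.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        path = row["Path"].lower()  # Windows paths are case-insensitive
        if path.startswith(prefix) and path.endswith(".manifest"):
            hits[row["Process Name"]].append(
                (row["Operation"], row["Path"], row["Result"])
            )
    return dict(hits)


def seen_with_process_filter(csv_text, image_dir, process_name):
    """What remains when the capture is restricted to one process name,
    as in the question's Procmon filter."""
    return manifest_events(csv_text, image_dir).get(process_name, [])


if __name__ == "__main__":
    for proc, events in manifest_events(SAMPLE_CSV, r"C:\demo").items():
        for operation, path, result in events:
            print(f"{proc}: {operation} {path} -> {result}")
    # A per-process filter on the client hides the manifest probe entirely.
    print("client.exe only:", seen_with_process_filter(SAMPLE_CSV, r"C:\demo", "client.exe"))
```

To use it on a real capture, export the trace without a process-name filter and pass the file's text and the executable's directory to `manifest_events`.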