[hbelusca] 73737: [USERENV] - Fix some DPRINTs; - Add parameter validation in CreateUserProfileExW; - Return the directory path of the created profile in CreateUserProfileExW, if the user wants it; ... - Ros-diffs

6 Feb 2017

Author: hbelusca
Date: Mon Feb  6 22:58:20 2017
New Revision: 73737
URL: http://svn.reactos.org/svn/reactos?rev=73737&view=rev
Log:
[USERENV]
- Fix some DPRINTs;
- Add parameter validation in CreateUserProfileExW;
- Return the directory path of the created profile in CreateUserProfileExW, if the user wants it;
- Add value type validation for RegQueryValueExW calls;
- Use ARRAYSIZE where needed;
- Add parameter validation in GetAllUsersProfileDirectoryA, GetDefaultUserProfileDirectoryA;
- Correctly return error code in GetAllUsersProfileDirectoryW, GetDefaultUserProfileDirectoryW, GetProfilesDirectoryW and GetUserProfileDirectoryW. Should fix the userenv_apitest:GetProfileDirs tests.
Modified:
    trunk/reactos/dll/win32/userenv/profile.c
Modified: trunk/reactos/dll/win32/userenv/profile.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/userenv/profile.c...
==============================================================================

--- trunk/reactos/dll/win32/userenv/profile.c	[iso-8859-1] (original)
+++ trunk/reactos/dll/win32/userenv/profile.c	[iso-8859-1] Mon Feb  6 22:58:20 2017
@@ -266,7 +266,7 @@
     WCHAR szUserProfileName[MAX_PATH];
     WCHAR szBuffer[MAX_PATH];
     LPWSTR SidString;
-    DWORD dwLength;
+    DWORD dwType, dwLength;
     DWORD dwDisposition;
     UINT i;
     HKEY hKey;
@@ -276,9 +276,16 @@
     DPRINT("CreateUserProfileExW(%p %S %S %p %lu %d)\n",
            pSid, lpUserName, lpUserHive, lpProfileDir, dwDirSize, bWin9xUpg);
+    /* Parameters validation */
+    if (!pSid || !lpUserName)
+    {
+        SetLastError(ERROR_INVALID_PARAMETER);
+        return FALSE;
+    }
+
     /*
      * TODO:
-     *  - Add support for lpUserHive, lpProfileDir.
+     *  - Add support for lpUserHive.
      *  - bWin9xUpg is obsolete. Don't waste your time implementing this.
      */
@@ -299,10 +306,10 @@
     Error = RegQueryValueExW(hKey,
                              L"ProfilesDirectory",
                              NULL,
-                             NULL,
+                             &dwType,
                              (LPBYTE)szRawProfilesPath,
                              &dwLength);
-    if (Error != ERROR_SUCCESS)
+    if ((Error != ERROR_SUCCESS) || (dwType != REG_SZ && dwType != REG_EXPAND_SZ))
     {
         DPRINT1("Error: %lu\n", Error);
         RegCloseKey(hKey);
@@ -320,7 +327,8 @@
         return FALSE;
     }
-    /* create the profiles directory if it does not yet exist */
+    /* Create the profiles directory if it does not exist yet */
+    // FIXME: Security!
     if (!CreateDirectoryW(szProfilesPath, NULL))
     {
         if (GetLastError() != ERROR_ALREADY_EXISTS)
@@ -335,10 +343,10 @@
     Error = RegQueryValueExW(hKey,
                              L"DefaultUserProfile",
                              NULL,
-                             NULL,
+                             &dwType,
                              (LPBYTE)szBuffer,
                              &dwLength);
-    if (Error != ERROR_SUCCESS)
+    if ((Error != ERROR_SUCCESS) || (dwType != REG_SZ && dwType != REG_EXPAND_SZ))
     {
         DPRINT1("Error: %lu\n", Error);
         RegCloseKey(hKey);
@@ -346,19 +354,17 @@
         return FALSE;
     }
-    RegCloseKey (hKey);
-
-    wcscpy(szUserProfileName, lpUserName);
-
-    wcscpy(szUserProfilePath, szProfilesPath);
-    wcscat(szUserProfilePath, L"\");
-    wcscat(szUserProfilePath, szUserProfileName);
-
-    wcscpy(szDefaultUserPath, szProfilesPath);
-    wcscat(szDefaultUserPath, L"\");
-    wcscat(szDefaultUserPath, szBuffer);
+    RegCloseKey(hKey);
+
+    StringCbCopyW(szUserProfileName, sizeof(szUserProfileName), lpUserName);
/* Create user profile directory */
+
+    StringCbCopyW(szUserProfilePath, sizeof(szUserProfilePath), szProfilesPath);
+    StringCbCatW(szUserProfilePath, sizeof(szUserProfilePath), L"\");
+    StringCbCatW(szUserProfilePath, sizeof(szUserProfilePath), szUserProfileName);
+
+    // FIXME: Security!
     if (!CreateDirectoryW(szUserProfilePath, NULL))
     {
         if (GetLastError() != ERROR_ALREADY_EXISTS)
@@ -371,10 +377,11 @@
         {
             swprintf(szUserProfileName, L"%s.%03u", lpUserName, i);
-            wcscpy(szUserProfilePath, szProfilesPath);
-            wcscat(szUserProfilePath, L"\");
-            wcscat(szUserProfilePath, szUserProfileName);
-
+            StringCbCopyW(szUserProfilePath, sizeof(szUserProfilePath), szProfilesPath);
+            StringCbCatW(szUserProfilePath, sizeof(szUserProfilePath), L"\");
+            StringCbCatW(szUserProfilePath, sizeof(szUserProfilePath), szUserProfileName);
+
+            // FIXME: Security!
             if (CreateDirectoryW(szUserProfilePath, NULL))
                 break;
@@ -387,6 +394,12 @@
     }
/* Copy default user directory */
+
+    StringCbCopyW(szDefaultUserPath, sizeof(szDefaultUserPath), szProfilesPath);
+    StringCbCatW(szDefaultUserPath, sizeof(szDefaultUserPath), L"\");
+    StringCbCatW(szDefaultUserPath, sizeof(szDefaultUserPath), szBuffer);
+
+    // FIXME: Security!
     if (!CopyDirectory(szUserProfilePath, szDefaultUserPath))
     {
         DPRINT1("Error: %lu\n", GetLastError());
@@ -401,9 +414,9 @@
         return FALSE;
     }
-    wcscpy(szBuffer,
-           L"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\");
-    wcscat(szBuffer, SidString);
+    StringCbCopyW(szBuffer, sizeof(szBuffer),
+                  L"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\");
+    StringCbCatW(szBuffer, sizeof(szBuffer), SidString);
/* Create user profile key */
     Error = RegCreateKeyExW(HKEY_LOCAL_MACHINE,
@@ -423,9 +436,9 @@
     }
/* Create non-expanded user profile path */
-    wcscpy(szBuffer, szRawProfilesPath);
-    wcscat(szBuffer, L"\");
-    wcscat(szBuffer, szUserProfileName);
+    StringCbCopyW(szBuffer, sizeof(szBuffer), szRawProfilesPath);
+    StringCbCatW(szBuffer, sizeof(szBuffer), L"\");
+    StringCbCatW(szBuffer, sizeof(szBuffer), szUserProfileName);
/* Set 'ProfileImagePath' value (non-expanded) */
     Error = RegSetValueExW(hKey,
@@ -459,9 +472,11 @@
RegCloseKey(hKey);
-    /* Create user hive name */
-    wcscpy(szBuffer, szUserProfilePath);
-    wcscat(szBuffer, L"\ntuser.dat");
+    /* Create user hive file */
+
+    /* Use the default hive file name */
+    StringCbCopyW(szBuffer, sizeof(szBuffer), szUserProfilePath);
+    StringCbCatW(szBuffer, sizeof(szBuffer), L"\ntuser.dat");
/* Acquire restore privilege */
     if (!AcquireRemoveRestorePrivilege(TRUE))
@@ -472,7 +487,7 @@
         goto done;
     }
-    /* Create new user hive */
+    /* Load the user hive */
     Error = RegLoadKeyW(HKEY_USERS,
                         SidString,
                         szBuffer);
@@ -497,6 +512,13 @@
     RegUnLoadKeyW(HKEY_USERS, SidString);
     AcquireRemoveRestorePrivilege(FALSE);
+    /*
+     * If the caller wants to retrieve the user profile path,
+     * give it now. 'dwDirSize' is the number of characters.
+     */
+    if (lpProfileDir && dwDirSize)
+        StringCchCopyW(lpProfileDir, dwDirSize, szUserProfilePath);
+
 done:
     LocalFree((HLOCAL)SidString);
     SetLastError((DWORD)Error);
@@ -516,6 +538,12 @@
     LPWSTR lpBuffer;
     BOOL bResult;
+    if (!lpcchSize)
+    {
+        SetLastError(ERROR_INVALID_PARAMETER);
+        return FALSE;
+    }
+
     lpBuffer = GlobalAlloc(GMEM_FIXED,
                            *lpcchSize * sizeof(WCHAR));
     if (lpBuffer == NULL)
@@ -523,273 +551,7 @@
bResult = GetAllUsersProfileDirectoryW(lpBuffer,
                                            lpcchSize);
-    if (bResult)
-    {
-        WideCharToMultiByte(CP_ACP,
-                            0,
-                            lpBuffer,
-                            -1,
-                            lpProfileDir,
-                            *lpcchSize,
-                            NULL,
-                            NULL);
-    }
-
-    GlobalFree(lpBuffer);
-
-    return bResult;
-}
-
-
-BOOL
-WINAPI
-GetAllUsersProfileDirectoryW(
-    _Out_opt_ LPWSTR lpProfileDir,
-    _Inout_ LPDWORD lpcchSize)
-{
-    WCHAR szProfilePath[MAX_PATH];
-    WCHAR szBuffer[MAX_PATH];
-    DWORD dwLength;
-    HKEY hKey;
-    LONG Error;
-
-    if (!lpcchSize)
-    {
-        SetLastError(ERROR_INVALID_PARAMETER);
-        return FALSE;
-    }
-
-    Error = RegOpenKeyExW(HKEY_LOCAL_MACHINE,
-                          L"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",
-                          0,
-                          KEY_QUERY_VALUE,
-                          &hKey);
-    if (Error != ERROR_SUCCESS)
-    {
-        DPRINT1("Error: %lu\n", Error);
-        SetLastError((DWORD)Error);
-        return FALSE;
-    }
-
-    /* Get profiles path */
-    dwLength = sizeof(szBuffer);
-    Error = RegQueryValueExW(hKey,
-                             L"ProfilesDirectory",
-                             NULL,
-                             NULL,
-                             (LPBYTE)szBuffer,
-                             &dwLength);
-    if (Error != ERROR_SUCCESS)
-    {
-        DPRINT1("Error: %lu\n", Error);
-        RegCloseKey(hKey);
-        SetLastError((DWORD)Error);
-        return FALSE;
-    }
-
-    /* Expand it */
-    if (!ExpandEnvironmentStringsW(szBuffer,
-                                   szProfilePath,
-                                   MAX_PATH))
-    {
-        DPRINT1("Error: %lu\n", GetLastError());
-        RegCloseKey (hKey);
-        return FALSE;
-    }
-
-    /* Get 'AllUsersProfile' name */
-    dwLength = sizeof(szBuffer);
-    Error = RegQueryValueExW(hKey,
-                             L"AllUsersProfile",
-                             NULL,
-                             NULL,
-                             (LPBYTE)szBuffer,
-                             &dwLength);
-    if (Error != ERROR_SUCCESS)
-    {
-        DPRINT1("Error: %lu\n", Error);
-        RegCloseKey(hKey);
-        SetLastError((DWORD)Error);
-        return FALSE;
-    }
-
-    RegCloseKey (hKey);
-
-    wcscat(szProfilePath, L"\");
-    wcscat(szProfilePath, szBuffer);
-
-    dwLength = wcslen(szProfilePath) + 1;
-    if (lpProfileDir != NULL)
-    {
-        if (*lpcchSize < dwLength)
-        {
-            *lpcchSize = dwLength;
-            SetLastError(ERROR_INSUFFICIENT_BUFFER);
-            return FALSE;
-        }
-
-            wcscpy(lpProfileDir, szProfilePath);
-        }
-
-    *lpcchSize = dwLength;
-
-    return TRUE;
-}
-
-
-BOOL
-WINAPI
-GetDefaultUserProfileDirectoryA(
-    _Out_opt_ LPSTR lpProfileDir,
-    _Inout_ LPDWORD lpcchSize)
-{
-    LPWSTR lpBuffer;
-    BOOL bResult;
-
-    lpBuffer = GlobalAlloc(GMEM_FIXED,
-                           *lpcchSize * sizeof(WCHAR));
-    if (lpBuffer == NULL)
-        return FALSE;
-
-    bResult = GetDefaultUserProfileDirectoryW(lpBuffer,
-                                              lpcchSize);
-    if (bResult)
-    {
-        WideCharToMultiByte(CP_ACP,
-                            0,
-                            lpBuffer,
-                            -1,
-                            lpProfileDir,
-                            *lpcchSize,
-                            NULL,
-                            NULL);
-    }
-
-    GlobalFree(lpBuffer);
-
-    return bResult;
-}
-
-
-BOOL
-WINAPI
-GetDefaultUserProfileDirectoryW(
-    _Out_opt_ LPWSTR lpProfileDir,
-    _Inout_ LPDWORD lpcchSize)
-{
-    WCHAR szProfilePath[MAX_PATH];
-    WCHAR szBuffer[MAX_PATH];
-    DWORD dwLength;
-    HKEY hKey;
-    LONG Error;
-
-    if (!lpcchSize)
-    {
-        SetLastError(ERROR_INVALID_PARAMETER);
-        return FALSE;
-    }
-
-    Error = RegOpenKeyExW(HKEY_LOCAL_MACHINE,
-                          L"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",
-                          0,
-                          KEY_QUERY_VALUE,
-                          &hKey);
-    if (Error != ERROR_SUCCESS)
-    {
-        DPRINT1("Error: %lu\n", Error);
-        SetLastError((DWORD)Error);
-        return FALSE;
-    }
-
-    /* Get profiles path */
-    dwLength = sizeof(szBuffer);
-    Error = RegQueryValueExW(hKey,
-                             L"ProfilesDirectory",
-                             NULL,
-                             NULL,
-                             (LPBYTE)szBuffer,
-                             &dwLength);
-    if (Error != ERROR_SUCCESS)
-    {
-        DPRINT1("Error: %lu\n", Error);
-        RegCloseKey(hKey);
-        SetLastError((DWORD)Error);
-        return FALSE;
-    }
-
-    /* Expand it */
-    if (!ExpandEnvironmentStringsW(szBuffer,
-                                   szProfilePath,
-                                   MAX_PATH))
-    {
-        DPRINT1("Error: %lu\n", GetLastError());
-        RegCloseKey(hKey);
-        return FALSE;
-    }
-
-    /* Get 'DefaultUserProfile' name */
-    dwLength = sizeof(szBuffer);
-    Error = RegQueryValueExW(hKey,
-                             L"DefaultUserProfile",
-                             NULL,
-                             NULL,
-                             (LPBYTE)szBuffer,
-                             &dwLength);
-    if (Error != ERROR_SUCCESS)
-    {
-        DPRINT1("Error: %lu\n", Error);
-        RegCloseKey(hKey);
-        SetLastError((DWORD)Error);
-        return FALSE;
-    }
-
-    RegCloseKey(hKey);
-
-    wcscat(szProfilePath, L"\");
-    wcscat(szProfilePath, szBuffer);
-
-    dwLength = wcslen(szProfilePath) + 1;
-    if (lpProfileDir != NULL)
-    {
-        if (*lpcchSize < dwLength)
-        {
-            *lpcchSize = dwLength;
-            SetLastError(ERROR_INSUFFICIENT_BUFFER);
-            return FALSE;
-        }
-
-            wcscpy(lpProfileDir, szProfilePath);
-        }
-
-    *lpcchSize = dwLength;
-
-    return TRUE;
-}
-
-
-BOOL
-WINAPI
-GetProfilesDirectoryA(
-    _Out_ LPSTR lpProfileDir, // _Out_opt_
-    _Inout_ LPDWORD lpcchSize)
-{
-    LPWSTR lpBuffer;
-    BOOL bResult;
-
-    if (!lpProfileDir || !lpcchSize)
-    {
-        SetLastError(ERROR_INVALID_PARAMETER);
-        return FALSE;
-    }
-
-    lpBuffer = GlobalAlloc(GMEM_FIXED,
-                           *lpcchSize * sizeof(WCHAR));
-    if (lpBuffer == NULL)
-        return FALSE;
-
-    bResult = GetProfilesDirectoryW(lpBuffer,
-                                    lpcchSize);
-    if (bResult)
+    if (bResult && lpProfileDir)
     {
         bResult = WideCharToMultiByte(CP_ACP,
                                       0,
@@ -809,16 +571,15 @@
BOOL
 WINAPI
-GetProfilesDirectoryW(
-    _Out_ LPWSTR lpProfilesDir, // _Out_opt_
+GetAllUsersProfileDirectoryW(
+    _Out_opt_ LPWSTR lpProfileDir,
     _Inout_ LPDWORD lpcchSize)
 {
-    WCHAR szProfilesPath[MAX_PATH];
+    WCHAR szProfilePath[MAX_PATH];
     WCHAR szBuffer[MAX_PATH];
-    DWORD dwLength;
+    DWORD dwType, dwLength;
     HKEY hKey;
     LONG Error;
-    BOOL bRet = FALSE;
if (!lpcchSize)
     {
@@ -843,10 +604,276 @@
     Error = RegQueryValueExW(hKey,
                              L"ProfilesDirectory",
                              NULL,
-                             NULL,
+                             &dwType,
                              (LPBYTE)szBuffer,
                              &dwLength);
+    if ((Error != ERROR_SUCCESS) || (dwType != REG_SZ && dwType != REG_EXPAND_SZ))
+    {
+        DPRINT1("Error: %lu\n", Error);
+        RegCloseKey(hKey);
+        SetLastError((DWORD)Error);
+        return FALSE;
+    }
+
+    /* Expand it */
+    if (!ExpandEnvironmentStringsW(szBuffer,
+                                   szProfilePath,
+                                   ARRAYSIZE(szProfilePath)))
+    {
+        DPRINT1("Error: %lu\n", GetLastError());
+        RegCloseKey(hKey);
+        return FALSE;
+    }
+
+    /* Get 'AllUsersProfile' name */
+    dwLength = sizeof(szBuffer);
+    Error = RegQueryValueExW(hKey,
+                             L"AllUsersProfile",
+                             NULL,
+                             &dwType,
+                             (LPBYTE)szBuffer,
+                             &dwLength);
+    if ((Error != ERROR_SUCCESS) || (dwType != REG_SZ && dwType != REG_EXPAND_SZ))
+    {
+        DPRINT1("Error: %lu\n", Error);
+        RegCloseKey(hKey);
+        SetLastError((DWORD)Error);
+        return FALSE;
+    }
+
+    RegCloseKey(hKey);
+
+    StringCbCatW(szProfilePath, sizeof(szProfilePath), L"\");
+    StringCbCatW(szProfilePath, sizeof(szProfilePath), szBuffer);
+
+    dwLength = wcslen(szProfilePath) + 1;
+    if (lpProfileDir && (*lpcchSize >= dwLength))
+    {
+        StringCchCopyW(lpProfileDir, *lpcchSize, szProfilePath);
+        *lpcchSize = dwLength;
+        return TRUE;
+    }
+    else // if (!lpProfileDir || (*lpcchSize < dwLength))
+    {
+        *lpcchSize = dwLength;
+        SetLastError(ERROR_INSUFFICIENT_BUFFER);
+        return FALSE;
+    }
+}
+
+
+BOOL
+WINAPI
+GetDefaultUserProfileDirectoryA(
+    _Out_opt_ LPSTR lpProfileDir,
+    _Inout_ LPDWORD lpcchSize)
+{
+    LPWSTR lpBuffer;
+    BOOL bResult;
+
+    if (!lpcchSize)
+    {
+        SetLastError(ERROR_INVALID_PARAMETER);
+        return FALSE;
+    }
+
+    lpBuffer = GlobalAlloc(GMEM_FIXED,
+                           *lpcchSize * sizeof(WCHAR));
+    if (lpBuffer == NULL)
+        return FALSE;
+
+    bResult = GetDefaultUserProfileDirectoryW(lpBuffer,
+                                              lpcchSize);
+    if (bResult && lpProfileDir)
+    {
+        bResult = WideCharToMultiByte(CP_ACP,
+                                      0,
+                                      lpBuffer,
+                                      -1,
+                                      lpProfileDir,
+                                      *lpcchSize,
+                                      NULL,
+                                      NULL);
+    }
+
+    GlobalFree(lpBuffer);
+
+    return bResult;
+}
+
+
+BOOL
+WINAPI
+GetDefaultUserProfileDirectoryW(
+    _Out_opt_ LPWSTR lpProfileDir,
+    _Inout_ LPDWORD lpcchSize)
+{
+    WCHAR szProfilePath[MAX_PATH];
+    WCHAR szBuffer[MAX_PATH];
+    DWORD dwType, dwLength;
+    HKEY hKey;
+    LONG Error;
+
+    if (!lpcchSize)
+    {
+        SetLastError(ERROR_INVALID_PARAMETER);
+        return FALSE;
+    }
+
+    Error = RegOpenKeyExW(HKEY_LOCAL_MACHINE,
+                          L"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",
+                          0,
+                          KEY_QUERY_VALUE,
+                          &hKey);
     if (Error != ERROR_SUCCESS)
+    {
+        DPRINT1("Error: %lu\n", Error);
+        SetLastError((DWORD)Error);
+        return FALSE;
+    }
+
+    /* Get profiles path */
+    dwLength = sizeof(szBuffer);
+    Error = RegQueryValueExW(hKey,
+                             L"ProfilesDirectory",
+                             NULL,
+                             &dwType,
+                             (LPBYTE)szBuffer,
+                             &dwLength);
+    if ((Error != ERROR_SUCCESS) || (dwType != REG_SZ && dwType != REG_EXPAND_SZ))
+    {
+        DPRINT1("Error: %lu\n", Error);
+        RegCloseKey(hKey);
+        SetLastError((DWORD)Error);
+        return FALSE;
+    }
+
+    /* Expand it */
+    if (!ExpandEnvironmentStringsW(szBuffer,
+                                   szProfilePath,
+                                   ARRAYSIZE(szProfilePath)))
+    {
+        DPRINT1("Error: %lu\n", GetLastError());
+        RegCloseKey(hKey);
+        return FALSE;
+    }
+
+    /* Get 'DefaultUserProfile' name */
+    dwLength = sizeof(szBuffer);
+    Error = RegQueryValueExW(hKey,
+                             L"DefaultUserProfile",
+                             NULL,
+                             &dwType,
+                             (LPBYTE)szBuffer,
+                             &dwLength);
+    if ((Error != ERROR_SUCCESS) || (dwType != REG_SZ && dwType != REG_EXPAND_SZ))
+    {
+        DPRINT1("Error: %lu\n", Error);
+        RegCloseKey(hKey);
+        SetLastError((DWORD)Error);
+        return FALSE;
+    }
+
+    RegCloseKey(hKey);
+
+    StringCbCatW(szProfilePath, sizeof(szProfilePath), L"\");
+    StringCbCatW(szProfilePath, sizeof(szProfilePath), szBuffer);
+
+    dwLength = wcslen(szProfilePath) + 1;
+    if (lpProfileDir && (*lpcchSize >= dwLength))
+    {
+        StringCchCopyW(lpProfileDir, *lpcchSize, szProfilePath);
+        *lpcchSize = dwLength;
+        return TRUE;
+    }
+    else // if (!lpProfileDir || (*lpcchSize < dwLength))
+    {
+        *lpcchSize = dwLength;
+        SetLastError(ERROR_INSUFFICIENT_BUFFER);
+        return FALSE;
+    }
+}
+
+
+BOOL
+WINAPI
+GetProfilesDirectoryA(
+    _Out_ LPSTR lpProfileDir, // _Out_opt_
+    _Inout_ LPDWORD lpcchSize)
+{
+    LPWSTR lpBuffer;
+    BOOL bResult;
+
+    if (!lpcchSize)
+    {
+        SetLastError(ERROR_INVALID_PARAMETER);
+        return FALSE;
+    }
+
+    lpBuffer = GlobalAlloc(GMEM_FIXED,
+                           *lpcchSize * sizeof(WCHAR));
+    if (lpBuffer == NULL)
+        return FALSE;
+
+    bResult = GetProfilesDirectoryW(lpBuffer,
+                                    lpcchSize);
+    if (bResult && lpProfileDir)
+    {
+        bResult = WideCharToMultiByte(CP_ACP,
+                                      0,
+                                      lpBuffer,
+                                      -1,
+                                      lpProfileDir,
+                                      *lpcchSize,
+                                      NULL,
+                                      NULL);
+    }
+
+    GlobalFree(lpBuffer);
+
+    return bResult;
+}
+
+
+BOOL
+WINAPI
+GetProfilesDirectoryW(
+    _Out_ LPWSTR lpProfilesDir, // _Out_opt_
+    _Inout_ LPDWORD lpcchSize)
+{
+    WCHAR szProfilesPath[MAX_PATH];
+    WCHAR szBuffer[MAX_PATH];
+    DWORD dwType, dwLength;
+    HKEY hKey;
+    LONG Error;
+
+    if (!lpcchSize)
+    {
+        SetLastError(ERROR_INVALID_PARAMETER);
+        return FALSE;
+    }
+
+    Error = RegOpenKeyExW(HKEY_LOCAL_MACHINE,
+                          L"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",
+                          0,
+                          KEY_QUERY_VALUE,
+                          &hKey);
+    if (Error != ERROR_SUCCESS)
+    {
+        DPRINT1("Error: %lu\n", Error);
+        SetLastError((DWORD)Error);
+        return FALSE;
+    }
+
+    /* Get profiles path */
+    dwLength = sizeof(szBuffer);
+    Error = RegQueryValueExW(hKey,
+                             L"ProfilesDirectory",
+                             NULL,
+                             &dwType,
+                             (LPBYTE)szBuffer,
+                             &dwLength);
+    if ((Error != ERROR_SUCCESS) || (dwType != REG_SZ && dwType != REG_EXPAND_SZ))
     {
         DPRINT1("Error: %lu\n", Error);
         RegCloseKey(hKey);
@@ -866,26 +893,18 @@
     }
dwLength = wcslen(szProfilesPath) + 1;
-    if (lpProfilesDir != NULL)
-    {
-        if (*lpcchSize < dwLength)
-        {
-            SetLastError(ERROR_INSUFFICIENT_BUFFER);
-        }
-        else
-        {
-            wcscpy(lpProfilesDir, szProfilesPath);
-            bRet = TRUE;
-        }
-    }
-    else
-    {
+    if (lpProfilesDir && (*lpcchSize >= dwLength))
+    {
+        StringCchCopyW(lpProfilesDir, *lpcchSize, szProfilesPath);
+        *lpcchSize = dwLength;
+        return TRUE;
+    }
+    else // if (!lpProfilesDir || (*lpcchSize < dwLength))
+    {
+        *lpcchSize = dwLength;
         SetLastError(ERROR_INSUFFICIENT_BUFFER);
-    }
-
-    *lpcchSize = dwLength;
-
-    return bRet;
+        return FALSE;
+    }
 }
@@ -899,9 +918,9 @@
     LPWSTR lpBuffer;
     BOOL bResult;
-    if (!lpProfileDir || !lpcchSize)
-    {
-        SetLastError( ERROR_INVALID_PARAMETER );
+    if (!lpcchSize)
+    {
+        SetLastError(ERROR_INVALID_PARAMETER);
         return FALSE;
     }
@@ -913,16 +932,16 @@
     bResult = GetUserProfileDirectoryW(hToken,
                                        lpBuffer,
                                        lpcchSize);
-    if (bResult)
-    {
-        WideCharToMultiByte(CP_ACP,
-                            0,
-                            lpBuffer,
-                            -1,
-                            lpProfileDir,
-                            *lpcchSize,
-                            NULL,
-                            NULL);
+    if (bResult && lpProfileDir)
+    {
+        bResult = WideCharToMultiByte(CP_ACP,
+                                      0,
+                                      lpBuffer,
+                                      -1,
+                                      lpProfileDir,
+                                      *lpcchSize,
+                                      NULL,
+                                      NULL);
     }
GlobalFree(lpBuffer);
@@ -942,7 +961,7 @@
     WCHAR szKeyName[MAX_PATH];
     WCHAR szRawImagePath[MAX_PATH];
     WCHAR szImagePath[MAX_PATH];
-    DWORD dwLength;
+    DWORD dwType, dwLength;
     HKEY hKey;
     LONG Error;
@@ -958,19 +977,18 @@
         return FALSE;
     }
-    if (!GetUserSidStringFromToken(hToken,
-                                   &SidString))
-    {
-        DPRINT1("GetUserSidFromToken() failed\n");
+    /* Get the user SID string */
+    if (!GetUserSidStringFromToken(hToken, &SidString))
+    {
+        DPRINT1("GetUserSidStringFromToken() failed\n");
         return FALSE;
     }
DPRINT("SidString: '%wZ'\n", &SidString);
-    wcscpy(szKeyName,
-           L"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\");
-    wcscat(szKeyName,
-           SidString.Buffer);
+    StringCbCopyW(szKeyName, sizeof(szKeyName),
+                  L"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\");
+    StringCbCatW(szKeyName, sizeof(szKeyName), SidString.Buffer);
RtlFreeUnicodeString(&SidString);
@@ -992,10 +1010,10 @@
     Error = RegQueryValueExW(hKey,
                              L"ProfileImagePath",
                              NULL,
-                             NULL,
+                             &dwType,
                              (LPBYTE)szRawImagePath,
                              &dwLength);
-    if (Error != ERROR_SUCCESS)
+    if ((Error != ERROR_SUCCESS) || (dwType != REG_SZ && dwType != REG_EXPAND_SZ))
     {
         DPRINT1("Error: %lu\n", Error);
         RegCloseKey(hKey);
@@ -1018,18 +1036,19 @@
DPRINT("ImagePath: '%S'\n", szImagePath);
-    dwLength = wcslen (szImagePath) + 1;
-    if (*lpcchSize < dwLength)
+    dwLength = wcslen(szImagePath) + 1;
+    if (lpProfileDir && (*lpcchSize >= dwLength))
+    {
+        StringCchCopyW(lpProfileDir, *lpcchSize, szImagePath);
+        *lpcchSize = dwLength;
+        return TRUE;
+    }
+    else // if (!lpProfileDir || (*lpcchSize < dwLength))
     {
         *lpcchSize = dwLength;
         SetLastError(ERROR_INSUFFICIENT_BUFFER);
         return FALSE;
     }
-
-    *lpcchSize = dwLength;
-    wcscpy(lpProfileDir, szImagePath);
-
-    return TRUE;
 }
@@ -1042,10 +1061,10 @@
DPRINT("CheckForLoadedProfile() called\n");
-    if (!GetUserSidStringFromToken(hToken,
-                                   &SidString))
-    {
-        DPRINT1("GetUserSidFromToken() failed\n");
+    /* Get the user SID string */
+    if (!GetUserSidStringFromToken(hToken, &SidString))
+    {
+        DPRINT1("GetUserSidStringFromToken() failed\n");
         return FALSE;
     }
@@ -1217,7 +1236,8 @@
if (lpProfileInfo->lpProfilePath)
     {
-        wcscpy(szUserHivePath, lpProfileInfo->lpProfilePath);
+        /* Use the caller's specified roaming user profile path */
+        StringCbCopyW(szUserHivePath, sizeof(szUserHivePath), lpProfileInfo->lpProfilePath);
     }
     else
     {
@@ -1230,9 +1250,9 @@
     }
/* Create user hive name */
-    wcscat(szUserHivePath, L"\");
-    wcscat(szUserHivePath, lpProfileInfo->lpUserName);
-    wcscat(szUserHivePath, L"\ntuser.dat");
+    StringCbCatW(szUserHivePath, sizeof(szUserHivePath), L"\");
+    StringCbCatW(szUserHivePath, sizeof(szUserHivePath), lpProfileInfo->lpUserName);
+    StringCbCatW(szUserHivePath, sizeof(szUserHivePath), L"\ntuser.dat");
     DPRINT("szUserHivePath: %S\n", szUserHivePath);
/* Create user profile directory if needed */
@@ -1311,11 +1331,11 @@
         }
     }
-    /* Get user SID string */
+    /* Get the user SID string */
     ret = GetUserSidStringFromToken(hToken, &SidString);
     if (!ret)
     {
-        DPRINT1("GetUserSidFromToken() failed\n");
+        DPRINT1("GetUserSidStringFromToken() failed\n");
         goto cleanup;
     }
     ret = FALSE;
@@ -1390,10 +1410,10 @@
RegCloseKey(hProfile);
-    if (!GetUserSidStringFromToken(hToken,
-                                   &SidString))
-    {
-        DPRINT1("GetUserSidFromToken() failed\n");
+    /* Get the user SID string */
+    if (!GetUserSidStringFromToken(hToken, &SidString))
+    {
+        DPRINT1("GetUserSidStringFromToken() failed\n");
         return FALSE;
     }

    