ruby_smb 1.0.5 → 2.0.3

data/spec/lib/ruby_smb/dcerpc/winreg/query_value_request_spec.rb

@@ -0,0 +1,88 @@
+RSpec.describe RubySMB::Dcerpc::Winreg::RpcHkey do
+  it 'is NdrContextHandle subclass' do
+    expect(described_class).to be < RubySMB::Dcerpc::Ndr::NdrContextHandle
+  end
+end
+
+RSpec.describe RubySMB::Dcerpc::Winreg::QueryValueRequest do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :hkey }
+  it { is_expected.to respond_to :lp_value_name }
+  it { is_expected.to respond_to :pad1 }
+  it { is_expected.to respond_to :lp_type }
+  it { is_expected.to respond_to :lp_data }
+  it { is_expected.to respond_to :pad2 }
+  it { is_expected.to respond_to :lpcb_data }
+  it { is_expected.to respond_to :lpcb_len }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+
+  describe '#hkey' do
+    it 'is a RpcHkey structure' do
+      expect(packet.hkey).to be_a RubySMB::Dcerpc::Winreg::RpcHkey
+    end
+  end
+
+  describe '#lp_value_name' do
+    it 'is a RrpUnicodeString structure' do
+      expect(packet.lp_value_name).to be_a RubySMB::Dcerpc::RrpUnicodeString
+    end
+  end
+
+  describe '#pad1' do
+    it 'is a string' do
+      expect(packet.pad1).to be_a BinData::String
+    end
+
+    it 'should keep #lp_type 4-byte aligned' do
+      packet.lp_value_name = 'test'
+      expect(packet.lp_type.abs_offset % 4).to eq 0
+    end
+  end
+
+  describe '#lp_type' do
+    it 'is a NdrLpDword structure' do
+      expect(packet.lp_type).to be_a RubySMB::Dcerpc::Ndr::NdrLpDword
+    end
+  end
+
+  describe '#lp_data' do
+    it 'is a NdrLpByteArray structure' do
+      expect(packet.lp_data).to be_a RubySMB::Dcerpc::Ndr::NdrLpByteArray
+    end
+  end
+
+  describe '#lpcb_data' do
+    it 'is a NdrLpDword structure' do
+      expect(packet.lpcb_data).to be_a RubySMB::Dcerpc::Ndr::NdrLpDword
+    end
+  end
+
+  describe '#pad2' do
+    it 'is a string' do
+      expect(packet.pad2).to be_a BinData::String
+    end
+
+    it 'should keep #lpcb_data 4-byte aligned' do
+      packet.lp_data = [1, 2]
+      expect(packet.lpcb_data.abs_offset % 4).to eq 0
+    end
+  end
+
+  describe '#lpcb_len' do
+    it 'is a NdrLpDword structure' do
+      expect(packet.lpcb_len).to be_a RubySMB::Dcerpc::Ndr::NdrLpDword
+    end
+  end
+
+  describe '#initialize_instance' do
+    it 'sets #opnum to REG_QUERY_VALUE constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Winreg::REG_QUERY_VALUE)
+    end
+  end
+end
+

data/spec/lib/ruby_smb/dcerpc/winreg/query_value_response_spec.rb

@@ -0,0 +1,138 @@
+RSpec.describe RubySMB::Dcerpc::Winreg::QueryValueResponse do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :lp_type }
+  it { is_expected.to respond_to :lp_data }
+  it { is_expected.to respond_to :pad }
+  it { is_expected.to respond_to :lpcb_data }
+  it { is_expected.to respond_to :lpcb_len }
+  it { is_expected.to respond_to :error_status }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+
+  describe '#lp_type' do
+    it 'is a NdrLpDword structure' do
+      expect(packet.lp_type).to be_a RubySMB::Dcerpc::Ndr::NdrLpDword
+    end
+  end
+
+  describe '#lp_data' do
+    it 'is a NdrLpByteArray structure' do
+      expect(packet.lp_data).to be_a RubySMB::Dcerpc::Ndr::NdrLpByteArray
+    end
+  end
+
+  describe '#pad' do
+    it 'is a string' do
+      expect(packet.pad).to be_a BinData::String
+    end
+
+    it 'should keep #lpcb_data 4-byte aligned' do
+      packet.lp_data = 'spec_test'.bytes
+      expect(packet.lpcb_data.abs_offset % 4).to eq 0
+    end
+  end
+
+  describe '#lpcb_data' do
+    it 'is a NdrLpDword structure' do
+      expect(packet.lpcb_data).to be_a RubySMB::Dcerpc::Ndr::NdrLpDword
+    end
+  end
+
+  describe '#lpcb_len' do
+    it 'is a NdrLpDword structure' do
+      expect(packet.lpcb_len).to be_a RubySMB::Dcerpc::Ndr::NdrLpDword
+    end
+  end
+
+  describe '#error_status' do
+    it 'is a 32-bit unsigned integer' do
+      expect(packet.error_status).to be_a BinData::Uint32le
+    end
+  end
+
+  describe '#initialize_instance' do
+    it 'sets #opnum to REG_QUERY_VALUE constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Winreg::REG_QUERY_VALUE)
+    end
+  end
+
+  describe '#data' do
+    context 'when #lp_type is 1 (unicode null-terminated string)' do
+      it 'returns the expected value' do
+        str = 'spec test string'.encode('utf-16le')
+        packet.lp_type = 1
+        packet.lp_data = str.bytes
+        expect(packet.data).to eq(str)
+      end
+    end
+
+    context 'when #lp_type is 2 (unicode null-terminated string with unexpanded references to environment variables)' do
+      it 'returns the expected value' do
+        str = '/%PATH%/foo'.encode('utf-16le')
+        packet.lp_type = 2
+        packet.lp_data = str.bytes
+        expect(packet.data).to eq(str)
+      end
+    end
+
+    context 'when #lp_type is 3 (binary data)' do
+      it 'returns the expected value' do
+        bytes = [0xFF, 0xEE, 0xDD, 0xCC].pack('C*')
+        packet.lp_type = 3
+        packet.lp_data = bytes.bytes
+        expect(packet.data).to eq(bytes)
+      end
+    end
+
+    context 'when #lp_type is 4 (a 32-bit number in little-endian format)' do
+      it 'returns the expected value' do
+        number = 12345
+        packet.lp_type = 4
+        packet.lp_data = [number].pack('V').bytes
+        expect(packet.data).to eq(number)
+      end
+    end
+
+    context 'when #lp_type is 5 (a 32-bit number in big-endian format)' do
+      it 'returns the expected value' do
+        number = 12345
+        packet.lp_type = 5
+        packet.lp_data = [number].pack('N').bytes
+        expect(packet.data).to eq(number)
+      end
+    end
+
+    context 'when #lp_type is 7 (a sequence of unicode null-terminated strings, terminated by an empty string)' do
+      it 'returns the expected value' do
+        str_array = ['String1', 'String2', 'String3', 'LastString'].map {|v| v.encode('utf-16le')}
+        null_byte = "\0".encode('utf-16le')
+        str = (str_array + [null_byte]).join(null_byte)
+        packet.lp_type = 7
+        packet.lp_data = str.bytes
+        expect(packet.data).to eq(str_array)
+      end
+    end
+
+    context 'when #lp_type is 11 (a 64-bit number in little-endian format)' do
+      it 'returns the expected value' do
+        number = 0x1234567812345678
+        packet.lp_type = 11
+        packet.lp_data = [number].pack('Q<').bytes
+        expect(packet.data).to eq(number)
+      end
+    end
+
+    context 'when #lp_type is an unknown value' do
+      it 'returns an empty string' do
+        str = 'test'
+        packet.lp_type = 6
+        packet.lp_data = str.bytes
+        expect(packet.data).to eq('')
+      end
+    end
+  end
+end

data/spec/lib/ruby_smb/dcerpc/winreg/regsam_spec.rb

@@ -0,0 +1,32 @@
+RSpec.describe RubySMB::Dcerpc::Winreg::Regsam do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :reserved }
+  it { is_expected.to respond_to :key_create_link }
+  it { is_expected.to respond_to :key_notify }
+  it { is_expected.to respond_to :key_enumerate_sub_keys }
+  it { is_expected.to respond_to :key_create_sub_key }
+  it { is_expected.to respond_to :key_set_value }
+  it { is_expected.to respond_to :key_query_value }
+  it { is_expected.to respond_to :reserved2 }
+  it { is_expected.to respond_to :key_wow64_32key }
+  it { is_expected.to respond_to :key_wow64_64key }
+  it { is_expected.to respond_to :reserved3 }
+  it { is_expected.to respond_to :synchronize }
+  it { is_expected.to respond_to :write_owner }
+  it { is_expected.to respond_to :write_dac }
+  it { is_expected.to respond_to :read_control }
+  it { is_expected.to respond_to :delete_access }
+  it { is_expected.to respond_to :generic_read }
+  it { is_expected.to respond_to :generic_write }
+  it { is_expected.to respond_to :generic_execute }
+  it { is_expected.to respond_to :generic_all }
+  it { is_expected.to respond_to :reserved4 }
+  it { is_expected.to respond_to :maximum }
+  it { is_expected.to respond_to :system_security }
+
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+end

data/spec/lib/ruby_smb/dcerpc/winreg/save_key_request_spec.rb

@@ -0,0 +1,57 @@
+RSpec.describe RubySMB::Dcerpc::Winreg::RpcHkey do
+  subject(:packet) { described_class.new }
+
+  it 'is NdrContextHandle subclass' do
+    expect(described_class).to be < RubySMB::Dcerpc::Ndr::NdrContextHandle
+  end
+end
+
+RSpec.describe RubySMB::Dcerpc::Winreg::SaveKeyRequest do
+  subject(:packet) { described_class.new }
+
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+
+  it { is_expected.to respond_to :hkey }
+  it { is_expected.to respond_to :lp_file }
+  it { is_expected.to respond_to :pad }
+  it { is_expected.to respond_to :lp_security_attributes }
+
+  describe '#hkey' do
+    it 'is a RpcHkey structure' do
+      expect(packet.hkey).to be_a RubySMB::Dcerpc::Winreg::RpcHkey
+    end
+  end
+
+  describe '#lp_file' do
+    it 'is a RrpUnicodeString structure' do
+      expect(packet.lp_file).to be_a RubySMB::Dcerpc::RrpUnicodeString
+    end
+  end
+
+  describe '#pad' do
+    it 'is a string' do
+      expect(packet.pad).to be_a BinData::String
+    end
+
+    it 'should keep #lp_security_attributes 4-byte aligned' do
+      packet.lp_file = "test"
+      expect(packet.lp_security_attributes.abs_offset % 4).to eq 0
+    end
+  end
+
+  describe '#lp_security_attributes' do
+    it 'is a PrpcSecurityAttributes structure' do
+      expect(packet.lp_security_attributes).to be_a RubySMB::Dcerpc::PrpcSecurityAttributes
+    end
+  end
+
+  describe '#initialize_instance' do
+    it 'sets #opnum to REG_SAVE_KEY constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Winreg::REG_SAVE_KEY)
+    end
+  end
+end
+

data/spec/lib/ruby_smb/dcerpc/winreg/save_key_response_spec.rb

@@ -0,0 +1,22 @@
+RSpec.describe RubySMB::Dcerpc::Winreg::SaveKeyResponse do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :error_status }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+
+  describe '#error_status' do
+    it 'is a 32-bit unsigned integer' do
+      expect(packet.error_status).to be_a BinData::Uint32le
+    end
+  end
+
+  describe '#initialize_instance' do
+    it 'sets #opnum to REG_CREATE_KEY constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Winreg::REG_CREATE_KEY)
+    end
+  end
+end
+

data/spec/lib/ruby_smb/dcerpc/winreg_spec.rb

@@ -0,0 +1,884 @@
+RSpec.describe RubySMB::Dcerpc::Winreg do
+  let(:winreg) do
+    RubySMB::SMB1::Pipe.new(
+      tree: double('Tree'),
+      response: RubySMB::SMB1::Packet::NtCreateAndxResponse.new,
+      name: 'winreg'
+    )
+  end
+
+  describe '#open_root_key' do
+    let(:root_key_request_packet)  { double('Root Key Request Packet') }
+    let(:response)                 { double('Response') }
+    let(:root_key_response_packet) { double('Root Key Response Packet') }
+    let(:ph_key)                   { double('PHKEY') }
+    before :example do
+      allow(described_class::OpenRootKeyRequest).to receive(:new).and_return(root_key_request_packet)
+      allow(winreg).to receive(:dcerpc_request).and_return(response)
+      allow(described_class::OpenRootKeyResponse).to receive(:read).and_return(root_key_response_packet)
+      allow(root_key_response_packet).to receive_messages(
+        :error_status => WindowsError::Win32::ERROR_SUCCESS,
+        :ph_key       => ph_key
+      )
+    end
+
+    context 'when the root key is unknown' do
+      it 'raises an ArgumentError exception' do
+        expect { winreg.open_root_key('UNKNOWN') }.to raise_error(ArgumentError)
+      end
+    end
+
+    it 'create the expected OpenRootKeyRequest packet' do
+      winreg.open_root_key('HKLM')
+      expect(described_class::OpenRootKeyRequest).to have_received(:new).with(opnum: described_class::OPEN_HKLM)
+    end
+
+    it 'sends the expected dcerpc request' do
+      winreg.open_root_key('HKLM')
+      expect(winreg).to have_received(:dcerpc_request).with(root_key_request_packet)
+    end
+
+    it 'creates a OpenRootKeyResponse structure from the expected dcerpc response' do
+      winreg.open_root_key('HKLM')
+      expect(described_class::OpenRootKeyResponse).to have_received(:read).with(response)
+    end
+
+    context 'when an IOError occurs while parsing the response' do
+      it 'raises a RubySMB::Dcerpc::Error::InvalidPacket' do
+        allow(described_class::OpenRootKeyResponse).to receive(:read).and_raise(IOError)
+        expect { winreg.open_root_key('HKLM') }.to raise_error(RubySMB::Dcerpc::Error::InvalidPacket)
+      end
+    end
+
+    context 'when the response error status is not WindowsError::Win32::ERROR_SUCCESS' do
+      it 'raises a RubySMB::Dcerpc::Error::WinregError' do
+        allow(root_key_response_packet).to receive(:error_status).and_return(WindowsError::Win32::ERROR_INVALID_DATA)
+        expect { winreg.open_root_key('HKLM') }.to raise_error(RubySMB::Dcerpc::Error::WinregError)
+      end
+    end
+
+    it 'returns the expected handler' do
+      expect(winreg.open_root_key('HKLM')).to eq(ph_key)
+    end
+  end
+
+  describe '#open_key' do
+    let(:handle)                 { double('Handle') }
+    let(:sub_key)                { double('Sub-key') }
+    let(:openkey_request_packet) { double('OpenKey Request Packet') }
+    let(:regsam)                 { double('Regsam') }
+    let(:response)               { double('Response') }
+    let(:open_key_response)      { double('OpenKey Response') }
+    let(:phk_result)             { double('Phk Result') }
+    before :example do
+      allow(described_class::OpenKeyRequest).to receive(:new).and_return(openkey_request_packet)
+      allow(openkey_request_packet).to receive(:sam_desired).and_return(regsam)
+      allow(regsam).to receive_messages(
+        :read_control=           => nil,
+        :key_query_value=        => nil,
+        :key_enumerate_sub_keys= => nil,
+        :key_notify=             => nil,
+      )
+      allow(winreg).to receive(:dcerpc_request).and_return(response)
+      allow(described_class::OpenKeyResponse).to receive(:read).and_return(open_key_response)
+      allow(open_key_response).to receive_messages(
+        :error_status => WindowsError::Win32::ERROR_SUCCESS,
+        :phk_result   => phk_result
+      )
+    end
+
+    it 'create the expected OpenKeyRequest packet' do
+      winreg.open_key(handle, sub_key)
+      expect(described_class::OpenKeyRequest).to have_received(:new).with(hkey: handle, lp_sub_key: sub_key)
+    end
+
+    it 'sets the expected user rights on the request packet' do
+      winreg.open_key(handle, sub_key)
+      expect(regsam).to have_received(:read_control=).with(1)
+      expect(regsam).to have_received(:key_query_value=).with(1)
+      expect(regsam).to have_received(:key_enumerate_sub_keys=).with(1)
+      expect(regsam).to have_received(:key_notify=).with(1)
+    end
+
+    it 'sends the expected dcerpc request' do
+      winreg.open_key(handle, sub_key)
+      expect(winreg).to have_received(:dcerpc_request).with(openkey_request_packet)
+    end
+
+    it 'creates a OpenKeyResponse structure from the expected dcerpc response' do
+      winreg.open_key(handle, sub_key)
+      expect(described_class::OpenKeyResponse).to have_received(:read).with(response)
+    end
+
+    context 'when an IOError occurs while parsing the response' do
+      it 'raises a RubySMB::Dcerpc::Error::InvalidPacket' do
+        allow(described_class::OpenKeyResponse).to receive(:read).and_raise(IOError)
+        expect { winreg.open_key(handle, sub_key) }.to raise_error(RubySMB::Dcerpc::Error::InvalidPacket)
+      end
+    end
+
+    context 'when the response error status is not WindowsError::Win32::ERROR_SUCCESS' do
+      it 'raises a RubySMB::Dcerpc::Error::WinregError' do
+        allow(open_key_response).to receive(:error_status).and_return(WindowsError::Win32::ERROR_INVALID_DATA)
+        expect { winreg.open_key(handle, sub_key) }.to raise_error(RubySMB::Dcerpc::Error::WinregError)
+      end
+    end
+
+    it 'returns the expected handler' do
+      expect(winreg.open_key(handle, sub_key)).to eq(phk_result)
+    end
+  end
+
+  describe '#query_value' do
+    let(:handle)                      { double('Handle') }
+    let(:value_name)                  { double('Value Name') }
+    let(:query_value_request_packet) { double('Query Value Request Packet #1') }
+    let(:lp_data1)                    { double('LpData #1') }
+    let(:lp_data2)                    { double('LpData #2') }
+    let(:response1)                   { double('Response #1') }
+    let(:response2)                   { double('Response #2') }
+    let(:query_value_response1)       { double('Query Value Response #1') }
+    let(:query_value_response2)       { double('Query Value Response #2') }
+    let(:data)                        { double('Data') }
+    let(:lpcb_data)                   { double('LpcbData') }
+    let(:lpcb_data_referent)          { double('LpcbData Referent') }
+    let(:lp_data2_referent)           { double('LpData Referent') }
+    before :example do
+      allow(described_class::QueryValueRequest).to receive(:new).and_return(query_value_request_packet)
+      allow(query_value_request_packet).to receive_messages(
+        :lp_type=   => nil,
+        :lpcb_data= => nil,
+        :lpcb_len=  => nil,
+        :lp_data=   => nil,
+        :lp_data    => lp_data2,
+      )
+      allow(lp_data2).to receive(:referent).and_return(lp_data2_referent)
+      allow(lp_data2_referent).to receive(:max_count=)
+      first_request = true
+      allow(winreg).to receive(:dcerpc_request) do |arg|
+        if first_request
+          first_request = false
+          response1
+        else
+          response2
+        end
+      end
+      allow(described_class::QueryValueResponse).to receive(:read).with(response1).and_return(query_value_response1)
+      allow(described_class::QueryValueResponse).to receive(:read).with(response2).and_return(query_value_response2)
+      allow(query_value_response1).to receive(:error_status).and_return(WindowsError::Win32::ERROR_SUCCESS)
+      allow(query_value_response2).to receive_messages(
+        :error_status => WindowsError::Win32::ERROR_SUCCESS,
+        :data         => data
+      )
+      allow(query_value_response1).to receive(:lpcb_data).and_return(lpcb_data)
+      allow(lpcb_data).to receive(:referent).and_return(lpcb_data_referent)
+    end
+
+    it 'create the expected QueryValueRequest packets' do
+      winreg.query_value(handle, value_name)
+      expect(described_class::QueryValueRequest).to have_received(:new).with(hkey: handle, lp_value_name: value_name)
+    end
+
+    it 'sets the expected fields on the request packet' do
+      winreg.query_value(handle, value_name)
+      expect(query_value_request_packet).to have_received(:lp_type=).with(0)
+      expect(query_value_request_packet).to have_received(:lpcb_data=).with(0)
+      expect(query_value_request_packet).to have_received(:lpcb_len=).with(0)
+      expect(query_value_request_packet).to have_received(:lpcb_data=).with(lpcb_data)
+      expect(query_value_request_packet).to have_received(:lp_data=).with([])
+      expect(lp_data2_referent).to have_received(:max_count=).with(lpcb_data_referent)
+    end
+
+    it 'sends the expected dcerpc requests' do
+      winreg.query_value(handle, value_name)
+      expect(winreg).to have_received(:dcerpc_request).with(query_value_request_packet).twice
+    end
+
+    context 'when receiving the first response' do
+      it 'creates a QueryValueResponse structure from the expected dcerpc response' do
+        winreg.query_value(handle, value_name)
+        expect(described_class::QueryValueResponse).to have_received(:read).with(response1)
+      end
+
+      context 'when an IOError occurs while parsing the response' do
+        it 'raises a RubySMB::Dcerpc::Error::InvalidPacket' do
+          allow(described_class::QueryValueResponse).to receive(:read).with(response1).and_raise(IOError)
+          expect { winreg.query_value(handle, value_name) }.to raise_error(RubySMB::Dcerpc::Error::InvalidPacket)
+        end
+      end
+
+      context 'when the first response error status is not WindowsError::Win32::ERROR_SUCCESS' do
+        it 'raises a RubySMB::Dcerpc::Error::WinregError' do
+          allow(query_value_response1).to receive(:error_status).and_return(WindowsError::Win32::ERROR_INVALID_DATA)
+          expect { winreg.query_value(handle, value_name) }.to raise_error(RubySMB::Dcerpc::Error::WinregError)
+        end
+      end
+    end
+
+    context 'when receiving the second response' do
+      it 'creates a QueryValueResponse structure from the expected dcerpc response' do
+        winreg.query_value(handle, value_name)
+        expect(described_class::QueryValueResponse).to have_received(:read).with(response2)
+      end
+
+      context 'when an IOError occurs while parsing the response' do
+        it 'raises a RubySMB::Dcerpc::Error::InvalidPacket' do
+          allow(described_class::QueryValueResponse).to receive(:read).with(response2).and_raise(IOError)
+          expect { winreg.query_value(handle, value_name) }.to raise_error(RubySMB::Dcerpc::Error::InvalidPacket)
+        end
+      end
+
+      context 'when the first response error status is not WindowsError::Win32::ERROR_SUCCESS' do
+        it 'raises a RubySMB::Dcerpc::Error::WinregError' do
+          allow(query_value_response2).to receive(:error_status).and_return(WindowsError::Win32::ERROR_INVALID_DATA)
+          expect { winreg.query_value(handle, value_name) }.to raise_error(RubySMB::Dcerpc::Error::WinregError)
+        end
+      end
+    end
+
+    it 'returns the expected response data' do
+      expect(winreg.query_value(handle, value_name)).to eq(data)
+    end
+  end
+
+  describe '#close_key' do
+    let(:handle)                   { double('Handle') }
+    let(:close_key_request_packet) { double('CloseKey Request Packet') }
+    let(:response)                 { double('Response') }
+    let(:close_key_response)       { double('CloseKey Response') }
+    before :example do
+      allow(described_class::CloseKeyRequest).to receive(:new).and_return(close_key_request_packet)
+      allow(winreg).to receive(:dcerpc_request).and_return(response)
+      allow(described_class::CloseKeyResponse).to receive(:read).and_return(close_key_response)
+      allow(close_key_response).to receive(:error_status).and_return(WindowsError::Win32::ERROR_SUCCESS)
+    end
+
+    it 'create the expected CloseKeyRequest packet' do
+      winreg.close_key(handle)
+      expect(described_class::CloseKeyRequest).to have_received(:new).with(hkey: handle)
+    end
+
+    it 'sends the expected dcerpc request' do
+      winreg.close_key(handle)
+      expect(winreg).to have_received(:dcerpc_request).with(close_key_request_packet)
+    end
+
+    it 'creates a CloseKeyResponse structure from the expected dcerpc response' do
+      winreg.close_key(handle)
+      expect(described_class::CloseKeyResponse).to have_received(:read).with(response)
+    end
+
+    context 'when an IOError occurs while parsing the response' do
+      it 'raises a RubySMB::Dcerpc::Error::InvalidPacket' do
+        allow(described_class::CloseKeyResponse).to receive(:read).and_raise(IOError)
+        expect { winreg.close_key(handle) }.to raise_error(RubySMB::Dcerpc::Error::InvalidPacket)
+      end
+    end
+
+    context 'when the response error status is not WindowsError::Win32::ERROR_SUCCESS' do
+      it 'raises a RubySMB::Dcerpc::Error::WinregError' do
+        allow(close_key_response).to receive(:error_status).and_return(WindowsError::Win32::ERROR_INVALID_DATA)
+        expect { winreg.close_key(handle) }.to raise_error(RubySMB::Dcerpc::Error::WinregError)
+      end
+    end
+
+    it 'returns the expected error status' do
+      expect(winreg.close_key(handle)).to eq(WindowsError::Win32::ERROR_SUCCESS)
+    end
+  end
+
+  describe '#query_info_key' do
+    let(:handle)                        { double('Handle') }
+    let(:query_info_key_request_packet) { double('CloseKey Request Packet') }
+    let(:response)                      { double('Response') }
+    let(:query_info_key_response)       { double('CloseKey Response') }
+    let(:lp_class)                      { double('LpClass') }
+    let(:lp_class_referent)             { double('LpClass referent') }
+    let(:lp_class_buf_ref)              { double('LpClass buffer referent') }
+    before :example do
+      allow(described_class::QueryInfoKeyRequest).to receive(:new).and_return(query_info_key_request_packet)
+      allow(query_info_key_request_packet).to receive_messages(
+        :lp_class= => nil,
+        :lp_class  => lp_class,
+      )
+      allow(lp_class).to receive(:referent).and_return(lp_class_referent)
+      allow(lp_class_referent).to receive(:actual_count=)
+      allow(lp_class).to receive(:maximum_length=)
+      allow(lp_class).to receive_message_chain(:buffer, :referent => lp_class_buf_ref)
+      allow(lp_class_buf_ref).to receive(:max_count=)
+      allow(winreg).to receive(:dcerpc_request).and_return(response)
+      allow(described_class::QueryInfoKeyResponse).to receive(:read).and_return(query_info_key_response)
+      allow(query_info_key_response).to receive(:error_status).and_return(WindowsError::Win32::ERROR_SUCCESS)
+    end
+
+    it 'create the expected QueryInfoKeyRequest packet' do
+      winreg.query_info_key(handle)
+      expect(described_class::QueryInfoKeyRequest).to have_received(:new).with(hkey: handle)
+    end
+
+    it 'sends the expected dcerpc request' do
+      winreg.query_info_key(handle)
+      expect(winreg).to have_received(:dcerpc_request).with(query_info_key_request_packet)
+    end
+
+    it 'sets the expected fields on the request packet' do
+      winreg.query_info_key(handle)
+      expect(query_info_key_request_packet).to have_received(:lp_class=).with('')
+      expect(lp_class_referent).to have_received(:actual_count=).with(0)
+      expect(lp_class).to have_received(:maximum_length=).with(1024)
+      expect(lp_class_buf_ref).to have_received(:max_count=).with(1024 / 2)
+    end
+
+    it 'creates a QueryInfoKeyResponse structure from the expected dcerpc response' do
+      winreg.query_info_key(handle)
+      expect(described_class::QueryInfoKeyResponse).to have_received(:read).with(response)
+    end
+
+    context 'when an IOError occurs while parsing the response' do
+      it 'raises a RubySMB::Dcerpc::Error::InvalidPacket' do
+        allow(described_class::QueryInfoKeyResponse).to receive(:read).and_raise(IOError)
+        expect { winreg.query_info_key(handle) }.to raise_error(RubySMB::Dcerpc::Error::InvalidPacket)
+      end
+    end
+
+    context 'when the response error status is not WindowsError::Win32::ERROR_SUCCESS' do
+      it 'raises a RubySMB::Dcerpc::Error::WinregError' do
+        allow(query_info_key_response).to receive(:error_status).and_return(WindowsError::Win32::ERROR_INVALID_DATA)
+        expect { winreg.query_info_key(handle) }.to raise_error(RubySMB::Dcerpc::Error::WinregError)
+      end
+    end
+
+    it 'returns the expected response' do
+      expect(winreg.query_info_key(handle)).to eq(query_info_key_response)
+    end
+  end
+
+  describe '#enum_key' do
+    let(:handle)                   { double('Handle') }
+    let(:index)                    { double('Index') }
+    let(:enum_key_request_packet)  { double('enum_key Request Packet') }
+    let(:lp_name)                  { double('Lp Name') }
+    let(:buffer)                   { double('Buffer') }
+    let(:lp_name_buffer_referent)  { double('Lp Name buffer referent') }
+    let(:response)                 { double('Response') }
+    let(:enum_key_response)        { double('enum_key Response') }
+    let(:result_str)               { double('Result String') }
+    let(:lp_class)                 { double('Lp Class') }
+    let(:lp_class_buffer_referent) { double('Lp Class buffer referent') }
+    before :example do
+      allow(described_class::EnumKeyRequest).to receive(:new).and_return(enum_key_request_packet)
+      allow(enum_key_request_packet).to receive_messages(
+        :lpft_last_write_time= => nil,
+        :lp_class=             => nil,
+        :lp_name               => lp_name,
+        :lp_class              => lp_class
+      )
+      allow(lp_class).to receive(:referent).and_return(lp_class_buffer_referent)
+      allow(lp_class_buffer_referent).to receive(:buffer=)
+      allow(lp_name).to receive(:buffer).and_return(buffer)
+      allow(lp_name).to receive(:buffer=)
+      allow(buffer).to receive(:referent).and_return(lp_name_buffer_referent)
+      allow(lp_name_buffer_referent).to receive(:max_count=)
+      allow(winreg).to receive(:dcerpc_request).and_return(response)
+      allow(described_class::EnumKeyResponse).to receive(:read).and_return(enum_key_response)
+      allow(enum_key_response).to receive(:error_status).and_return(WindowsError::Win32::ERROR_SUCCESS)
+      allow(enum_key_response).to receive_message_chain(:lp_name, :to_s => result_str)
+    end
+
+    it 'create the expected EnumKeyRequest packet' do
+      winreg.enum_key(handle, index)
+      expect(described_class::EnumKeyRequest).to have_received(:new).with(hkey: handle, dw_index: index)
+    end
+
+    it 'sets the expected parameters on the request packet' do
+      winreg.enum_key(handle, index)
+      expect(enum_key_request_packet).to have_received(:lpft_last_write_time=).with(0)
+      expect(enum_key_request_packet).to have_received(:lp_class=).with('')
+      expect(lp_class_buffer_referent).to have_received(:buffer=).with(:null)
+      expect(lp_name).to have_received(:buffer=).with('')
+      expect(lp_name_buffer_referent).to have_received(:max_count=).with(256)
+    end
+
+    it 'sends the expected dcerpc request' do
+      winreg.enum_key(handle, index)
+      expect(winreg).to have_received(:dcerpc_request).with(enum_key_request_packet)
+    end
+
+    it 'creates a EnumKeyResponse structure from the expected dcerpc response' do
+      winreg.enum_key(handle, index)
+      expect(described_class::EnumKeyResponse).to have_received(:read).with(response)
+    end
+
+    context 'when an IOError occurs while parsing the response' do
+      it 'raises a RubySMB::Dcerpc::Error::InvalidPacket' do
+        allow(described_class::EnumKeyResponse).to receive(:read).and_raise(IOError)
+        expect { winreg.enum_key(handle, index) }.to raise_error(RubySMB::Dcerpc::Error::InvalidPacket)
+      end
+    end
+
+    context 'when the response error status is not WindowsError::Win32::ERROR_SUCCESS' do
+      it 'raises a RubySMB::Dcerpc::Error::WinregError' do
+        allow(enum_key_response).to receive(:error_status).and_return(WindowsError::Win32::ERROR_INVALID_DATA)
+        expect { winreg.enum_key(handle, index) }.to raise_error(RubySMB::Dcerpc::Error::WinregError)
+      end
+    end
+
+    it 'returns the expected key name' do
+      expect(winreg.enum_key(handle, index)).to eq(result_str)
+    end
+  end
+
+  describe '#enum_value' do
+    let(:handle)                    { double('Handle') }
+    let(:index)                     { double('Index') }
+    let(:enum_value_request_packet) { double('EnumValue Request Packet') }
+    let(:lp_value_name)             { double('Lp Value Name') }
+    let(:buffer)                    { double('Buffer') }
+    let(:referent)                  { double('Referent') }
+    let(:response)                  { double('Response') }
+    let(:enum_value_response)       { double('EnumValue Response') }
+    let(:result_str)                { double('Result String') }
+    before :example do
+      allow(described_class::EnumValueRequest).to receive(:new).and_return(enum_value_request_packet)
+      allow(enum_value_request_packet).to receive(:lp_value_name).and_return(lp_value_name)
+      allow(lp_value_name).to receive(:buffer).and_return(buffer)
+      allow(lp_value_name).to receive(:buffer=)
+      allow(buffer).to receive(:referent).and_return(referent)
+      allow(referent).to receive(:max_count=)
+      allow(winreg).to receive(:dcerpc_request).and_return(response)
+      allow(described_class::EnumValueResponse).to receive(:read).and_return(enum_value_response)
+      allow(enum_value_response).to receive(:error_status).and_return(WindowsError::Win32::ERROR_SUCCESS)
+      allow(enum_value_response).to receive_message_chain(:lp_value_name, :to_s => result_str)
+    end
+
+    it 'create the expected EnumValueRequest packet' do
+      winreg.enum_value(handle, index)
+      expect(described_class::EnumValueRequest).to have_received(:new).with(hkey: handle, dw_index: index)
+    end
+
+    it 'sets the expected buffer on the request packet' do
+      winreg.enum_value(handle, index)
+      expect(referent).to have_received(:max_count=).with(256)
+      expect(lp_value_name).to have_received(:buffer=).with('')
+    end
+
+    it 'sends the expected dcerpc request' do
+      winreg.enum_value(handle, index)
+      expect(winreg).to have_received(:dcerpc_request).with(enum_value_request_packet)
+    end
+
+    it 'creates a EnumValueResponse structure from the expected dcerpc response' do
+      winreg.enum_value(handle, index)
+      expect(described_class::EnumValueResponse).to have_received(:read).with(response)
+    end
+
+    context 'when an IOError occurs while parsing the response' do
+      it 'raises a RubySMB::Dcerpc::Error::InvalidPacket' do
+        allow(described_class::EnumValueResponse).to receive(:read).and_raise(IOError)
+        expect { winreg.enum_value(handle, index) }.to raise_error(RubySMB::Dcerpc::Error::InvalidPacket)
+      end
+    end
+
+    context 'when the response error status is not WindowsError::Win32::ERROR_SUCCESS' do
+      it 'raises a RubySMB::Dcerpc::Error::WinregError' do
+        allow(enum_value_response).to receive(:error_status).and_return(WindowsError::Win32::ERROR_INVALID_DATA)
+        expect { winreg.enum_value(handle, index) }.to raise_error(RubySMB::Dcerpc::Error::WinregError)
+      end
+    end
+
+    it 'returns the expected key name' do
+      expect(winreg.enum_value(handle, index)).to eq(result_str)
+    end
+  end
+
+  describe '#has_registry_key?' do
+    let(:root_key)        { 'HKLM' }
+    let(:sub_key)         { 'my\\sub\\key\\path' }
+    let(:key)             { "#{root_key}\\#{sub_key}" }
+    let(:root_key_handle) { double('Root Key Handle') }
+    let(:subkey_handle)   { double('Subkey Handle') }
+    before :example do
+      allow(winreg).to receive_messages(
+        :bind          => nil,
+        :open_root_key => root_key_handle,
+        :open_key      => subkey_handle,
+        :close_key     => nil
+      )
+    end
+
+    it 'binds a DCERPC connection to the expected remote endpoint' do
+      winreg.has_registry_key?(key)
+      expect(winreg).to have_received(:bind).with(endpoint: RubySMB::Dcerpc::Winreg)
+    end
+
+    it 'does not bind a DCERPC connection if #bind argument is false' do
+      winreg.has_registry_key?(key, bind: false)
+      expect(winreg).to_not have_received(:bind)
+    end
+
+    it 'opens the expected root key' do
+      winreg.has_registry_key?(key)
+      expect(winreg).to have_received(:open_root_key).with(root_key)
+    end
+
+    it 'opens the expected registry key' do
+      winreg.has_registry_key?(key)
+      expect(winreg).to have_received(:open_key).with(root_key_handle, sub_key)
+    end
+
+    context 'when a WinregError occurs while opening the root key' do
+      it 'returns false' do
+        allow(winreg).to receive(:open_root_key).and_raise(RubySMB::Dcerpc::Error::WinregError)
+        expect(winreg.has_registry_key?(key)).to be false
+      end
+    end
+
+    context 'when a WinregError occurs while opening the registry key' do
+      it 'returns false' do
+        allow(winreg).to receive(:open_key).and_raise(RubySMB::Dcerpc::Error::WinregError)
+        expect(winreg.has_registry_key?(key)).to be false
+      end
+    end
+
+    it 'closes the key' do
+      winreg.has_registry_key?(key)
+      expect(winreg).to have_received(:close_key).with(subkey_handle)
+      expect(winreg).to have_received(:close_key).with(root_key_handle)
+    end
+
+    it 'returns true when no error occurs' do
+      expect(winreg.has_registry_key?(key)).to be true
+    end
+  end
+
+  describe '#read_registry_key_value' do
+    let(:root_key)        { 'HKLM' }
+    let(:sub_key)         { 'my\\sub\\key\\path' }
+    let(:key)             { "#{root_key}\\#{sub_key}" }
+    let(:value_name)      { 'registry_value_name' }
+    let(:root_key_handle) { double('Root Key Handle') }
+    let(:subkey_handle)   { double('Subkey Handle') }
+    let(:value)           { double('Value') }
+    before :example do
+      allow(winreg).to receive_messages(
+        :bind          => nil,
+        :open_root_key => root_key_handle,
+        :open_key      => subkey_handle,
+        :query_value   => value,
+        :close_key     => nil
+      )
+    end
+
+    it 'binds a DCERPC connection to the expected remote endpoint' do
+      winreg.read_registry_key_value(key, value_name)
+      expect(winreg).to have_received(:bind).with(endpoint: RubySMB::Dcerpc::Winreg)
+    end
+
+    it 'does not bind a DCERPC connection if #bind argument is false' do
+      winreg.read_registry_key_value(key, value_name, bind: false)
+      expect(winreg).to_not have_received(:bind)
+    end
+
+    it 'opens the expected root key' do
+      winreg.read_registry_key_value(key, value_name)
+      expect(winreg).to have_received(:open_root_key).with(root_key)
+    end
+
+    it 'opens the expected registry key' do
+      winreg.read_registry_key_value(key, value_name)
+      expect(winreg).to have_received(:open_key).with(root_key_handle, sub_key)
+    end
+
+    it 'queries the expected registry key value' do
+      winreg.read_registry_key_value(key, value_name)
+      expect(winreg).to have_received(:query_value).with(subkey_handle, value_name)
+    end
+
+    it 'closes the key' do
+      winreg.read_registry_key_value(key, value_name)
+      expect(winreg).to have_received(:close_key).with(subkey_handle)
+      expect(winreg).to have_received(:close_key).with(root_key_handle)
+    end
+
+    it 'returns expect registry key value' do
+      expect(winreg.read_registry_key_value(key, value_name)).to eq(value)
+    end
+  end
+
+  describe '#enum_registry_key' do
+    let(:root_key)                  { 'HKLM' }
+    let(:sub_key)                   { 'my\\sub\\key\\path' }
+    let(:key)                       { "#{root_key}\\#{sub_key}" }
+    let(:value_name)                { 'registry_value_name' }
+    let(:root_key_handle)           { double('Root Key Handle') }
+    let(:subkey_handle)             { double('Subkey Handle') }
+    let(:query_info_key_response)   { double('Query Info Key Response') }
+    let(:subkey_nb)                 { 2 }
+    before :example do
+      allow(winreg).to receive_messages(
+        :bind           => nil,
+        :open_root_key  => root_key_handle,
+        :open_key       => subkey_handle,
+        :query_info_key => query_info_key_response,
+        :enum_key       => nil,
+        :close_key      => nil
+      )
+      allow(query_info_key_response).to receive(:lpc_sub_keys).and_return(subkey_nb)
+    end
+
+    it 'binds a DCERPC connection to the expected remote endpoint' do
+      winreg.enum_registry_key(key)
+      expect(winreg).to have_received(:bind).with(endpoint: RubySMB::Dcerpc::Winreg)
+    end
+
+    it 'does not bind a DCERPC connection if #bind argument is false' do
+      winreg.enum_registry_key(key, bind: false)
+      expect(winreg).to_not have_received(:bind)
+    end
+
+    it 'opens the expected root key' do
+      winreg.enum_registry_key(key)
+      expect(winreg).to have_received(:open_root_key).with(root_key)
+    end
+
+    context 'when the registry key only contains the root key' do
+      it 'queries information for the root key' do
+        winreg.enum_registry_key(root_key)
+        expect(winreg).to have_received(:query_info_key).with(root_key_handle)
+      end
+    end
+
+    it 'opens the expected registry key' do
+      winreg.enum_registry_key(key)
+      expect(winreg).to have_received(:open_key).with(root_key_handle, sub_key)
+    end
+
+    it 'queries information for the expected registry key' do
+      winreg.enum_registry_key(key)
+      expect(winreg).to have_received(:query_info_key).with(subkey_handle)
+    end
+
+    it 'calls #enum_key the expected number of times' do
+      winreg.enum_registry_key(key)
+      expect(winreg).to have_received(:enum_key).with(subkey_handle, instance_of(Fixnum)).twice
+    end
+
+    it 'closes the key' do
+      winreg.enum_registry_key(key)
+      expect(winreg).to have_received(:close_key).with(subkey_handle)
+      expect(winreg).to have_received(:close_key).with(root_key_handle)
+    end
+
+    it 'returns the expected array of enumerated keys' do
+      key1 = 'key1'
+      key2 = 'key2'
+      allow(winreg).to receive(:enum_key).with(subkey_handle, 0).and_return(key1)
+      allow(winreg).to receive(:enum_key).with(subkey_handle, 1).and_return(key2)
+      expect(winreg.enum_registry_key(key)).to eq([key1, key2])
+    end
+  end
+
+  describe '#enum_registry_values' do
+    let(:root_key)                  { 'HKLM' }
+    let(:sub_key)                   { 'my\\sub\\key\\path' }
+    let(:key)                       { "#{root_key}\\#{sub_key}" }
+    let(:value_name)                { 'registry_value_name' }
+    let(:root_key_handle)           { double('Root Key Handle') }
+    let(:subkey_handle)             { double('Subkey Handle') }
+    let(:query_info_key_response)   { double('Query Info Key Response') }
+    let(:subkey_nb)                 { 2 }
+    before :example do
+      allow(winreg).to receive_messages(
+        :bind           => nil,
+        :open_root_key  => root_key_handle,
+        :open_key       => subkey_handle,
+        :query_info_key => query_info_key_response,
+        :enum_value     => nil,
+        :close_key      => nil
+      )
+      allow(query_info_key_response).to receive(:lpc_values).and_return(subkey_nb)
+    end
+
+    it 'binds a DCERPC connection to the expected remote endpoint' do
+      winreg.enum_registry_values(key)
+      expect(winreg).to have_received(:bind).with(endpoint: RubySMB::Dcerpc::Winreg)
+    end
+
+    it 'does not bind a DCERPC connection if #bind argument is false' do
+      winreg.enum_registry_values(key, bind: false)
+      expect(winreg).to_not have_received(:bind)
+    end
+
+    it 'opens the expected root key' do
+      winreg.enum_registry_values(key)
+      expect(winreg).to have_received(:open_root_key).with(root_key)
+    end
+
+    context 'when the registry key only contains the root key' do
+      it 'queries information for the root key' do
+        winreg.enum_registry_values(root_key)
+        expect(winreg).to have_received(:query_info_key).with(root_key_handle)
+      end
+    end
+
+    it 'opens the expected registry key' do
+      winreg.enum_registry_values(key)
+      expect(winreg).to have_received(:open_key).with(root_key_handle, sub_key)
+    end
+
+    it 'queries information for the expected registry key' do
+      winreg.enum_registry_values(key)
+      expect(winreg).to have_received(:query_info_key).with(subkey_handle)
+    end
+
+    it 'calls #enum_key the expected number of times' do
+      winreg.enum_registry_values(key)
+      expect(winreg).to have_received(:enum_value).with(subkey_handle, instance_of(Fixnum)).twice
+    end
+
+    it 'closes the key' do
+      winreg.enum_registry_values(key)
+      expect(winreg).to have_received(:close_key).with(subkey_handle)
+      expect(winreg).to have_received(:close_key).with(root_key_handle)
+    end
+
+    it 'returns the expected array of enumerated keys' do
+      value1 = 'value1'
+      value2 = 'value2'
+      allow(winreg).to receive(:enum_value).with(subkey_handle, 0).and_return(value1)
+      allow(winreg).to receive(:enum_value).with(subkey_handle, 1).and_return(value2)
+      expect(winreg.enum_registry_values(key)).to eq([value1, value2])
+    end
+  end
+
+  describe '#create_key' do
+    let(:handle)              { double('Handle') }
+    let(:sub_key)             { double('Sub key') }
+    let(:create_key_request)  { double('CreateKey Request') }
+    let(:response)            { double('Response') }
+    let(:create_key_response) { double('CreateKey Response') }
+    let(:hkey)                { double('hkey') }
+    before :example do
+      allow(described_class::CreateKeyRequest).to receive(:new).and_return(create_key_request)
+      allow(winreg).to receive(:dcerpc_request).and_return(response)
+      allow(described_class::CreateKeyResponse).to receive(:read).and_return(create_key_response)
+      allow(create_key_response).to receive(:error_status).and_return(WindowsError::Win32::ERROR_SUCCESS)
+      allow(create_key_response).to receive(:hkey).and_return(hkey)
+    end
+
+    it 'create the expected CreateKeyRequest packet with the default options' do
+      opts = {
+        hkey:                   handle,
+        lp_sub_key:             sub_key,
+        lp_class:               :null,
+        dw_options:             RubySMB::Dcerpc::Winreg::CreateKeyRequest::REG_KEY_TYPE_VOLATILE,
+        sam_desired:            RubySMB::Dcerpc::Winreg::Regsam.new(maximum: 1),
+        lp_security_attributes: RubySMB::Dcerpc::RpcSecurityAttributes.new,
+        lpdw_disposition:       RubySMB::Dcerpc::Winreg::CreateKeyRequest::REG_CREATED_NEW_KEY
+      }
+      winreg.create_key(handle, sub_key)
+      expect(described_class::CreateKeyRequest).to have_received(:new).with(opts)
+    end
+
+    it 'create the expected CreateKeyRequest packet with custom options' do
+      opts = {
+        hkey:                  handle,
+        lp_sub_key:            sub_key,
+        lp_class:              'MyClass',
+        dw_options:             RubySMB::Dcerpc::Winreg::CreateKeyRequest::REG_KEY_TYPE_SYMLINK,
+        sam_desired:            RubySMB::Dcerpc::Winreg::Regsam.new(key_set_value: 1),
+        lp_security_attributes: RubySMB::Dcerpc::RpcSecurityAttributes.new(n_length: 3),
+        lpdw_disposition:       RubySMB::Dcerpc::Winreg::CreateKeyRequest::REG_OPENED_EXISTING_KEY
+      }
+      winreg.create_key(handle, sub_key, opts)
+      expect(described_class::CreateKeyRequest).to have_received(:new).with(opts)
+    end
+
+    it 'sends the expected dcerpc request' do
+      winreg.create_key(handle, sub_key)
+      expect(winreg).to have_received(:dcerpc_request).with(create_key_request)
+    end
+
+    it 'creates a CreateKeyResponse structure from the expected dcerpc response' do
+      winreg.create_key(handle, sub_key)
+      expect(described_class::CreateKeyResponse).to have_received(:read).with(response)
+    end
+
+    context 'when an IOError occurs while parsing the response' do
+      it 'raises a RubySMB::Dcerpc::Error::InvalidPacket' do
+        allow(described_class::CreateKeyResponse).to receive(:read).and_raise(IOError)
+        expect { winreg.create_key(handle, sub_key) }.to raise_error(RubySMB::Dcerpc::Error::InvalidPacket)
+      end
+    end
+
+    context 'when the response error status is not WindowsError::Win32::ERROR_SUCCESS' do
+      it 'raises a RubySMB::Dcerpc::Error::WinregError' do
+        allow(create_key_response).to receive(:error_status).and_return(WindowsError::Win32::ERROR_INVALID_DATA)
+        expect { winreg.create_key(handle, sub_key) }.to raise_error(RubySMB::Dcerpc::Error::WinregError)
+      end
+    end
+
+    it 'returns the expected key name' do
+      expect(winreg.create_key(handle, sub_key)).to eq(hkey)
+    end
+  end
+
+  describe '#save_key' do
+    let(:handle)              { double('Handle') }
+    let(:filename)            { double('Filename') }
+    let(:save_key_request)    { double('CreateKey Request') }
+    let(:response)            { double('Response') }
+    let(:save_key_response)   { double('CreateKey Response') }
+    let(:hkey)                { double('hkey') }
+    before :example do
+      allow(described_class::SaveKeyRequest).to receive(:new).and_return(save_key_request)
+      allow(winreg).to receive(:dcerpc_request).and_return(response)
+      allow(described_class::SaveKeyResponse).to receive(:read).and_return(save_key_response)
+      allow(save_key_response).to receive(:error_status).and_return(WindowsError::Win32::ERROR_SUCCESS)
+    end
+
+    it 'create the expected SaveKeyRequest packet with the default options' do
+      opts = {
+        hkey:                   handle,
+        lp_file:                filename,
+        lp_security_attributes: :null,
+      }
+      winreg.save_key(handle, filename)
+      expect(described_class::SaveKeyRequest).to have_received(:new).with(opts)
+    end
+
+    it 'create the expected SaveKeyRequest packet with custom options' do
+      opts = {
+        hkey:                   handle,
+        lp_file:                filename,
+        lp_security_attributes: RubySMB::Dcerpc::RpcSecurityAttributes.new,
+      }
+      winreg.save_key(handle, filename, opts)
+      expect(described_class::SaveKeyRequest).to have_received(:new).with(opts)
+    end
+
+    it 'sends the expected dcerpc request' do
+      winreg.save_key(handle, filename)
+      expect(winreg).to have_received(:dcerpc_request).with(save_key_request)
+    end
+
+    it 'creates a SaveKeyResponse structure from the expected dcerpc response' do
+      winreg.save_key(handle, filename)
+      expect(described_class::SaveKeyResponse).to have_received(:read).with(response)
+    end
+
+    context 'when an IOError occurs while parsing the response' do
+      it 'raises a RubySMB::Dcerpc::Error::InvalidPacket' do
+        allow(described_class::SaveKeyResponse).to receive(:read).and_raise(IOError)
+        expect { winreg.save_key(handle, filename) }.to raise_error(RubySMB::Dcerpc::Error::InvalidPacket)
+      end
+    end
+
+    context 'when the response error status is not WindowsError::Win32::ERROR_SUCCESS' do
+      it 'raises a RubySMB::Dcerpc::Error::WinregError' do
+        allow(save_key_response).to receive(:error_status).and_return(WindowsError::Win32::ERROR_INVALID_DATA)
+        expect { winreg.save_key(handle, filename) }.to raise_error(RubySMB::Dcerpc::Error::WinregError)
+      end
+    end
+  end
+end