Saturday, 16 March 2013

using ZwQueryLicenseValue in windows 8 drivers

The function ZwQueryLicenseValue retrieves the data stored for a particular license value. As you can see, its first argument is a PUNICODE_STRING holding the name of a license feature. Let's see which names are checked in Windows 8 kernel mode.

kernel
  • Kernel-ProductInfo - in function RtlGetProductInfo
  • Kernel-ProductInfoLegacyMapping - in function RtlGetProductInfo
  • Kernel-VirtualDynamicPartitioningSupported
  • Kernel-VmPhysicalMemoryAddAllowed
  • Kernel-RegisteredProcessors
  • Kernel-CsChecksDisabled
  • Kernel-PersistDefectiveMemoryList
  • Kernel-ExpirationDate
  • Kernel-MemoryMirroringSupported
  • WSLicensingService-LOBSideloadingActivated
The function RtlpGetWindowsPolicy also checks the following names:
  • WindowsExcludedProcs
  • Kernel-MUI-Number-Allowed
  • Kernel-MUI-Language-Allowed
  • Kernel-MUI-Language-Disallowed
  • Kernel-MUI-Language-SKU
hal.dll
  • Kernel-RegisteredProcessors
win32k.sys
  • Microsoft-Windows-Core-THQAEnabled
  • Microsoft-Windows-Core-AllowMultiMon
appid.sys
  • appid-EnableV2
bridge.sys
This driver carries a very awesome message:
Without specific written consent from Microsoft, it is illegal to reverse engineer, debug or change this binary
So I just skip this driver :-)

csc.sys
  • Microsoft-Windows-OfflineFiles-Core-FeatureEnabled
  • Microsoft-Windows-OfflineFiles-Core-BranchCachingEnabled
dxgkrnl.sys
  • Microsoft-Windows-Core-AllowMultiMon
fvevol.sys
  • SecureStartupFeature-Enabled-Basic
  • SecureStartupFeature-Enabled-Driver
  • SecureStartupFeature-Enabled-Premium
  • SecureStartupFeature-Enabled-PreInstall
srvnet.sys
This driver exports the function SrvLibQueryLicensingDWord, which is used by:
  1. srv.sys - for SMBServer-AllowRemoteLegacyShadowCopyAccess
  2. srv2.sys - for SMBServer-AllowRemoteShadowCopyAccess and SMBServer-AllowHashPublication
tcpip.sys
  • TCPIP-SecondaryAppMetaDataSocketOption
volmgrx.sys
  • volmgrx-SupportDynamic
  • volmgrx-SupportMirror
  • volmgrx-SupportRaid5
I think this list is not complete: it only contains the names collected on my machine running Windows 8 RTM.
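As an added example (not code from the original post), here is a small user-mode probe that walks some of the names listed above and reports what the license API returns for each. It assumes the commonly published five-argument signature for the undocumented call (ValueName, Type, Data, DataSize, ResultDataSize) and uses the ntdll export NtQueryLicenseValue, which is the user-mode counterpart of ZwQueryLicenseValue; a driver would call ZwQueryLicenseValue with the same arguments. The decoding helper is portable and treats the result as REG_DWORD (type 4), which is how the boolean-style values above are typically stored; names that are not defined on a given SKU come back with an error status, which the probe simply prints.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Registry value type the listed license values are assumed to use (REG_DWORD). */
#define LICENSE_TYPE_DWORD 4ul

/* Decode the Type/Data/ResultDataSize triple returned by NtQueryLicenseValue or
 * ZwQueryLicenseValue as a 32-bit little-endian DWORD.
 * Returns 1 and stores the value in *out on success; returns 0 when the type or
 * size does not match, so a caller never misreads a string or binary value. */
int decode_license_dword(unsigned long type, const void *data,
                         unsigned long size, unsigned long *out)
{
    uint32_t v;
    if (data == NULL || out == NULL)
        return 0;
    if (type != LICENSE_TYPE_DWORD || size != sizeof(v))
        return 0;
    memcpy(&v, data, sizeof(v));   /* avoid unaligned access on the raw buffer */
    *out = v;
    return 1;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* Assumed signature of the undocumented call (user-mode export in ntdll.dll). */
typedef NTSTATUS (NTAPI *NtQueryLicenseValue_t)(PUNICODE_STRING ValueName,
                                                PULONG Type, PVOID Data,
                                                ULONG DataSize,
                                                PULONG ResultDataSize);

/* Subset of the names from the lists above; extend as needed. */
static const wchar_t *const license_names[] = {
    L"Kernel-RegisteredProcessors",
    L"Kernel-VmPhysicalMemoryAddAllowed",
    L"Kernel-MemoryMirroringSupported",
    L"Microsoft-Windows-Core-AllowMultiMon",
    L"SecureStartupFeature-Enabled-Basic",
    L"SMBServer-AllowRemoteShadowCopyAccess",
    L"volmgrx-SupportDynamic",
};

static void probe_one(NtQueryLicenseValue_t query, const wchar_t *name)
{
    UNICODE_STRING us;
    ULONG type = 0, result = 0;
    unsigned char buf[256];
    unsigned long value;
    NTSTATUS st;

    RtlInitUnicodeString(&us, name);
    st = query(&us, &type, buf, sizeof(buf), &result);
    if (st == 0 && decode_license_dword(type, buf, result, &value))
        printf("%-45ls = %lu\n", name, value);
    else if (st == 0)
        printf("%-45ls : type %lu, %lu bytes (not a DWORD)\n", name, type, result);
    else
        printf("%-45ls : NTSTATUS 0x%08lX\n", name, (unsigned long)st);
}

int main(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtQueryLicenseValue_t query = ntdll
        ? (NtQueryLicenseValue_t)GetProcAddress(ntdll, "NtQueryLicenseValue")
        : NULL;
    size_t i;

    if (query == NULL) {
        fprintf(stderr, "NtQueryLicenseValue not found in ntdll.dll\n");
        return 1;
    }
    for (i = 0; i < sizeof(license_names) / sizeof(license_names[0]); i++)
        probe_one(query, license_names[i]);
    return 0;
}
#endif
```

Build with MSVC or MinGW and link against ntdll (for RtlInitUnicodeString); on a non-Windows host only the portable decoding helper compiles, which is enough to unit-test the buffer handling.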
