0 votes
173 views
in Technique[技术] by (71.8m points)

windows - RegistryCallback and RegCreateKeyEx

I want to monitor a Windows machine. I created a Windows service, and my purpose is to be notified when a process tries to create a new registry key.

I use RegistryCallback with the following signature:

NTSTATUS RegistryCallback(
  _In_      PVOID CallbackContext,
  _In_opt_  PVOID Argument1,
  _In_opt_  PVOID Argument2
)

The RegistryCallback was registered with CmRegisterCallback. The problem is that I am notified for every registry key creation; however, I want to be notified only for the creation of new registry keys, or at least to get the information that the key already existed. Is there any way to do so?


He who fights with dragons for too long becomes a dragon himself; gaze too long into the abyss, and the abyss gazes back…

1 Reply

0 votes
by (71.8m points)

You can't request specific notifications, you have to receive them all. However, Argument1 tells you what kind of operation is being performed so you can process only the ones you are interested in. Argument2 contains a pointer to various structures, depending on the value of Argument1, that give you more detailed information about the operations. For example, when Argument1 is RegNtPostCreateKeyEx, Argument2 points to a REG_POST_OPERATION_INFORMATION struct whose PreInformation field points to a REG_CREATE_KEY_INFORMATION struct whose Disposition field tells you whether the key already existed or not.


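Here is an added example (not from the question or the answer above) of the filtering the answer describes: the callback ignores every notification except RegNtPostCreateKeyEx, checks that the create actually succeeded, and then reads the Disposition that the caller asked for. The types come from ntddk.h in a real driver; the stand-in definitions under the `#else` are constructed so the decision logic compiles and can be exercised in user mode, reproduce only the fields the code touches, and do not carry the real enum values. The names ClassifyCreateEvent, CreateEventKind and SimulatePostCreateKeyEx are my own, not anything from the Windows API.

```c
/* Added example: reduce CmRegisterCallback traffic to "a new key was created".
 * In a driver, <ntddk.h> supplies the real types. The stand-ins below are
 * constructed for an offline, user-mode build of the same logic. */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
#include <stddef.h>
#include <stdint.h>
typedef long NTSTATUS;
typedef unsigned long ULONG, *PULONG;
typedef void *PVOID;
typedef uintptr_t ULONG_PTR;
#define STATUS_SUCCESS ((NTSTATUS)0)
#define REG_CREATED_NEW_KEY     0x00000001UL   /* same values as winnt.h/ntddk.h */
#define REG_OPENED_EXISTING_KEY 0x00000002UL
typedef enum _REG_NOTIFY_CLASS {               /* stand-in subset; values are NOT real */
    RegNtPreCreateKeyEx  = 100,
    RegNtPostCreateKeyEx = 101
} REG_NOTIFY_CLASS;
typedef struct _REG_POST_OPERATION_INFORMATION {
    PVOID    Object;
    NTSTATUS Status;          /* outcome of the create that just completed */
    PVOID    PreInformation;  /* -> REG_CREATE_KEY_INFORMATION for CreateKeyEx */
} REG_POST_OPERATION_INFORMATION;
typedef struct _REG_CREATE_KEY_INFORMATION {
    PULONG Disposition;       /* caller-supplied output buffer; may be NULL */
} REG_CREATE_KEY_INFORMATION;
#endif

typedef enum {
    CREATE_EVENT_IGNORED,      /* not a post-CreateKeyEx notification */
    CREATE_EVENT_FAILED,       /* create failed, so Disposition was never written */
    CREATE_EVENT_UNKNOWN,      /* caller passed no Disposition buffer */
    CREATE_EVENT_NEW_KEY,      /* REG_CREATED_NEW_KEY: the key did not exist before */
    CREATE_EVENT_EXISTING_KEY  /* REG_OPENED_EXISTING_KEY: CreateKeyEx merely opened it */
} CreateEventKind;

/* Decide what a (notify class, Argument2) pair means for a "new key" monitor.
 * Disposition is only trustworthy after a successful create and only when the
 * original caller actually supplied a buffer for it. */
CreateEventKind ClassifyCreateEvent(REG_NOTIFY_CLASS cls, PVOID arg2)
{
    if (cls != RegNtPostCreateKeyEx || arg2 == NULL)
        return CREATE_EVENT_IGNORED;

    const REG_POST_OPERATION_INFORMATION *post = arg2;
    if (post->Status != STATUS_SUCCESS)
        return CREATE_EVENT_FAILED;

    const REG_CREATE_KEY_INFORMATION *pre = post->PreInformation;
    if (pre == NULL || pre->Disposition == NULL)
        return CREATE_EVENT_UNKNOWN;

    switch (*pre->Disposition) {
    case REG_CREATED_NEW_KEY:     return CREATE_EVENT_NEW_KEY;
    case REG_OPENED_EXISTING_KEY: return CREATE_EVENT_EXISTING_KEY;
    default:                      return CREATE_EVENT_UNKNOWN;
    }
}

/* The routine handed to CmRegisterCallback. Argument1 carries the
 * REG_NOTIFY_CLASS as an integer; Argument2 points to the per-class structure. */
NTSTATUS RegistryCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
{
    (void)CallbackContext;
    REG_NOTIFY_CLASS cls = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;

    if (ClassifyCreateEvent(cls, Argument2) == CREATE_EVENT_NEW_KEY) {
        /* Record the event (for example, queue it to a worker thread for
         * logging). Keep this path short: it runs inside the caller's
         * registry operation. */
    }
    return STATUS_SUCCESS;   /* a monitor observes; it never fails the operation */
}

/* Builds a synthetic post-CreateKeyEx notification (constructed data; in the
 * kernel the Configuration Manager fills these structures) and classifies it. */
CreateEventKind SimulatePostCreateKeyEx(NTSTATUS status, int callerWantsDisposition,
                                        ULONG disposition)
{
    ULONG dispBuf = disposition;
    REG_CREATE_KEY_INFORMATION pre = {0};
    REG_POST_OPERATION_INFORMATION post = {0};

    pre.Disposition = callerWantsDisposition ? &dispBuf : NULL;
    post.Status = status;
    post.PreInformation = &pre;
    return ClassifyCreateEvent(RegNtPostCreateKeyEx, &post);
}
```

The two guards before the switch are the part worth copying: a failed create (non-zero Status) leaves Disposition unwritten, and a caller that passed no Disposition pointer (it is optional for NtCreateKey) leaves you with no way to tell new from existing for that call, so treat that case as unknown rather than assuming either.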