I want to monitor a windows machine. I created a windows service, and my purpose is to be notified when a process tries to create a new registry key.

I use RegistryCallback with the following signature

NTSTATUS RegistryCallback(
  _In_      PVOID CallbackContext,
  _In_opt_  PVOID Argument1,
  _In_opt_  PVOID Argument2
)

The RegistryCallback was registered with CmRegisterCallback . The problem is I am notified for every registry key creation , however I want to be notified only for creation of new registry keys , or at least getting the information that this key was already exist, is there any way to do so ?

You can't request specific notifications, you have to receive them all. However, Argument1 tells you what kind of operation is being performed so you can process only the ones you are interested in. Argument2 contains a pointer to various structures, depending on the value of Argument1, that give you more detailed information about the operations. For example, when Argument1 is RegNtPostCreateKeyEx, Argument2 points to a REG_POST_OPERATION_INFORMATION struct whose PreInformation field points to a REG_CREATE_KEY_INFORMATION struct whose Disposition field tells you whether the key already existed or not.