{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 唯我独甜 的问题《RegistryCallback and RegCreateKeyEx》','https://www.manongdao.com/q-1148831.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I want to monitor a windows machine. I created a windows service, and my purpose is to be notified when a process tries to create a new registry key.
I use RegistryCallback with the following signature
NTSTATUS RegistryCallback(
_In_ PVOID CallbackContext,
_In_opt_ PVOID Argument1,
_In_opt_ PVOID Argument2
)
The RegistryCallback was registered with CmRegisterCallback . The problem is I am notified for every registry key creation , however I want to be notified only for creation of new registry keys , or at least getting the information that this key was already exist, is there any way to do so ?
You can't request specific notifications, you have to receive them all. However,
Argument1tells you what kind of operation is being performed so you can process only the ones you are interested in.Argument2contains a pointer to various structures, depending on the value ofArgument1, that give you more detailed information about the operations. For example, whenArgument1isRegNtPostCreateKeyEx,Argument2points to aREG_POST_OPERATION_INFORMATIONstruct whosePreInformationfield points to aREG_CREATE_KEY_INFORMATIONstruct whoseDispositionfield tells you whether the key already existed or not.