
I need to track registry changes. I need detailed information, so RegNotifyChangeKeyValue is not enough. So, the only way I found on Google is to use this horrible Event Tracing.

After configuring all the stuff and actually getting the data, I have the Registry_TypeGroup1 class from EVENT_TRACE:

```
[EventType{...}]class Registry_TypeGroup1 : Registry
{
  sint64 InitialTime;
  uint32 Status;
  uint32 Index;
  uint32 KeyHandle;
  string KeyName;
};
```

According to the documentation, KeyName is just the name of the registry key and not the full key path for the given event. But the problem is that I need the full path of the key!

If I convert KeyHandle from uint32 to HKEY and use NtQueryKey (like this), the function fails with an unknown status.

So, is there a way to retrieve the full Registry key path from the EVENT_TRACE instance of EVENT_TRACE_FLAG_REGISTRY?

(I am asking because I read somewhere that ProcMon uses Event Tracing and it shows the full Registry path for events... Or does it hook system calls to Reg* functions?)

grisha
  • [Filtering Registry Calls](https://msdn.microsoft.com/en-us/library/windows/hardware/ff545879.aspx). – IInspectable Mar 30 '15 at 11:27
  • Thanks. I rejected it the first time I found it, because it requires a kernel-mode driver and I have no idea how to write a driver. I thought it would be easier to understand Event Tracing rather than how to write a simple driver... – grisha Mar 30 '15 at 11:48
  • That's what ProcMon uses, starting with Windows Vista (source: [Sysinternals forum](http://forum.sysinternals.com/monitor-registry-activities-in-detail_topic27467.html)). Versions targeting previous OS releases use system call hooking. – IInspectable Mar 30 '15 at 12:20
  • @Remy Lebeau, thanks for the orthography correction – grisha Mar 30 '15 at 19:00

1 Answer


According to this thread, you can use KCBRundownEnd, which can be seen in MSDN, to collect all the registry keys. The whole base name and the KeyHandle are in the log of the KCBRundownEnd event, and you can match the KeyHandle to get the corresponding base names.

zeze
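The matching the answer describes, as an added example that is not code from the question or the answer. The KeyHandle in kernel registry events is a kernel-side key control block (KCB) address, not a handle a user-mode process can pass to NtQueryKey, which is consistent with the failure described in the question; its only use is as a lookup key. KCBRundownBegin/KCBRundownEnd events enumerate the KCBs that already exist when the session starts, KCBCreate announces ones created afterwards, and KCBDelete retires an address that may later be reused, so a consumer keeps a KeyHandle-to-name table from those four event types and joins the relative KeyName of every other registry event onto it. The EventType numbers below are the ones documented for Registry_TypeGroup1 on MSDN as I recall them (verify against the documentation), the RegistryEvent class stands in for the fields a real ProcessTrace callback would pull out of EVENT_TRACE, and the trace data is constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# EventType values of Registry_TypeGroup1 (assumption: recalled from the MSDN
# page for the class; verify against the documentation before relying on them).
EVT_CREATE, EVT_OPEN, EVT_QUERY_VALUE = 10, 11, 16
EVT_KCB_CREATE, EVT_KCB_DELETE = 22, 23
EVT_KCB_RUNDOWN_BEGIN, EVT_KCB_RUNDOWN_END = 24, 25
KCB_NAME_EVENTS = {EVT_KCB_CREATE, EVT_KCB_RUNDOWN_BEGIN, EVT_KCB_RUNDOWN_END}

# Kernel object-manager prefixes and the Win32 root names they correspond to.
_NT_ROOTS = (
    ("\\REGISTRY\\MACHINE", "HKEY_LOCAL_MACHINE"),
    ("\\REGISTRY\\USER", "HKEY_USERS"),
)


@dataclass
class RegistryEvent:
    """The Registry_TypeGroup1 fields this example needs (hypothetical struct)."""
    event_type: int
    key_handle: int      # KCB address reported in KeyHandle; not a user-mode HKEY
    key_name: str        # full NT path for KCB events, relative name otherwise
    status: int = 0


class KcbResolver:
    """Maps KeyHandle (KCB address) to the KCB's full name and resolves paths."""

    def __init__(self) -> None:
        self._kcb: Dict[int, str] = {}

    def handle(self, ev: RegistryEvent) -> Optional[str]:
        """Feed one event; returns the resolved full path for key operations,
        None for KCB bookkeeping events or when the KCB is unknown."""
        if ev.event_type in KCB_NAME_EVENTS:
            # KCBCreate / KCBRundownBegin / KCBRundownEnd carry the full NT path.
            self._kcb[ev.key_handle] = ev.key_name.rstrip("\\")
            return None
        if ev.event_type == EVT_KCB_DELETE:
            # The address may be reused by a new KCB later, so forget the stale name.
            self._kcb.pop(ev.key_handle, None)
            return None
        return self.resolve(ev.key_handle, ev.key_name)

    def resolve(self, key_handle: int, key_name: str) -> Optional[str]:
        if key_name.startswith("\\"):
            # Already an absolute NT path (e.g. KeyHandle == 0 on a create/open).
            return key_name
        base = self._kcb.get(key_handle)
        if base is None:
            return None   # KCB not seen yet: enable rundown or wait for KCBCreate
        return base if not key_name else f"{base}\\{key_name}"


def to_win32_path(nt_path: str) -> str:
    """Rewrite \\REGISTRY\\MACHINE\\... into HKEY_LOCAL_MACHINE\\... form."""
    upper = nt_path.upper()
    for nt_root, win32_root in _NT_ROOTS:
        if upper == nt_root or upper.startswith(nt_root + "\\"):
            return win32_root + nt_path[len(nt_root):]
    return nt_path


def resolve_trace(events: List[RegistryEvent]) -> List[Tuple[int, Optional[str]]]:
    """Run a whole event sequence; returns (event_type, Win32 path or None)
    for every non-KCB event, in trace order."""
    resolver = KcbResolver()
    out: List[Tuple[int, Optional[str]]] = []
    for ev in events:
        if ev.event_type in KCB_NAME_EVENTS or ev.event_type == EVT_KCB_DELETE:
            resolver.handle(ev)
            continue
        path = resolver.handle(ev)
        out.append((ev.event_type, to_win32_path(path) if path else None))
    return out


# Constructed sample trace (addresses and names are made up for the example).
SAMPLE_TRACE = [
    RegistryEvent(EVT_KCB_RUNDOWN_END, 0xFFFF8A0012345678, "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft"),
    RegistryEvent(EVT_KCB_CREATE, 0xFFFF8A00AABBCCDD, "\\REGISTRY\\USER\\S-1-5-21-1-2-3-1001\\Software"),
    RegistryEvent(EVT_OPEN, 0xFFFF8A0012345678, "Windows\\CurrentVersion\\Run"),
    RegistryEvent(EVT_CREATE, 0, "\\REGISTRY\\MACHINE\\SYSTEM\\Setup"),
    RegistryEvent(EVT_QUERY_VALUE, 0xFFFF8A00DEADBEEF, "Start"),   # KCB never announced
    RegistryEvent(EVT_KCB_DELETE, 0xFFFF8A00AABBCCDD, ""),
    RegistryEvent(EVT_OPEN, 0xFFFF8A00AABBCCDD, "Classes"),        # stale handle after delete
]

if __name__ == "__main__":
    for event_type, path in resolve_trace(SAMPLE_TRACE):
        print(event_type, path or "<unresolved>")
```

Two practical points follow from the sample: an event whose KCB was never announced stays unresolved, which is what happens when the session is started without rundown and the key was opened before tracing began, and a KeyHandle seen after its KCBDelete is deliberately left unresolved rather than mapped to the old name, since the address can be recycled.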