
I remember that for my final-year university project I wrote a C# registry monitor. However, when I compared it with the Microsoft Process Monitor application (I can't remember its exact name, but it was from a company bought by Microsoft), I wasn't capturing as many registry calls.

Was this because I was using a C# wrapper and, as such, it would only have been catching user-mode registry accesses?

I used this wrapper: http://www.codeproject.com/KB/DLL/EasyHook64.aspx

To catch the kernel-mode registry accesses, would I have to write in C++?

asked by Tom (edited by wj32)

  • You are thinking of RegMon from Sysinternals, which has been replaced with Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645 – Randy Levy Jan 28 '11 at 22:43
  • Process Monitor is the one I used, yes! – Tom Jan 28 '11 at 22:46
  • Didn't the earlier versions of these SysInternals utilities come with source code, or am I dreaming? – Chris O Jan 29 '11 at 00:20

2 Answers

Process Monitor is either using a kernel driver or ETW (see below) to capture registry events. I do know that Process Monitor uses ETW for some of its data (like networking information).

An API hooking or detouring mechanism like EasyHook typically operates at the Win32 API level (e.g. RegSetValue or RegCreateKeyEx in ADVAPI32.dll). Because of this, it has the limitation you mention: only user-mode registry accesses are captured. Additionally, API hooking is usually done on a per-process basis, so you have to inject yourself into each process that you want to collect data on. You would also have to monitor for process creation if you wanted to really capture all accesses across the system.

Event Tracing for Windows (ETW) would be an easy way (relatively speaking) to capture all registry accesses. The basic idea behind ETW is that OS, runtime, library, and even everyday application developers can add specific instrumentation to their code to log data about interesting events and scenarios. This tracing is low overhead and can be easily collected. ETW has been around for a while, but it has really gained traction throughout the kernel starting with Vista. Almost all major kernel subsystems are now instrumented with ETW. It is also now the basis for the Windows Event Log.

ETW has its fair share of baggage and lacks substantial documentation in some areas, but if you are interested, you can check out the following:

To catch the kernel mode registry accesses would i have to write in C++?

No, using the TraceEvent library mentioned above, you could use C# to capture and analyze kernel- and user-mode registry accesses across the system.

answered by Chris Schmich

  • Interesting, so using the ETW, can I capture file accesses in real time? – Chibueze Opata Jun 16 '13 at 20:55
  • @ChibuezeOpata: Essentially, yes. There will be some latency depending on system load and how many ETW events are being processed, but in the general case, you should be able to see file accesses as they're happening. ETW is incredibly powerful in this regard. – Chris Schmich Jun 17 '13 at 02:04
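The approach this answer describes, as an added example that is not code from the question or from either answer: a small C# program built on the TraceEvent library (NuGet package Microsoft.Diagnostics.Tracing.TraceEvent) that opens an ETW kernel session with only the Registry keyword enabled and prints every registry operation on the machine as it happens, whichever process or kernel-mode component issued it. The event and property names come from TraceEvent's KernelTraceEventParser and RegistryTraceData types; the session name, the optional process-name filter and the output layout are this example's own choices. It assumes a Windows machine with .NET Framework 4.x or a modern .NET runtime and must be run from an elevated prompt, since kernel ETW sessions require administrator rights.

```csharp
// Added example (not the question's or the answers' code): a system-wide,
// real-time registry monitor on top of the TraceEvent library.
// Assumptions: NuGet package Microsoft.Diagnostics.Tracing.TraceEvent is
// referenced, the program runs on Windows from an elevated prompt.
using System;
using System.Collections.Generic;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

static class RegistryEtwMonitor
{
    static int Main(string[] args)
    {
        if (!(TraceEventSession.IsElevated() ?? false))
        {
            Console.Error.WriteLine("ETW kernel sessions need an elevated (administrator) prompt.");
            return 1;
        }

        // Optional first argument: only print events from this image name, e.g. "notepad".
        string processFilter = args.Length > 0 ? args[0] : null;

        // Per-operation counters, printed when the session ends (Ctrl+C).
        var counts = new Dictionary<string, long>();

        // Before Windows 8 there is a single kernel logger session with this fixed
        // name, so using the constant keeps the example working on older systems.
        using (var session = new TraceEventSession(KernelTraceEventParser.KernelSessionName))
        {
            // Ctrl+C disposes the session, which stops it and makes Process() return.
            Console.CancelKeyPress += (sender, e) => { e.Cancel = true; session.Dispose(); };

            // Enable only the Registry keyword; file I/O, process and network keywords
            // stay off so the session adds as little overhead as possible.
            session.EnableKernelProvider(KernelTraceEventParser.Keywords.Registry);

            // One handler for all registry operations. RegistryTraceData carries the
            // operation name, key and value names, the NTSTATUS result and the
            // originating process, for user-mode and kernel-mode callers alike.
            Action<RegistryTraceData> onRegistryEvent = data =>
            {
                if (processFilter != null &&
                    !string.Equals(data.ProcessName, processFilter, StringComparison.OrdinalIgnoreCase))
                    return;

                long n;
                counts.TryGetValue(data.EventName, out n);
                counts[data.EventName] = n + 1;

                // KeyName may be empty when the key's control block was created before
                // the session started and no rundown for it has been seen yet.
                Console.WriteLine("{0,10:F3} ms  {1,-26} pid={2,-6} {3,-20} status=0x{4:X8}  {5}\\{6}",
                    data.TimeStampRelativeMSec, data.EventName, data.ProcessID,
                    data.ProcessName, data.Status, data.KeyName, data.ValueName);
            };

            var kernel = session.Source.Kernel;
            kernel.RegistryCreate            += onRegistryEvent;
            kernel.RegistryOpen              += onRegistryEvent;
            kernel.RegistryDelete            += onRegistryEvent;
            kernel.RegistryQuery             += onRegistryEvent;
            kernel.RegistrySetValue          += onRegistryEvent;
            kernel.RegistryDeleteValue       += onRegistryEvent;
            kernel.RegistryQueryValue        += onRegistryEvent;
            kernel.RegistryEnumerateKey      += onRegistryEvent;
            kernel.RegistryEnumerateValueKey += onRegistryEvent;

            Console.WriteLine("Capturing system-wide registry events; press Ctrl+C to stop.");
            session.Source.Process();   // blocks here, dispatching events as they arrive
        }

        Console.WriteLine();
        Console.WriteLine("Events seen by operation:");
        foreach (var kv in counts)
            Console.WriteLine("  {0,-28} {1}", kv.Key, kv.Value);
        return 0;
    }
}
```

Because the events come from the kernel's own instrumentation rather than from a hook placed in each process, nothing has to be injected and process creation does not need to be tracked; a process started after the session begins shows up automatically. The handlers run on the thread that called Process(), so the counter dictionary needs no locking. The same program extends to file activity by enabling KernelTraceEventParser.Keywords.FileIO and subscribing to the FileIO events on the same parser, which is what the comment above about real-time file access capture relies on.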

To capture kernel-mode registry access you have to write a driver in C++, there isn't any other way to do it. Process Monitor is a driver, that's why it can capture both user and kernel accesses.

You can download old versions of Regmon and Filemon here:

http://www.decuslib.com/decus/vmslt00a/nt/filemon.htm

http://www.decuslib.com/decus/vmslt00a/nt/regmon.htm

answered by Paul Exchange (edited by Hasturkun)

  • +1 for clarity on ProcMon, but RE: "there isn't any other way to do it" - the Windows kernel has built-in ETW instrumentation for registry events. It's even possible to get full user- and kernel-mode stacks for the registry accesses as well. – Chris Schmich Feb 12 '11 at 02:50
  • That is not available in XP; that's why I didn't mention it. – Paul Exchange Feb 12 '11 at 11:55