Registry Monitoring using ETW


Problem description

I am writing my own C++ application that uses Event Tracing for Windows (ETW) to monitor registry changes in real-time mode.

Here,

I have set the Registry GUID as providerId.

Registry GUID -> {70EB4F03-C1DE-4F73-A051-33D13D5413BD}

Enabling the trace with a mask of "0x0000000000000200" - DeleteValueKey

_status = EnableTraceEx2(this->hSession, &providerId, EVENT_CONTROL_CODE_ENABLE_PROVIDER, TRACE_LEVEL_VERBOSE, 0x0000000000000200, 0, 0, NULL);

After that, I am able to process and read the events in my callback method.

In my Registry Editor, when I created a new value under the key, I received event details like below:
Event ID: 6
06/27/2017 12:53:41.295557800
KeyObject: 0xFFFFC00077FC6B70
Status: 0x0
KeyName:
ValueName: New Value #1

When I deleted a value from the key, I received event details like below:
Event ID: 6
06/27/2017 12:54:33.435716200
KeyObject: 0xFFFFC00077FC6B70
Status: 0x0
KeyName:
ValueName: Hai

But I am not able to get the full path of the value which was deleted.

Can you help me with:

How to get the path of the value and key?

How to convert keyObject to useful data?

Recommended answer

Hi Duraikannu Jeyamani,

Thanks for posting here.

>> But I am not able to get the full path of the value which was deleted.

>> Can you help me with:

>> How to get the path of the value and key?

>> How to convert keyObject to useful data?

For this case, you could use LoadLibrary and NtQueryKey to get the path of the registry key. For example:

#include <windows.h>
#include <winternl.h>   // NTSTATUS
#include <string>
#include <new>          // std::nothrow

#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000L)
#endif
#ifndef STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
#endif

// Returns the full kernel-style path (e.g. \REGISTRY\MACHINE\SOFTWARE\...) of an
// open key handle, or an empty string on failure.
std::wstring GetKeyPathFromKKEY(HKEY key)
{
    std::wstring keyPath;
    if (key != NULL)
    {
        HMODULE dll = LoadLibraryW(L"ntdll.dll");
        if (dll != NULL) {
            // NtQueryKey has no public import library, so it is resolved at run time.
            // KeyInformationClass 3 is KeyNameInformation.
            typedef NTSTATUS (NTAPI *NtQueryKeyType)(
                HANDLE  KeyHandle,
                int     KeyInformationClass,
                PVOID   KeyInformation,
                ULONG   Length,
                PULONG  ResultLength);

            NtQueryKeyType func = reinterpret_cast<NtQueryKeyType>(::GetProcAddress(dll, "NtQueryKey"));

            if (func != NULL) {
                DWORD size = 0;
                // First call with no buffer: ask how many bytes are required.
                NTSTATUS result = func(key, 3, 0, 0, &size);
                if (result == STATUS_BUFFER_TOO_SMALL)
                {
                    size = size + 2;   // room for a terminating L'\0'
                    wchar_t* buffer = new (std::nothrow) wchar_t[size / sizeof(wchar_t)]; // size is in bytes
                    if (buffer != NULL)
                    {
                        result = func(key, 3, buffer, size, &size);
                        if (result == STATUS_SUCCESS)
                        {
                            // The buffer is a KEY_NAME_INFORMATION: a ULONG NameLength followed by
                            // the name without a terminator. Terminate it, then skip the 4-byte length.
                            buffer[size / sizeof(wchar_t)] = L'\0';
                            keyPath = std::wstring(buffer + 2);
                        }

                        delete[] buffer;
                    }
                }
            }

            FreeLibrary(dll);
        }
    }
    return keyPath;
}

Hope this could help you.

Best Regards,
Sera Yu
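The NtQueryKey routine in the answer needs an open HKEY, whereas the KeyObject in the event records is a kernel object pointer, so a real-time consumer normally resolves it by correlating it with the earlier CreateKey/OpenKey events that carry the key names. The following is an added example of that correlation in portable C++, not code from the asker or the answer: the event structs and the field names BaseObject, KeyObject and RelativeName are assumed from the kernel registry provider's event layout, and the KeyPathCache class is the example's own.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Minimal model of the registry-provider events the cache correlates. The field
// names follow the Microsoft-Windows-Kernel-Registry manifest as an assumption;
// the structs themselves are constructed for this example.
struct KeyOpenEvent {          // CreateKey / OpenKey
    uint64_t baseObject;       // parent key object; 0 when relativeName is absolute
    uint64_t keyObject;        // key object pointer that later events carry
    std::wstring relativeName; // name relative to baseObject
};
struct ValueEvent {            // SetValueKey / DeleteValueKey
    uint64_t keyObject;
    std::wstring valueName;
};
// Maps KeyObject pointers to full key paths built from CreateKey/OpenKey events.
class KeyPathCache {
public:
    void onKeyOpened(const KeyOpenEvent& e) {
        std::wstring path;
        if (e.baseObject != 0) {
            auto it = paths_.find(e.baseObject);
            if (it == paths_.end()) return;  // parent never seen: cannot resolve
            path = it->second + L"\\";
        }
        path += e.relativeName;
        paths_[e.keyObject] = path;
    }
    // Drop the entry when the key is closed, since the address may be reused.
    void onKeyClosed(uint64_t keyObject) { paths_.erase(keyObject); }
    // Returns "<key path>\<value name>", or an empty string if the object is unknown.
    std::wstring resolveValue(const ValueEvent& e) const {
        auto it = paths_.find(e.keyObject);
        if (it == paths_.end()) return L"";
        return it->second + L"\\" + e.valueName;
    }
private:
    std::map<uint64_t, std::wstring> paths_;
};

// Replays a constructed sequence resembling the question's trace: the hive root
// is opened, a subkey is opened under it, then a value is deleted from the subkey.
std::wstring demo() {
    KeyPathCache cache;
    cache.onKeyOpened({0, 0xFFFFC00077FC6000ULL, L"\\REGISTRY\\MACHINE\\SOFTWARE"});
    cache.onKeyOpened({0xFFFFC00077FC6000ULL, 0xFFFFC00077FC6B70ULL, L"Test"});
    return cache.resolveValue({0xFFFFC00077FC6B70ULL, L"Hai"});
}
```

Keys opened before the session started never reach the cache, so resolveValue returns an empty string for them instead of a guessed path; a monitor that must name those keys too needs a rundown of already-open keys at session start.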
