Registry Monitoring using ETW
Question
I am writing my own C++ application that uses Event Tracing for Windows (ETW) to monitor Registry changes in real-time mode.
Here, I have set the Registry GUID as providerId.
Registry GUID -> {70EB4F03-C1DE-4F73-A051-33D13D5413BD}
Enabling the trace with a mask of "0x0000000000000200" - DeleteValueKey
_status = EnableTraceEx2(this->hSession, &providerId, EVENT_CONTROL_CODE_ENABLE_PROVIDER, TRACE_LEVEL_VERBOSE, 0x0000000000000200, 0, 0, NULL);
After that, I am able to process and read the events in my callback method.
In my Registry Editor, when I created a new value under the key, I received the event details below:
Event ID: 6
06/27/2017 12:53:41.295557800
KeyObject: 0xFFFFC00077FC6B70
Status: 0x0
KeyName:
ValueName: New Value #1
When I deleted a value under the key, I received the event details below:
Event ID: 6
06/27/2017 12:54:33.435716200
KeyObject: 0xFFFFC00077FC6B70
Status: 0x0
KeyName:
ValueName: Hai
But I can't get the full path of the value that was deleted.
Can you help me?
How do I get the path of the value and the key?
How do I convert keyObject into useful data?
Answer
Thank you for posting here.
>> But I can't get the full path of the value that was deleted.
>> Can you help me, how do I get the path of the value and the key?
>> How do I convert keyObject into useful data?
For this case, you could use LoadLibrary and NtQueryKey to get the path of the registry key. For example:
#include <windows.h>
#include <string>
#include <new>

// NTSTATUS values used below (from ntstatus.h; defined here so the snippet builds on its own)
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((DWORD)0x00000000L)
#endif
#ifndef STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL ((DWORD)0xC0000023L)
#endif

// Returns the NT-native path (e.g. \REGISTRY\MACHINE\...) of an open registry key,
// or an empty string on failure.
std::wstring GetKeyPathFromHKEY(HKEY key)
{
    std::wstring keyPath;
    if (key != NULL)
    {
        HMODULE dll = LoadLibraryW(L"ntdll.dll");
        if (dll != NULL) {
            typedef DWORD (__stdcall *NtQueryKeyType)(
                HANDLE KeyHandle,
                int KeyInformationClass,
                PVOID KeyInformation,
                ULONG Length,
                PULONG ResultLength);
            NtQueryKeyType func = reinterpret_cast<NtQueryKeyType>(::GetProcAddress(dll, "NtQueryKey"));
            if (func != NULL) {
                DWORD size = 0;
                DWORD result = 0;
                // First call with no buffer: KeyNameInformation (class 3) reports the required size in bytes.
                result = func(key, 3, 0, 0, &size);
                if (result == STATUS_BUFFER_TOO_SMALL)
                {
                    size = size + 2;
                    // One extra wchar_t so the terminator written below stays inside the allocation.
                    wchar_t* buffer = new (std::nothrow) wchar_t[size / sizeof(wchar_t) + 1]; // size is in bytes
                    if (buffer != NULL)
                    {
                        result = func(key, 3, buffer, size, &size);
                        if (result == STATUS_SUCCESS)
                        {
                            // The name in KEY_NAME_INFORMATION is not NUL-terminated; terminate it ourselves.
                            buffer[size / sizeof(wchar_t)] = L'\0';
                            // The buffer starts with a 4-byte NameLength field, so skipping two wchar_t
                            // lands on the first character of the path.
                            keyPath = std::wstring(buffer + 2);
                        }
                        delete[] buffer;
                    }
                }
            }
            FreeLibrary(dll);
        }
    }
    return keyPath;
}
Hope this helps.
Best Regards,
Sera Yu
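The NtQueryKey approach in the answer needs an open HKEY, whereas the KeyObject printed in the question's events is a kernel-mode object address, not a handle the consumer can pass to NtQueryKey. One way to make that address useful inside the consumer, shown here as an added example that is not part of the original question or answer: keep a cache keyed by KeyObject, fill it from whichever events arrive with a populated KeyName, and resolve later events whose KeyName is empty by lookup. The example assumes that the provider delivers at least one event naming the key for the same KeyObject before the DeleteValueKey event (the event IDs and the key path in the sample are placeholders constructed for the demonstration); it is portable C++ with no ETW calls, modelling only the fields the question's callback already extracts.

```cpp
#include <cstdint>
#include <map>
#include <sstream>
#include <string>
#include <vector>
#include <iostream>

// Minimal model of the fields the question's callback extracts from a registry event
// (constructed for this example; the event ID values are placeholders).
struct RegistryEvent {
    uint16_t     eventId;
    uint64_t     keyObject;   // kernel address of the key object; usable only for correlation
    uint32_t     status;      // NTSTATUS
    std::wstring keyName;     // often empty, as the question observed
    std::wstring valueName;
};

// Turns an opaque KeyObject address into the last full key path seen for it.
class KeyObjectCache {
public:
    // Record a path for this KeyObject from any event that carries a non-empty KeyName.
    void remember(uint64_t keyObject, const std::wstring& keyName) {
        if (!keyName.empty()) cache_[keyObject] = keyName;
    }

    // Kernel object addresses are reused once the object is freed, so drop the mapping
    // when the consumer sees the key closed or deleted (which event IDs mean that depends
    // on the provider and keyword mask in use; the caller decides).
    void forget(uint64_t keyObject) { cache_.erase(keyObject); }

    // Prefer the event's own KeyName, fall back to the cache; false when neither knows it.
    bool resolveKeyPath(const RegistryEvent& ev, std::wstring& out) const {
        if (!ev.keyName.empty()) { out = ev.keyName; return true; }
        auto it = cache_.find(ev.keyObject);
        if (it == cache_.end()) return false;
        out = it->second;
        return true;
    }

    size_t size() const { return cache_.size(); }

private:
    std::map<uint64_t, std::wstring> cache_;
};

// Build "<key path>\<value name>"; an unresolvable KeyObject is still reported explicitly
// so the event is visible in the consumer's log instead of being silently dropped.
std::wstring FullValuePath(const KeyObjectCache& cache, const RegistryEvent& ev) {
    std::wstring keyPath;
    if (!cache.resolveKeyPath(ev, keyPath)) {
        std::wostringstream os;
        os << L"<unresolved KeyObject 0x" << std::uppercase << std::hex << ev.keyObject << L">";
        keyPath = os.str();
    }
    if (ev.valueName.empty()) return keyPath;      // key-level event: no value component
    return keyPath + L"\\" + ev.valueName;
}

// Process events in arrival order, learning key names as they appear, and return one
// resolved path per event.
std::vector<std::wstring> ProcessEvents(const std::vector<RegistryEvent>& events) {
    KeyObjectCache cache;
    std::vector<std::wstring> paths;
    for (const RegistryEvent& ev : events) {
        cache.remember(ev.keyObject, ev.keyName);
        paths.push_back(FullValuePath(cache, ev));
    }
    return paths;
}

// Constructed sample: an earlier event naming the key (NT-native path format, as NtQueryKey
// would return it) for the KeyObject the question printed, then the two value events from
// the question with an empty KeyName, then an event for a KeyObject that was never named.
std::vector<RegistryEvent> SampleEvents() {
    return {
        {0, 0xFFFFC00077FC6B70ULL, 0x0, L"\\REGISTRY\\MACHINE\\SOFTWARE\\ExampleApp", L""},
        {6, 0xFFFFC00077FC6B70ULL, 0x0, L"", L"New Value #1"},
        {6, 0xFFFFC00077FC6B70ULL, 0x0, L"", L"Hai"},
        {6, 0xFFFFC00077FC6B71ULL, 0x0, L"", L"Orphan"},
    };
}

int main() {
    for (const std::wstring& p : ProcessEvents(SampleEvents())) std::wcout << p << L"\n";
    return 0;
}
```

In a real consumer the `remember` call sits in the EventRecordCallback, and `forget` is wired to whatever close/delete events the chosen keyword mask actually delivers; with only the DeleteValueKey keyword enabled, as in the question, the cache would never be populated, which is the practical reason the KeyName shows up empty.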