RegistryCallback and RegCreateKeyEx


Problem description

I want to monitor a Windows machine. I created a Windows service, and my purpose is to be notified when a process tries to create a new registry key.

I use RegistryCallback with the following signature:

NTSTATUS RegistryCallback(
  _In_      PVOID CallbackContext,
  _In_opt_  PVOID Argument1,
  _In_opt_  PVOID Argument2
)

The RegistryCallback was registered with CmRegisterCallback. The problem is that I am notified for every registry key creation; however, I want to be notified only for the creation of new registry keys, or at least to get the information that the key already existed. Is there any way to do so?

Recommended answer

You can't request specific notifications, you have to receive them all. However, Argument1 tells you what kind of operation is being performed so you can process only the ones you are interested in. Argument2 contains a pointer to various structures, depending on the value of Argument1, that give you more detailed information about the operations. For example, when Argument1 is RegNtPostCreateKeyEx, Argument2 points to a REG_POST_OPERATION_INFORMATION struct whose PreInformation field points to a REG_CREATE_KEY_INFORMATION struct whose Disposition field tells you whether the key already existed or not.
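
The check the answer describes, written out as an added example (not code from the original post). The stand-in type block is an assumption that lets the filter compile outside the WDK and carries only the fields read here; `IsNewKeyCreation` is a hypothetical helper name, and the NULL check on `Disposition` is a defensive assumption.

```c
/* Added example. Driver builds (MSVC /kernel defines _KERNEL_MODE) use the WDK
   headers; elsewhere, stand-ins with only the fields read below are used. */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
#include <stddef.h>
#include <stdint.h>
typedef int32_t NTSTATUS; typedef uint32_t ULONG;
typedef uintptr_t ULONG_PTR; typedef void *PVOID;
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#define STATUS_SUCCESS ((NTSTATUS)0)
#define REG_CREATED_NEW_KEY 1u
#define REG_OPENED_EXISTING_KEY 2u
/* Stand-in numbering, not the WDK's enum values. */
typedef enum { RegNtPreCreateKeyEx, RegNtPostCreateKeyEx } REG_NOTIFY_CLASS;
typedef struct { ULONG *Disposition; } REG_CREATE_KEY_INFORMATION;
typedef struct { NTSTATUS Status; PVOID PreInformation; } REG_POST_OPERATION_INFORMATION;
#endif

/* Hypothetical helper: returns 1 only when the notification reports a key that
   did not exist before the call, 0 for every other notification. */
static int IsNewKeyCreation(PVOID Argument1, PVOID Argument2)
{
    /* Argument1 is the REG_NOTIFY_CLASS value cast to a pointer. */
    REG_NOTIFY_CLASS cls = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
    if (cls != RegNtPostCreateKeyEx || Argument2 == NULL)
        return 0;

    REG_POST_OPERATION_INFORMATION *post = (REG_POST_OPERATION_INFORMATION *)Argument2;
    /* A failed create has no meaningful disposition. */
    if (!NT_SUCCESS(post->Status) || post->PreInformation == NULL)
        return 0;

    REG_CREATE_KEY_INFORMATION *pre = (REG_CREATE_KEY_INFORMATION *)post->PreInformation;
    if (pre->Disposition == NULL)   /* defensive: nothing to read */
        return 0;
    return *pre->Disposition == REG_CREATED_NEW_KEY;
}

NTSTATUS RegistryCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
{
    (void)CallbackContext;
    if (IsNewKeyCreation(Argument1, Argument2)) {
        /* Record or forward the event here; opens of existing keys never reach this. */
    }
    return STATUS_SUCCESS;  /* monitoring only: let the operation proceed */
}
```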
