4

Could people please give me pointers (no pun intended) for topics I will need to research in order to be able to do this? I'm not really an expert on Windows, however I'm very quick at picking up new concepts.

I saw the process monitor program which Mark Russinovich and Bryce Cogswell wrote: http://technet.microsoft.com/en-gb/sysinternals/bb896645

which can look at everything happening registry key-wise within the kernel. I've been able to do this sort of thing using C# and user-level registry accesses in the past, but i couldnt reach the kernel using the wrapper suite I got from codeproject.

Can people please help with me regards to where i should start? I guess i'm asking more for help on the Windows/OS aspect of this.

Reason for doing this: (I'm more of a Java than C++ programmer, however I want to get into the latter. The best way to learn is to do something which interests you, so as i'm interested in real-time applications, this is the cheapest one I could think of (without having to pay for data).)

ben
  • 13
  • 4
David
  • 53
  • 1
  • 4

2 Answers2

3

For kernel-mode, take a look at CmRegisterCallback.

I believe Process Monitor uses the Event Tracing for Windows functions, however; see, for example, EtwRegister.

user541686
  • 205,094
  • 128
  • 528
  • 886
1

Writing a kernel-mode driver to intercept registry reads/writes is extremely difficult. If you just want to see both user and kernel-mode registry accesses, the best way to do so is via a real-time ETW trace listener. With this, you get all of the monitoring you want, without the terrifying proposition of modifying a running kernel. Mark doesn't use this because at the time it didn't exist, but nowadays I'm sure he'd recommend you do this instead. If you're familiar with DTrace on Linux, ETW is Windows' closest equivalent (it's as performant as DTrace, but not nearly as user-friendly or scriptable)

Check out http://blogs.msdn.com/b/matt_pietrek/archive/2005/03/23/401080.aspx for an intro to ETW, and here's a question on SO related to real-time ETW consumers: How do I register as a real-time ETW consumer for NT Kernel Events?

Community
  • 1
  • 1
Ana Betts
  • 73,868
  • 16
  • 141
  • 209
  • 1
    Maybe it _was_ difficult before Vista, but not anymore. Just a few lines of code really with help of CmRegisterCallbackEx. ([link](http://lordjeb.com/2014/01/14/registry-filter-drivers-part-1/)) – rustyx Aug 26 '15 at 14:54