Registry -> distinguish between open and create key.

I am trying to record all registry changes, and it appears that there are no NtRegPreCreateKey(Ex) events coming at all.

If I manually create a key, I'll get NtRegPreOpenKeyEx. So I am unable to check whether this key is just opened or created.

There is an "Option" field in REG_OPEN_KEY_INFORMATION_V1, but it does not seem reliable.

Is there any _reliable_ way to distinguish creation from simple opening?
