I hooked the ZwCreateKey function to monitor the creation of registry keys.
By the way, registry open operations as well as registry create operations
seem to go via this function.
Is there any method that can distinguish create from open in the
ZwCreateKey function?
Any answer'll be greatly appreciated!
Best regards,
csjung.
Actually I notice more ZwOpenKey calls than ZwCreateKey calls.

In ZwCreateKey, you can tell if the key was created or opened by looking at the Disposition parameter. If the API returns STATUS_SUCCESS, Disposition (assuming it is non-NULL) will have either REG_CREATED_NEW_KEY (0x00000001L) or REG_OPENED_EXISTING_KEY (0x00000002L).

Randy
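As an added illustration of Randy's point (this is not code from the thread or from any driver it mentions): a ZwCreateKey hook wrapper that substitutes its own Disposition when the caller passes NULL, then classifies the outcome only when the returned status reports success. The in-memory key table, the NT type and constant definitions, and the fake original function are constructed stand-ins for the real registry and for ntddk.h.

```c
#include <string.h>

/* Constructed stand-ins for the NT types and constants named in the thread;
 * a real driver gets these from ntddk.h. NTSTATUS is a 32-bit signed value. */
typedef int NTSTATUS;
typedef unsigned long ULONG;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL      ((NTSTATUS)0xC0000001L)
#define NT_SUCCESS(s)            ((s) >= 0)
#define REG_CREATED_NEW_KEY      0x00000001L
#define REG_OPENED_EXISTING_KEY  0x00000002L
enum KeyOutcome { KEY_CREATED, KEY_OPENED, KEY_FAILED, KEY_UNKNOWN };

/* Constructed fake registry standing in for the original (un-hooked) ZwCreateKey:
 * existing path -> opened; new path -> appended and reported as created. */
#define MAX_KEYS 16
static char fake_registry[MAX_KEYS][128];
static int  fake_key_count;
static void FakeRegistryReset(void) { fake_key_count = 0; }

static NTSTATUS FakeOriginalZwCreateKey(const char *path, ULONG *Disposition) {
    for (int i = 0; i < fake_key_count; i++)
        if (strcmp(fake_registry[i], path) == 0) {
            if (Disposition) *Disposition = REG_OPENED_EXISTING_KEY;
            return STATUS_SUCCESS;
        }
    if (fake_key_count == MAX_KEYS || strlen(path) >= sizeof fake_registry[0])
        return STATUS_UNSUCCESSFUL;
    strcpy(fake_registry[fake_key_count++], path);
    if (Disposition) *Disposition = REG_CREATED_NEW_KEY;
    return STATUS_SUCCESS;
}

/* The hook body. Callers may pass NULL for Disposition, so the hook supplies a
 * local ULONG; otherwise it could never learn whether the key was created or
 * merely opened. Disposition is only meaningful on success, so check that first. */
static enum KeyOutcome HookedZwCreateKey(const char *path, ULONG *Disposition,
                                         NTSTATUS *StatusOut) {
    ULONG localDisp = 0;
    ULONG *disp = Disposition ? Disposition : &localDisp;
    NTSTATUS st = FakeOriginalZwCreateKey(path, disp);
    if (StatusOut) *StatusOut = st;
    if (!NT_SUCCESS(st)) return KEY_FAILED;
    if (*disp == REG_CREATED_NEW_KEY) return KEY_CREATED;
    if (*disp == REG_OPENED_EXISTING_KEY) return KEY_OPENED;
    return KEY_UNKNOWN; /* success with an unrecognised disposition value */
}
```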
— “Chang Sung, Jung.” wrote:
> I hooked the ZwCreateKey function to monitor the creation of
> registry keys.
> By the way, registry open operations as well as
> registry create operations
> seem to go via this function.
> Is there any method that can distinguish create from
> open in the
> ZwCreateKey function?
>
> Any answer'll be greatly appreciated!
>
> Best regards,
> csjung.