full path of the registry key

OSR_Community_User · May 15, 2007, 7:10am

Hi all,

we are developing a filter driver to monitor the registry. we are using CmRegisterCallback() to get the notifications of the registry access. but the thing is for some notifications the fullname of the accessed registry key is not obtained. can anyone give some information on how to get the full registry key path.

regards,
venu.d

OSR_Community_User · May 15, 2007, 8:04am

Venu,

You need to build the name when the key is first opened or created; the
RegNtPreOpen(Ex). You can allocate a context and associate this context
through the CmSetCallbackObjectContext(). Then for each subsequent
notification on this object you will be passed your context pointer
which contains the name.

There are others ways.

Pete

Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

xxxxx@patni.com wrote:

Hi all,

we are developing a filter driver to monitor the registry. we are using CmRegisterCallback() to get the notifications of the registry access. but the thing is for some notifications the fullname of the accessed registry key is not obtained. can anyone give some information on how to get the full registry key path.

regards,
venu.d

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · May 15, 2007, 9:56am

You can use ObQueryNameString to obtain the full path to the registry
object. To use this function, you just pass in the corresponding
registry object passed to you by the registry callback function.

Hao

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@patni.com
Sent: Tuesday, May 15, 2007 6:12 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] full path of the registry key

Hi all,

we are developing a filter driver to monitor the registry. we are using
CmRegisterCallback() to get the notifications of the registry access.
but the thing is for some notifications the fullname of the accessed
registry key is not obtained. can anyone give some information on how to
get the full registry key path.

regards,
venu.d

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@securitastech.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · May 16, 2007, 5:46am

hi peter,
we are developing this driver for winXp, but the call you mentioned CmSetCallbackObjectContext is available only on vista and above. is there any other way in Xp?

OSR_Community_User · May 16, 2007, 11:12am

You will need to implement it as Hao pointed out or keep your own
mapping from KeyObject to name in an internal cache.

Pete

Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

xxxxx@patni.com wrote:

hi peter,
we are developing this driver for winXp, but the call you mentioned CmSetCallbackObjectContext is available only on vista and above. is there any other way in Xp?

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
To unsubscribe send a blank email to xxxxx@lists.osr.com