I registered the registry callback as shown below, and the callback function is being invoked properly.
NTSTATUS status = CmRegisterCallbackEx(registryCallback, &registryCallbackAltitude, driverObject, nullptr, &registryCallbackCookie, nullptr);
Here is the callback function. It seems that even when the SOFTWARE hive appears under \REGISTRY\MACHINE after not being there initially, it doesn't trigger RegNtPostLoadKey. What might be going wrong?
NTSTATUS registryCallback(PVOID context, PVOID arg1, PVOID arg2)
{
    UNREFERENCED_PARAMETER(context);

    // arg1 carries the REG_NOTIFY_CLASS value for this notification.
    REG_NOTIFY_CLASS notifyClass = (REG_NOTIFY_CLASS)(size_t)arg1;
    if (notifyClass == RegNtPostLoadKey)
    {
        // For post-operation notifications, arg2 points to REG_POST_OPERATION_INFORMATION.
        REG_POST_OPERATION_INFORMATION *postOperationInformation = (REG_POST_OPERATION_INFORMATION *)arg2;
        if (postOperationInformation != nullptr && postOperationInformation->Status == STATUS_SUCCESS)
        {
        }
    }
    return STATUS_SUCCESS;
}