How can I receive a callback when the SOFTWARE registry is loaded?

I registered the registry callback as shown below, and the callback function is being invoked properly.

// registryCallbackAltitude is the UNICODE_STRING altitude; registryCallbackCookie receives the
// LARGE_INTEGER cookie needed later for CmUnRegisterCallback and CmCallbackGetKeyObjectIDEx
NTSTATUS status = CmRegisterCallbackEx(registryCallback, &registryCallbackAltitude, driverObject, nullptr, &registryCallbackCookie, nullptr);

Here is the callback function. It seems that even when the SOFTWARE hive appears under \REGISTRY\MACHINE after not being there initially, it doesn't trigger RegNtPostLoadKey. What might be going wrong?

NTSTATUS registryCallback(PVOID context, PVOID arg1, PVOID arg2)
{
    // Argument1 carries the REG_NOTIFY_CLASS, Argument2 a class-specific structure
    REG_NOTIFY_CLASS notifyClass = (REG_NOTIFY_CLASS)(ULONG_PTR)arg1;
    UNREFERENCED_PARAMETER(context);

    if (notifyClass == RegNtPostLoadKey)
    {
        // For post-operation classes Argument2 is REG_POST_OPERATION_INFORMATION;
        // its PreInformation points at the REG_LOAD_KEY_INFORMATION of the request
        REG_POST_OPERATION_INFORMATION *postOperationInformation = (REG_POST_OPERATION_INFORMATION *)arg2;
        if (postOperationInformation != nullptr && postOperationInformation->Status == STATUS_SUCCESS)
        {
            // a hive load completed successfully; handle it here
        }
    }

    return STATUS_SUCCESS;
}

The reason your registry callback registered via CmRegisterCallbackEx does not trigger the RegNtPostLoadKey notification when the SOFTWARE hive is loaded is as follows:

  • During early Windows boot stages, system hives such as SYSTEM, SOFTWARE, SECURITY, and SAM typically are not loaded via the standard NtLoadKey mechanism. Instead, these essential hives are loaded internally by the operating system. Consequently, the registry callback notification types RegNtPreLoadKey / RegNtPostLoadKey are not invoked for these initial hives.
  • Rather, initial access to these system hives typically triggers callbacks of type RegNtPreOpenKeyEx / RegNtPostOpenKeyEx, since the hives are effectively already present when accessed at this stage of the boot process.
  • Thus, the RegNtPostLoadKey event will only be triggered when hives are manually loaded at runtime (e.g., via explicit calls to NtLoadKey) by a driver or user-mode process, rather than at initial system boot.

In summary, to reliably detect the SOFTWARE hive loading at system startup, you should rely on detecting key open events (using RegNtPostOpenKeyEx) instead of load-key events.
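Added example, not code from this thread or from Microsoft: a RegNtPostOpenKeyEx handler that recognises the first successful open of a key inside the SOFTWARE hive and fires a one-shot action. The name matching and the one-shot logic are plain C so they can be compiled and exercised on any host; the driver glue at the end is compiled only when SOFTWARE_WATCH_KERNEL_BUILD is defined. That switch, the names IsSoftwareHiveKey, OnPostOpenKey, SoftwareHiveOpenCallback, RunHarness and the global g_registryCallbackCookie are all assumptions of this example, and the harness notifications are constructed, not captured from a real boot.

```c
#include <stddef.h>
#ifdef SOFTWARE_WATCH_KERNEL_BUILD      /* assumed switch: defined when built inside a WDK driver project */
#include <ntddk.h>
#else                                   /* user-mode stand-ins so the logic below runs and tests offline */
#include <stdint.h>
typedef uint16_t WCHAR;                 /* the kernel's WCHAR is 16-bit; host wchar_t may not be */
typedef long NTSTATUS;
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000L)
#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)
#endif

typedef struct { volatile long fired; } SOFTWARE_HIVE_WATCH;

/* 1 if name[0..nameChars) is \REGISTRY\MACHINE\SOFTWARE or a key beneath it: case-insensitive
 * and component-aware, so \REGISTRY\MACHINE\SOFTWAREX is rejected. nameChars is a character
 * count (UNICODE_STRING.Length / sizeof(WCHAR)); the buffer need not be NUL-terminated. */
int IsSoftwareHiveKey(const WCHAR *name, size_t nameChars)
{
    static const char prefix[] = "\\REGISTRY\\MACHINE\\SOFTWARE";
    size_t i, prefixChars = sizeof(prefix) - 1;
    if (name == NULL || nameChars < prefixChars)
        return 0;
    for (i = 0; i < prefixChars; i++) {
        WCHAR c = name[i];
        if (c >= (WCHAR)'a' && c <= (WCHAR)'z')
            c = (WCHAR)(c - 32);        /* ASCII upcase is all this prefix needs */
        if (c != (WCHAR)prefix[i])
            return 0;
    }
    return nameChars == prefixChars || name[prefixChars] == (WCHAR)'\\';
}

/* One RegNtPostOpenKeyEx notification. Returns 1 exactly once per watcher: on the first
 * *successful* open of a SOFTWARE-hive key. Failed opens (STATUS_OBJECT_NAME_NOT_FOUND
 * before the hive is linked in) are ignored, which is why Status is checked before the name. */
int OnPostOpenKey(SOFTWARE_HIVE_WATCH *w, NTSTATUS status, const WCHAR *name, size_t nameChars)
{
    if (status != STATUS_SUCCESS || !IsSoftwareHiveKey(name, nameChars))
        return 0;
#ifdef SOFTWARE_WATCH_KERNEL_BUILD
    return InterlockedCompareExchange(&w->fired, 1, 0) == 0;   /* callbacks run concurrently */
#else
    if (w->fired) return 0;             /* the harness is single-threaded */
    w->fired = 1;
    return 1;
#endif
}

#ifdef SOFTWARE_WATCH_KERNEL_BUILD
/* Driver glue. g_registryCallbackCookie is assumed to hold the LARGE_INTEGER CmRegisterCallbackEx
 * returned; CmCallbackGetKeyObjectIDEx (Windows 8+) yields the opened key's full \REGISTRY\... path. */
extern LARGE_INTEGER g_registryCallbackCookie;
static SOFTWARE_HIVE_WATCH g_watch;
NTSTATUS SoftwareHiveOpenCallback(PVOID context, PVOID arg1, PVOID arg2)
{
    REG_NOTIFY_CLASS cls = (REG_NOTIFY_CLASS)(ULONG_PTR)arg1;
    REG_POST_OPERATION_INFORMATION *post = (REG_POST_OPERATION_INFORMATION *)arg2;
    PCUNICODE_STRING name = NULL;
    UNREFERENCED_PARAMETER(context);
    if (cls != RegNtPostOpenKeyEx || post == NULL || post->Status != STATUS_SUCCESS || post->Object == NULL)
        return STATUS_SUCCESS;
    if (NT_SUCCESS(CmCallbackGetKeyObjectIDEx(&g_registryCallbackCookie, post->Object, NULL, &name, 0))) {
        if (OnPostOpenKey(&g_watch, post->Status, name->Buffer, name->Length / sizeof(WCHAR))) {
            /* first successful open inside SOFTWARE: the hive is now linked in; do the real work here */
        }
        CmCallbackReleaseKeyObjectIDEx(name);
    }
    return STATUS_SUCCESS;              /* a post-operation callback must not fail the caller's open */
}
#else
/* Harness over constructed notifications (not captured from a real system). */
static size_t ToWide(const char *s, WCHAR *out, size_t cap)
{
    size_t n = 0;
    for (; s[n] != '\0' && n < cap; n++) out[n] = (WCHAR)(unsigned char)s[n];
    return n;
}

/* Boot-like sequence fed to one watcher; returns the 0-based index of the notification
 * that fired the one-shot, or -1. Only event 3 qualifies. */
int RunHarness(void)
{
    static const struct { NTSTATUS status; const char *path; } ev[] = {
        { STATUS_SUCCESS,               "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet" },
        { STATUS_OBJECT_NAME_NOT_FOUND, "\\REGISTRY\\MACHINE\\SOFTWARE" },  /* hive not there yet */
        { STATUS_SUCCESS,               "\\REGISTRY\\MACHINE\\SOFTWAREX" },  /* sibling, no match */
        { STATUS_SUCCESS,               "\\Registry\\Machine\\Software\\Microsoft" },
        { STATUS_SUCCESS,               "\\REGISTRY\\MACHINE\\SOFTWARE" },  /* already fired */
    };
    SOFTWARE_HIVE_WATCH w = { 0 };
    WCHAR buf[128]; int fired = -1; size_t i;
    for (i = 0; i < sizeof(ev) / sizeof(ev[0]); i++)
        if (OnPostOpenKey(&w, ev[i].status, buf, ToWide(ev[i].path, buf, 128)) && fired < 0)
            fired = (int)i;
    return fired;
}

int main(void) { return RunHarness() == 3 ? 0 : 1; }
#endif
```

On a host, `gcc -std=c99 software_hive_watch.c && ./a.out` runs the harness; in the driver project define SOFTWARE_WATCH_KERNEL_BUILD and register SoftwareHiveOpenCallback instead of the RegNtPostLoadKey handler above. Two caveats a practitioner should keep in mind: the "first successful open" is only the moment the hive became reachable if the callback was registered before that, otherwise it is just the first open seen after registration; and CmCallbackGetKeyObjectIDEx exists from Windows 8 on, so for older targets the path has to be assembled from the RootObject and CompleteName fields in the REG_OPEN_KEY_INFORMATION that PreInformation points at.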


Hail GPT!

“Thanks for clarifying this, Sooncheol_Won! That makes sense why my RegNtPostLoadKey handler wasn’t firing. Good tip about monitoring RegNtPostOpenKeyEx instead, I’ll try hooking into that to catch SOFTWARE hive activity.”
