Hi all,
I’m using a filter driver with CmRegisterCallback to monitor changes to
the registry but I can’t find any way to get a callback when a key’s
ACLs are modified.
Does anyone know of a way to monitor changes to a registry key’s ACLs?
Thanks,
Paul
Paul
This is a known weakness with the Cm callbacks indeed. I can make a
suggestion but it is not that great. Observe that keys tend to be open in
quite a transient manner. First when the key has just been opened (with
appropriate permissions perhaps) read the security descriptor and cache that
security descriptor. Second when the key is about to be closed read the
security descriptor and compare with the cached security descriptor. So far
as I know the one other option is to hook ZwSetSecurityObject which isn't
much of an option to be frank. It will be interesting to see if this
shortcoming in Cm callbacks will be rectified in Longhorn and/or if value
contributors have better suggestions.
Cheers
Lyndon
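
The cache-on-open, compare-on-close idea from the reply above, as an added sketch in portable C (not code from either poster). It assumes the caller has already read the key's security descriptor in self-relative form and passes it in as a byte buffer; the function names, the table size and the key_object identity are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 64  /* constructed limit for this sketch */

/* One snapshot per open key. key_object is a hypothetical identity
   for the open key (any pointer that is unique per open). */
struct sd_snapshot {
    const void    *key_object;
    unsigned char *sd;      /* private copy of the self-relative descriptor */
    size_t         sd_len;
};
static struct sd_snapshot g_cache[MAX_TRACKED];

/* After a successful open: cache the descriptor. 0 = cached, -1 = not cached. */
int acl_track_open(const void *key_object, const void *sd, size_t sd_len)
{
    if (key_object == NULL || sd == NULL || sd_len == 0) return -1;
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        if (g_cache[i].key_object != NULL) continue;
        unsigned char *copy = malloc(sd_len);
        if (copy == NULL) return -1;
        memcpy(copy, sd, sd_len);
        g_cache[i] = (struct sd_snapshot){ key_object, copy, sd_len };
        return 0;
    }
    return -1;  /* table full: this open goes unmonitored */
}

/* Before close: compare the freshly read descriptor with the cached one,
   then drop the entry. 1 = changed, 0 = unchanged, -1 = key not tracked. */
int acl_check_close(const void *key_object, const void *sd, size_t sd_len)
{
    if (key_object == NULL || sd == NULL) return -1;
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        struct sd_snapshot *e = &g_cache[i];
        if (e->key_object != key_object) continue;
        /* A length difference alone already means the descriptor changed. */
        int changed = e->sd_len != sd_len || memcmp(e->sd, sd, sd_len) != 0;
        free(e->sd);
        memset(e, 0, sizeof *e);
        return changed;
    }
    return -1;
}
```

The byte-wise compare is only meaningful for self-relative descriptors, since the absolute form holds pointers rather than contiguous data. A driver using this pattern would also need a lock around the table.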