Dear All:
My partner wrote a small WISE script (WISE is similar to InstallShield) to
create and modify some registry entries.
Regedit indicates that the script is working. I can see the keys being
created.
I use SoftIce to set a breakpoint on ZwCreateKey and ZwOpenKey. I don’t see
the change.
I would have guessed that W2K would at some point pass the registry creation
and/or change down to one of these functions.
I’m assuming my assumption is wrong.
What’s going on?
Ralph Shnelvar
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
Take a look at http://www.sysinternals.com/ntw2k/source/regmon.shtml to see
how you can monitor registry changes.
–
Bartjan.
Hello,
Putting breakpoints on ZwCreateKey and ZwOpenKey will
not work. You need to put breakpoints on NtCreateKey
and NtOpenKey in NTOSKRNL.EXE. In kernel mode, Ntxx is
the actual implementation of system service and Zwxx
is system call wrapper which issues int 2eh.
The user mode applications call system call wrappers
in NTDLL.DLL and system call handler (int 2eh handler)
ends up calling Ntxx function in NTOSKRNL.EXE.
Hope this helps.
-Prasad
=====
Prasad S. Dabak
Chief Software Architect
Ensim India Private Limited
http://www.ensim.com
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698
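The call path described in the reply above, as an added example that is not part of the original thread: a user-space C model (not kernel code) in which each routine records its symbol, so the path taken by a user-mode installer can be compared with that of a kernel-mode driver. The service indexes and helper names are constructed for illustration.

```c
/* Added illustration: user-space model of the Windows 2000 x86 system call
 * path described in the post. Service indexes are constructed, not real. */
#include <stdio.h>
#include <string.h>

enum { SVC_CREATE_KEY, SVC_OPEN_KEY, SVC_COUNT };   /* constructed indexes */

static char trace[256];                             /* symbols executed, in order */
static void visit(const char *sym) {
    if (trace[0]) strncat(trace, " -> ", sizeof trace - strlen(trace) - 1);
    strncat(trace, sym, sizeof trace - strlen(trace) - 1);
}

/* NTOSKRNL.EXE Nt routines: the actual service implementations. */
static int nt_create_key(void) { visit("ntoskrnl!NtCreateKey"); return 0; }
static int nt_open_key(void)   { visit("ntoskrnl!NtOpenKey");   return 0; }

/* Table the int 2eh handler indexes with the number supplied by the wrapper. */
static int (*const service_table[SVC_COUNT])(void) = { nt_create_key, nt_open_key };
static int int2e(int index) { visit("int 2eh"); return service_table[index](); }

/* NTDLL.DLL wrapper: the entry point used by user-mode applications. */
static int ntdll_create_key(void) { visit("ntdll!NtCreateKey"); return int2e(SVC_CREATE_KEY); }
/* NTOSKRNL.EXE Zw wrapper: only kernel-mode callers (drivers) pass through it. */
static int ntos_zw_create_key(void) { visit("ntoskrnl!ZwCreateKey"); return int2e(SVC_CREATE_KEY); }

/* Run one caller and return the path it took (buffer is reused per call). */
const char *user_mode_installer(void) { trace[0] = 0; ntdll_create_key();   return trace; }
const char *kernel_mode_driver(void)  { trace[0] = 0; ntos_zw_create_key(); return trace; }

/* Would a breakpoint on `symbol` fire somewhere along `path`? */
int breakpoint_fires(const char *path, const char *symbol) {
    return strstr(path, symbol) != NULL;
}

static void report(const char *who, const char *path) {
    const char *bps[] = { "ntoskrnl!ZwCreateKey", "ntoskrnl!NtCreateKey" };
    printf("%s: %s\n", who, path);
    for (int i = 0; i < 2; i++)
        printf("  bp %-22s %s\n", bps[i], breakpoint_fires(path, bps[i]) ? "fires" : "silent");
}

int main(void) {
    report("installer (user mode)", user_mode_installer());
    report("driver (kernel mode)", kernel_mode_driver());
    return 0;
}
```

In the model, the installer's path never touches the kernel's Zw wrapper, which matches the silent breakpoint reported in the original question.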
Dear Prasad:
Are NtCreateKey and NtOpenKey exported symbols?
Ralph Shnelvar
On Wed, 28 Nov 2001 05:48:52 -0800 (PST), you wrote:
> Hello,
> Putting breakpoints on ZwCreateKey and ZwOpenKey will
> not work. You need to put breakpoints on NtCreateKey
> and NtOpenKey in NTOSKRNL.EXE. In kernel mode, Ntxx is
> the actual implementation of system service and Zwxx
> is system call wrapper which issues int 2eh.
> The user mode applications call system call wrappers
> in NTDLL.DLL and system call handler (int 2eh handler)
> ends up calling Ntxx function in NTOSKRNL.EXE.
> Hope this helps.
> -Prasad
Hello,
No, they are not exported symbols from NTOSKRNL.EXE.
At least that's the case on my Windows 2000 machine
without any service packs.
However, if you are putting breakpoints from SoftIce,
you can load symbolic information for NTOSKRNL.EXE in
SoftIce and then you should be able to put breakpoints
on that.
-Prasad