I am filtering on registry changes (CmRegisterCallback) using
ObQueryNameString to get the full key name. I am currently calling
ObQueryNameString in each pre-callback. I then store the full key or
value path in a hash table for use in the post-callback and remove the
entry from the hash table in the post-callback.
This requires a call to ObQueryNameString each time, but my hash table
remains small because I remove entries after each post-callback.
My question is whether anyone knows of performance issues with
ObQueryNameString and whether it would be faster to keep the entries in
the hash table (instead of removing them in the post-callback) and use
the hash table lookup for subsequent events on the same keys. I would
obviously have to limit the max size of my hash table.
Thanks
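
The alternative design asked about above (keep names cached across events and cap the table size), shown as an added example that is not the poster's code: a user-mode C model of a bounded cache keyed by key object pointer, with LRU eviction and an invalidation hook. `model_key`, `slow_query_name`, `cache_get_name` and `cache_invalidate` are hypothetical names, and calling the invalidation hook on handle close and key rename is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>
#define CACHE_SLOTS 4      /* hard cap on cached names (constructed value) */
#define NAME_CHARS 128

/* Hypothetical stand-in for the kernel key object passed to the callback. */
typedef struct { char name[NAME_CHARS]; } model_key;

typedef struct {
    const model_key *object;   /* cache key: object pointer; NULL = free slot */
    unsigned long last_used;   /* logical clock for LRU; 0 = free slot */
    char path[NAME_CHARS];
} name_entry;
static name_entry g_cache[CACHE_SLOTS];
static unsigned long g_clock;
static unsigned g_slow_queries;   /* times the expensive query ran */

/* Stand-in for ObQueryNameString (the real call fills a UNICODE_STRING). */
static void slow_query_name(const model_key *key, char *out, size_t cap)
{
    g_slow_queries++;
    snprintf(out, cap, "%s", key->name);
}

/* Return the cached path, querying and evicting the LRU slot on a miss. */
const char *cache_get_name(const model_key *key)
{
    name_entry *victim = &g_cache[0];
    for (int i = 0; i < CACHE_SLOTS; i++) {
        name_entry *e = &g_cache[i];
        if (e->object == key) {          /* hit: no name query needed */
            e->last_used = ++g_clock;
            return e->path;
        }
        if (e->last_used < victim->last_used)
            victim = e;                  /* free slots (0) are taken first */
    }
    slow_query_name(key, victim->path, sizeof victim->path);
    victim->object = key;
    victim->last_used = ++g_clock;
    return victim->path;
}

/* Assumed to run on handle close and key rename: drop the stale entry. */
void cache_invalidate(const model_key *key)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (g_cache[i].object == key)
            memset(&g_cache[i], 0, sizeof g_cache[i]);
}
```

Without the invalidation call, a lookup after a rename returns the old path, which matters if the filter logs or makes decisions based on key names.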