Problem on monitoring WindowsXP Registry...

Hi all,
We are developing a minifilter driver to monitor Windows XP's
registry access in such a way that it stops manual modification of specific
keys in the registry editor. I have registered CmRegisterCallback. When I
monitor the registry keys using REG_NOTIFY_CLASS's value RegNtPreOpenKey and
the REG_PRE_OPEN_KEY_INFORMATION structure, I am not getting the full path of
the opened key.
Also I want to monitor HKEY_CURRENT_USER and HKEY_CLASSES_ROOT as well, which
have no kernel-level equivalent objects.
But I found these keys are links to the subkeys of the keys which are
present either at HKLM or HKU.
Is there any method to get the full name (including the root key name) of the
accessed key even if the accessed key exists under HKCR, HKCU, or HKCC of the
registry editor?

http://www.patni.com
World-Wide Partnerships. World-Class Solutions.


This e-mail message may contain proprietary, confidential or legally
privileged information for the sole use of the person or entity to
whom this message was originally addressed. Any review, e-transmission
dissemination or other use of or taking of any action in reliance upon
this information by persons or entities other than the intended
recipient is prohibited. If you have received this e-mail in error
kindly delete this e-mail from your records. If it appears that this
mail has been forwarded to you without proper authority, please notify
us immediately at xxxxx@patni.com and delete this mail.


One solution to this problem is ObQueryNameString(), where you pass in
the key object pointer provided by the corresponding callbacks. For more
information on this, do a search on ObQueryNameString in the OSR
archive.

Hao


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Kathiresan M
Sent: Tuesday, July 24, 2007 9:46 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Problem on monitoring WindowsXP Registry…




Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17


Hi Kathir!

Below is the description of each hive of the registry:

  1. HKEY_CURRENT_USER - Subkey under HKEY_USERS corresponding to the
     currently logged on user

  2. HKEY_USERS - Not a link

  3. HKEY_CLASSES_ROOT - HKLM\Software\Classes

  4. HKEY_LOCAL_MACHINE - Not a link

  5. HKEY_CURRENT_CONFIG -
     HKLM\System\CurrentControlSet\HardwareProfiles\Current

When you monitor registry calls in the callback routine registered by
CmRegisterCallback, you would ALWAYS get the ACTUAL NAME.

For example:

You will get the path as \Registry\Machine\... for all the keys present in
HKEY_LOCAL_MACHINE.

If you want to map it back to the way you see them in user space (e.g.
Regedit.exe), you will have to do it manually.

Even ObQueryNameString would give you results like \Registry\Machine\...

If you want to print HKEY_CURRENT_USER instead of \Registry\Users\...:

Get the SID of the currently logged on user and then find that string in
\Registry\Users\SID\...

If it matches, replace \Registry\Users\SID\... with HKCU.

Do similarly for all the hives that are actually present in some other
hives.

Cheers!

Ayush Gupta

K7 Computing Private Limited
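A worked version of the mapping Ayush describes, added here as an example and not code posted by anyone in the thread: a portable C routine that turns the kernel-side name (\Registry\Machine\..., \Registry\User\<SID>\...) into the HKLM/HKU/HKCU/HKCR/HKCC spelling regedit shows. The link targets are tested before the generic hive prefixes (HKCR and HKCC are subkeys of HKLM, HKCU is a subkey of HKU), and the comparison is case-insensitive, as registry names are. Two details come from my own knowledge rather than from the thread: the kernel name of the users hive is \Registry\User (singular), and HKEY_CURRENT_CONFIG resolves to ...\CurrentControlSet\Hardware Profiles\Current, with a space in "Hardware Profiles". The SID in the sample is a constructed placeholder. Note that the mapping needs the full object name as input: in a RegNtPreOpenKey callback the name you are handed may be relative to a root key object, so first resolve the full name (ObQueryNameString, as Hao suggests) and then apply the mapping; a return of 0 means the name is outside the hives handled here and should not be reported under a guessed hive.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix test (registry names are case-insensitive).
 * Returns a pointer to the remainder of `path` after `prefix` when `path`
 * is exactly `prefix`, or `prefix` followed by a backslash; NULL otherwise,
 * so "\Registry\MachineX" is not mistaken for something under HKLM. */
static const char *strip_prefix_icase(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    for (size_t i = 0; i < n; i++) {
        if (path[i] == '\0' ||
            tolower((unsigned char)path[i]) != tolower((unsigned char)prefix[i]))
            return NULL;
    }
    if (path[n] == '\0' || path[n] == '\\')
        return path + n;   /* remainder is "" or begins with '\' */
    return NULL;
}

/* Write "<hive><remainder>" into out; 1 on success, 0 if it would not fit. */
static int emit(char *out, size_t outlen, const char *hive, const char *rest)
{
    int n = snprintf(out, outlen, "%s%s", hive, rest);
    return n >= 0 && (size_t)n < outlen;
}

/* Map a kernel registry name (the form a CmRegisterCallback callback or
 * ObQueryNameString reports) to the user-mode spelling regedit shows.
 * user_sid: string SID of the interactively logged-on user, or NULL when
 * unknown, in which case nothing is reported as HKCU. Returns 1 and fills
 * out on success, 0 when the name is outside the hives handled here. */
int map_kernel_registry_path(const char *kernel_path, const char *user_sid,
                             char *out, size_t outlen)
{
    const char *rest;
    char user_root[256];

    /* Links first: HKCR and HKCC are subkeys of HKLM, HKCU a subkey of HKU,
     * so they must be tested before the generic hive prefixes. */
    if ((rest = strip_prefix_icase(kernel_path,
            "\\Registry\\Machine\\Software\\Classes")) != NULL)
        return emit(out, outlen, "HKCR", rest);

    if ((rest = strip_prefix_icase(kernel_path,
            "\\Registry\\Machine\\System\\CurrentControlSet"
            "\\Hardware Profiles\\Current")) != NULL)
        return emit(out, outlen, "HKCC", rest);

    if (user_sid != NULL) {
        int n = snprintf(user_root, sizeof user_root,
                         "\\Registry\\User\\%s", user_sid);
        if (n > 0 && (size_t)n < sizeof user_root &&
            (rest = strip_prefix_icase(kernel_path, user_root)) != NULL)
            return emit(out, outlen, "HKCU", rest);
    }

    if ((rest = strip_prefix_icase(kernel_path, "\\Registry\\Machine")) != NULL)
        return emit(out, outlen, "HKLM", rest);

    if ((rest = strip_prefix_icase(kernel_path, "\\Registry\\User")) != NULL)
        return emit(out, outlen, "HKU", rest);

    return 0;
}

/* Convenience check: does kernel_path map to exactly `expected`? */
int maps_to(const char *kernel_path, const char *user_sid, const char *expected)
{
    char buf[512];
    return map_kernel_registry_path(kernel_path, user_sid, buf, sizeof buf) == 1
        && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample SID; a real driver would obtain the logged-on
     * user's SID from the session rather than hard-code it. */
    const char *sid = "S-1-5-21-1000000001-1000000002-1000000003-1001";
    const char *samples[] = {
        "\\Registry\\Machine\\Software\\Classes\\.txt",
        "\\Registry\\MACHINE\\Software\\Microsoft\\Windows",
        "\\Registry\\Machine\\System\\CurrentControlSet\\Hardware Profiles\\Current\\Software",
        "\\Registry\\User\\S-1-5-21-1000000001-1000000002-1000000003-1001\\Software\\Test",
        "\\Registry\\User\\S-1-5-18\\Software\\Test",
        "\\Registry\\MachineX\\Foo",
    };
    char out[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (map_kernel_registry_path(samples[i], sid, out, sizeof out))
            printf("%s\n  -> %s\n", samples[i], out);
        else
            printf("%s\n  -> (not under a known hive)\n", samples[i]);
    }
    return 0;
}
```

The order of the tests is the whole point: if the generic \Registry\Machine check ran first, everything under HKCR and HKCC would be reported as HKLM, which is technically true but not what a policy written against regedit's view expects. Keeping the kernel name alongside the mapped one in any log or block decision avoids ambiguity when the same key is reachable by two spellings.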

Yeah, now I understand the registry format at the kernel level. Thanks Ayush.


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ayush Gupta
Sent: Wednesday, July 25, 2007 12:52 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Problem on monitoring WindowsXP Registry…
