Registry hooks problems

Hi,

Introduction:
*****************
I am trying to hook to the registry using the CmRegisterCallback API ( XP and above ), all registry activity is reported to the callback registered with CmRegisterCallback.

The problem:
******************
I have to resolve the Root key of each Open/Create registry request ( e.g. HKEY_LOCAL_MACHINE, … ), BUT, I can not figure out how to achieve it, some of the values returned through the ‘RegNtPostOpenKey’ message include ‘\Registry\Machine\Hard…’, in that case there is no problem to resolve the RootKey ( Machine = HKEY_LOCAL_MACHINE ), but some messages don’t include the trailing ‘\Registry\Machine’ so their RootKey cannot be resolved…

How can I resolve the RootKey of any RegNtPostOpenKey/RegNtPreOpenKey call ???

Any comment help or idea would be appreciated…

Nadav.



Use RegNtPostOpenKeyEx

----- Original Message -----
From: Nadav
To: Windows File Systems Devs Interest List
Sent: Thursday, June 09, 2005 2:33 PM
Subject: [ntfsd] Registry hooks problems

Hi,

Introduction:
*****************
I am trying to hook to the registry using the CmRegisterCallback API ( XP and
above ), all registry activity is reported to the callback registered with
CmRegisterCallback.

The problem:
******************
I have to resolve the Root key of each Open/Create registry request ( e.g.
HKEY_LOCAL_MACHINE, … ), BUT, I can not figure out how to achieve it, some
of the values returned through the ‘RegNtPostOpenKey’ message include
‘\Registry\Machine\Hard…’, in that case there is no problem to resolve the
RootKey ( Machine = HKEY_LOCAL_MACHINE ), but some messages don’t include
the trailing ‘\Registry\Machine’ so their RootKey cannot be resolved…

How can I resolve the RootKey of any RegNtPostOpenKey/RegNtPreOpenKey call
???

Any comment help or idea would be appreciated…

Nadav.
