Thanks!
The heart of Regmon on Windows 9x is in the virtual device driver,
Regvxd.vxd. It is dynamically loaded, and in its initialization it uses
VxD service hooking (see our May 1996 Dr. Dobb's Journal article on VxD
service hooking for more information) to insert itself onto the call
chain of 16 registry access functions in the Windows 95 kernel (Virtual
Machine Manager). All registry activity, be it from 16-bit programs,
Win32 applications, or device drivers, is directed at these routines,
so Regmon catches all registry activity taking place on a machine.
On Windows NT, 2000 and XP Regmon loads a device driver that uses a
technique we pioneered for NT called system-call hooking. When a
user-mode component makes a privileged system call, control is
transferred to a software interrupt handler in NTOSKRNL.EXE (the core of
the Windows NT operating system). This handler takes a system call
number, which is passed in a machine register, and indexes into a system
service table to find the address of the NT function that will handle
the request. By replacing entries in this table with pointers to hooking
functions, it is possible to intercept and replace, augment, or monitor
NT system services. Regmon, which obviously hooks just the
Registry-related services, is merely one example of this capability in
action.
On Windows .NET Server Regmon takes advantage of a new operating system
Registry callback mechanism to register for and receive information
about Registry accesses as they occur. When you run Regmon on .NET
Server it loads a version of the Regmon driver utilizing the callbacks.
When Regmon sees an open, create or close call, it updates an internal
hash table that serves as the mapping between key handles and registry
path names. Whenever it sees calls that are handle based, it looks up
the handle in the hash table to obtain the full name for display. If a
handle-based access references a key opened before Regmon started,
Regmon will fail to find the mapping in its hash table and will simply
present the key's value instead.
Information on accesses is dumped into an ASCII buffer that is
periodically copied up to the GUI for it to print in its listbox.
For more detailed information on how Regmon works on Windows NT, see:
* "Windows NT System Call Hooking," by Mark Russinovich and Bryce
Cogswell, Dr. Dobb's Journal, January 1997
* "Inside NT Utilities", Windows NT Magazine, February 1999.
WMI may be another simple way for my case.
"www.fruitfruit.com" <no_e...@fruitfruit.com>
:ufrFAb3u...@TK2MSFTNGP05.phx.gbl...
RegNotifyChangeKeyValue
-- David
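As an added example (not Regmon's or Sysinternals' code), here is a small Python model of the handle-to-path table described in the quoted text: open and create calls populate it, handle-based calls are resolved through it, close removes the entry so a recycled handle value is not mislabelled, and a handle opened before monitoring started falls back to its raw value. The event shape, handle values and key paths are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class RegEvent:
    op: str            # "open", "create", "close", "query" or "set"
    handle: int        # key handle returned by open/create or used by the call
    name: str = ""     # open/create: key name relative to `parent`
    parent: int = 0    # open/create: parent key handle; 0 means absolute name
    value: str = ""    # query/set: value name being accessed

@dataclass
class HandleTracker:
    # handle -> full key path: the hash table between handles and path names
    paths: Dict[int, str] = field(default_factory=dict)

    def display_name(self, handle: int) -> str:
        # A key opened before monitoring started has no entry; show the raw handle
        return self.paths.get(handle, f"0x{handle:X}")

    def process(self, ev: RegEvent) -> str:
        if ev.op in ("open", "create"):
            prefix = "" if ev.parent == 0 else self.display_name(ev.parent) + "\\"
            shown = prefix + ev.name
            self.paths[ev.handle] = shown
        elif ev.op == "close":
            # Handle values are recycled after close; drop the mapping so a later
            # open that reuses the value is not labelled with the old path.
            shown = self.paths.pop(ev.handle, f"0x{ev.handle:X}")
        else:
            shown = self.display_name(ev.handle)
        return f"{ev.op}\t{shown}" + (f"\t{ev.value}" if ev.value else "")

def run_trace(events: List[RegEvent]) -> List[str]:
    # Feed a constructed event stream through one tracker; return the log lines
    tracker = HandleTracker()
    return [tracker.process(ev) for ev in events]

# Constructed trace: 0x40 was opened before monitoring began; 0x44 gets reused.
SAMPLE = [
    RegEvent("open", 0x44, name="HKLM\\SOFTWARE"),
    RegEvent("open", 0x48, name="Example", parent=0x44),
    RegEvent("query", 0x48, value="Path"),
    RegEvent("set", 0x40, value="Run"),
    RegEvent("close", 0x44),
    RegEvent("create", 0x44, name="HKCU\\Software\\Test"),
    RegEvent("query", 0x44, value="Flag"),
]

if __name__ == "__main__":
    print("\n".join(run_trace(SAMPLE)))
```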