
Query key control block information (ETW)

aler...@gmail.com

Jun 12, 2013, 4:33:03 PM
Hi!

I'm trying to implement registry monitoring using ETW.
The KeyHandle member of the Registry_TypeGroup1 structure contains a pointer to this block.
Is there any way to query the corresponding registry key path?
For example, WinDbg can do it (e.g. "!reg kcb ADDR").
It's required for me to be able to query KCB info because KcbCreate/KcbDelete events are not always issued for the specified KCB.