<p><a href="http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx" rel="noreferrer">Process Monitor</a> is either using a kernel driver or ETW (see below) to capture registry events. I do know that Process Monitor uses ETW for some of its data (like networking information).</p>
<p>An API hooking or detouring mechanism like EasyHook typically operates at the Win32 API level (e.g. <code>RegSetValue</code> or <code>RegCreateKeyEx</code> in ADVAPI32.dll). Because of this, it has the limitation you mention: only user-mode registry accesses are captured. Additionally, API hooking is usually done on a per-process basis, so you have to inject yourself into each process that you want to collect data on. You would also have to monitor for process creation if you wanted to really capture all accesses across the system.</p>
<p><a href="http://msdn.microsoft.com/en-us/magazine/cc163437.aspx" rel="noreferrer">Event Tracing for Windows</a> (ETW) would be an easy way (relatively speaking) to capture all registry accesses. The basic idea behind ETW is that OS, runtime, library, and even everyday application developers can add specific instrumentation to their code to log data about interesting events and scenarios. This tracing is low overhead and can be easily collected. ETW has been around for a while, but it has really gained traction throughout the kernel starting with Vista. Almost all major kernel subsystems are now instrumented with ETW. It is also now the basis for the Windows Event Log.</p>
<p>ETW has its fair share of baggage and lacks substantial documentation in some areas, but if you are interested, you can check out the following:</p>
<ul>
<li><a href="http://msdn.microsoft.com/en-us/library/bb968803(VS.85).aspx" rel="noreferrer">ETW MSDN documentation</a></li>
<li><a href="http://blogs.msdn.com/b/ntdebugging/archive/2009/09/08/exploring-and-decoding-etw-providers-using-event-log-channels.aspx" rel="noreferrer">ETW and Event Log</a></li>
<li><a href="http://blogs.msdn.com/b/ntdebugging/archive/2008/04/03/windows-performance-toolkit-xperf.aspx" rel="noreferrer">Xperf</a> (part of the Windows Performance Toolkit), used for collecting and analyzing traces</li>
<li>logman.exe and tracerpt.exe for collecting and analyzing traces</li>
<li><a href="http://bcl.codeplex.com/wikipage?title=TraceEvent&amp;referringTitle=Home" rel="noreferrer">TraceEvent</a>, a .NET library for collecting and analyzing ETW events</li>
<li><a href="http://msdn.microsoft.com/en-us/library/aa363691(VS.85).aspx" rel="noreferrer">Using an NT Kernel Logger from native code</a></li>
</ul>
<blockquote>
<p>To catch the kernel-mode registry accesses, would I have to write in C++?</p>
</blockquote>
<p>No, using the <a href="http://bcl.codeplex.com/wikipage?title=TraceEvent&amp;referringTitle=Home" rel="noreferrer">TraceEvent</a> library mentioned above, you could use C# to capture and analyze kernel- and user-mode registry accesses across the system.</p>
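<p>As an added example (not code from the answer above or from the TraceEvent project), here is the C# approach the answer points at: a small program that enables the kernel Registry provider through the TraceEvent library and reports <code>SetValue</code> events system-wide, including ones issued from kernel mode, flagging writes to the autostart <code>Run</code> keys. It assumes the current NuGet package <code>Microsoft.Diagnostics.Tracing.TraceEvent</code> (the successor of the codeplex library) and an elevated process; <code>RegistryMonitor</code> and <code>WatchedPaths</code> are names chosen for this example.</p>

```csharp
// Added example (not from the answer above): real-time capture of kernel
// registry SetValue events through ETW with the TraceEvent library.
// Assumes the NuGet package Microsoft.Diagnostics.Tracing.TraceEvent
// (successor of the codeplex TraceEvent library) and an elevated process:
// the NT Kernel Logger session cannot be started without administrator rights.
using System;
using System.Collections.Generic;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

class RegistryMonitor   // hypothetical name chosen for this example
{
    // Autostart keys whose modification is worth alerting on (sample list).
    static readonly string[] WatchedPaths =
    {
        @"\Microsoft\Windows\CurrentVersion\Run",
        @"\Microsoft\Windows\CurrentVersion\RunOnce",
    };

    static void Main()
    {
        var writesPerProcess = new Dictionary<string, int>();

        // Kernel providers can only be enabled in the special NT Kernel Logger session.
        using (var session = new TraceEventSession(KernelTraceEventParser.KernelSessionName))
        {
            // Ctrl+C stops the ETW session; otherwise it keeps running after we exit.
            Console.CancelKeyPress += (s, e) => { e.Cancel = true; session.Dispose(); };
            // Only the Registry keyword: still high volume, so keep the handler cheap.
            session.EnableKernelProvider(KernelTraceEventParser.Keywords.Registry);

            // Fires for user-mode RegSetValueEx and for writes from kernel components,
            // which per-process API hooking never sees.
            session.Source.Kernel.RegistrySetValue += (RegistryTraceData data) =>
            {
                string proc = data.ProcessName + ":" + data.ProcessID;
                writesPerProcess.TryGetValue(proc, out int n);
                writesPerProcess[proc] = n + 1;
                foreach (var path in WatchedPaths)
                    if (data.KeyName.IndexOf(path, StringComparison.OrdinalIgnoreCase) >= 0)
                        Console.WriteLine($"[autostart write] {proc} {data.KeyName}\\{data.ValueName}");
            };
            session.Source.Process(); // blocks until the session is stopped
        }

        foreach (var kv in writesPerProcess)
            Console.WriteLine($"{kv.Key}: {kv.Value} SetValue events");
    }
}
```

The per-process counts printed at the end give a quick view of which processes are the noisiest registry writers, which is useful before narrowing the handler to the keys you actually care about.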