Reputation: 337
Monitor registry using C++
I want to monitor when a key is changed/added/deleted to the registry whenever application is being installed or removed. I have tested the sample code from the msdn(link) and it works fine.
But the problem is that it does not tell me which key has actually been modified/added/deleted. How can i retrieve this information using c++?
Upvotes: 3
Views: 3952
Answers (2)
Reputation: 1
Unfortunately Event Tracing for Windows (EWT) does not allow to see full key path in the event. You get only a partial key name and a strange handle with is actually a key control block. It's not so simple to get information from this block. Yes the process monitor uses EWT, but it does not use Windows Kernel Trace as a provider.
Upvotes: 0
Reputation: 210402
There are only 3 ways, none of which is both easy and adequate:
RegNotifyChangeKeyValue: Doesn't give you the info you need, but is very easy to use.EVENT_TRACE_FLAG_REGISTRYwhich is part of Event Tracing for Windows which is what ProcMon uses. It works well, but it's quite difficult to use.
I'm not sure exactly how to use it myself, but if I figure it out I'll post it here.CmRegisterCallback: Requires kernel-mode driver, which is a pain in 64-bit.
But it's the most perfect solution otherwise.
Upvotes: 7
Related Questions
- Query registry values
- How to read a value from the Windows registry
- WinApi: Cant read registry
- Intercept value read from registry
- WINAPI: Windows Registry functions fail
- Print name, type and data of registry
- Get value from registry C++ crashes
- Registry Handling in Cpp
- Monitor kernel registry changes
- Catch Registry request C++