Reputation: 345
Registry - get last time a value (not key) changed, and key creation date
I want to get the last time a Name/Value in a Registry key was written. Is it possible?
I also want to get the date the key was created (not modified).
I know about the RegQueryInfoKey() function, but it looks like it works only at the key level, and gives only the modification date, not the creation date.
I looked at the API and couldn't find any thing else that can do what I want.
Upvotes: 1
Views: 1683
Answers (1)
Reputation: 34280
The answer is no in both cases. We cannot query the time a value was last modified, and we cannot query the time a key was created. The data does not exist. A Key object (i.e. CM_KEY_BODY) references a key control block (i.e. CM_KEY_CONTROL_BLOCK or KCB). The KCB has a pointer to the hive (i.e. HHIVE) and the index of the cell in the hive that contains the key node (i.e. CM_KEY_NODE), which has a LastWriteTime timestamp, but none of the other timestamps associated with File objects (i.e. CreationTime, LastAccessTime, and ChangeTime). (The KCB caches this timestamp as KcbLastWriteTime, but it's kept in sync with the key node.) A value is also stored in a hive cell, in this case containing a value node (i.e. CM_KEY_VALUE), which has the name, type, data, and flags, but no timestamp.
Upvotes: 6
Related Questions
- Query registry values
- How to recover all the elements of a registry key? (last write time, type, value, name …) Is this the right method?
- C# winApi - getting registry last write date
- Get which Registry value changed when RegNotifyChangeKeyValue triggered in c#
- Determine a Registry Key's Object Name
- RegistryKey last write time
- How to find what registry values changed?
- Getting the date that a registry key was created/modified in C++
- Can I use RegNotifyChangeKeyValue to track changes to a value of a Registry key?
- Finding out what Registry keys have been changed C#