Monitor kernel registry changes

Question

Could people please give me pointers (no pun intended) for topics I will need to research in order to be able to do this? I'm not really an expert on Windows, however I'm very quick at picking up new concepts.

I saw the process monitor program which Mark Russinovich and Bryce Cogswell wrote: http://technet.microsoft.com/en-gb/sysinternals/bb896645

which can look at everything happening registry key-wise within the kernel. I've been able to do this sort of thing using C# and user-level registry accesses in the past, but I couldn't reach the kernel using the wrapper suite I got from codeproject.

Could people please help me with where to start? I think I'm looking for more help on the Windows/OS side.

Reason for doing this: (I'm more of a Java than C++ programmer, however I want to get into the latter. The best way to learn is to do something which interests you, so as I'm interested in real-time applications, this is the cheapest one I could think of (without having to pay for data).)

Answer

For kernel-mode, take a look at CmRegisterCallback.

However, I believe Process Monitor uses the Event Tracing for Windows functions; see, for example, EtwRegister.
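As an added example (not part of the original question or answer), the script below takes the ETW route the answer points at, but from user mode: instead of writing a driver around CmRegisterCallback, it records the kernel's own registry events from the Microsoft-Windows-Kernel-Registry provider, provokes some activity on a throw-away key, and decodes the trace. Assumptions: an elevated PowerShell on Windows 8 or later (that provider and Get-WinEvent's .etl support); the session name, key name and file path are invented for the demo; the keyword mask 0xFFFFFFFFFFFFFFFF is used so that every registry operation class is enabled, and the payload field names are read from each event's XML rather than hard-coded, since they come from the provider manifest.

```powershell
#Requires -RunAsAdministrator
# Added example: observe kernel registry activity via ETW from user mode.
# Not code from the original question or answer.

$SessionName = 'RegTraceDemo'                        # hypothetical session name
$Etl         = Join-Path $env:TEMP 'RegTraceDemo.etl'
$DemoKey     = 'HKCU:\Software\RegTraceDemo'         # constructed target for the demo
$DemoKeyTail = 'RegTraceDemo'

# 1. Start a trace session with the kernel registry provider.
#    -ets creates and starts the session in one step; the flags/level values
#    (all keywords, all levels) are an assumption of this demo, not the only choice.
logman start $SessionName -p 'Microsoft-Windows-Kernel-Registry' 0xFFFFFFFFFFFFFFFF 0xff -o $Etl -ets | Out-Null
if ($LASTEXITCODE -ne 0) { throw "logman start failed (exit code $LASTEXITCODE)" }

try {
    # 2. Generate registry activity to observe: create, set a value, delete.
    New-Item -Path $DemoKey -Force | Out-Null
    Set-ItemProperty -Path $DemoKey -Name 'Probe' -Value 'hello'
    Remove-Item -Path $DemoKey -Recurse -Force
}
finally {
    # 3. Stop the session; this flushes the trace buffers to the .etl file.
    logman stop $SessionName -ets | Out-Null
}

# 4. Decode. Get-WinEvent reads .etl files directly; -Oldest is required for ETL input.
$events = Get-WinEvent -Path $Etl -Oldest -ErrorAction Stop

# Each manifest-based event carries its payload as <Data Name="...">value</Data>
# elements, so the layout of every opcode (CreateKey, SetValueKey, DeleteKey, ...)
# can be read generically without knowing the field order in advance.
function ConvertTo-RegistryRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $fields = [ordered]@{}
    foreach ($d in $x.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        EventId   = $Event.Id
        Task      = $Event.TaskDisplayName      # operation class from the manifest
        ProcessId = $Event.ProcessId
        Fields    = $fields
    }
}

# 5. Keep only events whose payload mentions the demo key and print one line each.
$events |
    ForEach-Object { ConvertTo-RegistryRecord $_ } |
    Where-Object { ($_.Fields.Values -join ' ') -match $DemoKeyTail } |
    ForEach-Object {
        $payload = ($_.Fields.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
        '{0:HH:mm:ss.fff} pid={1,-6} id={2,-3} {3,-14} {4}' -f $_.Time, $_.ProcessId, $_.EventId, $_.Task, $payload
    }

Remove-Item $Etl -ErrorAction SilentlyContinue
```

Two things to expect when reading the output: key paths arrive in native object-manager form (\REGISTRY\USER\<SID>\Software\... rather than HKCU:\Software\...), and the session sees every process on the machine, which is why the script filters on the key name rather than on its own process ID. If the output is empty, check that the session really started (the `logman` call must run elevated) before suspecting the filter.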
