Registry monitor and protector 4.5.4.7

Registry monitor and protector is a tool which was developed with registry filter driver SDK. A registry filtering driver is any kernel-mode driver that filters registry calls, such as the driver component of an antivirus software package. The configuration manager, which implements the registry, allows registry filtering drivers to filter any thread’s calls to registry functions. By registering a RegistryCallback routine in the registry filter driver, it can receive notifications of each registry operation before the configuration manager processes the operation. A set of REG_XXX_KEY_INFORMATION data structures contain information about each registry operation. The RegistryCallback routine can block a registry operation. The callback routine also receives notifications when the configuration manager has finished creating or opening a registry key.
Handling registry call notifications

To be notified of registry operations, it needs to register the RegistryCallback routine with REG_NOTIFY_CLASS which specifies the type of registry operation that the configuration manager is passing to a RegistryCallback routine, When the configuration manager calls a driver’s RegistryCallback routine, it passes a REG_NOTIFY_CLASS enumeration value to the routine. The configuration manager also passes a notification-specific structure that contains information about the notification. The RegistryCallback routine can inspect the contents of the input and output buffers that are supplied for registry operations.
Monitoring registry calls to track the registry changes

To track the registry changes, register these ‘Reg_Post_Create_Key, Reg_Post_Delete_Key, Reg_Post_Set_Value_Key, Reg_Post_Delete_Value_Key, Reg_Post_SetInformation_Key, Reg_Post_Rename_Key, Reg_Post_Create_KeyEx, Reg_Post_Restore_Key,Reg_Post_Replace_Key’ notification classes. When the registry key, value or security was modified, the callback routine will be invoked with a data structure that contains in