Hi, I'm trying to find out the process name/ID which caused a registry key change.

I'm using an example from CodeProject as my basic template to build up from:
http://www.codeproject.com/KB/system/registrymonitor.aspx?msg=3475799#xx3475799xx

I've also borrowed a class which helps with getting the process owner (as you can't access handles of System processes?) from:
http://www.sellsbrothers.com/askthewonk/secure/default.aspx?content=howcanigetthesecurityprin.htm

I thought I could just equate the IntPtr of the registry hives to the process handle, but it doesn't appear to work?

Any help greatly appreciated.

All 7 Replies

I'm not 100% sure, but I don't think this can be done.

There's no logical mechanic that allows this as far as I'm aware.

EDIT: I stand corrected, it can be done, I just don't know how. I'm going to look into this, it looks interesting :)

Yeah I already found that on my search. I'm just trying to find out how they did it.

It may be possible that they just hook every running process and monitor what it does. Then all you would have to do is filter out registry manipulation...

Hmmm...

If I'm honest I'm not a complete expert on handles and hooks etc., but I've spent all afternoon understanding the registry monitor code and P/Invoke. If you could help me I would really appreciate it!

(I'm not sure, but you may want to check out my second link; it's a class which provides ProcessIdentity, which allows you to get a few extra characteristics of a process, like the process owner.)

Did you have any luck?

Not really, I haven't had time to throw myself into this. You should look into this yourself as well, as I'll only be doing the same thing...Reading documentation, fishing on Google and experimenting with code :)

It's amazing what 24 hours can do.

I've nearly got it now. The only problem I'm having is that the Win32 function I'm using to hook into the registry (RegOpenKeyExW) won't work, whereas CreateFileW will work. So at the moment I can hook all processes which are accessing files in the system; I just need to swap this for registry accesses and then I'm done :)

If you're interested, look up EasyHook.
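For anyone landing on this thread with the same question, here is an added example (not code from the thread or from EasyHook) that answers it without hooking anything: Windows object-access auditing records the acting process for every audited registry write as Security event 4657, and the PowerShell below pulls the process name and PID out of those events. It assumes the Registry audit subcategory is enabled and a SACL has been placed on the key of interest, as described in the comments.

```powershell
# Added example, not from the thread: find the process behind a registry change
# via built-in auditing instead of API hooks. Prerequisites (run as administrator):
#   auditpol /set /subcategory:"Registry" /success:enable /failure:enable
#   and a SACL on the key you care about (regedit: Permissions > Advanced >
#   Auditing, audit "Set Value", "Create Subkey" and "Delete" for Everyone).
# Each resulting 4657 event ("A registry value was modified") names the process.
function Get-RegistryChangeActor {
    [CmdletBinding()]
    param(
        # Substring of the key path to keep, e.g. 'CurrentVersion\Run' (empty = all)
        [string]$KeyFilter = '',
        # Optional exported .evtx for offline analysis; default is the live Security log
        [string]$EvtxPath,
        [int]$MaxEvents = 200
    )
    # OperationType is logged as a resource string id; these are the documented ones
    $opNames = @{ '%%1904' = 'Existing value modified'
                  '%%1905' = 'New value created'
                  '%%1906' = 'Value deleted' }

    $filter = @{ LogName = 'Security'; Id = 4657 }
    if ($EvtxPath) { $filter = @{ Path = $EvtxPath; Id = 4657 } }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a lookup table
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $op = $d['OperationType']
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Process   = $d['ProcessName']
                PID       = [Convert]::ToInt32($d['ProcessId'], 16)  # logged as hex, e.g. 0x1a4
                User      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Key       = $d['ObjectName']
                Value     = $d['ObjectValueName']
                Operation = if ($opNames.ContainsKey($op)) { $opNames[$op] } else { $op }
                OldValue  = $d['OldValue']
                NewValue  = $d['NewValue']
            }
        } | Where-Object { $_.Key -like "*$KeyFilter*" }
}

# Example: who has been writing autorun entries?
Get-RegistryChangeActor -KeyFilter 'CurrentVersion\Run' | Format-Table -AutoSize
```

Because the PID in the event can be reused after the process exits, correlate on ProcessName and the event timestamp (or on a 4688 process-creation event) rather than on the PID alone.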