Hi, I looked in the Win95 DDK at the kernel services for the registry; they are the following:

_GetRegistryKey _GetRegistryPath _RegCreateDynKey _RegCloseKey _RegCreateKey _RegDeleteKey _RegDeleteValue _RegEnumKey _RegEnumValue _RegFlushKey _RegOpenKey _RegQueryInfoKey _RegQueryMultipleValues _RegQueryValue _RegQueryValueEx _RegRemapPreDefKey _RegSetValue _RegSetValueEx

I wonder, will all the normal ring3 Win32 APIs for the registry eventually call these?
Or do these and the ring3 APIs work independently of each other?

I thought that if the VMM services are always called, it would be possible to create a registry monitor
without too much trouble by hooking them in a VxD!? :)
Posted on 2003-02-21 16:38:44 by david

This may be one of those questions nobody wants to see, but to give a simple answer without giving a code example: the answer is yes to both parts. These are the low-level versions of the Win32 calls in Win9x, perhaps thunked down to in Win2K as well, and they can be hooked.

Posted on 2003-02-21 22:22:47 by Kayaker
Thanks, that solves it.

btw Kayaker, why do you think this is like a 'question nobody wants to see'?
Posted on 2003-02-22 06:14:20 by david

Just a question of intended usage, I suppose. For a C example of a registry monitor you might want to look at the SysInternals Regmon source; it outlines the proper calls, and the vxd and sys sources use slightly different methods of hooking.

A VxD hook proc can be quite simple and still be effective, and the information is outlined in the DDK. For MASM the only difference from writing regular VxD code is that the declaration syntax of the hook proc itself requires a special macro:


;====Begin HookProc=======
BeginProc HookProc, HOOK_PROC, OldServiceAddress, LOCKED

; Important: Note syntax of BeginProc macro needed for a hook routine:
; <BeginProc ProcName, HOOK_PROC, hook_var, segment_type>
; If hook uses Hook_Device_Service, Hook_V86_Fault, Hook_PM_Fault, or Hook_VMM_Fault,
; then it must be marked with the HOOK_PROC attribute so that the service can be unhooked.
; The hook_var parameter is the name of the variable into which the address of the previous
; hook will be stored.

; (hook body goes here; finish by chaining to the original service through OldServiceAddress)
EndProc HookProc
;====End HookProc=======

Hope this helps,
Posted on 2003-02-22 12:34:26 by Kayaker
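A minimal registry-monitor VxD built around that macro, added here as an example (it is not Kayaker's code and not Regmon's): it hooks the _RegOpenKey VMM service at Device_Init, logs the subkey pointer to the kernel debugger, chains to the original service, and unhooks at System_Exit. The device name REGSPY, the hook-variable name Prev_RegOpenKey and the service-ordinal symbol @@_RegOpenKey are assumptions about the DDK's VMM.INC naming; Trace_Out only produces output in debug builds under a kernel debugger.

```masm
.386p
include vmm.inc
include debug.inc               ; Trace_Out (debug builds only)
; Hypothetical device name and IDs for this example
Declare_Virtual_Device REGSPY, 1, 0, REGSPY_Control, UNDEFINED_DEVICE_ID, UNDEFINED_INIT_ORDER

VxD_LOCKED_CODE_SEG
; HOOK_PROC form: VMM.INC defines Prev_RegOpenKey (assumed name) to hold the
; previous service address, and Unhook_Device_Service can later find this hook.
BeginProc RegOpenKey_Hook, HOOK_PROC, Prev_RegOpenKey, LOCKED
    ; _RegOpenKey is a C-convention service; on entry the stack holds
    ;   [esp]     return address into the caller
    ;   [esp+4]   hKey
    ;   [esp+8]   lpszSubKey (pointer to ASCIIZ subkey name)
    ;   [esp+0Ch] phKey
    push    esi
    mov     esi, [esp+8+4]              ; lpszSubKey, adjusted for the pushed esi
    Trace_Out "REGSPY: _RegOpenKey subkey @ #ESI"   ; pointer only, to the debugger
    pop     esi
    jmp     [Prev_RegOpenKey]           ; chain; the original sees its stack untouched
EndProc RegOpenKey_Hook

BeginProc REGSPY_Control
    Control_Dispatch Device_Init, REGSPY_Device_Init
    Control_Dispatch System_Exit, REGSPY_System_Exit
    clc
    ret
EndProc REGSPY_Control

BeginProc REGSPY_Device_Init
    mov     eax, @@_RegOpenKey          ; service ordinal symbol from VMM.INC (assumed name)
    mov     esi, OFFSET32 RegOpenKey_Hook
    VMMcall Hook_Device_Service
    jc      short @F                    ; carry set: VMM refused the hook
    mov     [Prev_RegOpenKey], esi      ; ESI = previous service; stored explicitly as well
@@:
    clc                                 ; load the VxD even if the hook failed
    ret
EndProc REGSPY_Device_Init

BeginProc REGSPY_System_Exit
    mov     eax, @@_RegOpenKey
    mov     esi, OFFSET32 RegOpenKey_Hook
    VMMcall Unhook_Device_Service       ; restores the previous service address
    clc
    ret
EndProc REGSPY_System_Exit
VxD_LOCKED_CODE_ENDS
End
```

Because the hook only saves and restores ESI and jumps rather than calls, the original service returns straight to the caller and the hook never has to reproduce the service's calling convention.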
Hi david, I am looking for a VxD to hook the registry. Would you be kind enough to guide me somewhat in the right direction? I have successfully hooked the registry in NT/2K/XP but not on 9x.

thanks in advance
Posted on 2004-02-11 03:15:45 by monty