I am trying to record all registry changes, and it appears, that there is no NtRegPreCreateKey(Ex) events coming at all.
If I manually create key - I’ll get NtRegPreOpenKeyEx. So, I am unable to check, if this key is just opened, or created.
There is an “Option” field in REG_OPEN_KEY_INFORMATION_V1, but it does not seem reliable.
Is there any reliable way to distinguish creation from simple opening?