Driver Problems? Questions? Issues?
Put OSR's experience to work for you! Contact us for assistance with:
  • Creating the right design for your requirements
  • Reviewing your existing driver code
  • Analyzing driver reliability/performance issues
  • Custom training mixed with consulting and focused directly on your specific areas of interest/concern.
Check us out. OSR, the Windows driver experts.

Monthly Seminars at OSR Headquarters

East Coast USA
Windows Internals and SW Drivers, Dulles (Sterling) VA, 13 November 2017

Kernel Debugging & Crash Analysis for Windows, Nashua (Amherst) NH, 4 December 2017

Writing WDF Drivers I: Core Concepts, Nashua (Amherst) NH, 8 January 2018

WDF Drivers II: Advanced Implementation Techniques, Nashua (Amherst) NH, 15 January 2018


Go Back   OSR Online Lists > ntdev
Welcome, Guest
You must login to post to this list
  Message 1 of 2  
09 Oct 17 09:19
Denis Panin
xxxxxx@mail.ru
Join Date: 04 Oct 2017
Posts To This List: 4
Registry -> distinguish between open and create key.

I am trying to record all registry changes, and it appears, that there is no NtRegPreCreateKey(Ex) events coming at all. If I manually create key - I'll get NtRegPreOpenKeyEx. So, I am unable to check, if this key is just opened, or created. There is an "Option" field in REG_OPEN_KEY_INFORMATION_V1, but it does not seem reliable. Is there any _reliable_ way to distinguish creation from simple opening?
  Message 2 of 2  
09 Oct 17 10:04
Denis Panin
xxxxxx@mail.ru
Join Date: 04 Oct 2017
Posts To This List: 4
Registry -> distinguish between open and create key.

Disregard please, looks like I'm just dumb
Posting Rules  
You may not post new threads
You may not post replies
You may not post attachments
You must login to OSR Online AND be a member of the ntdev list to be able to post.

All times are GMT -5. The time now is 02:14.


Copyright ©2015, OSR Open Systems Resources, Inc.
Based on vBulletin Copyright ©2000 - 2005, Jelsoft Enterprises Ltd.
Modified under license