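/*
 * ETW consumer callback for registry events (EVENT_TRACE_TYPE_REG*).
 *
 * Keeps only events accepted by CheckCurrentProcess(), overlays the
 * OS-specific MOF payload structure (Windows 2000 vs. XP/Server 2003) on the
 * event data and prints the event name, the status and either the key name
 * or the key handle.
 *
 * pEvent: event delivered by the trace session; owned by the tracing runtime
 *         and only valid for the duration of this call.
 * Returns nothing. Events of an unhandled type, or delivered on an OS whose
 * payload layout is unknown, are ignored.
 */
VOID WINAPI RegistryEventCallback( PEVENT_TRACE pEvent )
{
    if( pEvent == NULL || !CheckCurrentProcess( (DWORD)pEvent->Header.ThreadId ) )
        return;

    /*
     * Bug fix: "!=" binds tighter than "&", so the original expression
     *   Flags & WNODE_FLAG_USE_MOF_PTR != WNODE_FLAG_USE_MOF_PTR
     * evaluated to "Flags & 0" and this guard never fired. Parenthesised to
     * the check as written: skip events that do not carry the flag.
     * NOTE(review): WNODE_FLAG_USE_MOF_PTR is documented as "MofData points to
     * an array of MOF_FIELD structures", which does not match the direct
     * structure casts below — confirm which layout the session delivers.
     */
    if( (pEvent->Header.Flags & WNODE_FLAG_USE_MOF_PTR) != WNODE_FLAG_USE_MOF_PTR )
        return;

    /* Narrow literals are assigned here, so this is an ANSI (non-UNICODE) build. */
    const char *szName = NULL;
    switch( pEvent->Header.Class.Type )
    {
    case EVENT_TRACE_TYPE_REGCREATE:
        szName = "EVENT_TRACE_TYPE_REGCREATE";
        break;
    case EVENT_TRACE_TYPE_REGDELETE:
        szName = "EVENT_TRACE_TYPE_REGDELETE";
        break;
    /* ... remaining EVENT_TRACE_TYPE_REG* cases elided in the listing ... */
    case EVENT_TRACE_TYPE_REGSETVALUE:
        szName = "EVENT_TRACE_TYPE_REGSETVALUE";
        break;
    default:
        /* Not a registry event type we report. */
        break;
    }
    if( szName == NULL )
        return;

    DWORD dwOSVersion = GetWindowsVersion();
    if( dwOSVersion == WIN_VERSION_NONE )
        return;

    printf( "Event : %s\n", szName );

    DWORD dwStatus = 0;
    LPWSTR wszKey = NULL;
    HANDLE hKey = NULL;

    /*
     * The payload comes from the trace buffer, so check that it is at least
     * as large as the structure being overlaid on it before reading fields.
     */
    switch( dwOSVersion )
    {
    case WIN_VERSION_WIN2K:
    {
        LPMOF_REGISTRY_2K pMof = (LPMOF_REGISTRY_2K)pEvent->MofData;
        if( pMof == NULL || pEvent->MofLength < sizeof *pMof )
            return;
        dwStatus = pMof->dwStatus;
        wszKey = pMof->wszKeyName;
        hKey = pMof->hKey;
        break;
    }
    case WIN_VERSION_WINXP:
    case WIN_VERSION_WINSRV2003:
    {
        LPMOF_REGISTRY_XP pMof = (LPMOF_REGISTRY_XP)pEvent->MofData;
        if( pMof == NULL || pEvent->MofLength < sizeof *pMof )
            return;
        dwStatus = pMof->dwStatus;
        wszKey = pMof->wszKeyName;
        hKey = pMof->hKey;
        break;
    }
    default:
        /*
         * Unknown payload layout. The original had no default and went on to
         * call wcslen() on the still-NULL wszKey.
         */
        return;
    }

    /*
     * NOTE(review): nothing here verifies that wszKeyName is NUL-terminated
     * inside MofLength — confirm the provider guarantees that, or bound the
     * print with the remaining payload length.
     * %lu matches DWORD, %ls a wide string, %p a HANDLE; the original %d on
     * the handle was a format/argument mismatch.
     */
    if( wszKey != NULL && wszKey[0] != L'\0' )
        wprintf( L"Status: %lu\nKey: %ls\n", dwStatus, wszKey );
    else
        wprintf( L"Status: %lu\nHandle: %p\n", dwStatus, hKey );
}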