
Registry monitoring and protection
Registry monitor and protector is a tool developed with the registry filter driver SDK. It can monitor registry access on the fly to track registry changes, and prevent the registry from being accessed or changed by unauthorized processes or users. It can also create virtual registry keys or values.
The EaseFilter registry filter driver is a kernel-mode driver that filters registry calls. It provides an easy way to develop Windows applications for registry monitoring and protection. The EaseFilter Registry Filter Driver enables your application to protect Windows core registry keys and values, in addition to operating system files, and to prevent potentially damaging system configuration changes. By registering a RegistryCallback routine in the registry filter driver, it can receive notifications of each registry operation before the configuration manager processes the operation. A set of REG_XXX_KEY_INFORMATION data structures containing information about each registry operation is returned to your user-mode application, which can then allow registry access or changes for authorized processes or users and deny registry access to unauthorized processes or users.
Handling registry call notifications
To be notified of registry operations, you need to register the RegistryCallback routine with a REG_NOTIFY_CLASS, which specifies the type of registry operation that the configuration manager is passing to the RegistryCallback routine. When the configuration manager calls a driver's RegistryCallback routine, it passes a REG_NOTIFY_CLASS enumeration value to the routine. The configuration manager also passes a notification-specific structure that contains information about the notification. The RegistryCallback routine can inspect the contents of the input and output buffers that are supplied for registry operations.
Monitoring registry calls to track the registry changes
To track registry changes, register these notification classes: "Reg_Post_Create_Key, Reg_Post_Delete_Key, Reg_Post_Set_Value_Key, Reg_Post_Delete_Value_Key, Reg_Post_SetInformation_Key, Reg_Post_Rename_Key, Reg_Post_Create_KeyEx, Reg_Post_Restore_Key, Reg_Post_Replace_Key". When a registry key, value or security setting has been modified, the callback routine is invoked with a data structure that contains information specific to the type of registry operation.
Blocking registry calls to prevent your registry from being changed by unauthorized processes
To block registry changes, register these notification classes: "Reg_Pre_Create_Key, Reg_Pre_Delete_Key, Reg_Pre_Set_Value_Key, Reg_Pre_Delete_Value_Key, Reg_Pre_SetInformation_Key, Reg_Pre_Rename_Key, Reg_Pre_Create_KeyEx, Reg_Pre_Restore_Key, Reg_Pre_Replace_Key". When a registry key, value or security setting is about to be modified, the callback routine is invoked with a data structure that contains information specific to the type of registry operation. If a RegistryCallback routine returns the status value "STATUS_ACCESS_DENIED" for a pre-notification, the registry operation is blocked and the error code is returned to the caller.
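The pre/post split described in the two sections above, as an added example that is not EaseFilter SDK or Windows driver code: a portable user-mode C model of the decision a RegistryCallback routine makes for a protected key. The types, the registry_callback signature, the key path and the process names are assumptions constructed for illustration; only the notification class names and STATUS_ACCESS_DENIED come from the text.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* User-mode model; every type and name here is an assumption for illustration. */
typedef unsigned int status_t;
#define STATUS_SUCCESS       0x00000000u
#define STATUS_ACCESS_DENIED 0xC0000022u

/* Subset of the page's notification classes; pre classes are listed first. */
typedef enum { Reg_Pre_Set_Value_Key, Reg_Pre_Delete_Key, Reg_Pre_Delete_Value_Key,
               Reg_Post_Set_Value_Key, Reg_Post_Delete_Key } reg_class;

/* Constructed policy data. */
static const char *PROTECTED_KEYS[] = { "\\REGISTRY\\MACHINE\\SOFTWARE\\ExampleApp" };
static const char *ALLOWED_PROCS[]  = { "exampleupdater.exe" };
static unsigned changes_logged;   /* stands in for an audit log */

/* Case-insensitive compare of the first n bytes; caller guarantees both are >= n long. */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* True for the protected key itself or a subkey, never a sibling sharing the prefix. */
static int under_key(const char *path, const char *root) {
    size_t n = strlen(root);
    if (strlen(path) < n || !ieq_n(path, root, n)) return 0;
    return path[n] == '\0' || path[n] == '\\';
}

static int proc_allowed(const char *proc) {
    for (size_t i = 0; i < sizeof ALLOWED_PROCS / sizeof *ALLOWED_PROCS; i++)
        if (strlen(proc) == strlen(ALLOWED_PROCS[i]) &&
            ieq_n(proc, ALLOWED_PROCS[i], strlen(proc))) return 1;
    return 0;
}

/* Models the callback decision: deny in pre-notification, record in post-notification. */
status_t registry_callback(reg_class cls, const char *key_path, const char *process) {
    int hit = 0;
    for (size_t i = 0; i < sizeof PROTECTED_KEYS / sizeof *PROTECTED_KEYS; i++)
        hit |= under_key(key_path, PROTECTED_KEYS[i]);
    if (!hit) return STATUS_SUCCESS;               /* key is outside the policy */
    if (cls <= Reg_Pre_Delete_Value_Key)           /* operation has not happened yet */
        return proc_allowed(process) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
    changes_logged++;                              /* operation already completed */
    return STATUS_SUCCESS;
}

unsigned logged_changes(void) { return changes_logged; }
```

Matching on the image name alone keeps the model short; a production policy would key on something harder to imitate, such as the full image path.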
Modifying registry calls to create virtual registry key or value
When registered for pre-notification, the RegistryCallback routine can modify a registry operation's output parameters or return value. Additionally, to handle a virtual registry key or value, the RegistryCallback routine can return your own customized data instead of allowing the registry to handle the operation.
[Screenshot: Registry monitor and protector]
About EaseFilter Inc.
EaseFilter Inc. is a company that specializes in Windows file system filter driver development. It can architect, implement and test file system filter drivers for a wide range of functionality. It also offers several levels of assistance to meet your specific needs: provide consulting services for your existing file system filter driver; customize the SDK to meet your requirements; create your own filter driver with the SDK source code.
FOR MORE INFO VISIT OUR SITE
https://www.easefilter.com/Forums_Files/RegMon.htm