Author: alervd
Subject: Query key control block information (ETW)
Posted: 12 June 2013 at 10:09pm
Hi!
I'm trying to implement registry monitoring using ETW.
The KeyHandle member of the Registry_TypeGroup1 structure contains a pointer to this block.
Is there any way to query the corresponding registry key path?
For example, WinDbg can do it (e.g. "!reg kcb ADDR").
I need to be able to query KCB info because KcbCreate/KcbDelete events are not always issued for the specified KCB.