Registry monitor and protector

Download EaseFilter Registry Filter Driver SDK Setup File
Download EaseFilter Registry Filter Driver SDK Zip File

 

Introduction

Registry monitor and protector is a tool which was developed with registry filter driver SDK. A registry filtering driver is any kernel-mode driver that filters registry calls, such as the driver component of an antivirus software package. The configuration manager, which implements the registry, allows registry filtering drivers to filter any thread's calls to registry functions. By registering a RegistryCallback routine in the registry filter driver, it can receive notifications of each registry operation before the configuration manager processes the operation. A set of REG_XXX_KEY_INFORMATION data structures contain information about each registry operation. The RegistryCallback routine can block a registry operation. The callback routine also receives notifications when the configuration manager has finished creating or opening a registry key. 

Handling registry call notifications

To be notified of registry operations,  it needs to register the RegistryCallback routine with REG_NOTIFY_CLASS which specifies the type of registry operation that the configuration manager is passing to a RegistryCallback routine, When the configuration manager calls a driver's RegistryCallback routine, it passes a REG_NOTIFY_CLASS enumeration value to the routine. The configuration manager also passes a notification-specific structure that contains information about the notification. The RegistryCallback routine can inspect the contents of the input and output buffers that are supplied for registry operations.

Monitoring registry calls to track the registry changes

To track the registry changes,  register these "Reg_Post_Create_Key, Reg_Post_Delete_Key, Reg_Post_Set_Value_Key, Reg_Post_Delete_Value_Key, Reg_Post_SetInformation_Key, Reg_Post_Rename_Key, Reg_Post_Create_KeyEx, Reg_Post_Restore_Key,Reg_Post_Replace_Key" notification classes. When the registry key, value or security was modified, the callback routine will be invoked with a data structure that contains information that is specific to the type of registry operation.

Blocking registry calls to prevent your registry from being changed by unauthorized processes

To block the registry changes,  register these "Reg_Pre_Create_Key, Reg_Pre_Delete_Key, Reg_Pre_Set_Value_Key, Reg_Pre_Delete_Value_Key, Reg_Pre_SetInformation_Key, Reg_Pre_Rename_Key, Reg_Pre_Create_KeyEx, Reg_Pre_Restore_Key, Reg_Pre_Replace_Key" notification classes. When the registry key, value or security is going to be modified, the callback routine will be invoked with a data structure that contains information that is specific to the type of registry operation, If a RegistryCallback routine returns a status value "STATUS_ACCESS_DENIED" for a pre-notification, this registry operation will be blocked and the error code will be returned.

Modifying registry calls to create virtual registry key or value

To register pre-notification, RegistryCallback routine can modify a registry operation's output parameters or return value. Additionally, to handle the virtual registry key or value, the RegistryCallback routine can return your own customized data instead of allowing the registry to handle the operation.

Registry monitor and protector screenshot

Registry Monitor Screenshot

About EaseFilter Inc.

EaseFilter Inc. is a company who specializes in windows file system filter driver development. It can provide architect, implement and test file system filter drivers for a wide range of functionalities. It also can offer several levels of assistance to meet your specific needs: Provide consulting service for your existing file system filter driver; Customize the SDK to meet your requirement; Create your own filter driver with SDK source code.