Registry Monitoring and Protection Example

Download EaseFilter Registry Filter Driver SDK Setup File
Download EaseFilter Registry Filter Driver SDK Zip File

 What is the registry filter driver

The Easefilter Registry Filter Driver SDK is a kernel-mode filter driver development kit. It runs as part of the Windows executive above the registry component. By intercepting the registry request before it reaches its intended target, the filter driver can extend or replace functionality provided by the original target of the request. The EaseFilter Registry Filter Driver provides you an easy way to develop Windows application for registry monitoring and protection, track the registry change and prevent the registry from being changed by unauthorized processes or users. 

With the EaseFilter Registry Filter Driver, it enables your application to protect Windows core registry keys and values and to prevent potentially damaging system configuration changes, besides operating system files. By registering a RegistryCallback routine in the registry filter driver, it can receive notifications of each registry operation before the configuration manager processes the operation. A set of REG_XXX_KEY_INFORMATION data structures which contain information about each registry operation will return to your user mode application, your application can allow the registry access or change to authorized processes or users, and deny the registry access to unauthorized processes or users.

Registry access monitoring

To be notified of registry operations,  it needs to register the RegistryCallback routine with REG_NOTIFY_CLASS which specifies the type of registry operation that the configuration manager is passing to a RegistryCallback routine, When the configuration manager calls a driver’s RegistryCallback routine, it passes aREG_NOTIFY_CLASS enumeration value to the routine. The configuration manager also passes a notification-specific structure that contains information about the notification. The RegistryCallback routine can inspect the contents of the input and output buffers that are supplied for registry operations.

Track the registry key changes

To track the registry key changes,  register these “Reg_Post_Create_Key, Reg_Post_Delete_Key, Reg_Post_Set_Value_Key, Reg_Post_Delete_Value_Key, Reg_Post_SetInformation_Key, Reg_Post_Rename_Key, Reg_Post_Create_KeyEx, Reg_Post_Restore_Key,Reg_Post_Replace_Key” notification classes. When the registry key, value or security was modified, the callback routine will be invoked with a data structure that contains information that is specific to the type of registry operation. 

Registry protector

To block the registry changes by unauthorized processes,  register these “Reg_Pre_Create_Key, Reg_Pre_Delete_Key, Reg_Pre_Set_Value_Key, Reg_Pre_Delete_Value_Key, Reg_Pre_SetInformation_Key, Reg_Pre_Rename_Key, Reg_Pre_Create_KeyEx, Reg_Pre_Restore_Key, Reg_Pre_Replace_Key” notification classes. When the registry key, value or security is going to be modified, the callback routine will be invoked with a data structure that contains information that is specific to the type of registry operation, If a RegistryCallback routine returns a status value “STATUS_ACCESS_DENIED” for a pre-notification, this registry operation will be blocked and the error code will be returned.

Registry key virtualization

Modifying registry calls to create virtual registry key or value: To register pre-notification, RegistryCallback routine can modify a registry operation’s output parameters or return value. Additionally, to handle the virtual registry key or value, the RegistryCallback routine can return your own customized data instead of allowing the registry to handle the operation. 

A C# example to use the Registry Filter Driver SDK

It is very simple to use the EaseFilter Registry Filter Driver SDK. There is C# and C++ demo source code to demonstrate how to use the SDK. To monitor or control the Windows registry activities, you need to create a filter rule first as below:

  1. Setup the process filter rule with registry key name filter mask.
  2. Setup the process name filter mask or process Id, only filter the registry from these processes.
  3. You can exclude registry operations from the excluded process name filter mask. It is optional.
  4. You can exclude the registry operations from the excluded user filter mask. It is optional.
  5. Setup the registry access control flags. By setting the control flag, you can block the registry operations.
  6. Setup the registry callback class if you want to get the notification of the registry access operation.

registry filter rule

The registry demo application screenshot.

registry screenshot