Scribd Logo
Carica

Benvenuto in Scribd!

  • Monitor Changes to Windows Registry Run Keys in Real-Time

    Caricato da

    Sunil Hargunani
    35 visualizzazioni9 pagine
    The document describes a program called RegMon that monitors Windows registry keys for changes. It uses multiple threads to monitor different registry keys concurrently. The threads wait for change notifications on the keys and report any additions, deletions or modifications to the GUI. The GUI displays the registry keys being monitored and a log of changes. The program analyzes the registry data, compares values to previous ones and categorizes changes before notifying the user interface.

    Descrizione originale:

    Titolo originale

    Solution

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Formati disponibili

    DOC, PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    The document describes a program called RegMon that monitors Windows registry keys for changes. It uses multiple threads to monitor different registry keys concurrently. The threads wait for change notifications on the keys and report any additions, deletions or modifications to the GUI. The GUI displays the registry keys being monitored and a log of changes. The program analyzes the registry data, compares values to previous ones and categorizes changes before notifying the user interface.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato DOC, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    35 visualizzazioni9 pagine

    Monitor Changes to Windows Registry Run Keys in Real-Time

    Caricato da

    Sunil Hargunani
    The document describes a program called RegMon that monitors Windows registry keys for changes. It uses multiple threads to monitor different registry keys concurrently. The threads wait for change notifications on the keys and report any additions, deletions or modifications to the GUI. The GUI displays the registry keys being monitored and a log of changes. The program analyzes the registry data, compares values to previous ones and categorizes changes before notifying the user interface.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato DOC, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 9

    RegMon By Sunil Hargunani

    RegMon

    By: Sunil Hargunani


    Email:- trysunil@hotmail.com
    trysunil@yahoo.com

    Page 1 of 9
    RegMon By Sunil Hargunani

    Table of Contents

    Problem Definition.........................................................................................................3
    Requirement...................................................................................................................3
    Coding language:........................................................................................................3
    GUI: ...........................................................................................................................3
    Analysis and Approach..................................................................................................4
    Preparing the GUI .....................................................................................................4
    Program Explained.........................................................................................................4
    Thread Function:........................................................................................................5
    Events:........................................................................................................................6
    Improvements.................................................................................................................7
    Test Results....................................................................................................................8

    Page 2 of 9
    RegMon By Sunil Hargunani

    Problem Definition
    Monitor "run" registry keys, for example,
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce. Whenever a
    new application is added to one of the registry keys or existing application
    changed, etc., the change should be immediately displayed to the user. There
    are several different ways to implement this; feel free to implement whichever
    way is preferable

    Requirement
    Coding language:
    - Visual C++ using MFC

    GUI:

    - Start/Stop button
    - A list of registry keys being monitored
    - Log displaying applications that were added to the "run" keys

    Page 3 of 9
    RegMon By Sunil Hargunani

    Analysis and Approach


    Registry is a directory which stores settings and options for the operating
    system. Registry is organised with keys and value pairs.

    Approach to this problem would be:

    1. Start preparing the GUI


    2. Make a multi-threaded environment on button Start & Stop
    3. In each thread monitor registry key
    4. Report registry key change to the GUI

    Preparing the GUI

    It will be a Dialog Based Application with following controls used.


    - GUI will have a buttons Derived from CButton.
    - MFC Edit Control to display the messages Derived from CEdit.

    Program Explained
    //initialize the class...
    MyClass *c = new MyClass(this->m_hWnd,HKEY_LOCAL_MACHINE,
    "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce");
    //begin first thread....
    pThread = AfxBeginThread(MyThreadFunc,c,THREAD_PRIORITY_NORMAL,0,0);
    // initialize data
    MyClass *c1 = new MyClass(this->m_hWnd,HKEY_LOCAL_MACHINE,
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run");
    //begin second thread.
    pThread = AfxBeginThread(MyThreadFunc,c1,THREAD_PRIORITY_NORMAL,0,0);
    //show messsage in edit box 1.
    CString temp_str;

    m_edit1.SetWindowText("STARED:\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nH
    KLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run");
    //set event to start the application.
    g_eventStart.SetEvent();
    Table 1: OnStart()

    To start observing the registry keys in the thread we need to use the function
    called as AfxBeginThread(). This takes a parameter of type global function
    name. Here the function is called as MyThreadFunc. My Thread function is
    supposed to take only one parameter which is of type LPVOID. So, if we
    need to pass more parameters we just collect them up in a structure or a
    class and pass that as a parameter.

    Here in above program we choose MyClass to pass as one of the


    parameter. MyClass has members like HKEY , the full path of key and the

    Page 4 of 9
    RegMon By Sunil Hargunani

    handle to window. We need handle to window because we want to invoke


    user defined messages. Threads are started with normal priority.

    Thread Function:

    Thread function has following main calls:

    RegNotifyChangeKeyValue(hKey, TRUE, dwFilter, hEvent, TRUE);


    Table 2: Event Capture Key

    Notifies the caller about changes to the attributes or contents of a specified


    registry key1.

    Once a change in the key is noticed the hEvent is signaled so we need to


    capture the hEvent. To capture hEvent we have a function called

    WaitForSingleObject(hEvent, INFINITE)
    Table 3: Waiting for event to occur

    So now the thread will wait for infinite time until the event is triggered.

    Once the event is triggered we need to collect all the data. To collect data
    from that registry key we have a function called as:

    retCode = RegQueryInfoKey(
    hKey, // key handle
    achClass, // buffer for class name
    &cchClassName, // size of class string
    NULL, // reserved
    &cSubKeys, // number of subkeys
    &cbMaxSubKey, // longest subkey size
    &cchMaxClass, // longest class string
    &cValues, // number of values for this key
    &cchMaxValue, // longest value name
    &cbMaxValueData, // longest value data
    &cbSecurityDescriptor, // security descriptor
    &ftLastWriteTime); // last write time
    Table 4: Getting registry information

    With the above query info we will get the last modified time of the key as well.
    Which is required to display in logs.

    But the time is in the file format. So, we convert the time in the GMT Time
    and there after to the local time setting on the computer.

    FileTimeToSystemTime(&ftLastWriteTime, &stUTC);
    SystemTimeToTzSpecificLocalTime(NULL, &stUTC, &stLocal);
    Table 5: Find Time and Date

    1
    http://msdn2.microsoft.com/en-us/library/ms724892.aspx

    Page 5 of 9
    RegMon By Sunil Hargunani

    Now from above2 if the CValues is more than zero then we have some value
    element in the key.

    To read value elements in the key we call a function :


    retCode = RegEnumValue(hKey, i,
    achValue,
    &cchValue,
    NULL,
    &type,
    data,
    &dataSize);
    Table 6: Read data from the key

    Value is in achValue and the data is in data key. Size of data is the datasize
    key. Type of data is stored in the type key. We assume all the data to be
    string (REG_SZ).

    Now we iterate through the enum to read all the data.

    Once the data is read and we assume they are of type string then we store
    them in a form of MAP (STL). Why choose map ? Map is the container with
    the name value pair. So, we can store all the registry key values in a map. To
    find a registry key we will just search the map on the name.

    Once we have the map ready we will try to compare the latest values after
    change notification. We have categorized changes as :
    • CHANGE
    • ADD
    • DELETE

    And once these changes are identified we notify GUI of changes.

    We post a message to GUI

    PostMessage(hWnd,WM_USER_THREAD_UPDATE_PROGRESS,i,100);
    Table 7: To Notify GUI about changes

    This is a user created Message which is defined in message loop :

    ON_MESSAGE(WM_USER_THREAD_FINISHED, OnThreadFinished)
    ON_MESSAGE(WM_USER_THREAD_UPDATE_PROGRESS, OnThreadUpdateProgress)

    Then I write my own definition in the functions for OnThreadFinished &


    OnThreadUpdateProgress.

    So, once we receive message WM_USER_THREAD_UPDATE_PROGRESS we will


    process the message and display it to the user.

    Events:

    2
    Table 4

    Page 6 of 9
    RegMon By Sunil Hargunani

    During Start of Application we have an event called as :


    g_eventStart.SetEvent();
    so it should start the event. And we have a call in the Thread:
    WaitForSingleObject(g_eventStart, INFINITE);

    And for a stop we have similar pair:


    g_eventKill.SetEvent();
    WaitForSingleObject(g_eventKill, 0) == WAIT_OBJECT_0

    When we are reading and writing the data we use the critical section locks. So, the
    global string variable is protected between threads.

    Improvements
    1. Make an ini file and get the keys to be monitored.
    2. Change OnStart function to read it from ini file and then iterate through it to
    initialize thread. (Due to scope of this assignment, threads are restricted to
    watch only two keys)
    3. Instead of using the MyThreadFunc we can also use a wrapper class around
    CWinThread and functionality can be defined as we require. (This is only
    required in large applications)
    4. Change the global variable to a vector and store the strings in it. So, that we
    maintain the history of the changes and this can be later dumped into a file or
    in xml format.
    5. The registry keys can be outputted in an XML Format for easy storage and
    comparison. This can be an alternate way when we are monitoring a registry
    tree node and not a key.

    Page 7 of 9
    RegMon By Sunil Hargunani

    Test Results
    GUI

    Figure 1 : Test Results 1

    Page 8 of 9
    RegMon By Sunil Hargunani

    Page 9 of 9

    Potrebbero piacerti anche