Copyright © 1996-97 Mark Russinovich and Bryce Cogswell
Last updated March 3, 1997

NTRegmon - Registry Monitor V2.0

Introduction

NTRegmon is a device driver/GUI combination for NT 3.51 and NT 4.0 that displays all registry activity taking place on a Windows NT system. It is a demonstration of the power and utility of a new technique we've developed called kernel-mode system call hooking. This technique allows many internal NT operations to be monitored and altered. An article describing this technique was published in the January 1997 issue of Dr. Dobb's Journal.

Full source code has been uploaded, but it differs from the source that appeared in the article in that it is now much more portable across releases of NT. Instead of relying on hard-wired system call numbers, which had to be changed for each revision of NTOSKRNL, this latest version extracts system call numbers from the Zw functions (Zw functions are internal system calls made available to device drivers). As long as the implementation of the Zw functions does not change, which is unlikely given their simplicity (they are 4 assembly instructions in length), NTRegmon will remain compatible with NT updates.

Version 2.0 cleans up the code, fixes some bugs, and adds advanced filtering capability. In addition, root key abbreviations now adhere to the common standard (e.g. HKLM == HKEY_LOCAL_MACHINE). Filters can be established on the processes that are logged, as well as on paths.

Installation and Use

Installing NTRegmon is as easy as unzipping it and typing "ntregmon". The GUI dynamically loads the driver (based on code from the instdrv sample in the Windows NT DDK), which starts by hooking all registry-related kernel calls. This means that NTRegmon sees all application-level registry activity, and even most kernel registry calls.
The NTRegmon menus can be used to set up process and path filters, toggle hooking on and off, control the scrolling of the listview, and save the listview contents to an ASCII file. Both process and path filters take expressions similar to what the command prompt takes: you can specify names with '*' representing wildcards. The "Path Include" filter specifies the path names that will be monitored and the "Path Exclude" filter specifies the path names that will not be monitored. Where the two overlap, Path Exclude overrides. Note that the filters are interpreted in a case-*in*sensitive manner.

For example, if you do not want to see activity to Software subkeys, you could specify "*Software*" as the "Path Exclude" filter. If you only want to see activity under HKLM, set "HKLM*" as the Path Include filter. If you set both of these filters, all activity under HKLM would be logged except to subkeys with the name "Software" in them, such as HKLM\Software. By default, the filters are set up to watch all Registry activity: the process filter is "*", the Path Include filter is "*", and the Path Exclude filter is empty ("").

More Information

When a user-mode component makes a privileged system call, control is transferred to a software interrupt handler in NTOSKRNL.EXE (the core of the Windows NT operating system). This handler takes a system call number, which is passed in a machine register, and indexes into a system service table to find the address of the NT function that will handle the request. By replacing entries in this table with pointers to hooking functions, it is possible to intercept and replace, augment, or monitor NT system services. NTRegmon, which obviously hooks just the Registry-related services, is merely one example of this capability in action.

For more detailed information on how NTRegmon works, see:

* "Windows NT System Call Hooking," by Mark Russinovich and Bryce Cogswell, Dr. Dobb's Journal, January 1997

----------------------------------------------------------------------------

Download NTRegmon (29KB)
Download NTRegmon Plus Source (90KB)
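The process and path filter rules described above (case-insensitive '*' wildcards, Path Exclude overriding Path Include, an empty Path Exclude excluding nothing), worked through as a small C implementation. This is an added example, not NTRegmon's own source: the struct and function names are this example's own, and the registry paths are constructed rather than captured output.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Match s against pattern p, where '*' stands for any run of characters
 * (including none). Case-insensitive, as the NTRegmon filters are. */
static bool wild_match(const char *p, const char *s)
{
    while (*p) {
        if (*p == '*') {
            while (*p == '*') p++;            /* collapse repeated '*' */
            if (!*p) return true;             /* trailing '*' matches the rest */
            for (; *s; s++)
                if (wild_match(p, s)) return true;
            return false;
        }
        if (!*s || tolower((unsigned char)*p) != tolower((unsigned char)*s))
            return false;
        p++; s++;
    }
    return *s == '\0';
}

/* One filter set, as the GUI would hold it (names are this example's own). */
struct regmon_filter {
    const char *process;       /* default "*" */
    const char *path_include;  /* default "*" */
    const char *path_exclude;  /* default "", i.e. exclude nothing */
};

/* Path Exclude overrides Path Include where both match; "" excludes nothing. */
bool should_log(const struct regmon_filter *f, const char *process, const char *path)
{
    if (!wild_match(f->process, process)) return false;
    if (!wild_match(f->path_include, path)) return false;
    if (f->path_exclude[0] != '\0' && wild_match(f->path_exclude, path)) return false;
    return true;
}

int main(void)
{
    /* Constructed sample events, not captured NTRegmon output. */
    const struct regmon_filter f = { "*", "HKLM*", "*Software*" };
    const char *paths[] = { "HKLM\\System\\CurrentControlSet\\Services",
                            "HKLM\\Software\\Microsoft\\Windows",
                            "HKCU\\Control Panel\\Desktop" };
    for (int i = 0; i < 3; i++)
        printf("%s %s\n", should_log(&f, "explorer.exe", paths[i]) ? "LOG " : "skip", paths[i]);
    return 0;
}
```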