Could someone advise me how I could go about getting the process which caused the key change?
Thank you
|
|
|
|
 |
|
|
 |
|
 |
That's not possible by using RegNotifyChangeKeyValue, it just notifies you when something has changed, but not who or what. Just follow the documentation.
To get the causing process, you have to implement hooks just like ProcMon.
Regards
Thomas
Disclaimer: Because of heavy processing requirements, we are currently using some of your unused brain capacity for backup processing. Please ignore any hallucinations, voices or unusual dreams you may experience. Please avoid concentration-intensive tasks until further notice. Thank you.
|
|
|
|
 |
|
 |
Has something changed in Windows 7, or am I doing something wrong?
Here is my code (in vb.net) that changes the registry key ...
<code>
' Requires: Imports Microsoft.Win32 and Imports System.Text
' Open the tracing key for writing, creating it if it does not exist yet.
Dim tracingRegKey As RegistryKey = Registry.LocalMachine.OpenSubKey("Software\GDI\Tracing", True)
If tracingRegKey Is Nothing Then
    tracingRegKey = Registry.LocalMachine.CreateSubKey("Software\GDI\Tracing")
End If
If tracingRegKey IsNot Nothing Then
    ' Build a comma-separated list of the checked source files.
    Dim csvString As New StringBuilder()
    For Each item As String In clbVBFiles.CheckedItems
        If csvString.Length > 0 Then
            csvString.Append(",")
        End If
        csvString.Append(item)
    Next
    tracingRegKey.SetValue("SourceFileList", csvString.ToString())
    tracingRegKey.SetValue("TraceCCFilePath", txtCCLogFileName.Text)
    tracingRegKey.SetValue("TraceCCServiceFilePath", txtCCServiceLogFileName.Text)
    ' Store the trace level selected by the radio buttons.
    If rbErrors.Checked = True Then
        tracingRegKey.SetValue("TraceThreshold", Convert.ToInt16(TraceLevel.Error))
    ElseIf rbWarnings.Checked = True Then
        tracingRegKey.SetValue("TraceThreshold", Convert.ToInt16(TraceLevel.Warning))
    ElseIf rbInfo.Checked = True Then
        tracingRegKey.SetValue("TraceThreshold", Convert.ToInt16(TraceLevel.Info))
    ElseIf rbverbose.Checked = True Then
        tracingRegKey.SetValue("TraceThreshold", Convert.ToInt16(TraceLevel.Verbose))
    Else
        tracingRegKey.SetValue("TraceThreshold", Convert.ToInt16(TraceLevel.Off))
    End If
    tracingRegKey.Close()
End If
</code>
The Registry monitor output is 'Monitoring "HKEY_LOCAL_MACHINE\Software\GDI\Tracing" started', but I never see any event when I run my own program.
Thanks
Peter.
|
|
|
|
 |
|
 |
I have found the answer myself. Windows 7 creates a registry entry Wow6432Node, to map registry keys from a 32-bit application to the 64-bit operating system (go figure), so the key I need to monitor is "HKEY_LOCAL_MACHINE\Software\Wow6432Node\GDI\Tracing". Go figure.
I was running my own app as 32-bit because I need edit-and-continue, which 64-bit broke.
|
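The redirection described in the reply above, as an added example that is not part of the original thread or of the article's code: it opens the thread's Software\GDI\Tracing key through both registry views with RegistryKey.OpenBaseKey (.NET 4 or later) and prints, for each view, the path a monitor has to watch. The class and method names are made up for the illustration.

```csharp
using System;
using Microsoft.Win32;

static class RegistryViewCheck
{
    const string SubKey = @"Software\GDI\Tracing";   // key discussed in the thread

    // Full path a monitor must watch to see writes made through the given view.
    // Assumes a key under HKLM\Software, which is redirected for 32-bit processes
    // on 64-bit Windows (a few subkeys there are shared and not redirected).
    static string PhysicalPath(RegistryView view, string subKey)
    {
        bool redirected = view == RegistryView.Registry32
                          && Environment.Is64BitOperatingSystem
                          && subKey.StartsWith(@"Software\", StringComparison.OrdinalIgnoreCase);
        string tail = redirected ? @"Software\Wow6432Node\" + subKey.Substring(9) : subKey;
        return @"HKEY_LOCAL_MACHINE\" + tail;
    }

    // Report whether the key exists in the given view and which values it holds.
    static string Describe(RegistryView view)
    {
        using (RegistryKey hive = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (RegistryKey key = hive.OpenSubKey(SubKey))   // read-only; null if absent
        {
            string state = key == null
                ? "absent"
                : "present, values: " + string.Join(", ", key.GetValueNames());
            return view + " -> " + PhysicalPath(view, SubKey) + " : " + state;
        }
    }

    static void Main()
    {
        // Registry.LocalMachine uses the view that matches the bitness of this
        // process, so an x86 build writes through the 32-bit view.
        RegistryView own = Environment.Is64BitProcess
            ? RegistryView.Registry64 : RegistryView.Registry32;
        Console.WriteLine("This process writes via: " + PhysicalPath(own, SubKey));
        Console.WriteLine(Describe(RegistryView.Registry64));
        Console.WriteLine(Describe(RegistryView.Registry32));
    }
}
```

Built once as x86 and once as x64, the first output line shows why a monitor and the program it watches have to agree on the view.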
|
|
|
 |
|
 |
First off, thank you for putting this class together – it exposes exactly what I need in a nice, clean manner.
The reason for this post is that I’m having issues consuming the events that RegistryMonitor generates (if it is indeed generating them) from a Windows service.
To make sure I had everything working I first created a stand-alone WinForms executable. The program was pretty basic and consisted of a single form with a private RegistryMonitor variable. In the form’s constructor there was code to instantiate a new object assigned to that variable, and then lines to delegate the RegChanged and Error events to subroutines in the form’s code. I called Start on the class as the last line of the constructor, and everything worked as expected.
I then tried to port that code over to a service without much luck. I copied the RegChanged and Error routines verbatim, copied the private variable declaration over, and moved the code from the stand-alone executable’s constructor to the service’s OnStart event. The service starts fine, I can attach to it from Visual Studio, and I know it’s running because it will break on the OnStop event when I stop the service, but I never get any events.
The RegistryMonitor class remains unchanged from the one provided on this site, and my class looks as follows:
<code>
using System;
using System.IO;
using System.ServiceProcess;
using Microsoft.Win32;

namespace Lullaby
{
    public partial class Lullaby : ServiceBase
    {
        private RegistryMonitor p_oMonitor;

        public Lullaby()
        {
            InitializeComponent();
        }

        // Create the monitor and subscribe to its events when the service starts.
        protected override void OnStart(string[] args)
        {
            p_oMonitor = new RegistryMonitor(RegistryHive.CurrentUser, "Control Panel\\PowerCfg");
            p_oMonitor.RegChanged += new EventHandler(OnRegChanged);
            p_oMonitor.Error += new ErrorEventHandler(OnError);
            p_oMonitor.Start();
        }

        // Stop monitoring and detach the handlers when the service stops.
        protected override void OnStop()
        {
            if (p_oMonitor != null)
            {
                p_oMonitor.Stop();
                p_oMonitor.RegChanged -= new EventHandler(OnRegChanged);
                p_oMonitor.Error -= new ErrorEventHandler(OnError);
                p_oMonitor = null;
            }
        }

        private void OnRegChanged(object sender, EventArgs e) { }

        private void OnError(object sender, ErrorEventArgs e) { }
    }
}
</code>
I’m a moderately experienced C# coder but admittedly have done little to no work with either Windows services or threaded code so I may be missing something obvious, but if you had any insights they’d be appreciated.
|
|
|
|
 |
|
 |
You are monitoring a key inside HKEY_CURRENT_USER.
If you are running the app as a desktop app, it will monitor the key in the presently logged-on user's registry hive.
If you are running the app as a service, it will be looking in the registry hive of the service user account, not the logged-on user.
By default this will be the
HKEY_USERS\S-1-5-18 for local system
HKEY_USERS\S-1-5-19 for local service
HKEY_USERS\S-1-5-20 for network service
If you are trying to monitor the logged-on user's keys from a service, you need to do something like getting the SIDs of the logged-on user (or users) or monitoring the Windows logon events, and then monitoring from your service HKEY_USERS\.
Note if you do this you need to be extremely careful that you detect user session ends and remove the monitoring, otherwise it can prevent things like roaming profile uploads at logoff as you have the user's registry hive locked.
-
Drayath
|
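One way a service could find the hives to watch, as an added example that is not part of the original thread or of the article's code: it lists the user hives currently loaded under HKEY_USERS, resolves each SID to an account name, and builds the per-user path for the Control Panel\PowerCfg key from the question. The class name and the S-1-5-21- prefix filter are assumptions of this sketch.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using Microsoft.Win32;

static class LoadedUserHives
{
    // SID -> account name for each user profile hive currently loaded under HKEY_USERS.
    // Assumption: the S-1-5-21- prefix selects local and domain accounts; other SID
    // families would need their own prefix. A loaded hive means the profile is in
    // use, which is usually but not always an interactive logon.
    public static Dictionary<string, string> Find()
    {
        var hives = new Dictionary<string, string>();
        foreach (string name in Registry.Users.GetSubKeyNames())
        {
            // Skip .DEFAULT, the service accounts S-1-5-18/19/20 and the *_Classes hives.
            if (!name.StartsWith("S-1-5-21-", StringComparison.OrdinalIgnoreCase)) continue;
            if (name.EndsWith("_Classes", StringComparison.OrdinalIgnoreCase)) continue;
            try
            {
                hives[name] = new SecurityIdentifier(name).Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                hives[name] = "(unresolved account)";
            }
        }
        return hives;
    }

    static void Main()
    {
        const string subKey = @"Control Panel\PowerCfg";   // key from the question above
        foreach (KeyValuePair<string, string> hive in Find())
        {
            string path = hive.Key + "\\" + subKey;
            // Open and close again at once: a handle kept open on a user's hive
            // is what interferes with profile unload at logoff.
            using (RegistryKey key = Registry.Users.OpenSubKey(path))
            {
                Console.WriteLine("{0}  HKEY_USERS\\{1}  {2}", hive.Value, path,
                                  key == null ? "(key absent)" : "(key present)");
            }
        }
    }
}
```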
|
|
|
 |
|
 |
Hello Thomas,
It's really very good for monitoring registry entries. It's really very good.
How can I get the name of the created or modified or deleted registry entry?
If you have any suggestion or answer please help.
Thanks
If you can think then I Can.
|
|
|
|
 |
|
 |
It's not possible, see my reply to puyopuy.
Regards
Thomas
|
|
|
|
 |
|
 |
Hello, I keep getting the above exception no matter what key I try to watch.
The exception is thrown by:
RegistryUtils.RegistryMonitor.ThreadLoop()
I'm pretty sure these are the offending lines of code:
<code>
private void ThreadLoop()
{
    IntPtr registryKey;
    // Open the monitored key with the rights needed to wait for change notifications.
    int result = RegOpenKeyEx(_registryHive, _registrySubName, 0,
                              STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_NOTIFY,
                              out registryKey);
    if (result != 0)
        throw new Win32Exception(result);
    ...
}
</code>
Unfortunately, I have no idea what the exception message means. What file is it looking for? Any help would be appreciated. This code would be awesome if it worked for me!
Thanks,
Andrew
|
|
|
|
 |
|
 |
What does the callstack say?
Regards
Thomas
|
|
|
|
 |
|
 |
<EOM>
|
|
|
|
 |
|
 |
Hi,
Never had much luck with trialware for monitoring the registry. However, I managed a reasonable solution using commonly installed Windows components.
1. Load RegEdit.EXE
2. Export tree to file1.reg
3. Perform your task
4. Export tree to file2.reg
5. Use WinMerge.EXE on the files
100% works and is faster than purchasing other snapshot software. http://winmerge.org/
|
|
|
|
 |
|
 |
Hello all,
In the demo it only tells us if a key changed, but it cannot tell whether it is a new key or a modified old key, what the new value is and what the key type is (e.g. string, boolean or integer ...). Does anyone have an idea how to do it?
I would appreciate any help and suggestion.
puyo
|
|
|
|
 |
|
 |
Hi Puyo,
Unfortunately, the API of RegNotifyChangeKeyValue does not expose that information.
Regards
Thomas
|
|
|
|
 |
|
 |
Thanks Thomas, does that mean we can't get that information using?
|
|
|
|
 |
|
 |
Not as far as I know.
Regards
Thomas
|
|
|
|
 |
|
 |
Thanks for info
|
|
|
|
 |
|
 |
I have this silly idea...
Can we get the key's subkeys and the values in any way?
If we can, we can store them in a struct (with fields: name, type, value, solitary hash code) and order it by the field solitary hash code (a special solitary number that would be generated through MD5 or a similar algorithm when the key or value is stored in the struct).
Then we use the function RegNotifyChangeKeyValue (which gives us the key that is modified and not the type and the value). Then we can take the subkeys and the values of the modified keys into another instance of the same struct and compare them with the first struct after comparing the hash codes of the 2 structs (with that we have the changed keys and the values). With that we can find the type that is changed and the value.
Is this possible? Sounds tricky.
thanks
Alex
|
|
|
|
 |
|
 |
Of course, that's possible.
Regards
Thomas
|
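The snapshot-and-compare idea from the two posts above, as an added example that is not part of the original thread or of the article's code: it records name, type and data of every value directly under one key, and after a change reports what was added, modified or deleted. It compares the stored type and data directly instead of an MD5 hash, covers values only (subkeys would need a recursive walk with GetSubKeyNames), and uses a constructed demo key under HKEY_CURRENT_USER; all names are made up for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using Microsoft.Win32;
using Snap = System.Collections.Generic.Dictionary<string, System.Tuple<Microsoft.Win32.RegistryValueKind, string>>;

static class RegistrySnapshotDiff
{
    // Capture name -> (type, printable data) for every value directly under the key.
    public static Snap Snapshot(RegistryKey key)
    {
        var snap = new Snap(StringComparer.OrdinalIgnoreCase);
        foreach (string name in key.GetValueNames())
            try { snap[name] = Tuple.Create(key.GetValueKind(name), Render(key.GetValue(name))); }
            catch (IOException) { }   // value was deleted between enumeration and read
        return snap;
    }
    // REG_BINARY as hex, REG_MULTI_SZ joined with '|', everything else via ToString.
    static string Render(object raw) => raw is byte[] ? BitConverter.ToString((byte[])raw)
        : raw is string[] ? string.Join("|", (string[])raw) : Convert.ToString(raw);

    // List what was added, modified (type or data) or deleted between two snapshots.
    public static List<string> Diff(Snap before, Snap after)
    {
        var changes = new List<string>();
        foreach (var now in after)
        {
            Tuple<RegistryValueKind, string> old;
            if (!before.TryGetValue(now.Key, out old)) changes.Add("added    " + now.Key + " = " + now.Value);
            else if (!old.Equals(now.Value)) changes.Add("modified " + now.Key + ": " + old + " -> " + now.Value);
        }
        foreach (string name in before.Keys)
            if (!after.ContainsKey(name)) changes.Add("deleted  " + name);
        return changes;
    }

    static void Main()
    {
        const string path = @"Software\SnapshotDiffDemo";   // constructed demo key
        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(path))
        {
            key.SetValue("TraceThreshold", 1);
            key.SetValue("Stale", "x");
            Snap before = Snapshot(key);                    // taken when monitoring starts
            key.SetValue("TraceThreshold", 4);              // changes another process might make
            key.SetValue("SourceFileList", "a.vb,b.vb");
            key.DeleteValue("Stale");
            foreach (string line in Diff(before, Snapshot(key))) Console.WriteLine(line);
        }
        Registry.CurrentUser.DeleteSubKeyTree(path);
    }
}
```

In a monitor, the second Snapshot call would sit in the change handler, and its result would replace the stored snapshot afterwards.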
|
|
|
 |
|
 |
Hi,
I'm having problems using the class in a Windows Service. On changing the monitored registry I get the error:
"Object reference not set to an instance of an object.."
The handled 'crash' is in the protected virtual void OnRegChanged() function in the RegistryMonitor class, when setting the handler constructor (Ln99)
The change is clearly caught, but I don't seem to get the signal, any thoughts?
The implementation is simple:
<code>
string keyName = string.Format("{0}\\{1}", Registry.LocalMachine.Name, registryPath);
monitor = new RegistryMonitor(keyName);
monitor.RegChanged += new EventHandler(OnRegChanged);
monitor.Error += new System.IO.ErrorEventHandler(OnError);
monitor.Start();
...
private void OnRegChanged(object sender, EventArgs e)...
</code>
|
|
|
|
 |
|
 |
Cannot download the attached files.
Are they missing?
Thanks
|
|
|
|
 |
|
 |
I can download both files without a problem. Maybe it was a temporary glitch. Please try again.
Regards
Thomas
|
|
|
|
 |
|
 |
First off - nice article. Very helpful.
It looks like there's a thread problem here, though. If I call Start(), then immediately modify the registry programmatically, then the ThreadLoop() call may not have reached RegNotifyChangeKeyValue(), so the change will go unnoticed.
This can be partially fixed by at least waiting in Start() until that call is reached (although that's not a perfect solution).
Also, if a registry change is picked up, then it's possible that another change could occur between OnRegChanged() and the next RegNotifyChangeKeyValue() call, which would also fall through the cracks.
Finally, if the terminate event is signalled, then OnRegChanged() will get called - the code doesn't differentiate between termination or notification.
Is there no alternative method of monitoring the registry, that could be done with, say, callbacks, rather than signalling?
Edit: Ha. My bad - I just checked: RegNotifyChangeKeyValue() will pick up on changes between calls, so my second point is nonsense.
-- modified at 6:52 Monday 20th August, 2007
|
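A watcher loop that addresses the first and third points of the post above, as an added example that is not the article's RegistryMonitor and not part of the original thread: Start() returns only after the first RegNotifyChangeKeyValue registration, and the index returned by WaitHandle.WaitAny tells a stop request apart from a registry change. The KeyWatcher class, its members and the demo key are made up for the illustration; it needs .NET 4 or later for RegistryKey.Handle.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading;
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;
sealed class KeyWatcher
{
    [DllImport("advapi32.dll")]
    static extern int RegNotifyChangeKeyValue(SafeRegistryHandle key, bool watchSubtree,
        int filter, SafeWaitHandle evt, bool asynchronous);
    const int Filter = 0x1 | 0x2 | 0x4 | 0x8;   // NAME | ATTRIBUTES | LAST_SET | SECURITY
    readonly ManualResetEvent _stop = new ManualResetEvent(false);
    readonly ManualResetEvent _armed = new ManualResetEvent(false);
    Thread _thread;
    public int LastError;                        // Win32 error of a failed registration, else 0
    public event EventHandler Changed;
    public void Start(RegistryKey key)
    {
        (_thread = new Thread(() => Loop(key)) { IsBackground = true }).Start();
        _armed.WaitOne();                        // block until the first registration is made
    }
    public void Stop() { _stop.Set(); _thread.Join(); }
    void Loop(RegistryKey key)
    {
        using (var notify = new AutoResetEvent(false))
            while (true)
            {
                // Asynchronous mode: returns at once, 'notify' is set on the next change.
                LastError = RegNotifyChangeKeyValue(key.Handle, true, Filter, notify.SafeWaitHandle, true);
                _armed.Set();
                // Index 0 = registry change, index 1 = stop request: only 0 raises the event.
                if (LastError != 0 || WaitHandle.WaitAny(new WaitHandle[] { notify, _stop }) == 1) return;
                EventHandler handler = Changed;
                if (handler != null) handler(this, EventArgs.Empty);
            }
    }

    static void Main()
    {
        int seen = 0;
        var watcher = new KeyWatcher();
        watcher.Changed += (s, e) => Interlocked.Increment(ref seen);
        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(@"Software\KeyWatcherDemo"))  // constructed key
        {
            watcher.Start(key);
            key.SetValue("Probe", 1);            // written immediately after Start()
            Thread.Sleep(500);
            watcher.Stop();                      // must not be counted as a change
        }
        Registry.CurrentUser.DeleteSubKeyTree(@"Software\KeyWatcherDemo");
        Console.WriteLine("changes seen: " + seen);
    }
}
```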