如何hook注册表的项值变化?

forestchi

如何hook注册表的项值变化?如变化则重启.

马甲

最简单的方法是循环读取注册表。如果不一样，就重启

小三

#include <date.au3>

$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\default")
$colEvents = $objWMIService.ExecNotificationQuery _
    ("SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND " & _
        "KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'")

While 1
        Sleep(250)
    $objLatestEvent = $colEvents.NextEvent
    MsgBox(0,0,"注册表已更改")       
WEnd

forestchi

感谢小三,有没有api的函数,wmi开机运行太慢了,另外我只监控:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network
config 这个项,要怎么监控?

akmm88

CreateEventA
RegNotifyChangeKeyValue
WaitForSingleObject
返回WAIT_OBJECT_0为被更改
返回WAIT_ABANDONED为发生错误，可以以此做异常处理。

tle_sammy

都是天书，看不懂

pusofalse

#include <WinAPI.au3>
#include <LocalSecurityAuthority.au3>

$hKey = _RegOpenKeyEx($HKEY_LOCAL_MACHINE, "Software\Test", $KEY_NOTIFY)
$hEvent = _RegNotifyChangeKeyValue($hKey, False, 15)
_WinAPI_WaitForSingleObject($hEvent, -1)
Msgbox(0, "", "Machine\Software\Test has changed.")
_RegCloseKey($hKey)

Func _RegNotifyChangeKeyValue($hKey, $fWatchSub = False, $iFilter = 15)
        Local $hEvent, $iResult

        $hEvent = _WinAPI_CreateEvent()
        $iResult = DllCall("Advapi32.dll", "long", "RegNotifyChangeKeyValue", _
                        "hWnd", $hKey, "int", $fWatchSub, "dword", $iFilter, _
                        "hWnd", $hEvent, "int", 1)
        Return SetError($iResult[0], 0, $hEvent)
EndFunc        ;==>_RegNotifyChangeKeyValue

LocalSecurityAuthority.au3 - http://www.autoitx.com/forum.php ... &extra=page%3D1