Record all Registry Values that a Process Reads/Writes

Question

Is there a way to record all the registry values that a process reads/writes, similar to what Process Monitor does?

score 0 · Accepted Answer · edited Apr 18 '14 at 07:34

Handling WMI Events in .NET --- In order to handle WMI events in .NET, we can use classes from the System.Management namespace. For example, this is a piece of code produced by the WMI Code Creator:

using System;
using System.Management;
using System.Windows.Forms;

namespace WMISample
{
  public class WMIReceiveEvent
  {
    public static void Main()
    {
      try
      {
        //Construct the query. Keypath specifies the key in the registry to watch.
        //Note the KeyPath should be must have backslashes escaped. Otherwise 
        //you will get ManagementException.
        WqlEventQuery query = new WqlEventQuery(
                  "SELECT * FROM RegistryKeyChangeEvent WHERE " +
                  "Hive = 'HKEY_LOCAL_MACHINE'" +
                 @"AND KeyPath = 'SOFTWARE\\Microsoft\\.NETFramework'");

         ManagementEventWatcher watcher = new ManagementEventWatcher(query);
         Console.WriteLine("Waiting for an event...");

         ManagementBaseObject eventObj = watcher.WaitForNextEvent();

         Console.WriteLine("{0} event occurred.", eventObj["__CLASS"]);

         // Cancel the event subscription
         watcher.Stop();
         return;
      }
      catch(ManagementException err)
      {
          MessageBox.Show("An error occurred while trying to receive an event: " + 
        err.Message);
      }
    }
  }
}

Link rot happens. Please sum up or quote the crucial bits right here. Link-only answers are subject to deletion without further notice. Thanks. — ЯegDwight, Sep 06 '12 at 08:46

Record all Registry Values that a Process Reads/Writes

1 Answers1