Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,245 questions
ETW Registry event monitoring
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 90%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBB%3C/text%3E%3C/svg%3E)
Baked Byte
20
Reputation points
I'm trying to use ETW (event trace) to trace registry activity in real time. The bottom line is, I'm having a problem constructing the full registry path being modified - I only have a relative path. Here's a more detailed description, it's a bit long but essential to understanding my issue:
Using message analyzer, I set up a session with the microsoft-windows-kernel-registry provider and began editing the registry in order to trigger ETW events. Here are the relevant events I saw:
Event Id 1 - create a registry key
Event Id 2 - open a registry key
Event Id 5 - set a value name (plus it contains only the key object -discussed later- and a value name.)
Event Id 13 - close a registry key (same as evt id 5)
Events 1 and 2 contain several interesting fields:
- keyObject, which is a pointer. My guess is that this is an object from the Windows Object Manager, of type 'key' (registry object), corresponding to the current relative path I'm currently opening.
- baseObject, similar to keyObject, but should point instead to the object of the base path.
- RelativeName, the relative registry path. For example: SOFTWARE\Microsoft\Windows\CurrentVersion.
But It NEVER contains the root key. It even contains a much smaller path than this, like 'app' of something.
In other cases it contains the kernel-space path representation starting with REGISTRY\SYSTEM...
- BaseName, my guess is this here should appear the path that is missing from 'relative name', and that together they should form the full path. The problem is it's always empty ("").
My question is - is there a way, given the base object pointer or whatsoever, to deduct the full path for each event?
Basically each time that I manage to trigger an OpenKey, CreateKey, SetValueKey event I NEVER get the full path being opened, created, or the path of the value set. Some external posts like thisone talk about KCB events, saying that those events contain the full path. Another resource referencing those events is this one, but the fact is that i cannot find in the ETW provider or in the documentation where those KCBCreate or KCBRundown etc. are. Beside that it is not 100% clear what keyObject and baseObject are and how can be useful to solve this issue.
Thanks!
question baseline was taken by https://sysinternals32.rssing.com/chan-7466651/all_p358.html since the issue is basically the same but the sysinternals website hosting this question and its answers (if any) is now offline.
Sysinternals
Sign in to answer