
  Copyright © 1997 Mark Russinovich and Bryce Cogswell

  Last Updated August 11, 1997

  NTRegmon - Registry Monitor V3.2

   Introduction NTRegmon is a device driver/GUI combination for NT 3.51
                and NT 4.0 that displays all registry activity taking
                place on a Windows NT System. It is a demonstration of
                the power and utility of a new technique we've developed
                called kernel-mode system call hooking. This technique
                allows for many internal NT operations to be monitored
                and altered. An article describing this technique was
                published in the January 1997 issue of Dr. Dobb's
                Journal.

                Full source code has been uploaded, but it differs from
                the source that appeared in the article in that it is now
                much more portable across releases of NT. Instead of
                relying on hard-wired system call numbers which had to be
                changed for each revision of NTOSKRNL, this latest
                version extracts system call numbers from Zw functions
                (Zw functions are internal system calls made available
                for device drivers). As long as the implementation of Zw
                functions does not change, which is unlikely due to their
                simplicity (they are 4 assembly instructions in length),
                NTRegmon will remain compatible with NT updates.

                Version 3.0 includes some minor bug fixes, further
                improved code, and major usability enhancements including
                a toolbar and output search capabilities.

   Installation Installing NTRegmon is as easy as unzipping it and
        and Use typing "ntregmon". The GUI dynamically loads the driver
                (based on code from the instdrv sample in the Windows NT
                DDK), which starts by hooking all registry related kernel
                calls. This means that NTRegmon sees all
                application-level registry activity, and even most kernel
                registry calls. The NTRegmon menus and tool bar buttons
                can be used to set up process and path filters, toggle on
                and off hooking, control the scrolling of the listview,
                and to save the listview contents to an ASCII file.

                Both process and path filters take expressions similar to
                what the command prompt takes: you can specify names with
                '*' representing wild cards. The "Path Include" filter
                represents path names that will be monitored and the
                "Path Exclude" filter represents path names that will not
                be monitored. Where there is overlap, Path Exclude
                overrides. Note that the filters are interpreted in a
                case-*in*sensitive manner.

                For example, if you do not want to see activity to
                Software subkeys you could specify "*Software*" as the
                "Path Exclude" filter. If you only want to see activity
                to the HKLM directory, set "HKLM*" as the Path Include
                filter. If you set both of these filters all activity to
                HKLM would be logged except to subkeys with the name
                "Software" in them like HKLM\Software.

                By default, the filters are set up to watch all Registry
                activity. The process filter is "*", the Path Include
                filter is "*", and the Path Exclude filter is empty ("").
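The filter rules above (a single '*' wildcard, case-insensitive comparison, Path Exclude winning over Path Include) can be modelled in a few lines of user-mode C. The following is an added example, not NTRegmon's own source; the function names, the iterative matcher and the sample paths are assumptions made for illustration, and only the semantics stated on this page are implemented.

```c
/* Added example (not NTRegmon's own code): a user-mode model of the
 * process/path filter semantics described above. Assumptions: '*' is the
 * only wildcard, comparison is case-insensitive, an empty Exclude filter
 * excludes nothing, and an Exclude match overrides an Include match. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Match `text` against `pat`, where '*' matches any run of characters
 * (including none) and every other character compares case-insensitively.
 * Iterative backtracking: remember the last '*' and retry from it. */
int wild_match(const char *pat, const char *text)
{
    const char *star = NULL;   /* last '*' seen in the pattern */
    const char *mark = NULL;   /* text position where that '*' started */

    while (*text) {
        if (*pat == '*') {
            star = pat++;
            mark = text;
        } else if (*pat &&
                   tolower((unsigned char)*pat) == tolower((unsigned char)*text)) {
            pat++;
            text++;
        } else if (star) {
            pat = star + 1;    /* let the '*' absorb one more character */
            text = ++mark;
        } else {
            return 0;
        }
    }
    while (*pat == '*')        /* trailing stars match the empty tail */
        pat++;
    return *pat == '\0';
}

/* Decide whether a registry path is logged under the given filters. */
int should_log(const char *include, const char *exclude, const char *path)
{
    if (exclude[0] != '\0' && wild_match(exclude, path))
        return 0;              /* Path Exclude overrides Path Include */
    return wild_match(include, path);
}

int main(void)
{
    /* Constructed sample paths, checked against the page's example
     * filters: Include "HKLM*", Exclude "*Software*". */
    const char *paths[] = {
        "HKLM\\Software\\Microsoft",
        "HKLM\\System\\CurrentControlSet",
        "HKCU\\Software\\Classes",
    };
    size_t i;
    for (i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-34s %s\n", paths[i],
               should_log("HKLM*", "*Software*", paths[i]) ? "logged" : "filtered");
    return 0;
}
```

With the defaults from the text (Include "*", Exclude "") every path is logged; setting both example filters logs HKLM\System but not HKLM\Software, which is the behaviour the paragraph describes.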

         Sample
     Screenshot Here is a screenshot of NTRegmon.

           More When a user-mode component makes a privileged system
    Information call, control is transferred to a software interrupt
                handler in NTOSKRNL.EXE (the core of the Windows NT
                operating system). This handler takes a system call
                number, which is passed in a machine register, and
                indexes into a system service table to find the address
                of the NT function that will handle the request. By
                replacing entries in this table with pointers to hooking
                functions, it is possible to intercept and replace,
                augment, or monitor NT system services. NTRegmon, which
                obviously hooks just the Registry-related services, is
                merely one example of this capability in action.
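The two mechanisms this page relies on, reading the service number out of a Zw stub (Introduction) and replacing a system service table entry with a monitoring hook that forwards to the original (this section), can be shown together in a user-mode model. The code below is an added example, not NTRegmon's or the DDK's source: the stub bytes, the service number 0x3B, the table size, the `open_key_service` stand-in and all function names are constructed for illustration, and nothing here touches a real kernel.

```c
/* Added example (not NTRegmon's or the DDK's code): a user-mode model of
 * (1) extracting a service number from a Zw-style stub and (2) redirecting
 * a service table entry to a monitoring hook that forwards to the original.
 * The stub bytes, table and service number are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed x86 stub in the shape of a Zw function:
 *   B8 imm32       mov eax, <service number>
 *   8D 54 24 04    lea edx, [esp+4]
 *   CD 2E          int 2Eh
 *   C2 08 00       ret 8
 * The service number is the 32-bit immediate after the 0xB8 opcode. */
const uint8_t zw_stub[] = { 0xB8, 0x3B, 0x00, 0x00, 0x00,
                            0x8D, 0x54, 0x24, 0x04,
                            0xCD, 0x2E,
                            0xC2, 0x08, 0x00 };

/* Return the service number encoded in a stub, or -1 if the stub does not
 * start with `mov eax, imm32`. The immediate is little-endian. */
long service_number_from_stub(const uint8_t *stub, size_t len)
{
    if (len < 5 || stub[0] != 0xB8)
        return -1;
    return (long)((uint32_t)stub[1] | (uint32_t)stub[2] << 8 |
                  (uint32_t)stub[3] << 16 | (uint32_t)stub[4] << 24);
}

typedef long (*service_fn)(const char *arg);

#define TABLE_SIZE 64
static service_fn service_table[TABLE_SIZE];   /* model of the service table */
static service_fn saved_original;              /* entry the hook replaced */
static char last_logged[128];                  /* what the hook observed */
static int hook_calls;

/* Stand-in for a registry service: returns the path length as its result. */
static long open_key_service(const char *path) { return (long)strlen(path); }

/* Monitoring hook: record the argument, then forward to the original. */
static long open_key_hook(const char *path)
{
    hook_calls++;
    snprintf(last_logged, sizeof last_logged, "OpenKey %s", path);
    return saved_original(path);
}

void setup_table(void)                      /* populate the constructed table */
{
    memset(service_table, 0, sizeof service_table);
    service_table[0x3B] = open_key_service;
    saved_original = NULL;
    hook_calls = 0;
    last_logged[0] = '\0';
}

int install_hook(long number)
{
    if (number < 0 || number >= TABLE_SIZE || saved_original || !service_table[number])
        return 0;
    saved_original = service_table[number];
    service_table[number] = open_key_hook;
    return 1;
}

int remove_hook(long number)
{
    if (number < 0 || number >= TABLE_SIZE || !saved_original)
        return 0;
    service_table[number] = saved_original;
    saved_original = NULL;
    return 1;
}

/* Dispatcher: index the table by service number, as the interrupt handler
 * described above does, and call whatever entry is installed. */
long dispatch(long number, const char *arg)
{
    if (number < 0 || number >= TABLE_SIZE || !service_table[number])
        return -1;
    return service_table[number](arg);
}

int hook_call_count(void) { return hook_calls; }
const char *last_log_line(void) { return last_logged; }

int main(void)
{
    long n = service_number_from_stub(zw_stub, sizeof zw_stub);
    setup_table();
    install_hook(n);
    dispatch(n, "HKLM\\Software");
    printf("service %ld: %s (%d call seen)\n", n, last_log_line(), hook_call_count());
    remove_hook(n);
    return 0;
}
```

The caller's result is unchanged by the hook, which is the property a monitor such as NTRegmon needs: it observes every call through the table entry and passes it on, and restoring the saved pointer unhooks it.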

                For more detailed information on how NTRegmon works, see:

                   * "Windows NT System Call Hooking," by Mark
                     Russinovich and Bryce Cogswell, Dr. Dobb's Journal,
                     January 1997

  ------------------------------------------------------------------------

                       Download NTRegmon (x86) (33KB)

                      Download NTRegmon (Alpha) (72KB)

                      Download NTRegmon Source (110KB)
