EaseFilter Registry Protection SDK is a filter driver, it allows you to develop application to track or block the registry changes. When the registry key, value or security was modified, the callback routine will be invoked with a data structure that contains information that is specific to the type of registry operation.

Blocking registry calls to prevent your registry from being changed by unauthorized processes. When the registry key, value or security is going to be modified, the callback routine will be invoked with a data structure that contains information that is specific to the type of registry operation, If a RegistryCallback routine returns a status value “STATUS_ACCESS_DENIED” for a pre-notification, this registry operation will be blocked and the error code will be returned.

Registry Filter Driver

Registry filter driver is a kernel-mode driver that filters registry calls, it provides you an easy way to develop Windows application for registry monitoring and protection, track the registry change and prevent the registry from being changed by unauthorized processes or users. With the EaseFilter Registry Filter Driver, it enables your application to protect Windows core registry keys and values and to prevent potentially damaging system configuration changes, besides operating system files. By registering a RegistryCallback routine in the registry filter driver, it can receive notifications of each registry operation before the configuration manager processes the operation. A set of REG_XXX_KEY_INFORMATION data structures which contain information about each registry operation will return to your user mode application, your application can allow the registry access or change to authorized processes or users, and deny the registry access to unauthorized processes or users.

Registry access monitoring

To be notified of registry operations, it needs to register the RegistryCallback routine with REG_NOTIFY_CLASS which specifies the type of registry operation that the configuration manager is passing to a RegistryCallback routine, When the configuration manager calls a driver's RegistryCallback routine, it passes a REG_NOTIFY_CLASS enumeration value to the routine. The configuration manager also passes a notification-specific structure that contains information about the notification. The RegistryCallback routine can inspect the contents of the input and output buffers that are supplied for registry operations.

Track the registry key changes

To track the registry key changes, register these "Reg_Post_Create_Key, Reg_Post_Delete_Key, Reg_Post_Set_Value_Key, Reg_Post_Delete_Value_Key, Reg_Post_SetInformation_Key, Reg_Post_Rename_Key, Reg_Post_Create_KeyEx, Reg_Post_Restore_Key,Reg_Post_Replace_Key" notification classes. When the registry key, value or security was modified, the callback routine will be invoked with a data structure that contains information that is specific to the type of registry operation.

Registry protector

To block the registry changes by unauthorized processes, register these "Reg_Pre_Create_Key, Reg_Pre_Delete_Key, Reg_Pre_Set_Value_Key, Reg_Pre_Delete_Value_Key, Reg_Pre_SetInformation_Key, Reg_Pre_Rename_Key, Reg_Pre_Create_KeyEx, Reg_Pre_Restore_Key, Reg_Pre_Replace_Key" notification classes. When the registry key, value or security is going to be modified, the callback routine will be invoked with a data structure that contains information that is specific to the type of registry operation, If a RegistryCallback routine returns a status value "STATUS_ACCESS_DENIED" for a pre-notification, this registry operation will be blocked and the error code will be returned.

Registry key virtualization

Modifying registry calls to create virtual registry key or value: To register pre-notification, RegistryCallback routine can modify a registry operation's output parameters or return value. Additionally, to handle the virtual registry key or value, the RegistryCallback routine can return your own customized data instead of allowing the registry to handle the operation.

Quick Navigation;