Is there a way to monitor registry changes? - winapi

Could you tell me how to monitor registry changes (specified values) using WinAPI or similar?
I know there is the function RegNotifyChangeKeyValue, which notifies the caller about changes to the attributes or contents of a specified registry key, for example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
But I need to see if value of the specified parameter in the key was changed:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Skype
So RegNotifyChangeKeyValue only works with keys and monitors all parameters of the specified key...
Thank you!

RegNotifyChangeKeyValue is what you need. Pass in REG_NOTIFY_CHANGE_LAST_SET as the notify filter argument, and whenever you receive a notification you know that some value of the key has been added, deleted or modified. You must then check whether or not the specific value of interest has changed. There is no more fine-grained monitoring functionality available to you.
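The pattern the answer describes, as an added example that is not from the question or answer: snapshot the one value of interest, block on RegNotifyChangeKeyValue with REG_NOTIFY_CHANGE_LAST_SET, re-read the value and report only if this value (not just some value in the key) changed. The key path and value name are the ones from the question; the snapshot comparison is kept portable and the Win32 loop is compiled only on Windows.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Snapshot of one registry value: its type plus its raw data bytes. */
typedef struct {
    uint32_t type;            /* REG_SZ, REG_EXPAND_SZ, REG_DWORD, ... */
    uint32_t size;            /* bytes used in data[] */
    unsigned char data[1024]; /* enough for a Run-key command line */
} value_snapshot;

/* The check the answer leaves to you: did THIS value change? Returns 1 if
 * type, length or content differ, else 0. Portable so it can be unit-tested. */
int value_changed(const value_snapshot *a, const value_snapshot *b) {
    if (a->type != b->type || a->size != b->size) return 1;
    return memcmp(a->data, b->data, a->size) != 0;
}

#ifdef _WIN32
#include <windows.h>

/* Reads one named value into *out; returns 0 if it is absent or unreadable. */
static int read_value(HKEY key, const char *name, value_snapshot *out) {
    DWORD size = sizeof out->data, type = 0;
    if (RegQueryValueExA(key, name, NULL, &type, out->data, &size) != ERROR_SUCCESS)
        return 0;
    out->type = type; out->size = size;
    return 1;
}

int main(void) {
    const char *subkey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    const char *name = "Skype";          /* the single value being watched */
    HKEY key;
    if (RegOpenKeyExA(HKEY_CURRENT_USER, subkey, 0, KEY_NOTIFY | KEY_QUERY_VALUE, &key)
            != ERROR_SUCCESS) return 1;
    value_snapshot before = {0}, after = {0};
    int present = read_value(key, name, &before);
    for (;;) {
        /* Blocks until ANY value in the key is added, deleted or set. */
        if (RegNotifyChangeKeyValue(key, FALSE, REG_NOTIFY_CHANGE_LAST_SET, NULL, FALSE)
                != ERROR_SUCCESS) break;
        int now = read_value(key, name, &after);
        if (present != now || (now && value_changed(&before, &after)))
            printf("'%s' changed: present before=%d now=%d\n", name, present, now);
        before = after; present = now;   /* the new state becomes the baseline */
    }
    RegCloseKey(key);
    return 0;
}
#endif
```

Note that deleting the value, or replacing it with identical bytes, is also covered: the first is reported through the presence flag, the second is correctly ignored.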

Related

Get created/modified/deleted files by a specific process from an event tracing (ETW) session

I've been searching for a solution to get all created/modified and deleted files by a specific process from an event trace (ETW) session (I will process data from an etl file not from a real-time session).
Apparently the simplest solution to get this done was to get the FileCreate and FileDelete events from the FileIo_Name class and map them to the corresponding DiskIo_TypeGroup1 events. However, this solution isn't working for me since I don't receive any DiskIo_TypeGroup1 events for the corresponding FileDelete events, so I cannot get the process ID. Also, not all FileCreate events have an associated DiskIo_TypeGroup1 event (I think this happens for empty created files or only for opened files).
Note: I need the DiskIo_TypeGroup1 mapping because FileIo_Name events don't have the ThreadId and ProcessId members populated - they are set to (ULONG)-1. Also, I cannot decide which files were just opened or modified without knowing the "file write size". DiskIo_TypeGroup1 also doesn't have the ThreadId and ProcessId members (in the event header, on newer OSes) populated, but it has the IssuingThreadId structure member from which I can obtain the ProcessId by mapping to Thread_TypeGroup1 class events.
So I investigated how the FileIo_Create class can help me, and noticed that I can get the CreateOptions member, which can have the following flags: (FILE_SUPERSEDE, FILE_CREATE, FILE_OPEN, FILE_OPEN_IF, FILE_OVERWRITE, FILE_OVERWRITE_IF). But the initial problem still persists. How can I check if a file was created from scratch instead of being just opened (e.g. in the case of FILE_SUPERSEDE)?
Maybe I can use the FileIo_ReadWrite class to get the Write event, like using the DiskIo_TypeGroup1 class. So, if something was written to a file, can I suppose that the file was either created or modified?
To find the deleted files I think that the FileIo_Info class and the Delete event are the solution. I guess that I can receive Delete events and map them to FileIo_Name to get the file names.
Note: FileIo_Create, FileIo_Info and FileIo_ReadWrite contain information about the process ID.
Are my suppositions right? What will be the best solution for my problem?
I will share my implemented solution as follows:
Created Files:
I have stored all FileIo_Create events as a pending create operation and waited to receive associated FileIo_OpEnd to decide if the file was opened, created, overwritten, or superseded from the ExtraInfo structure member.
Modified Files:
I marked files as dirty for every Write event from FileIo_ReadWrite and every SetInfo event with InfoClass->FileEndOfFileInformation and InfoClass->FileValidDataLengthInformation from FileIo_Info. Finally, on the Cleanup event from FileIo_SimpleOp, I verify whether the file was marked as dirty and store it as modified.
Deleted files:
I marked the files as deleted if they were opened with the CreateOptions->FILE_DELETE_ON_CLOSE flag from FileIo_Create or if a Delete event from FileIo_Info appears. Finally, on the Cleanup event from FileIo_SimpleOp, I stored the file as deleted.
Also, the process ID and file name were obtained from the FileIo_Create events, more precisely from the OpenPath structure member and the ProcessId event header member.

Is there a way to uniquely identify a picture attached to an Outlook ContactItem?

It is my understanding that an Outlook contact's "avatar" image is stored as an Attachment object in the Attachments collection (ref).
Now suppose, as an example, that I want to keep my own (separate) contact database updated whenever the user's Outlook contacts change, so I'm registered for a PropertyChange event on the ContactItem. Is there any way to determine whether or not the picture attached to a ContactItem has changed, or do I need to call SaveAsFile() on the ContactPicture.jpg Attachment every time that I get a change notification, just on the off chance that it may have been updated?
There is no CRC of any kind for the attachment data, so you won't know if the actual binary data has changed. You can read the Attachment.Size property, and if it is different from what you had before, the data has changed for sure.
You can also read the PR_CREATION_TIME and PR_LAST_MODIFICATION_TIME properties using Attachment.PropertyAccessor.GetProperty, but these properties are not required and can stay the same even if the data has changed.

What's the difference between ReadDirectoryChangesW() and FindFirstChangeNotification() APIs?

I want to know about any changed files in a specific directory. So, I found the ReadDirectoryChangesW() and FindFirstChangeNotification() - FindNextChangeNotification() APIs.
Then I implemented it using the ReadDirectoryChangesW() function. But I don't know why there are the FindFirst... APIs.
I think that the ReadDirectoryChangesW() function can do all the work of the FindFirst... APIs.
What's the difference?
FindFirstChangeNotification:
Creates a change notification handle and sets up initial change notification filter conditions. {...} This function does not indicate the change that satisfied the wait condition. To retrieve information about the specific change as part of the notification, use the ReadDirectoryChangesW function.
ReadDirectoryChangesW:
Retrieves information that describes the changes within the specified directory. The function does not report changes to the specified directory itself.
Conclusion:
If you want to register a file listener then use FindFirstChangeNotification, but keep in mind that this function DOESN'T wait for a change; in order to achieve that you need to use WaitForSingleObject AFTER registering the file listener.
If you don't care about the type of the change in the path you are listening to, then there is no need to use ReadDirectoryChangesW. If you need to know what the exact change was that triggered WaitForSingleObject, then you need to use ReadDirectoryChangesW.
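What "the exact change" looks like in practice, as an added example that is not part of the question or answer: ReadDirectoryChangesW fills a buffer with chained FILE_NOTIFY_INFORMATION records (NextEntryOffset, Action, FileNameLength in bytes, then a UTF-16 name with no terminator), which FindFirstChangeNotification never gives you. The record walker is portable and runs on a constructed buffer; the watch loop assumes a directory C:\watched and is compiled only on Windows.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Reads a 32-bit little-endian field at byte offset off of b (unaligned-safe). */
static uint32_t u32_at(const unsigned char *b, size_t off) {
    uint32_t v; memcpy(&v, b + off, 4); return v;
}

/* Walks the FILE_NOTIFY_INFORMATION records in a ReadDirectoryChangesW buffer.
 * Stores each record's Action in actions[] (up to max) and returns the count.
 * A record whose name would run past len is treated as truncated and stops the walk. */
int walk_notify_buffer(const unsigned char *buf, size_t len, uint32_t *actions, int max) {
    int n = 0;
    size_t off = 0;
    while (off + 12 <= len && n < max) {
        uint32_t next = u32_at(buf, off), action = u32_at(buf, off + 4);
        uint32_t name_len = u32_at(buf, off + 8);
        if (off + 12 + name_len > len) break;   /* truncated record: stop */
        actions[n++] = action;
        printf("action=%u name=", action);       /* 1=ADDED 2=REMOVED 3=MODIFIED 4/5=RENAMED */
        for (uint32_t i = 0; i + 1 < name_len; i += 2)
            putchar((char)buf[off + 12 + i]);   /* demo only: low byte of each UTF-16 unit */
        putchar('\n');
        if (next == 0) break;                    /* NextEntryOffset 0 marks the last record */
        off += next;
    }
    return n;
}

#ifdef _WIN32
#include <windows.h>
/* Synchronous loop: each call blocks until changes arrive, then reports them. */
int main(void) {
    HANDLE dir = CreateFileA("C:\\watched", FILE_LIST_DIRECTORY,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL,
        OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (dir == INVALID_HANDLE_VALUE) return 1;
    unsigned char buf[4096]; DWORD got; uint32_t acts[64];
    while (ReadDirectoryChangesW(dir, buf, sizeof buf, FALSE,
           FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_LAST_WRITE,
           &got, NULL, NULL))
        walk_notify_buffer(buf, got, acts, 64);
    CloseHandle(dir);
    return 0;
}
#endif
```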

When should I use keydown and keyup?

Which event should be used for key press handling, key-down or key-up? It is sure that in both cases the program will run successfully. But which one will be more user-friendly?
It depends on you. There is no such best practice. Both are used as per the need of your program and as per the convenience of the user.
keyup
Fires when the user releases a key, after the default action of that key has been performed.
keydown
Fires when the user depresses a key. It repeats while the user keeps the key depressed.
Check out this page describing the differences.

Cocoa/Carbon: catch global hotkey when key is kept pressed (held down)

Using InstallApplicationEventHandler and RegisterEventHotKey from Carbon framework, I'm able to catch whatever key I want.
On the contrary, I can't find a way to correctly handle the event when a key is held down (kept pressed). I mean, when I hold down a key, RegisterEventHotKey responds as if I had pressed and then released the key; I want it, instead, to send the "event" continuously until the key is released.
What I really want to achieve, to be precise, when a key is kept pressed is this:
as soon as the key is pressed and held down I want InstallApplicationEventHandler and RegisterEventHotKey to create an event, not only once (as I have now) but every x milliseconds or so until the key is released.
The particular keys that I'm considering are not modifier keys.
Can you help me? I'm really going crazy over this!
You need to use an event tap; RegisterEventHotKey isn't flexible enough to do what you want. Check out Event Taps Testbench and the documentation.
Maybe start firing a timer every 0.25 seconds or something that checks to see if the appropriate keys are still down. If they are, re-invoke the action. Otherwise, invalidate the timer.