Ok if anyone can solve this they must be a genius because it's nowhere on the web!
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
This program detects registry accesses and tells you which process did it.
Does anyone know how I can do this? I can detect changes, but I can't get the process.
Thanks in advance
It's done by hooking system calls. It hooks calls to RegOpenKey (etc) and records all the information about the process accessing the registry before passing the call to the real RegOpenKey.
See EasyHook for a library that makes it relatively easy to write API hooks in Windows.
However, when I say "easy", I actually mean "here be monsters!" API hooking is not for the faint of heart and you should have a very good working knowledge of the internals of Windows before you attempt it.
If you just want to find out what's doing it, then you can use ProcessMonitor, or one of the other derivations of those tools from Sysinternals, now run by Microsoft as Winternals. See the list of programs here.
If you want to write a program to do it, you'll have to hook the registry access functions. The source code for that can be found in archives of the Sysinternals tools. It doesn't seem to be available anymore with the program.
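For the case where you only need to know which process wrote a key, rather than build a Regmon-style tool, Windows already records that in the Security log once registry auditing is on. The following is an added example, not code from this thread or from Sysinternals: it parses event 4657 ("A registry value was modified"), whose ProcessName and ProcessId fields give the attribution the question asks for. It assumes "Audit Registry" (Object Access) is enabled and a SACL exists on the keys of interest; the sample record at the bottom is constructed so the parser can be exercised offline.

```powershell
# Added example, not code from the thread or from Sysinternals.
# Attributes a registry write to the process that made it using the supported
# audit trail (Security event 4657) instead of hooking RegOpenKey.
# Assumes "Audit Registry" (Object Access) is enabled and a SACL is set on
# the keys you care about.

function ConvertFrom-Event4657 {
    # Turns one 4657 event (XML from EventLogRecord.ToXml()) into a flat record.
    param([Parameter(Mandatory)][xml]$Xml)

    $ns = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $Xml.NameTable
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    $data = @{}
    foreach ($d in $Xml.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    [pscustomobject]@{
        Time        = $Xml.Event.System.TimeCreated.SystemTime
        User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        ProcessId   = [Convert]::ToInt32($data['ProcessId'], 16)   # logged as hex, e.g. 0x1a2c
        ProcessName = $data['ProcessName']
        Key         = $data['ObjectName']                            # \REGISTRY\MACHINE\... form
        ValueName   = $data['ObjectValueName']
        NewValue    = $data['NewValue']
    }
}

function Get-RegistryWriteAttribution {
    # Pulls the most recent 4657 events from the live Security log (needs admin).
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-Event4657 -Xml ([xml]$_.ToXml()) }
}

# Constructed sample record (not a real captured event) so the parser runs offline.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4657</EventID>
    <TimeCreated SystemTime="2024-01-01T12:00:00.000Z"/>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">WORKSTATION</Data>
    <Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Example\Settings</Data>
    <Data Name="ObjectValueName">Enabled</Data>
    <Data Name="ProcessId">0x1a2c</Data>
    <Data Name="ProcessName">C:\Program Files\Example\example.exe</Data>
    <Data Name="NewValue">1</Data>
  </EventData>
</Event>
'@

ConvertFrom-Event4657 -Xml $sample | Format-List
```

On a live system, `Get-RegistryWriteAttribution` needs an elevated session; the audit path only covers keys that carry a SACL, so it is a targeted "who changed this key" tool, not a replacement for the full trace Process Monitor gives you.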
I need help. I made a WPF application. Its functionality is that it launches the application when it is launched. But if it is pinned to the taskbar, then a JumpList appears, from which you can also call other applications. I ran into this problem: I do not know how to make the program automatically pinned to the taskbar after the first launch. Please help someone. I read on Microsoft's website, but it's not suitable for WPF. Please help with this.
Maybe there is some kind of library? Maybe there is a way with the registry?
Don't ask for support for pinning, here is why.
Microsoft goes to great lengths to prevent applications altering user preferences. Why? Because otherwise, every application would do it. Giving access to user preferences via API means developers start exploiting it. It means applications fighting for screen space. You install company A's product and it unpins company B's product.
If such an API existed, that is malware.
And an API for only the calling executable is not viable, it would mean that somewhere deep in the operating system the function call to do it for any executable exists. And then somebody finds it and calls it directly. Besides, it has been a big trouble for Microsoft to decouple the shell as it is.
Instead, explorer handles it.
Further reading Why is there no programmatic access to the Start menu pin list?.
Some applications do manage to pin.
Regardless of what, it is a bad practice.
It is not guaranteed to work, much less in the next Windows update.
One way is to mimic user input. It is hard to consider all cases (what if the taskbar is hidden, what if it is not in the usual place, what if explorer is not running, etc.), but you can imagine setting the pointer position and sending keys.
Another way would be to write directly to the list. You might have found out that the pinned items are at:
%AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
And they are regular, good old, shortcuts. And you could add your own. And it would not work.
Thus, the answer is "Please don't do it".
For a more detailed explanation, you can try to refer here.
Is there a way to monitor processes starting in the system before they start?
Example:
On programs like ZoneAlarm or Antivirus programs, when you run a program it asks you if you allow running this program or not before it runs...
There are a few ways to do this. If you only need to track process creation coming from a specific program (or a few programs), the EasyHook/Detours method mentioned here will work pretty well, but you effectively need to install a hook on CreateProcess into each program, so it's not a great solution if you want to track all process creation in the system.
There's a specific API for this in NT-based Windows variants (NT/2000/XP/Vista) called PsSetCreateProcessNotifyRoutine(). Unfortunately, you can only call this function from ring0, so it needs to be done in a driver. There's a handy explanation (and code) in this CodeProject article: http://www.codeproject.com/KB/threads/procmon.aspx.
AFAIK, this is just a notification, and does not by itself allow you to tell the system whether the process should be created or not. However, if you needed to do this, you could pause the process (e.g. by attaching to it as a debugger) while your code decides whether to kill it or not.
You should check out the easyhook-continuing-detours project, which is a .NET port of the Microsoft Detours project. It will allow you to hook unmanaged APIs (such as CreateProcess). Check out code examples for a simple FileMon-like program here.
You can find out when processes start via using a real-time ETW consumer - however, to be able to take some action that could possibly cancel the process from starting, you'll have to do something shady / undocumented, like hooking CreateProcess, or using a kernel filter driver to block reads to the EXE.
Just use process creation notifications.
It's included in Windows.
You don't need to hook anything.
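The answers above split the problem into two halves: observing process creation (available from user mode, no hooking) and vetoing it (kernel only). The following is an added example, not code from this thread: it uses the in-box WMI event class Win32_ProcessStartTrace to watch every process start on the machine from a PowerShell session, which is the notification-only half. The process is already running when the event arrives, so this can log and alert but cannot block; the log path and source identifier are assumptions.

```powershell
# Added example, not code from the thread. Observes process creation
# system-wide from user mode with an in-box mechanism (the WMI event class
# Win32_ProcessStartTrace). This is notification only: the process already
# exists when the event fires, so it can record and alert but not veto.
# Needs an elevated PowerShell session.

function Start-ProcessStartWatch {
    param(
        [string]$SourceIdentifier = 'ProcStart',            # assumed name for the subscription
        [string]$LogPath = "$env:TEMP\procstart.log"        # assumed log location
    )
    $subscription = @{
        ClassName        = 'Win32_ProcessStartTrace'
        SourceIdentifier = $SourceIdentifier
        MessageData      = $LogPath
        Action           = {
            $e      = $Event.SourceEventArgs.NewEvent
            $parent = Get-Process -Id $e.ParentProcessID -ErrorAction SilentlyContinue
            $line   = '{0:u} pid={1} ppid={2} parent={3} image={4}' -f `
                      (Get-Date), $e.ProcessID, $e.ParentProcessID,
                      $(if ($parent) { $parent.ProcessName } else { '?' }), $e.ProcessName
            Add-Content -Path $Event.MessageData -Value $line
        }
    }
    Register-CimIndicationEvent @subscription | Out-Null
    "Watching process starts; log: $LogPath. Run Stop-ProcessStartWatch -SourceIdentifier $SourceIdentifier to end."
}

function Stop-ProcessStartWatch {
    param([string]$SourceIdentifier = 'ProcStart')
    Unregister-Event -SourceIdentifier $SourceIdentifier
}

# Usage (elevated):
#   Start-ProcessStartWatch
#   ... start a few programs, then inspect the log ...
#   Get-Content "$env:TEMP\procstart.log"
#   Stop-ProcessStartWatch
```

The parent lookup is best effort: a short-lived parent may already have exited by the time the action runs, which is why the parent name falls back to `?`. If you need the decision to happen before the first instruction executes, that is the driver-side PsSetCreateProcessNotifyRoutine path the other answers describe, not something user-mode subscriptions can provide.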
I'm attempting to automate moving between different time zones while I travel and was curious whether someone knew how to update the "Additional Clocks" setting by using the Windows API/SDK. I'll be using .NET and C# but would definitely be happy with the raw API calls as well. Thanks!
That's not how it works. The winapi would grow gargantuan if there was an api for every single little tweak dialog like this one. Instead, the dialog changes registry keys, keys that are later read back by whatever code displays the clock.
You can find them by running SysInternals' ProcMon. Start it just before you click the Apply button, stop it right after that. You'll have little trouble finding the HKCU\Control Panel\DateTime\AdditionalClocks being used in the trace. Mapping settings in the dialog to registry values is pretty straightforward.
Hacking registry keys that belong to Windows is pretty iffy. But you'll get away with it as long as you don't hope this still works in the next version of Windows. Actually changing them might require a logoff and logon to make the changes effective, I didn't try that.
FWIW here is a PowerShell cmd that gets the additional clocks setting from the registry:
Get-ChildItem -Path "HKCU:\Control Panel\TimeDate\AdditionalClocks"
I need to retrieve values from an external application but it does not provide any API to do so. The values are ever-changing and not fixed.
Is there a way to retrieve the values from the application?
Maybe getting into the message loop for that particular application and filtering for certain window messages which contains the value. Or perhaps, using Microsoft Automation Toolkit to search for the relevant controls and getting the values of it.
Thanks for taking your time to read this.
P.S. I was looking into something like SetWindowsHookEx or anything similar.
Does it help to use RegisterWindowMessage if I were to know the string which the application used to register?
You'll need to setup a global Windows Hook and you need to write a C++ DLL for receiving the callback. I'd suggest looking at this MSDN Magazine article. It describes a tool called ManagedSpy but even if you want to "spy" on an unmanaged app the hook code should be the same.
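The question mentions the UI Automation route as an alternative to a hook, and for reading control text it is usually the cleaner one: it is a public API and nothing gets injected into the target process. The following is an added example, not code from this thread or from the ManagedSpy article: it walks another application's window with System.Windows.Automation and returns each control's value. The window title and the Notepad usage line are assumptions; substitute the title of the application you are reading from.

```powershell
# Added example, not code from the thread or the ManagedSpy article. Reads
# control values from another application's window with the public UI
# Automation API rather than a global SetWindowsHookEx hook, so no DLL has
# to be loaded into the target. Window title and control ids are assumed.
Add-Type -AssemblyName UIAutomationClient
Add-Type -AssemblyName UIAutomationTypes

function Get-WindowControlValues {
    param(
        [Parameter(Mandatory)][string]$WindowTitle,   # exact top-level window name
        [string]$AutomationId                          # optional: restrict to one control
    )
    $root   = [System.Windows.Automation.AutomationElement]::RootElement
    $byName = New-Object -TypeName System.Windows.Automation.PropertyCondition `
                         -ArgumentList @([System.Windows.Automation.AutomationElement]::NameProperty, $WindowTitle)
    $window = $root.FindFirst([System.Windows.Automation.TreeScope]::Children, $byName)
    if ($null -eq $window) { throw "No top-level window named '$WindowTitle'" }

    $all = [System.Windows.Automation.Condition]::TrueCondition
    foreach ($el in $window.FindAll([System.Windows.Automation.TreeScope]::Descendants, $all)) {
        if ($AutomationId -and $el.Current.AutomationId -ne $AutomationId) { continue }

        $value   = $null
        $pattern = $null
        if ($el.TryGetCurrentPattern([System.Windows.Automation.ValuePattern]::Pattern, [ref]$pattern)) {
            $value = $pattern.Current.Value          # edit boxes, combo boxes, etc.
        } elseif ($el.Current.ControlType -eq [System.Windows.Automation.ControlType]::Text) {
            $value = $el.Current.Name                # static labels expose their text as Name
        }

        if ($null -ne $value) {
            [pscustomobject]@{
                AutomationId = $el.Current.AutomationId
                ControlType  = $el.Current.ControlType.ProgrammaticName
                Name         = $el.Current.Name
                Value        = $value
            }
        }
    }
}

# Usage, assuming a Notepad window titled "Untitled - Notepad" is open:
Get-WindowControlValues -WindowTitle 'Untitled - Notepad' | Format-Table -AutoSize
```

Run it once without `-AutomationId` to see which controls the target exposes, then pass the id of the one whose value you want to poll. Controls that are custom-drawn and do not implement the Value pattern will not show up here; that is the case where you are back to the window-message or hook approaches the answer describes.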