exchange12rocks: (Default)
[personal profile] exchange12rocks
An important update of Process Monitor was released couple of a days ago:

As you may know, we can use two functions with completely opposite names to open registry key: RegCreateKeyEx and RegOpenKeyEx. When you use RegCreateKeyEx, it creates registry key if it's non-existed, but just opens it if key exists. RegCreateKeyEx writes which operation (create or open) it's performed into a separate variable.
RegOpenKeyEx cannot create registry keys and returns error if key doesn't exist.

Before this release there were no way to determine what operation exactly RegCreateKeyEx perform. "Granted Access" property for execution of that function always contained "Read/Write" value.



From this last update, Process Monitor finally can show you what RegCreateKeyEx does. There is no "Granted Access" property for RegCreateKey operation anymore, it was replaced with new "Disposition" property. "Disposition" may contains following strings:
REG_CREATE_NEW_KEY - if new registry key was created.



REG_OPENED_EXISTING_KEY - if RegCreateKeyEx just opened previously existed key.



"Desired Access" property still contains "Read/Write" value, because we cannot predict which action RegCreateKeyEx will do.

Using this new feature, you can separate RegCreateKeyEx calls: just add new condition into Process Monitor's filter with following parameters:
Column - "Detail"
Relation - "contains"
Value - "REG_CREATE_NEW_KEY" or "REG_OPENED_EXISTING_KEY"
Action - "Include"

Profile

exchange12rocks: (Default)
Kirill 'kf' Nikolaev

September 2016

S M T W T F S
    123
456789 10
11121314151617
18192021222324
252627282930 

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags
Page generated Jul. 22nd, 2017 12:47 am
Powered by Dreamwidth Studios