function RegSetValueExWCallback(hKey: HKEY; lpValueName: PWideChar; Reserved: DWORD; dwType: DWORD; lpData: Pointer; cbData: DWORD): Longint; stdcall;
var
  St: WideString;
begin
  St := lpValueName;
  // Check the policy before calling the original API, so a denied write never reaches the registry.
  if not IsAllowed(MsgRegType, 'RegSetValueExW', PWideChar(St)) then
  begin
    // RegSetValueEx reports failure through its return value; 0 would mean ERROR_SUCCESS.
    Result := ERROR_ACCESS_DENIED;
    SetLastError(ERROR_ACCESS_DENIED);
  end
  else
  begin
    Result := RegSetValueExWNext(hKey, lpValueName, Reserved, dwType, lpData, cbData);
    RenewHook(@RegSetValueExWNext);
  end; { if }
end; { RegSetValueExWCallback }
I get hKey, which is the registry key handle.
From that handle, how can I get the original path, like HKEY_LOCAL_MACHINE\Software\...?
If you need it to work in win9x, too, then I don't know any solution. I think Sysinternals' Process Monitor can somehow do it in win9x, too, but I don't know how. In the NT family it's possible by using some more or less undocumented native APIs (Nt***).
NtQueryValueKey(
  IN HANDLE KeyHandle,
  IN PUNICODE_STRING ValueName,
  IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
  OUT PVOID KeyValueInformation,
  IN ULONG Length,
  OUT PULONG ResultLength);
If I hook this API procedure, I'll get the KeyHandle. It's the same as hKey. So, how can I get the registry path (e.g. HKEY_LOCAL_MACHINE\Software\...) from that KeyHandle?
LeVuHoang wrote:
I get hKey, which is the registry key handle.
From that handle, how can I get the original path, like HKEY_LOCAL_MACHINE\Software\...?
You could hook RegOpenKeyEx() and cache the HKEY returned. Then look for it in RegSetValueEx().
Hi dcsoft,
If we save the hKey in the cache (or array), then the buffer can grow too big.
If a program opens 100 keys at a time, our program must have an array with 100 items to save those keys. It's too big...
But if this is the last solution for this problem, maybe I can use it.
Thank you, dcsoft. Does anybody have another solution?
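The native-API route mentioned in the reply above, as an added example (not code from the thread or from the hooking library): it asks ntdll's NtQueryKey for the KeyNameInformation of an open handle, so no handle cache is needed. KeyPathFromHandle is a hypothetical helper name; the result is the kernel form of the name (\REGISTRY\MACHINE\... for keys under HKEY_LOCAL_MACHINE), and this applies to the NT family only.

```delphi
program KeyPathDemo;
{$APPTYPE CONSOLE}
uses Windows;

const
  KeyNameInformation      = 3;                   // KEY_INFORMATION_CLASS member
  STATUS_BUFFER_OVERFLOW  = Integer($80000005);
  STATUS_BUFFER_TOO_SMALL = Integer($C0000023);
type
  PKeyNameInformation = ^TKeyNameInformation;
  TKeyNameInformation = record                   // KEY_NAME_INFORMATION
    NameLength: Cardinal;                        // length of Name in bytes
    Name: array[0..0] of WideChar;               // not null-terminated
  end;

function NtQueryKey(KeyHandle: HKEY; KeyInformationClass: Cardinal;
  KeyInformation: Pointer; Length: Cardinal; var ResultLength: Cardinal): Integer;
  stdcall; external 'ntdll.dll';

// Hypothetical helper: name of an open key, or '' if the handle cannot be queried.
function KeyPathFromHandle(hKey: HKEY): WideString;
var
  Needed: Cardinal;
  Status: Integer;
  Buf: array of Byte;
  Info: PKeyNameInformation;
begin
  Result := '';
  // Predefined roots are pseudo-handles, not kernel handles, so name them directly.
  if hKey = HKEY_CLASSES_ROOT then Result := 'HKEY_CLASSES_ROOT'
  else if hKey = HKEY_CURRENT_USER then Result := 'HKEY_CURRENT_USER'
  else if hKey = HKEY_LOCAL_MACHINE then Result := 'HKEY_LOCAL_MACHINE'
  else if hKey = HKEY_USERS then Result := 'HKEY_USERS';
  if Result <> '' then Exit;
  // First call with no buffer only reports the size required.
  Needed := 0;
  Status := NtQueryKey(hKey, KeyNameInformation, nil, 0, Needed);
  if (Status <> STATUS_BUFFER_TOO_SMALL) and (Status <> STATUS_BUFFER_OVERFLOW) then Exit;
  if Needed < SizeOf(TKeyNameInformation) then Exit;
  SetLength(Buf, Needed);
  if NtQueryKey(hKey, KeyNameInformation, @Buf[0], Needed, Needed) < 0 then Exit;
  Info := PKeyNameInformation(@Buf[0]);
  SetString(Result, PWideChar(@Info^.Name[0]), Info^.NameLength div SizeOf(WideChar));
end;

var
  Key: HKEY;
begin
  // Constructed demo: open a key, then recover its name from the handle alone.
  if RegOpenKeyExW(HKEY_LOCAL_MACHINE, 'Software', 0, KEY_READ, Key) = ERROR_SUCCESS then
  begin
    Writeln(KeyPathFromHandle(Key));
    RegCloseKey(Key);
  end;
end.
```

Inside the RegSetValueExW callback, the helper's result joined with lpValueName gives the full key and value name for the policy check, with nothing stored between calls.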