Export (0) Print
Expand All

RegistryValueChangeEvent class

The RegistryValueChangeEvent class represents changes to a single value of a specific key. For more information about using the WMI registry event classes, see Modifying the System Registry. For code examples, see WMI Tasks: Registry.

The following syntax is simplified from Managed Object Format (MOF) code and includes all inherited properties. Properties and methods are in alphabetic order, not MOF order.

Syntax

class RegistryValueChangeEvent :  RegistryEvent
{
  string Hive;
  string KeyPath;
  uint8  SECURITY_DESCRIPTOR[];
  uint64 TIME_CREATED;
  string ValueName;
};

Members

The RegistryValueChangeEvent class has these types of members:

Properties

The RegistryValueChangeEvent class has these properties.

Hive
Data type: string
Access type: Read-only

Name of the hive that contains the key (or keys) that is changed. For example, HKEY_LOCAL_MACHINE. Changes to the HKEY_CLASSES_ROOT and HKEY_CURRENT_USER hives are not supported by RegistryEvent or classes derived from it, such as RegistryValueChangeEvent.

KeyPath
Data type: string
Access type: Read/write

Path to the registry key. For example, "SOFTWARE\Microsoft\WBEM\Scripting".

SECURITY_DESCRIPTOR
Data type: uint8 array
Access type: Read-only

Descriptor that the event provider uses to determine which users can receive an event. This property is inherited from __Event. A NULL access control list (ACL) in the SECURITY_DESCRIPTOR grants unlimited access to all users. For more information, see Creating a Security Descriptor for a New Object.

TIME_CREATED
Data type: uint64
Access type: Read-only

Unique value that indicates the time when an event is generated. This is a 64-bit FILETIME value that represents the number of 100-nanosecond intervals after January 1, 1601. The information is in the Coordinated Universal Time (UTC) format. This property is inherited from __Event. To convert this value to other time formats, use the SWbemDateTime methods SetFileTime and GetFileTime. For more information, see WMI Tasks: Dates and Times.

For more information about using uint64 values in scripts, see Scripting in WMI.

ValueName
Data type: string
Access type: Read/write

Name of the value in the registry key. For example, in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting you can detect changes in the value Default Namespace.

Remarks

Queries that provide a KeyPath must have backslashes escaped. For example,


wmiServices.ExecNotificationQuery(_  
    & "SELECT * FROM RegistryKeyChangeEvent " _
    & "WHERE Hive='HKEY_LOCAL_MACHINE' AND " _
    & "KeyPath='SOFTWARE\\Microsoft'")

Registry provider classes, unlike most of the Win32 classes are located in the WMI root\default namespace.

Examples

The following VBScript code example calls the asynchronous method SWbemServices_ExecNotificationQueryAsync to monitor changes in the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting\Default Namespace. Be aware that the backslashes in the registry key are escaped by a backslash ("\"). For more information about asynchronous calls and security, see Making an Asynchronous Call with VBScript. To see the operation of this script, execute the script and use a registry editor such as Regedit to change the Default Namespace value. Be sure to change it back to the original value.

The following script runs until the computer is restarted, WMI is stopped, or the script is stopped. To stop the script manually, use Task Manager to stop the process. To stop it programmatically, use the Terminate method in the Win32_Process class.


Set wmiServices = GetObject("winmgmts:root/default") 
Set wmiSink = WScript.CreateObject( _
    "WbemScripting.SWbemSink", "SINK_") 
wmiServices.ExecNotificationQueryAsync wmiSink, _ 
    "SELECT * FROM RegistryValueChangeEvent " _
    & "WHERE Hive='HKEY_LOCAL_MACHINE' AND " _
    & "KeyPath='SOFTWARE\\Microsoft\\WBEM\\sCRIPTING' " _
    & "AND ValueName='Default Namespace'" 
WScript.Echo "Listening for Registry Value" _
    & " Change Events..." & vbCrLf 
While(True) 
    WScript.Sleep 1000 
Wend 
Sub SINK_OnObjectReady(wmiObject, wmiAsyncContext) 
    WScript.Echo "Received Registry " _
        & "Change Event" & vbCrLf & _ 
        wmiObject.GetObjectText_() 
End Sub

Requirements

Minimum supported client

Windows Vista

Minimum supported server

Windows Server 2003

Namespace

\root\default

MOF

RegEvent.mof

DLL

StdProv.dll

See also

Registering for System Registry Events

 

 

Show:
© 2014 Microsoft