Registering for Notifications
To filter registry calls, your kernel-mode registry filtering driver must first call CmRegisterCallback or CmRegisterCallbackEx to register a RegistryCallback routine. (For Windows Vista and later operating system versions, drivers should use CmRegisterCallbackEx instead of CmRegisterCallback.)
After your driver has registered a RegistryCallback routine, the configuration manager calls the routine each time that a thread attempts to perform a registry operation. Threads that perform registry operations can be from user-mode applications that call the user-mode registry routines (RegCreateKeyEx, RegOpenKeyEx, and so on) and from drivers that call the kernel-mode registry routines (ZwCreateKey, ZwOpenKey, and so on).
For most operations, your driver can receive notification before the configuration manager processes the registry operation (a pre-notification) or immediately after the operation completes (but before the configuration manager returns to the caller—a post-notification). For a list of the types of notifications that your driver can receive, see REG_NOTIFY_CLASS.
After a driver has called CmRegisterCallback or CmRegisterCallbackEx, the driver will receive notifications until it calls CmUnRegisterCallback or is unloaded.
Build date: 11/16/2013