Filtering Registry Calls
A registry filtering driver is any kernel-mode driver that filters registry calls, such as the driver component of an antivirus software package. The configuration manager, which implements the registry, allows registry filtering drivers to filter any thread's calls to registry functions. Filtering of registry calls was first supported in Microsoft Windows XP.
On Windows XP, a registry filtering driver can call CmRegisterCallback to register a RegistryCallback routine and CmUnRegisterCallback to unregister the callback routine. The RegistryCallback routine receives notifications of each registry operation before the configuration manager processes the operation. A set of REG_XXX_KEY_INFORMATION data structures contain information about each registry operation. The RegistryCallback routine can block a registry operation. The callback routine also receives notifications when the configuration manager has finished creating or opening a registry key.
Windows Server 2003 provides additional completion notifications.
Windows Vista provides the following additional registry filtering capabilities:
Registry filtering drivers can be layered in a driver stack, and each driver in the stack can filter a registry operation.
The CmRegisterCallback routine is replaced by the CmRegisterCallbackEx routine.
Drivers can completely process a registry operation (or redirect the requested operation to a different operation) and prevent the configuration manager from handling the operation.
Drivers can assign context information to individual registry operations or key objects.
Drivers can modify a registry operation's output parameters and return value.
Additional members have been added to all REG_XXX_KEY_INFORMATION data structures.
Drivers receive notifications of additional registry operations.
For a list of the registry operations that a driver can filter on each version of Windows, see REG_NOTIFY_CLASS.
To learn more about filtering registry calls, see the following topics:
Supporting Layered Registry Filtering Drivers
Specifying Context Information
Obtaining Additional Registry Information
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for