Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All

Registering for Notifications

To filter registry calls, your kernel-mode registry filtering driver must first call CmRegisterCallback or CmRegisterCallbackEx to register a RegistryCallback routine. (For Windows Vista and later operating system versions, drivers should use CmRegisterCallbackEx instead of CmRegisterCallback.)

After your driver has registered a RegistryCallback routine, the configuration manager calls the routine each time that a thread attempts to perform a registry operation. Threads that perform registry operations can be from user-mode applications that call the user-mode registry routines (RegCreateKeyEx, RegOpenKeyEx, and so on) and from drivers that call the kernel-mode registry routines (ZwCreateKey, ZwOpenKey, and so on).

For most operations, your driver can receive notification before the configuration manager processes the registry operation (a pre-notification) or immediately after the operation completes (but before the configuration manager returns to the caller—a post-notification). For a list of the types of notifications that your driver can receive, see REG_NOTIFY_CLASS.

After a driver has called CmRegisterCallback or CmRegisterCallbackEx, the driver will receive notifications until it calls CmUnRegisterCallback or is unloaded.

 

 

Send comments about this topic to Microsoft

Show:
© 2015 Microsoft