注册表监控
Filemon 和 Regmon 可以分别用来监视文件操作和注册表操作，功能很强大。两者现已并入 Sysinternals 的 Process Monitor（见下文❺），请从微软官方 Sysinternals 站点下载，不要用搜索引擎随便找一个第三方镜像——这类监控工具通常要以管理员权限运行，来源不明的二进制本身就是一个风险。
❷ C#实现注册表监控
这个也许对你有用，看看吧！
using System;
using System.ComponentModel;
using System.IO;
using System.Threading;
using System.Runtime.InteropServices;
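using Microsoft.Win32;

namespace RegistryUtils
{
    /// <summary>
    /// Watches one registry key and everything below it through
    /// <c>RegNotifyChangeKeyValue</c> and raises <see cref="RegChanged"/> every time a
    /// subkey, a value, the key's attributes or its security descriptor changes.
    /// </summary>
    /// <remarks>
    /// Read this before relying on it as a detection control:
    /// <list type="bullet">
    /// <item>A notification says only that something changed somewhere under the key, not
    /// what. A handler that needs to know which value was added or modified (autorun keys,
    /// service definitions and the like) must re-read the key and diff it against a snapshot
    /// it keeps itself.</item>
    /// <item>The wait is re-armed only after the handler returns. Changes made while the
    /// handler runs are folded into the next notification and cannot be told apart, so keep
    /// the handler short and hand heavy work to another thread.</item>
    /// <item>Handlers run on the monitor thread. <see cref="Stop"/> (or <see cref="Dispose"/>)
    /// called from a handler requests termination and returns without joining, so
    /// <see cref="IsMonitoring"/> may still be true for a moment afterwards.</item>
    /// <item>The key is opened without KEY_WOW64_64KEY / KEY_WOW64_32KEY. A 32-bit process on
    /// 64-bit Windows therefore watches the redirected (WOW6432Node) view of HKLM\SOFTWARE and
    /// HKCR; to watch the native view, run the watcher as a 64-bit process.</item>
    /// <item>Any failure (access denied, key missing, P/Invoke error) is reported once through
    /// <see cref="Error"/> and the monitor stops. A monitor that is no longer monitoring is a
    /// blind spot, not evidence that nothing changed; check <see cref="IsMonitoring"/> after
    /// an error and restart it if appropriate.</item>
    /// </list>
    /// </remarks>
    public class RegistryMonitor : IDisposable
    {
        #region P/Invoke

        [DllImport("advapi32.dll", SetLastError = true)]
        private static extern int RegOpenKeyEx(IntPtr hKey, string subKey, uint options, int samDesired, out IntPtr phkResult);

        [DllImport("advapi32.dll", SetLastError = true)]
        private static extern int RegNotifyChangeKeyValue(IntPtr hKey, bool bWatchSubtree, RegChangeNotifyFilter dwNotifyFilter, IntPtr hEvent, bool fAsynchronous);

        [DllImport("advapi32.dll", SetLastError = true)]
        private static extern int RegCloseKey(IntPtr hKey);

        // Access mask for the watched key. KEY_NOTIFY is what RegNotifyChangeKeyValue needs;
        // KEY_QUERY_VALUE lets a handler re-read values on the same handle if it ever wants to.
        private const int KEY_QUERY_VALUE = 0x0001;
        private const int KEY_NOTIFY = 0x0010;
        private const int STANDARD_RIGHTS_READ = 0x00020000;

        // Predefined root-key handles. Casting through (int) sign-extends on 64-bit, which is
        // how the native HKEY_* pseudo-handles are defined there.
        private static readonly IntPtr HKEY_CLASSES_ROOT = new IntPtr(unchecked((int)0x80000000));
        private static readonly IntPtr HKEY_CURRENT_USER = new IntPtr(unchecked((int)0x80000001));
        private static readonly IntPtr HKEY_LOCAL_MACHINE = new IntPtr(unchecked((int)0x80000002));
        private static readonly IntPtr HKEY_USERS = new IntPtr(unchecked((int)0x80000003));
        private static readonly IntPtr HKEY_PERFORMANCE_DATA = new IntPtr(unchecked((int)0x80000004));
        private static readonly IntPtr HKEY_CURRENT_CONFIG = new IntPtr(unchecked((int)0x80000005));

        #endregion

        #region Event handling

        /// <summary>
        /// Occurs when the watched key or anything below it has changed.
        /// </summary>
        /// <remarks>
        /// Raised on the monitor thread with <see cref="EventArgs.Empty"/>; it carries no
        /// information about what changed (see the class remarks).
        /// </remarks>
        public event EventHandler RegChanged;

        /// <summary>Raises <see cref="RegChanged"/>.</summary>
        protected virtual void OnRegChanged()
        {
            EventHandler handler = RegChanged;
            if (handler != null)
                handler(this, EventArgs.Empty);   // never pass null: handlers may dereference e
        }

        /// <summary>
        /// Occurs when opening or watching the key fails. The monitor has already stopped
        /// when this is raised.
        /// </summary>
        public event ErrorEventHandler Error;

        /// <summary>Raises <see cref="Error"/>.</summary>
        /// <param name="e">The exception that ended monitoring.</param>
        protected virtual void OnError(Exception e)
        {
            ErrorEventHandler handler = Error;
            if (handler != null)
                handler(this, new ErrorEventArgs(e));
        }

        #endregion

        #region Private member variables

        private IntPtr _registryHive;
        private string _registrySubName;
        private readonly object _threadLock = new object();
        // Non-null while the monitor thread is alive; cleared by that thread as its last action.
        private volatile Thread _thread;
        private volatile bool _disposed;
        private readonly ManualResetEvent _eventTerminate = new ManualResetEvent(false);
        private RegChangeNotifyFilter _regFilter = RegChangeNotifyFilter.Key | RegChangeNotifyFilter.Attribute |
                                                   RegChangeNotifyFilter.Value | RegChangeNotifyFilter.Security;

        #endregion

        /// <summary>
        /// Initializes a new instance of the <see cref="RegistryMonitor"/> class for an
        /// already-open key. Only <see cref="RegistryKey.Name"/> is used; the handle is not kept.
        /// </summary>
        /// <param name="registryKey">The registry key to monitor.</param>
        /// <exception cref="ArgumentNullException"><paramref name="registryKey"/> is null.</exception>
        public RegistryMonitor(RegistryKey registryKey)
        {
            if (registryKey == null)
                throw new ArgumentNullException("registryKey");
            InitRegistryKey(registryKey.Name);
        }

        /// <summary>
        /// Initializes a new instance of the <see cref="RegistryMonitor"/> class from a full
        /// key name, e.g. <c>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</c>.
        /// </summary>
        /// <param name="name">
        /// Root hive (long form or HKCR / HKCU / HKLM / HKU / HKCC, case-insensitive) optionally
        /// followed by the subkey path.
        /// </param>
        /// <exception cref="ArgumentNullException"><paramref name="name"/> is null or empty.</exception>
        /// <exception cref="ArgumentException">The root hive name is not recognised.</exception>
        public RegistryMonitor(string name)
        {
            if (name == null || name.Length == 0)
                throw new ArgumentNullException("name");
            InitRegistryKey(name);
        }

        /// <summary>
        /// Initializes a new instance of the <see cref="RegistryMonitor"/> class from a hive
        /// and a subkey path.
        /// </summary>
        /// <param name="registryHive">The registry hive.</param>
        /// <param name="subKey">Subkey path below the hive; null or empty watches the hive root.</param>
        /// <exception cref="InvalidEnumArgumentException"><paramref name="registryHive"/> is not a supported hive.</exception>
        public RegistryMonitor(RegistryHive registryHive, string subKey)
        {
            InitRegistryKey(registryHive, subKey);
        }

        /// <summary>
        /// Stops monitoring and releases the termination event. Safe to call more than once.
        /// </summary>
        public void Dispose()
        {
            if (_disposed)
                return;   // idempotent; a second call used to throw ObjectDisposedException from Stop()
            Stop();
            _disposed = true;
            // Stop() could only join the thread when it was not called from a handler; the
            // event is released only once the thread is really gone. In the rare in-handler
            // case it is left to the finalizer rather than being closed under a live waiter.
            if (_thread == null)
                _eventTerminate.Close();
            GC.SuppressFinalize(this);
        }

        /// <summary>
        /// Gets or sets the <see cref="RegChangeNotifyFilter">RegChangeNotifyFilter</see>
        /// that is passed to <c>RegNotifyChangeKeyValue</c>. Can only be changed while the
        /// monitor is stopped.
        /// </summary>
        /// <exception cref="ArgumentOutOfRangeException">No flag is set; the native call would reject it.</exception>
        /// <exception cref="InvalidOperationException">The monitor is running.</exception>
        public RegChangeNotifyFilter RegChangeNotifyFilter
        {
            get { return _regFilter; }
            set
            {
                if (value == 0)
                    throw new ArgumentOutOfRangeException("value", "At least one notify flag must be set");
                lock (_threadLock)
                {
                    if (IsMonitoring)
                        throw new InvalidOperationException("Monitoring thread is already running");
                    _regFilter = value;
                }
            }
        }

        #region Initialization

        // Maps a RegistryHive onto its native pseudo-handle and stores the subkey path.
        private void InitRegistryKey(RegistryHive hive, string name)
        {
            switch (hive)
            {
                case RegistryHive.ClassesRoot:
                    _registryHive = HKEY_CLASSES_ROOT;
                    break;
                case RegistryHive.CurrentConfig:
                    _registryHive = HKEY_CURRENT_CONFIG;
                    break;
                case RegistryHive.CurrentUser:
                    _registryHive = HKEY_CURRENT_USER;
                    break;
                case RegistryHive.LocalMachine:
                    _registryHive = HKEY_LOCAL_MACHINE;
                    break;
                case RegistryHive.PerformanceData:
                    _registryHive = HKEY_PERFORMANCE_DATA;
                    break;
                case RegistryHive.Users:
                    _registryHive = HKEY_USERS;
                    break;
                default:
                    // Also covers the Windows 9x-only DynData member, which is gone from current
                    // .NET and never opened successfully on NT-based Windows anyway.
                    throw new InvalidEnumArgumentException("hive", (int)hive, typeof(RegistryHive));
            }
            _registrySubName = name;
        }

        // Splits "HIVE\sub\key" into the hive handle and the subkey path.
        private void InitRegistryKey(string name)
        {
            string[] nameParts = name.Split('\\');
            // Hive names are case-insensitive in Windows; accept long and short forms.
            switch (nameParts[0].ToUpperInvariant())
            {
                case "HKEY_CLASSES_ROOT":
                case "HKCR":
                    _registryHive = HKEY_CLASSES_ROOT;
                    break;
                case "HKEY_CURRENT_USER":
                case "HKCU":
                    _registryHive = HKEY_CURRENT_USER;
                    break;
                case "HKEY_LOCAL_MACHINE":
                case "HKLM":
                    _registryHive = HKEY_LOCAL_MACHINE;
                    break;
                case "HKEY_USERS":
                case "HKU":
                    _registryHive = HKEY_USERS;
                    break;
                case "HKEY_CURRENT_CONFIG":
                case "HKCC":
                    _registryHive = HKEY_CURRENT_CONFIG;
                    break;
                default:
                    _registryHive = IntPtr.Zero;
                    throw new ArgumentException("The registry hive '" + nameParts[0] + "' is not supported", "name");
            }
            // Everything after the hive; empty when only the hive was given (watches its root).
            _registrySubName = String.Join("\\", nameParts, 1, nameParts.Length - 1);
        }

        #endregion

        /// <summary>
        /// <b>true</b> if this <see cref="RegistryMonitor"/> object is currently monitoring;
        /// otherwise, <b>false</b>. Becomes false on its own after an <see cref="Error"/>.
        /// </summary>
        public bool IsMonitoring
        {
            get { return _thread != null; }
        }

        /// <summary>
        /// Start monitoring on a background thread. Does nothing if already running.
        /// </summary>
        /// <exception cref="ObjectDisposedException">The instance has been disposed.</exception>
        public void Start()
        {
            if (_disposed)
                throw new ObjectDisposedException(null, "This instance is already disposed");
            lock (_threadLock)
            {
                if (IsMonitoring)
                    return;
                _eventTerminate.Reset();
                Thread worker = new Thread(new ThreadStart(MonitorThread));
                worker.IsBackground = true;
                _thread = worker;   // publish before Start so a fast-failing thread cannot race the assignment
                worker.Start();
            }
        }

        /// <summary>
        /// Stops the monitoring thread. When called from the monitor thread itself (i.e.
        /// from a <see cref="RegChanged"/> or <see cref="Error"/> handler) it only signals
        /// termination and returns, because joining our own thread would deadlock.
        /// </summary>
        /// <exception cref="ObjectDisposedException">The instance has been disposed.</exception>
        public void Stop()
        {
            if (_disposed)
                throw new ObjectDisposedException(null, "This instance is already disposed");
            // In-handler case: do not take the lock either, another thread may already hold it
            // while joining us, which would deadlock in the other direction.
            if (_thread == Thread.CurrentThread)
            {
                _eventTerminate.Set();
                return;
            }
            lock (_threadLock)
            {
                Thread worker = _thread;
                if (worker == null)
                    return;
                _eventTerminate.Set();
                worker.Join();
            }
        }

        // Thread entry point: runs the wait loop and routes any failure to the Error event.
        private void MonitorThread()
        {
            try
            {
                ThreadLoop();
            }
            catch (Exception e)
            {
                OnError(e);   // reported once; the monitor is stopped after this
            }
            finally
            {
                _thread = null;   // last thing this thread does; IsMonitoring turns false here
            }
        }

        // Opens the key, arms RegNotifyChangeKeyValue and waits for either a change or Stop().
        private void ThreadLoop()
        {
            // The notify event is created outside the key's try/finally on purpose: the pending
            // notification references hEvent until the key is closed, so the key must go first.
            using (AutoResetEvent notify = new AutoResetEvent(false))
            {
                IntPtr registryKey;
                int result = RegOpenKeyEx(_registryHive, _registrySubName, 0, STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_NOTIFY, out registryKey);
                if (result != 0)
                    throw new Win32Exception(result);   // e.g. access denied or key not found
                try
                {
                    // Valid for the lifetime of the using block, which outlives every use below.
                    IntPtr notifyHandle = notify.SafeWaitHandle.DangerousGetHandle();
                    WaitHandle[] waitHandles = new WaitHandle[] { notify, _eventTerminate };
                    while (!_eventTerminate.WaitOne(0, true))
                    {
                        // One-shot: each call reports the next change only, so it is re-armed
                        // after every notification. Changes that happen between the signal and
                        // this re-arm (i.e. while the handler runs) are not reported individually.
                        result = RegNotifyChangeKeyValue(registryKey, true, _regFilter, notifyHandle, true);
                        if (result != 0)
                            throw new Win32Exception(result);
                        if (WaitHandle.WaitAny(waitHandles) == 0)
                        {
                            OnRegChanged();
                        }
                    }
                }
                finally
                {
                    // Closing the key cancels any armed notification before the event is disposed.
                    if (registryKey != IntPtr.Zero)
                    {
                        RegCloseKey(registryKey);
                    }
                }
            }
        }
    }

    /// <summary>
    /// Filter for notifications reported by <see cref="RegistryMonitor"/>. The values are the
    /// native REG_NOTIFY_CHANGE_* flags and can be combined.
    /// </summary>
    [Flags]
    public enum RegChangeNotifyFilter
    {
        /// <summary>Notify the caller if a subkey is added or deleted (REG_NOTIFY_CHANGE_NAME).</summary>
        Key = 1,
        /// <summary>Notify the caller of changes to the attributes of the key,
        /// such as the security descriptor information (REG_NOTIFY_CHANGE_ATTRIBUTES).</summary>
        Attribute = 2,
        /// <summary>Notify the caller of changes to a value of the key. This can
        /// include adding or deleting a value, or changing an existing value
        /// (REG_NOTIFY_CHANGE_LAST_SET).</summary>
        Value = 4,
        /// <summary>Notify the caller of changes to the security descriptor of the key
        /// (REG_NOTIFY_CHANGE_SECURITY). Keep this set when watching for tampering: an ACL
        /// change on the key is otherwise invisible to this monitor.</summary>
        Security = 8,
    }
}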
❸ 有什么办法可以监控注册表的改动
regshot、regmon 或 regsnap 等软件都可以监视注册表变化，通过它们可以了解和监视应用程序在注册表中的动作。注意它们分两类：regmon 这类是实时记录每一次访问，regshot / regsnap 这类是前后快照比较，只能看出最终差异。
❹ 如何监控注册表及文件
卡巴斯基杀毒软件里的主动防御功能就是用于注册表监控和防护的，还好用，可以试一下。此外，瑞星专杀里有注册表的修复软件。
❺ 哪一款的注册表实时监控比较好
Regmon 注册表监视实用工具，可以实时显示哪些应用程序正在访问注册表、它们正在访问哪些注册表项以及正在读取和写入的注册表数据。点此下载。Process Monitor 是一个用于 Windows 的高级监视工具，可以显示实时文件系统、注册表和进程/线程活动。它结合了两个传统 Sysinternals 实用工具（Filemon 和 Regmon）的功能，并增加了大量增强功能，其中包括丰富且不具破坏性的筛选功能、全面的事件属性（如会话 ID 和用户名）、可靠的进程信息、完整的线程堆栈（支持每个操作的集成符号）、同一文件并行日志记录等功能。异常强大的功能使 Process Monitor 成为系统故障排除和恶意软件捕获工具包的核心实用工具。点此下载。既然 Process Monitor 已经包含了 Regmon 的全部功能，新环境直接用 Process Monitor 即可，并请从微软官方 Sysinternals 站点获取。
❻ 有什么办法能监控或者检测到注册表新增的内容吗
regsnap这个可以的哦
Advanced Registry Tracer 这个也可以（Advanced Registry Tracer (ART) 是一个用来跟踪 Windows 注册表变化的工具软件。安装软件之前先用 ART 制作一个注册表快照，安装之后再制作另一个快照，然后比较两者就能看到新增的内容）。注意这种快照比较只反映前后差异，安装过程中先写入后又删除的临时项不会出现在结果里。
试试看
❼ 请推荐一个好的注册表监视的软件
Regmon(Registry Monitor
)是一个出色的注册表数据库监视软件,它将与注册表数据库相关的一切操作(如读取、修改、出错信息等)全部记录下来以供用户参考,并允许用户对记录的信息进行保存、过滤、查找等处理,这就为用户对系统的维护提供了极大的便利。Regmon的使用非常简单,我们只需运行该程序即可启动它的系统监视功能,自动将系统对注册表数据库的读取、修改等操作逐笔记录下来,此后我们就可以凭借它所做的记录从事有关系统维护操作了。具体来说,Regmon所做的记录非常全面,我们可利用它完成许多系统设置工作。如,Windows 98在开始菜单上新增了一个名为“收藏夹”的子菜单,它主要针对网络用户,对未上网的用户而言没有多大实用价值,因此这部分用户就希望能取消开始菜单中的“收藏夹”子菜单。为此,我们可事先启动Regmon,激活其注册表数据库的监视功能,然后启动TweakUI等软件,利用它们的设置功能取消Windows 9X的“收藏夹”子菜单。切换回Regmon之后,我们就可以从它所做的记录中,发现TweakUI是通过将注册表数据库“HKEY_CURRENT_USER\Software \Microsoft \Windows \CurrentVersion \Policies \Explorer”主键下的“NoFavoritesMenu”的“dword”值由0改为1来达到取消“收藏夹”子菜单的目的。再如,当我们在安装某些不具备自动卸载功能的应用软件并手工将其删除之后,该程序就会在注册表数据库中留下一些残余信息,从而影响系统的安全运行,手工修改也比较困难,而利用Regmon则可轻易解决这一问题。我们只需在安装有关软件之前先行启动Regmon程序,将该软件在安装过程中对注册表数据库的修改全部记录下来,然后在卸载该程序时再手工清除注册表数据库中的残余信息即可,从而满足了用户的需要,提高了系统的安全性。
需要说明的是,缺省情况下Regmon会同时对注册表数据库的读取、修改、错误信息等内容进行监视,其中后两项的监视当然是非常必要的,但对读取功能的监视却值得商讨。其实我们可采取平常不对读取操作进行监视,以加快系统运行速度,而在某些特殊情况下再临时打开读取监视功能,以充分发挥Regmon监视作用的变通方法。为此,我们只需执行“Events”菜单的“Filter”命令,打开“Regmon Filter”设置框,然后取消“Log reads”选项即可。另外,我们还可以利用“Regmon Filter”设置框对监视过程、路径范围、监视的级别层次等选项加以设置,以便更好地满足日常操作的需要。
从上面的介绍中可以看出，充分利用 Regmon 的注册表数据库监视功能，对于简化系统维护操作、提高系统运行效率是非常有利的，况且它还是免费软件！怎么样？赶快下载一个试试吧（原文指向 MYDOWN 下载站；建议改从微软官方 Sysinternals 站点获取，Regmon 现已并入 Process Monitor）。
❽ 什么软件可以监控注册表
Regshot（注册表监视比较工具）V2.0.1.66 绿色免费版。注意：第三方下载站的"绿色版"可能被篡改或捆绑，最好从项目官方来源获取。
RegShot是个小巧的注册表静态比较工具,它能快速地帮助您发现注册表的变化,甚至通过扫描硬盘来让您掌握硬盘上某些文件夹[或是整个硬盘]的改变! [因为越来越多的可疑软件将自己的"脚印"留在您硬盘中最不显眼的地方]。在最新的版本中它还可以通过动态监控注册表[Windows9x平台]来辅助分析。所有的比较结果输出为详细的纯文本格式或HTML格式的文档。
❾ 想要一个可以监控注册表的软件.!!
注册表监控软件
在 BAIDU 搜一下，多得很，至于哪个好用就看你选择了！
去这个地址看下：
http://www.baidu.com/s?wd=%D7%A2%B2%E1%B1%ED%BC%E0%BF%D8%C8%ED%BC%FE&cl=3
❿ Process Monitor监控进程操作注册表如何实现
如题，假如我要安装一个软件，我想知道安装过程中它都在注册表里面加了些什么东西？（具体到键）
有能够监测的软件吗?或者有什么别的方法可以找出来?
最好能针对某个指定的程序，因为我经常安装了一些软件后却不知道它对我的电脑做了什么事。