XxXFaNtA Posted April 1, 2008

Hey guys. I have been watching these forums for quite a long time, and finally I think I might contribute with a little script: it monitors what happens in the Registry!

```autoit
; Subscribe to WMI registry-change events and print each one as it arrives.
$wmiSink = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($wmiSink, "SINK_")   ; route the sink's COM events to the SINK_* functions below
$regPath = "HKEY_LOCAL_MACHINE"
; RootPath="" means the whole hive: any change beneath it raises one RegistryTreeChangeEvent
$strQuery = 'Select * FROM RegistryTreeChangeEvent WHERE Hive="' & $regPath & '" AND RootPath=""'
Dim $obj_WMIService = ObjGet('winmgmts:\\' & @ComputerName & '\root\default')
If Not @error Then
    $obj_WMIService.ExecNotificationQueryAsync($wmiSink, $strQuery, Default, Default, Default)
    ConsoleWrite("Ready and waiting for changes" & @CRLF)
EndIf

; Idle loop: COM events are delivered while the script sleeps
While 1
    Sleep(10000)
WEnd

Func SINK_OnObjectReady($objLatestEvent, $objAsyncContext)
    ConsoleWrite($objLatestEvent.GetObjectText_() & @CRLF)
EndFunc   ;==>SINK_OnObjectReady
```

I hope this will be useful for some of you (it could be used to prevent viruses from writing to the Registry, or even to communicate between two scripts).
Swift Posted April 1, 2008

Cool script. Is there a way to block it from making registry changes and then ask your permission; if so, then allow it to write, if not, don't?
XxXFaNtA Posted April 1, 2008 (Author)

Not sure, but you could actually remove the change, ask if the user really wants to make the change, and then either create the same registry entry or not.
slayerz Posted April 3, 2008

Nice script XxXFanta... I've been trying to do something like this before but didn't know where to start!
martin Posted April 3, 2008

> Not sure, but you could actually remove the change, ask if the user really wants to make the change, and then either create the same registry entry or not.

How do you know what the registry was changed from, so that you can remove the change?
XxXFaNtA Posted April 3, 2008 (Author)

Sorry. I thought it was just a bug, but after searching on MSDN I found out that it will never display the RootPath or what has been changed. Sorry.
jaenster Posted April 3, 2008

Next step is to see what processes have access to the internet.
GEOSoft Posted April 3, 2008

You might want to take a different approach for this. Something along the lines of doing a registry snapshot before an installation and then again after. Compare the two to get the changed values.

George
XxXFaNtA Posted April 3, 2008 (Author)

Yes, but wouldn't it take too long to save the state of the whole registry? Hm... we could also just monitor specific roots (like the autostart root or others).
martin Posted April 3, 2008

> I did come across an AutoIt app that has the option to monitor registry changes and revert them if any changes occur (there's an option of whether to revert the changes or not; it doesn't revert automatically).

Sounds good. Where is it?
mikiutama Posted April 3, 2008

I get this error using v3.2.10.0:

```text
>Running:(3.2.10.0):C:\Program Files\AutoIt3\autoit3.exe "H:\scripts\registry change monitor.au3"
H:\scripts\registry change monitor.au3 (9) : ==> The requested action with this object has failed.:
$obj_WMIService.ExecNotificationQueryAsync($wmiSink, $strQuery, Default, Default, Default)
$obj_WMIService.ExecNotificationQueryAsync($wmiSink, $strQuery, Default, Default, Default)^ ERROR
->03:37:16 AutoIT3.exe ended.rc:1
+>03:37:17 AutoIt3Wrapper Finished
>Exit code: 1    Time: 5.216
```

Why?
XxXFaNtA Posted April 3, 2008 (Author)

Dunno :| I think there might be a problem when it tries to get the object. Hmm... @jackit: are you sure it was an AutoIt script? I know that some software does this, though (e.g. Spybot S&D).
WeMartiansAreFriendly Posted July 15, 2008

> Sorry. I thought it was just a bug, but after searching on MSDN I found out that it will never display the RootPath or what has been changed. Sorry.

That's a crying shame! I was just digging through MSDN at 12:22 pm at night trying to find a way to see what was being changed.
James Posted July 15, 2008

This is good for me: for OEMWizard I need to check (in Vista) whether or not the registry is being written to, without checking it all the time!
weaponx Posted July 15, 2008

I use RegShot to check registry changes; that is a good example to work off of. I doubt you will match its insane speed, however. http://sourceforge.net/projects/regshot
ReFran Posted July 16, 2008

> I use RegShot to check registry changes; that is a good example to work off of. I doubt you will match its insane speed, however. http://sourceforge.net/projects/regshot

Me too, and don't forget to download and use: http://www.larshederer.homepage.t-online.de/erunt/ Works well.

br, Reinhard
duckling78 Posted October 4, 2008

> Sorry. I thought it was just a bug, but after searching on MSDN I found out that it will never display the RootPath or what has been changed. Sorry.

Sorry for resurrecting a dead thread, but I was interested in how to do this in AutoIt3 and got the following so far. It kind of seems to work and performance isn't horrible.

```autoit
#cs ----------------------------------------------------------------------------
 AutoIt Version: 3.2.12.1
 Author:         Michael Sunwoo
 Script Function:
    Registry monitoring script.
#ce ----------------------------------------------------------------------------

; Script Start
#include <Array.au3>

HotKeySet("^!+{Esc}", "ExitScript")

Local $wmiSink = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($wmiSink, "SINK_")
; The WMI event watches the whole HKEY_USERS hive; the snapshot only covers $regRoot
Local $regPath = "HKEY_USERS", $regRoot = "HKCU\Software"
Local $strQuery = 'Select * FROM RegistryTreeChangeEvent WHERE (Hive="' & $regPath & '" AND RootPath="")'
Local $lastValue = 0
Local $saveLoc = @AppDataDir & "\StudiosQA\" & StringTrimRight(@ScriptName, 4) & "\"

; Baseline snapshot; the log directory must exist and a stale snapshot must not be appended to
DirCreate($saveLoc)
FileDelete($saveLoc & "RegValues.txt")
RegQuery($regRoot, "RegValues.txt")

Dim $obj_WMIService = ObjGet('winmgmts:\\' & @ComputerName & '\root\default')
If Not @error Then
    $obj_WMIService.ExecNotificationQueryAsync($wmiSink, $strQuery, Default, Default, Default)
    ConsoleWrite("Ready and waiting for changes." & @CRLF)
EndIf

;Idle loop
While 1
    Sleep(10000)
WEnd

; Recursively dump the subkeys and values below $regPath to $fileWrite
Func RegQuery($regPath, $fileWrite)
    ;Blah("$regPath: " & $regPath)
    ;#cs
    If $regPath = "HKCU\Software\Microsoft" Or _
            $regPath = "HKCU\Software\Adobe" Or _
            $regPath = "HKCU\Software\RealWorld" Or _
            $regPath = "HKCU\Software\Google" Then
        Return 1
    EndIf
    ;#ce
    ;Get all values inside $regPath once (not once per subkey, and also for keys without subkeys)
    RegQueryValues($regPath, $fileWrite)
    Local $i = 1
    While 1
        Local $regQueryResult = RegEnumKey($regPath, $i)
        If @error Then
            ExitLoop
        Else
            ;If $lastValue >= UBound($arrayReg) Then
            ;   ExitLoop
            ;Else
            ;$arrayReg[$lastValue][0] = $regPath & "\" & $regQueryResult
            FileWriteLine($saveLoc & $fileWrite, $regPath & "\" & $regQueryResult)
            $lastValue += 1
            If Mod($lastValue, 1000) = 0 Then
                Blah("Mod($lastValue, 1000) = 0, $lastValue = " & $lastValue)
            EndIf
            If RegQuery($regPath & "\" & $regQueryResult, $fileWrite) Then
                $i += 1
            Else
                Return 0
            EndIf
            ;EndIf
        EndIf
    WEnd
    Return 1
EndFunc   ;==>RegQuery

; Dump every value of $regPath as "path\name<TAB>type<TAB>data"
Func RegQueryValues($regPath, $fileWrite)
    Local $j = 1
    While 1
        ;Blah("$regPath: " & $regPath)
        Local $regQueryValueResult = RegEnumVal($regPath, $j)
        If @error Then
            ExitLoop
        Else
            $regQueryValueResultExtended = @extended   ; value type (REG_SZ, REG_DWORD, ...)
            $regResult = RegRead($regPath, $regQueryValueResult)
            Switch @error
                Case 0
                    ;
                Case 1
                    Blah("Error RegRead 1 [" & @ScriptLineNumber & "]: Unable to open requested key.")
                Case 2
                    Blah("Error RegRead 2 [" & @ScriptLineNumber & "]: Unable to open requested main key.")
                Case 3
                    Blah("Error RegRead 3 [" & @ScriptLineNumber & "]: Unable to remote connect to the registry.")
                Case -1
                    Blah("Error RegRead -1 [" & @ScriptLineNumber & "]: Unable to retrieve requested value name (value instance out of range).")
            EndSwitch
            FileWriteLine($saveLoc & $fileWrite, _
                    $regPath & "\" & $regQueryValueResult & @TAB & _
                    $regQueryValueResultExtended & @TAB & _
                    $regResult)
            $lastValue += 1
            If Mod($lastValue, 1000) = 0 Then
                Blah("Mod($lastValue, 1000) = 0, $lastValue = " & $lastValue)
            EndIf
            $j += 1
        EndIf
    WEnd
EndFunc   ;==>RegQueryValues

; Called by WMI for every change in the hive: take a fresh snapshot and diff it against the last one
Func SINK_OnObjectReady($objLatestEvent, $objAsyncContext)
    ConsoleWrite(@CRLF & @MON & "/" & @MDAY & "/" & @YEAR & " " & @HOUR & ":" & @MIN & ":" & @SEC & ": Change detected.")
    ConsoleWrite($objLatestEvent.GetObjectText_())
    ;Local $arrayOld = $arrayReg
    If FileExists($saveLoc & "RegValues.txt") Then
        If Not FileMove($saveLoc & "RegValues.txt", $saveLoc & "RegValues_Old.txt", 9) Then
            Blah("Error with FileMove at line " & @ScriptLineNumber & ".")
        EndIf
    Else
        Blah("Error line " & @ScriptLineNumber & ": " & "FileMove has problems with: " & $saveLoc & "RegValues.txt")
    EndIf
    $lastValue = 0
    RegQuery($regRoot, "RegValues.txt")
    If FileExists($saveLoc & "RegValues.txt") Then
        If FileExists($saveLoc & "RegValues_Old.txt") Then
            Blah('FileGetSize($saveLoc & "RegValues.txt"): ' & FileGetSize($saveLoc & "RegValues.txt") & ' FileGetSize($saveLoc & "RegValues_Old.txt"): ' & FileGetSize($saveLoc & "RegValues_Old.txt"))
            ; Sanity check: a snapshot that differs in size by more than 20% is probably a broken dump, not a real change
            If FileGetSize($saveLoc & "RegValues.txt") > FileGetSize($saveLoc & "RegValues_Old.txt") * .8 And _
                    FileGetSize($saveLoc & "RegValues.txt") < FileGetSize($saveLoc & "RegValues_Old.txt") * 1.2 Then
                Blah("Notice [" & @ScriptLineNumber & "]: Filesize within limits.")
                ;FileWriteLine($saveLoc & "RegChanges.txt", @YEAR & "/" & @MON & "/" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC & ": SINK_OnObjectReady launching file compare...")
                ; fc exit code: 0 = identical, 1 = differences, 2 = file not found
                $return = RunWait(@ComSpec & ' /c fc /L /N RegValues.txt RegValues_Old.txt', $saveLoc, @SW_HIDE)
                Switch $return
                    Case 0
                        Blah("Notice FC [" & @ScriptLineNumber & "]: No differences encountered.")
                    Case 1
                        Blah("Notice FC [" & @ScriptLineNumber & "]: Difference found between files.")
                        FileWriteLine($saveLoc & 'RegChanges.txt', @YEAR & "/" & @MON & "/" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC & ": Change detected.")
                        RunWait(@ComSpec & ' /c fc /L /N RegValues.txt RegValues_Old.txt >> "' & $saveLoc & 'RegChanges.txt"', $saveLoc, @SW_HIDE)
                    Case 2
                        Blah("Error FC [" & @ScriptLineNumber & "]: File not found.")
                EndSwitch
            Else
                Blah("Notice [" & @ScriptLineNumber & "]: Filesize not within limits.")
            EndIf
        Else
            Blah("Error line " & @ScriptLineNumber & ": SINK_OnObjectReady called but RegValues_Old.txt not found.")
        EndIf
    Else
        Blah("Error line " & @ScriptLineNumber & ": SINK_OnObjectReady called but RegValues.txt not found.")
    EndIf
    Blah(@CRLF & "End of SINK_OnObjectReady")
EndFunc   ;==>SINK_OnObjectReady

Func Blah($text)
    ConsoleWrite($text & @CRLF)
EndFunc   ;==>Blah

Func ExitScript()
    Exit
EndFunc   ;==>ExitScript
```

Exit hotkey: Ctrl+Alt+Shift+Esc. It will create logs in: %appdata%\StudiosQA\RegMonitor

I am working on this because my group needs a program to track whether any programs we're getting from third-party developers write to the registry (possibly in incorrect locations, etc.). There is a bunch of debug text in the console, as I've only been working on this for a day so far. It only tracks things in HKCU\Software, with the exception of things in HKCU\Software\Microsoft, Google, Adobe and RealWorld (they take up a lot of registry keys and slow down performance). There are a lot of false positives because the function in the initial post seems to track any write to the registry, while I'm only monitoring a small portion of it.
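GEOSoft's snapshot-and-compare suggestion and duckling78's script above reduce to the same operation: dump a subtree, dump it again after the change, diff the dumps. That step is needed because RegistryTreeChangeEvent only says that something under the root changed; its siblings RegistryKeyChangeEvent (Hive, KeyPath) and RegistryValueChangeEvent (Hive, KeyPath, ValueName) name the changed key or value but likewise carry no old or new data. The example below is added here and is not code from the thread or from AutoIt: it implements the diff in Python over snapshots held as dicts of key path to {value name: (type, data)}, so it runs offline on constructed sample data, and take_snapshot produces that shape from the live registry on Windows with the standard-library winreg module. It also shows the cost of the noise filter the script uses (skipping HKCU\Software\Microsoft and friends for speed): with that prefix ignored, a new entry in the per-user Run key, the classic persistence location, is silently dropped. The vendor key, value data, user name and the PERSISTENCE_PREFIXES list are assumptions for illustration.

```python
"""Registry snapshot diff: an added example, not code from the thread or from AutoIt.
A snapshot maps a key path to {value_name: (reg_type, data)}; diff_snapshots reports what
changed between two of them. Sample data below is constructed; take_snapshot reads the
live registry on Windows through the standard-library winreg module."""
import sys

REG_SZ, REG_DWORD = 1, 4  # numeric codes as in winreg.REG_SZ / winreg.REG_DWORD
# Assumption: the per-user autostart keys are the changes worth alerting on.
PERSISTENCE_PREFIXES = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                        r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce")

def _under(key, prefixes):
    """True if key is one of prefixes or lies beneath one of them."""
    return any(key == p or key.startswith(p + "\\") for p in prefixes)

def _enum(fn, key):
    """Yield fn(key, 0), fn(key, 1), ... until winreg signals the end with OSError."""
    i = 0
    while True:
        try:
            yield fn(key, i)
        except OSError:
            return
        i += 1

def take_snapshot(hive_name, subkey):
    """Walk hive_name\\subkey on Windows; unreadable keys (access denied) are skipped."""
    if sys.platform != "win32":
        raise OSError("take_snapshot needs Windows; use prepared snapshots elsewhere")
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snap = {}

    def walk(path):
        try:
            key = winreg.OpenKey(hives[hive_name], path)
        except OSError:
            return
        with key:  # EnumValue yields (name, data, type); EnumKey yields child names
            snap[f"{hive_name}\\{path}"] = {n: (t, d) for n, d, t in _enum(winreg.EnumValue, key)}
            for child in _enum(winreg.EnumKey, key):
                walk(f"{path}\\{child}")

    walk(subkey)
    return snap

def diff_snapshots(before, after, ignore_prefixes=()):
    """Compare two snapshots. ignore_prefixes drops whole subtrees, as the AutoIt script
    does for HKCU\\Software\\Microsoft and others to save time; note that this also hides
    the Run keys unless they are carved back out of the ignore list."""
    b = {k: v for k, v in before.items() if not _under(k, ignore_prefixes)}
    a = {k: v for k, v in after.items() if not _under(k, ignore_prefixes)}
    diff = {"added_keys": sorted(a.keys() - b.keys()), "removed_keys": sorted(b.keys() - a.keys()),
            "added_values": [], "removed_values": [], "changed_values": []}
    for key in sorted(a.keys() & b.keys()):
        old, new = b[key], a[key]
        diff["added_values"] += [(key, n, new[n]) for n in sorted(new.keys() - old.keys())]
        diff["removed_values"] += [(key, n, old[n]) for n in sorted(old.keys() - new.keys())]
        diff["changed_values"] += [(key, n, old[n], new[n])
                                   for n in sorted(old.keys() & new.keys()) if old[n] != new[n]]
    # Values under a brand-new (or vanished) key are additions (removals) as well.
    for key in diff["added_keys"]:
        diff["added_values"] += [(key, n, v) for n, v in sorted(a[key].items())]
    for key in diff["removed_keys"]:
        diff["removed_values"] += [(key, n, v) for n, v in sorted(b[key].items())]
    return diff

def persistence_hits(diff):
    """Entries of a diff that touch an autostart key."""
    return [e for bucket in ("added_values", "removed_values", "changed_values")
            for e in diff[bucket] if _under(e[0], PERSISTENCE_PREFIXES)]

# Constructed sample: an "install" bumps a version, adds a telemetry key and drops a new
# autostart entry into the per-user Run key. Names and paths are made up.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
APP = r"HKCU\Software\ExampleVendor\App"
BEFORE = {
    r"HKCU\Software": {},
    RUN: {"OneDrive": (REG_SZ, r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background")},
    APP: {"Version": (REG_SZ, "1.0"), "InstallDir": (REG_SZ, r"C:\Program Files\ExampleVendor\App")},
}
AFTER = {
    r"HKCU\Software": {},
    RUN: {**BEFORE[RUN], "Updater": (REG_SZ, r"C:\Users\alice\AppData\Roaming\updater.exe")},
    APP: {**BEFORE[APP], "Version": (REG_SZ, "1.1")},
    APP + r"\Telemetry": {"Enabled": (REG_DWORD, 1)},
}

if __name__ == "__main__":
    full = diff_snapshots(BEFORE, AFTER)
    for bucket, entries in full.items():
        for entry in entries:
            print(bucket, entry)
    print("autostart changes:", persistence_hits(full))
    # Same diff with the script's noise filter applied: the new Run entry is gone.
    filtered = diff_snapshots(BEFORE, AFTER, ignore_prefixes=(r"HKCU\Software\Microsoft",))
    print("autostart changes after filtering:", persistence_hits(filtered))
```

The diff compares value tuples (type, data), so a REG_SZ "1" turning into a REG_DWORD 1 is reported as a change, which a text diff of a dump like the script's `fc` run would also catch but a data-only comparison would not. If you do use an ignore list for speed, list the autostart keys in a separate "always watch" set rather than relying on the big vendor subtrees being uninteresting; the Run keys live under the very prefix the script skips.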
toxicvn Posted October 11, 2008

I want to set permissions for a key, e.g. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. Help me, thank you very much.
Cdma1X Posted October 11, 2008

> I want to set permissions for a key, e.g. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. Help me, thank you very much.

I also want to know how to set permissions on a registry key. Does anyone know?
trancexx Posted October 11, 2008

You cannot.