elac99

Event control for changes in Registry and/or Files/Directories

6 posts in this topic


Is it possible to define an event function to be started if, e.g., a registry value or a file is changed?

There are event functions like GUICtrlSetOnEvent but there seems not to be a function like RegistrySetOnEvent(...).

Edited by elac99




Is it possible to define an event function to be started if, e.g., a registry value or a file is changed?

There are event functions like GUICtrlSetOnEvent but there seems not to be a function like RegistrySetOnEvent(...).

Perhaps it may be possible to implement this functionality using some Win32 API calls. I would not be the best authority on said implementation.

Would FileMon and/or RegMon be applicable in your context?

Zach Fisher...


No, I would like to use it to run during the complete uptime of a PC, looking at a Registry key to see if it is changed and then to react to this change.

The purpose is not to have an analysis on what is changed, so Regmon, Filemon is not the solution.

An example script for using it would be e.g.:

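```autoit
; RegistrySetOnValueChange is the wished-for function, not an existing AutoIt function
RegistrySetOnValueChange(RegistryValue, MyFunction)

While (True)
    Sleep(1000)
WEnd

Func MyFunction()
    ;Reaction on Registry Value change
EndFunc
```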


... and here's the solution:

```autoit
; This program monitors a single key within the registry and throws an event when this key changes.
; React to the change inside the function SINK_OnObjectReady.

Local $Hive, $KeyPath, $ValueName
Global $objWMIService

$Hive = "HKEY_LOCAL_MACHINE"
; AutoIt strings have no escape character, so the doubled backslashes are passed
; through unchanged, which is what the WQL string literal requires.
$KeyPath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
$ValueName = "LCHelper"
$MyFunc = "SINK_" ; prefix of the event handler functions

RegistrySetEventOnValueChange($Hive, $KeyPath, $ValueName, $MyFunc)

While True
    Sleep(1000)
    ; You can use Regedit to make a change in the key
    ; to see an event generated.
WEnd

Func RegistrySetEventOnValueChange($Hive, $KeyPath, $ValueName, $MyFunc)
    Local $strComputer = "."
    Local $objWMIService, $wmiSink, $ObjRegistry, $command, $objResult

    ; WQL notification query for changes to one named value
    $command = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='" & $Hive & "' AND KeyPath='" & $KeyPath & "' AND ValueName='" & $ValueName & "'"
    ; The registry event classes are queried in the root\default namespace
    $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\default")
    $wmiSink = ObjCreate("WbemScripting.SWbemSink")
    ; Route the sink's events to functions whose names start with $MyFunc
    ObjEvent($wmiSink, $MyFunc)
    $objResult = $objWMIService.ExecNotificationQueryAsync($wmiSink, $command)
    ; Start listening for change in key
    ;MsgBox(4096, "Registry Watcher", "Listening for Registry Change Events...")
EndFunc

Func SINK_OnObjectReady($objObject, $wmiAsyncContext)
    MsgBox(4096, "Registry Watcher", "Received Registry Change Event" & @CRLF & $objObject.GetObjectText_())
    ; Here you can react to the registry change...
EndFunc
```

Thank you very much for your hints.


Great job! I tried to find something that would be able to monitor for ANY change in the registry (à la Regmon), but couldn't find anything that wasn't .NET. Mind you, it was a short search. Regardless, when I change $ValueName to something that exists on my machine, it works like a champ. Thanks for sharing this.

Zach Fisher...
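
Added example, not part of the thread and not the posters' code: the same WMI sink pattern as the solution above, subscribed to RegistryKeyChangeEvent so that any value added, changed or removed under the key raises an event. That event does not say which value changed, so the handler diffs a snapshot of the key; the names KEYSINK_, Snapshot and all variables are assumptions made for this example.

```autoit
; Added example (not the posters' code). Assumed names: KEYSINK_, Snapshot, $s*/$o* variables.
; HKLM is used because the WMI registry event classes do not support HKCU or HKCR.
; Assumption: the interpreter matches the OS bitness, so RegRead is not redirected to WOW6432Node.
Global Const $sHive = "HKEY_LOCAL_MACHINE"
Global Const $sKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
; Globals keep the COM objects alive for the lifetime of the script.
Global $oWMI, $oSink, $oSinkEvents
Global $oBaseline = Snapshot()

; WQL string literals need every backslash doubled.
Global $sQuery = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='" & $sHive & _
        "' AND KeyPath='" & StringReplace($sKey, "\", "\\") & "'"
$oWMI = ObjGet("winmgmts:\\.\root\default")
$oSink = ObjCreate("WbemScripting.SWbemSink")
$oSinkEvents = ObjEvent($oSink, "KEYSINK_")
$oWMI.ExecNotificationQueryAsync($oSink, $sQuery)

While True
    Sleep(1000)
WEnd

; Read every value name and its data under the key into a dictionary.
Func Snapshot()
    Local $oDict = ObjCreate("Scripting.Dictionary"), $sName, $i = 1
    While True
        $sName = RegEnumVal($sHive & "\" & $sKey, $i)
        If @error Then ExitLoop
        $oDict.Add($sName, RegRead($sHive & "\" & $sKey, $sName))
        $i += 1
    WEnd
    Return $oDict
EndFunc

; The event only says that the key changed, so diff against the last snapshot.
Func KEYSINK_OnObjectReady($oEvent, $oContext)
    Local $oNow = Snapshot(), $sReport = ""
    For $sName In $oNow
        If Not $oBaseline.Exists($sName) Then
            $sReport &= "added: " & $sName & " = " & $oNow.Item($sName) & @CRLF
        ElseIf Not ($oBaseline.Item($sName) == $oNow.Item($sName)) Then
            $sReport &= "changed: " & $sName & " = " & $oNow.Item($sName) & @CRLF
        EndIf
    Next
    For $sName In $oBaseline
        If Not $oNow.Exists($sName) Then $sReport &= "removed: " & $sName & @CRLF
    Next
    $oBaseline = $oNow
    If $sReport <> "" Then ConsoleWrite($sReport)
EndFunc
```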
