
Event control for changes in Registry and/or Files/Directories



Is it possible to define an event function to be started, if e.g. a registry value or a file is changed ?

There are event functions like GUICtrlSetOnEvent but there seems not to be a function like RegistrySetOnEvent(...).

Edited by elac99

Is it possible to define an event function to be started, if e.g. a registry value or a file is changed ?

There are event functions like GUICtrlSetOnEvent but there seems not to be a function like RegistrySetOnEvent(...).

Perhaps it may be possible to implement this functionality using some Win32 API calls. I would not be the best authority on said implementation.

Would FileMon and/or RegMon be applicable in your context?

Zach Fisher...


No, I would like to use it to run during the complete uptime of a PC, looking at a Registry key to see if it is changed and then to react to this change.

The purpose is not to have an analysis on what is changed, so Regmon, Filemon is not the solution.

An example script for using it would be e.g.:

RegistrySetOnValueChange(RegistryValue, MyFunction)

While (True)
    Sleep(1000)
WEnd

Func MyFunction()
    ;Reaction on Registry Value change
EndFunc


... and here's the solution:

; This program monitors a single key within the registry and throws an event when this key changes.
; The reaction to the change goes in the function SINK_OnObjectReady.

Local $Hive, $KeyPath, $ValueName, $MyFunc
Global $objWMIService

$Hive = "HKEY_LOCAL_MACHINE"
; AutoIt strings have no escape sequences, so "\\" is two literal backslashes.
; WQL needs backslashes inside a string literal doubled like this.
$KeyPath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
$ValueName = "LCHelper"
$MyFunc = "SINK_" ; prefix of the event handler function names

RegistrySetEventOnValueChange($Hive, $KeyPath, $ValueName, $MyFunc)

While (True)
    Sleep(1000)
    ; You can use Regedit to make a change in the key
    ; to see an event generated.
WEnd

Func RegistrySetEventOnValueChange($Hive, $KeyPath, $ValueName, $MyFunc)
    Local $strComputer = "."
    Local $objWMIService, $wmiSink, $ObjRegistry, $command, $objResult

    ; WQL notification query for changes to one value under one key
    $command = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='" & $Hive & "' AND KeyPath='" & $KeyPath & "' AND ValueName='" & $ValueName & "'"

    ; The registry event classes live in the root\default namespace
    $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\default")
    $wmiSink = ObjCreate("WbemScripting.SWbemSink")

    ; Route the sink's events to functions named <$MyFunc><EventName>
    ObjEvent($wmiSink, $MyFunc)

    ; Start listening for change in key
    $objResult = $objWMIService.ExecNotificationQueryAsync($wmiSink, $command)
    ;MsgBox(4096, "Registry Watcher", "Listening for Registry Change Events...")
EndFunc

Func SINK_OnObjectReady($objObject, $wmiAsyncContext)
    MsgBox(4096, "Registry Watcher", "Received Registry Change Event" & @CRLF & $objObject.GetObjectText_())
    ; Here you can react to the registry change...
EndFunc

Thank you very much for your hints.


Great job! I tried to find something that would be able to monitor for ANY change in the registry ( a la' Regmon ), but couldn't find anything that wasn't .NET. Mind you, it was a short search. Regardless, when I change $ValueName to something that exists on my machine, it works like a champ. Thanks for sharing this.

Zach Fisher...
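
Added example, not part of the thread and not code from any poster: a variant of the script above that subscribes to RegistryKeyChangeEvent, so any value added, changed or removed under the Run key is reported, which goes beyond the single-value case shown in the thread. The names WatchKey, Snapshot, WqlEscape and the RUNWATCH_ prefix are made up for this sketch, and it assumes the script reads the same 32/64-bit registry view that the WMI event covers.

```autoit
; Added example: report every value change under the HKLM Run key (names are hypothetical).
Global Const $g_sHive = "HKEY_LOCAL_MACHINE", $g_sKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Global $g_oWMI, $g_oSink, $g_oEvt ; globals keep the COM objects alive after setup returns
Global $g_oBaseline = Snapshot()  ; value name -> data as seen at start-up

If Not WatchKey($g_sHive, $g_sKey) Then Exit 1
While True
    Sleep(1000)
WEnd

Func WqlEscape($s) ; WQL string literals need \ and ' escaped with a backslash
    Return StringReplace(StringReplace($s, "\", "\\"), "'", "\'")
EndFunc

Func WatchKey($sHive, $sKey)
    ; The WMI registry event classes do not support HKEY_CURRENT_USER or HKEY_CLASSES_ROOT
    If $sHive = "HKEY_CURRENT_USER" Or $sHive = "HKEY_CLASSES_ROOT" Then Return False
    Local $sQuery = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='" & WqlEscape($sHive) & _
            "' AND KeyPath='" & WqlEscape($sKey) & "'"
    $g_oWMI = ObjGet("winmgmts:\\.\root\default")
    $g_oSink = ObjCreate("WbemScripting.SWbemSink")
    If Not IsObj($g_oWMI) Or Not IsObj($g_oSink) Then Return False
    $g_oEvt = ObjEvent($g_oSink, "RUNWATCH_")
    $g_oWMI.ExecNotificationQueryAsync($g_oSink, $sQuery)
    Return True
EndFunc

Func Snapshot() ; read every value under the key into a dictionary
    Local $oMap = ObjCreate("Scripting.Dictionary"), $i = 1, $sName
    While True
        $sName = RegEnumVal("HKLM\" & $g_sKey, $i)
        If @error Then ExitLoop ; no more values
        $oMap.Add($sName, RegRead("HKLM\" & $g_sKey, $sName))
        $i += 1
    WEnd
    Return $oMap
EndFunc

Func RUNWATCH_OnObjectReady($oEvent, $oContext)
    ; The key-level event does not name the value, so diff against the baseline
    Local $oNow = Snapshot()
    For $sName In $oNow
        If Not $g_oBaseline.Exists($sName) Then
            ConsoleWrite("ADDED   " & $sName & " = " & $oNow.Item($sName) & @CRLF)
        ElseIf Not ($g_oBaseline.Item($sName) == $oNow.Item($sName)) Then ; == is case-sensitive
            ConsoleWrite("CHANGED " & $sName & " = " & $oNow.Item($sName) & @CRLF)
        EndIf
    Next
    For $sName In $g_oBaseline
        If Not $oNow.Exists($sName) Then ConsoleWrite("REMOVED " & $sName & @CRLF)
    Next
    $g_oBaseline = $oNow
EndFunc
```

ConsoleWrite output is only visible when the script is run from an editor console or compiled as a console application; swap in FileWriteLine to keep a log on disk.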
