Hooking registry calls

May 26, 2012 at 7:03 PM

I am using EasyHook to build a registry sandbox around an application. 

That is: I hook win32 api registry functions as soon as the application is loaded and then I try to redirect all read and write calls to registry to my own shadow registry keys. 

So far I have implemented a small monitoring application and I notice that EasyHook is not able to hook all the calls. When I run Sysinternals Process Monitor on the same application, the latter creates more entries in the log.

Did anyone have a similar experience?

It is especially some of the RegOpenKey calls that are missing. In my monitor it is actually RegOpenKeyEx that shows up occasionally.

If you are interested you can find all my registry hooks here: 

http://roztest.blob.core.windows.net/www/downloads/ProcMonInject.7z

Thanks, Thomas

May 27, 2012 at 10:48 AM

Ah.... :-)

I solved it. Guess I was too tired yesterday.

There were several minor bugs, but the main problem was that I cannot call HookRuntimeInfo.Callback after I have called the Win32Api function in my hook handler.
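
The ordering described in the post above, as an added example that is not the poster's code and not part of the original thread: the handler reads `HookRuntimeInfo.Callback` before it calls the real `RegOpenKeyExW`. `RegistryMonitor` and its `log` queue are hypothetical names; the class is assumed to be built against EasyHook.dll and injected with `RemoteHooking.Inject`.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Threading;
using EasyHook;

public class RegistryMonitor : IEntryPoint   // hypothetical class name
{
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode)]
    delegate int DRegOpenKeyEx(IntPtr hKey, string subKey, int options,
                               int samDesired, out IntPtr phkResult);

    // The real API, called from inside the handler.
    [DllImport("advapi32.dll", EntryPoint = "RegOpenKeyExW", CharSet = CharSet.Unicode)]
    static extern int RegOpenKeyEx(IntPtr hKey, string subKey, int options,
                                   int samDesired, out IntPtr phkResult);

    LocalHook openKeyHook;
    readonly Queue<string> log = new Queue<string>();

    public RegistryMonitor(RemoteHooking.IContext context, string channelName) { }

    public void Run(RemoteHooking.IContext context, string channelName)
    {
        // 'this' is the object later returned by HookRuntimeInfo.Callback.
        openKeyHook = LocalHook.Create(
            LocalHook.GetProcAddress("advapi32.dll", "RegOpenKeyExW"),
            new DRegOpenKeyEx(RegOpenKeyEx_Hooked), this);
        // Intercept every thread except the one running this method.
        openKeyHook.ThreadACL.SetExclusiveACL(new int[] { 0 });
        RemoteHooking.WakeUpProcess();
        while (true)
        {
            Thread.Sleep(500);
            // Drain the log outside the handler (needs the TRACE symbol defined).
            lock (log) while (log.Count > 0) Trace.WriteLine(log.Dequeue());
        }
    }

    static int RegOpenKeyEx_Hooked(IntPtr hKey, string subKey, int options,
                                   int samDesired, out IntPtr phkResult)
    {
        // Read the callback first, before the real API is called.
        RegistryMonitor self = (RegistryMonitor)HookRuntimeInfo.Callback;
        int status = RegOpenKeyEx(hKey, subKey, options, samDesired, out phkResult);
        lock (self.log)
            self.log.Enqueue(string.Format("RegOpenKeyExW 0x{0:X}\\{1} -> {2}",
                                           hKey.ToInt64(), subKey, status));
        return status;
    }
}
```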

Jun 19, 2012 at 8:13 AM

Hi thomas3d,

I want to do some similar work to yours. But I have met an elementary problem with EasyHook. That is, I cannot run the example in Visual Studio 2010 on Windows 7 64-bit. So I want to know how you run it or your program. Thx :)

PS: I saw many similar problems in this discussion list, but did not find any effective solution for me.

Feb 23, 2015 at 12:55 PM

Hi Thomas,

I have the same issue. I have to hook the registry calls when my application is loaded and try to redirect all read and write calls to the registry to my own shadow registry keys.
You said you solved it, and I checked this link to download your project, but the link doesn't work yet.

http://roztest.blob.core.windows.net/www/downloads/ProcMonInject.7z

Can you help me please??

Waiting for your reply.

Thanks a lot.