I tried working on a sample calling SHCopyKeyA which subsequently calls the following APIs in a Windows XP system:
RegOpenKeyExA
RegEnumKeyExA
RegCreateKeyExA
and so on
It logged the APIs just fine. However, when in a Windows 7 system SHCopyKeyA calls SHCopyKeyW which subsequently calls the following APIs:
RegOpenKeyExW - logged properly
RegEnumKeyExW - not logged - replaced by NtEnumerateKey
RegCreateKeyExW - not logged - replaced by NtCreateKey
and so on
The logged NtCreateKey is actually fine since it contains almost the same information as RegCreateKeyExW. However, the logged NtEnumerateKey doesn't have the same information as RegEnumKeyExW.
Is there a way to log RegEnumKeyExW in Windows 7? If there's none, can we expand the logged information for NtEnumerateKey to resemble that of RegEnumKeyExW?
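The second half of the question, making a NtEnumerateKey log record carry what a RegEnumKeyExW record would (subkey index and name), comes down to decoding the KeyBasicInformation buffer that NtEnumerateKey fills on return. The following is an added example, not code from the original post or from any sandbox: a portable C decoder for that buffer, using the documented KEY_BASIC_INFORMATION layout, with a constructed sample buffer standing in for the output parameter a hook would read after the real call completes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* KEY_BASIC_INFORMATION, as NtEnumerateKey(KeyBasicInformation) fills it:
 * LARGE_INTEGER LastWriteTime (0), ULONG TitleIndex (8),
 * ULONG NameLength in bytes (12), WCHAR Name[] (16), not NUL-terminated. */
#define KBI_NAME_OFFSET 16u

/* The fields a RegEnumKeyExW-style log line needs. */
struct enum_key_log {
    uint32_t index;       /* Index argument passed to NtEnumerateKey */
    uint64_t last_write;  /* FILETIME: 100 ns ticks since 1601-01-01 */
    char name[256];       /* subkey name, non-ASCII folded to '?' */
};

/* Decode the output buffer of a completed NtEnumerateKey call.
 * Returns 0 on success, -1 if the buffer is too small or inconsistent;
 * a hook must not trust NameLength blindly, it can exceed the buffer. */
int decode_key_basic_info(const uint8_t *buf, size_t buf_len,
                          uint32_t index, struct enum_key_log *out)
{
    uint32_t name_len;
    if (buf == NULL || out == NULL || buf_len < KBI_NAME_OFFSET)
        return -1;
    memcpy(&out->last_write, buf, sizeof out->last_write);
    memcpy(&name_len, buf + 12, sizeof name_len);
    if (name_len % 2 != 0 || name_len > buf_len - KBI_NAME_OFFSET)
        return -1;
    size_t chars = name_len / 2;
    if (chars >= sizeof out->name)
        return -1;
    for (size_t i = 0; i < chars; i++) {
        uint16_t wc;
        memcpy(&wc, buf + KBI_NAME_OFFSET + 2 * i, sizeof wc);
        out->name[i] = (wc < 0x80) ? (char)wc : '?';
    }
    out->name[chars] = '\0';
    out->index = index;
    return 0;
}

/* Constructed sample buffer: what the call would return for subkey L"Run". */
static const uint8_t SAMPLE_KBI[] = {
    0x00, 0x80, 0xc3, 0x24, 0x8a, 0x2b, 0xd5, 0x01, /* LastWriteTime */
    0x00, 0x00, 0x00, 0x00,                         /* TitleIndex    */
    0x06, 0x00, 0x00, 0x00,                         /* NameLength=6  */
    'R', 0x00, 'u', 0x00, 'n', 0x00                 /* "Run", UTF-16LE */
};
```

A hook would call the decoder on the KeyInformation argument once the original NtEnumerateKey has returned successfully, and emit index and name alongside the key handle it already logs.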