Fatal编程技术网
  • winapi/
  • Winapi regedit.exe如何创建空二进制值

Winapi regedit.exe如何创建空二进制值

winapi

Winapi regedit.exe如何创建空二进制值,winapi,registry,Winapi,Registry,我打开了regedit,并使用ProcessMonitor.exe创建了一个空的二进制值来监视它。我设置了一个过滤器,这样它就可以包含任何提到空二进制值的注册表路径的内容,并排除所有其他内容。当创建一个新的二进制值时,它会创建一个未命名的值,然后当我将其重命名为其他值时,它会删除未命名的值。但是,它没有用新名称设置任何内容,它只是查询返回错误的值,直到我在regedit中关闭密钥,然后再次打开它,它现在成功地查询空的REG_二进制文件 在任何时候我都看不到任何集值调用,我查看了msdn,它并没有

我打开了regedit,并使用ProcessMonitor.exe创建了一个空的二进制值来监视它。我设置了一个过滤器,这样它就可以包含任何提到空二进制值的注册表路径的内容,并排除所有其他内容。当创建一个新的二进制值时,它会创建一个未命名的值,然后当我将其重命名为其他值时,它会删除未命名的值。但是,它没有用新名称设置任何内容,它只是查询返回错误的值,直到我在regedit中关闭密钥,然后再次打开它,它现在成功地查询空的REG_二进制文件

在任何时候我都看不到任何集值调用,我查看了msdn,它并没有说查询不存在的值会创建它们。它是如何生成新值的?

在XP上执行此操作,还可以获得RegMon输出,其中列出了SetValue:

ProcMon:

"Sequence","Time of Day","Process Name","PID","Operation","Path","Result","Detail","Event Class"
"8456","20:15:47,6493609","regedit.exe","420","RegQueryValue","HKCU\Software\test\New Value #1","NAME NOT FOUND","Length: 144","Registry"
"8559","20:15:51,2066619","regedit.exe","420","RegQueryValue","HKCU\Software\test\foo","NAME NOT FOUND","Length: 144","Registry"
"8560","20:15:51,2066761","regedit.exe","420","RegQueryValue","HKCU\Software\test\New Value #1","SUCCESS","Type: REG_BINARY, Length: 0","Registry"
"8561","20:15:51,2066864","regedit.exe","420","RegQueryValue","HKCU\Software\test\New Value #1","SUCCESS","Type: REG_BINARY, Length: 0","Registry"
"8562","20:15:51,2075572","regedit.exe","420","RegDeleteValue","HKCU\Software\test\New Value #1","SUCCESS","","Registry"
"8618","20:15:52,9198131","regedit.exe","420","RegCloseKey","HKCU\Software\test","SUCCESS","","Registry"
雷格蒙:

1   2.38380957  regedit.exe:420 QueryValue  HKCU\Software\test\New Value #1 NOT FOUND       
2   2.38436174  regedit.exe:420 SetValue    HKCU\Software\test\New Value #1 SUCCESS     
3   5.36779499  regedit.exe:420 QueryValue  HKCU\Software\test\foo  NOT FOUND       
4   5.36780643  regedit.exe:420 QueryValue  HKCU\Software\test\New Value #1 SUCCESS     
5   5.36781597  regedit.exe:420 QueryValue  HKCU\Software\test\New Value #1 SUCCESS     
6   5.36884880  regedit.exe:420 SetValue    HKCU\Software\test\foo  SUCCESS     
7   5.36890793  regedit.exe:420 DeleteValueKey  HKCU\Software\test\New Value #1 SUCCESS     
8   9.04430676  regedit.exe:420 CloseKey    HKCU\Software\test  SUCCESS
regmon输出对我来说就像一个重命名操作(QV、QVx2、SV、DV),可能regmon使用挂钩,而procmon使用记录在案的注册表监视器api(或者procmon bug?)

我在procmon上测试了最新版本和旧版本;v1.37(当您在XP上打开/关闭监控时,旧版本不会有太大的ETW延迟)

我编写了一个python程序,将从ProcMon导出的CSV结果解析到注册表导入文件,因此您可以按照自己的喜好设置系统(包括使用调整实用程序等),它过滤掉垃圾并生成一个合并文件。现在看来,我应该选择RegMon程序作为我的选择武器:)这显然是一个ProcMon错误,它看不到变化。这意味着我要重新编写我的解析器,或者也许我不必担心它太近了,我会把它放在Glitory或类似的东西上,让其他人来做脏活:)公平地说,可能是官方的事件监控系统出了错,而不是procmon,但由于他们选择了错误的监控系统,它仍然算作procmon bug。