Bewerken

Delen via

Registering for System Registry Events

  • Artikel

To receive notifications from the System Registry provider, a management application must register as a temporary event consumer. Most of the requirements to register for the System Registry provider are the same as any other event registration, except you must also perform the following procedure.

The registry provider supplies event classes for events in the system registry. For more information about general event registration, see Receiving a WMI Event.

The following procedure describes how to register for system registry events.

To register for system registry events

  1. Call a notification query method.

    In either script or C++, use a notification query such as SWbemServices.ExecNotificationQueryAsync or IWbemServices::ExecNotificationQueryAsync. Create a query string for the bstrQuery parameter of IWbemServices::ExecNotificationQueryAsync or the strQuery in script.

  2. Determine which type of event you want to receive and create the query.

    The following table lists the registry event classes that you can use.

    Event class Hive location Description
    RegistryEvent N/A
    		 Abstract base class for changes in the registry.
    RegistryTreeChangeEvent RootPath
    		 Monitors changes to a hierarchy of keys.
    RegistryKeyChangeEvent KeyPath
    		 Monitors changes to a single key.
    RegistryValueChangeEvent ValueName
    		 Monitors changes to a single value.

    These classes have a property called Hive that identifies the hierarchy of keys to be monitored for change, such as HKEY_LOCAL_MACHINE.

    Changes to the HKEY_CLASSES_ROOT and HKEY_CURRENT_USER hives are not supported by RegistryEvent or classes derived from it, such as RegistryTreeChangeEvent.

  3. Create the WHERE clause for your event registration.

    The System Registry provider has specific rules for WHERE clauses. For more information, see Creating a Proper WHERE Clause for the Registry Provider. For more general information about creating a WHERE clause, see Querying with WQL.

  4. Determine whether your consumer is receiving events.

    The System Registry provider does not guarantee that all sent events are delivered. For more information, see Receiving Registry Events.

The following VBScript code example shows how to detect a registry change in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft hive or subtree. This is a monitoring script that, for demonstration purposes, runs in a process named Wscript.exe until it is terminated in Task Manager, WMI is stopped, or the operating system is rebooted. The script uses a semisynchronous call to SWbemServices.ExecNotificationQuery. For more information about semisynchronous calls, see Making a Semisynchronous Call with VBScript.

Set wmiServices = GetObject("winmgmts:root/default") 
Set colTreeChanges = wmiServices.ExecNotificationQuery _
    ("SELECT * FROM RegistryTreeChangeEvent " _
    & "WHERE Hive='HKEY_LOCAL_MACHINE' " _
    & "AND RootPath='SOFTWARE\\Microsoft'")

While (True)
   Set TreeChange = colTreeChanges.NextEvent
   TreeChange.GetObjectText_()
   Wscript.Echo  "Hive = " & TreeChange.Hive & VBNewLine _
      & "RootPath = "& TreeChange.RootPath _
      & TreeChange.GetObjectText_()      
Wend

The following VBScript code example shows how to monitor the change in the values of a key by registering for the registry provider event type RegistryKeyChangeEvent. The script calls an asynchronous method, SWbemServices.ExecNotificationQueryAsync. For more information about asynchronous calls and security, see Making an Asynchronous Call with VBScript.

The following script runs indefinitely until the computer is rebooted, WMI is stopped, or the script is stopped. To stop the script manually, use Task Manager to stop the process. To stop it programmatically, use the Terminate method in the Win32_Process class.

strComputer = "."
Set objWMIServices = GetObject("winmgmts:root/default") 
Set wmiSink = WScript.CreateObject( _
    "WbemScripting.SWbemSink", "SINK_") 
Set ObjRegistry = GetObject("winmgmts:_
    {impersonationLevel = impersonate}!\\" _
    & strComputer & "\root\default:StdRegProv")

' Create a new key
strPath = "SOFTWARE\MyKey\MySubKey\"
Return = objRegistry.CreateKey(HKEY_LOCAL_MACHINE, strPath)

' Start listening for change in key
objWMIServices.ExecNotificationQueryAsync wmiSink, _ 
    "SELECT * FROM RegistryKeyChangeEvent " _ 
    & "WHERE Hive='HKEY_LOCAL_MACHINE' AND " _ 
    & "KeyPath='SOFTWARE\\MyKey\\MySubKey\\'" 
WScript.Echo "Listening for Registry Change Events..." 

While(True) 
    WScript.Sleep 1000
' You can use Regedit to make a change in the key 
' HKEY_LOCAL_MACHINE\SOFTWARE\MyKey\MySubKey\ 
'    to see an event generated.
Wend 

Sub SINK_OnObjectReady(EventObject, wmiAsyncContext) 
    WScript.Echo "Received Registry Change Event" & vbCrLf & _
      EventObject.GetObjectText_() 
End Sub