Copyright © 1997, 1998 Mark Russinovich and Bryce Cogswell
Last Updated April 1, 1998 V3.4
Introduction

Regmon for Windows NT is a device driver/GUI combination for NT 3.51 and NT 4.0 that displays all registry activity taking place on a Windows NT system. It is a demonstration of the power and utility of a technique we've developed called kernel-mode system call hooking, which allows many internal NT operations to be monitored and altered. An article describing this technique was published in the January 1997 issue of Dr. Dobb's Journal.

Full source code has been uploaded, but it differs from the source that appeared in the article in that it is now much more portable across releases of NT. Instead of relying on hard-wired system call numbers, which had to be changed for each revision of NTOSKRNL, this version extracts the system call numbers from the Zw functions (Zw functions are the kernel's internal entry points to the system calls, made available to device drivers). Each Zw function is a four-instruction stub whose first instruction loads the system call number into a register, so as long as that layout does not change, which is unlikely given its simplicity, Regmon for Windows NT will remain compatible with NT updates. The driver still depends on the layout of the system service table itself, which is what it patches (see More Information below).

Version 3.0 includes some minor bug fixes, further improved code, and major usability enhancements, including a toolbar and output search capabilities.
Installation and Use

Installing Regmon for Windows NT is as easy as unzipping it and typing "ntregmon". The GUI dynamically loads the driver (based on code from the instdrv sample in the Windows NT DDK), which starts by hooking all registry-related kernel calls. This means that Regmon for Windows NT sees all application-level registry activity, and even most kernel registry calls. The Regmon for Windows NT menus and toolbar buttons can be used to set up process and path filters, toggle hooking on and off, control the scrolling of the listview, and save the listview contents to an ASCII file.

Both the process and path filters take expressions similar to what the command prompt takes: you can specify names with '*' representing wildcards. The "Path Include" filter lists path names that will be monitored and the "Path Exclude" filter lists path names that will not be monitored. Where the two overlap, Path Exclude overrides. Note that the filters are interpreted in a case-insensitive manner. For example, if you do not want to see activity to Software subkeys you could specify "*Software*" as the Path Exclude filter. If you only want to see activity under the HKLM key, set "HKLM*" as the Path Include filter. With both of these filters set, all activity under HKLM would be logged except to subkeys with the name "Software" in their path, such as HKLM\Software. By default, the filters are set up to watch all registry activity: the process filter is "*", the Path Include filter is "*", and the Path Exclude filter is empty ("").

If you wish to see the contents of a field that is partially obscured because its listview column is too narrow, just right-click on it. You'll get a tool-tip containing the entire text of the field. To remove the tool-tip, move the mouse over it or pop up another one.
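As an added example (not Regmon's own filter code, which lives in the driver/GUI source), here is a user-mode C implementation of the filter rules just described: '*' as the only wildcard, case-insensitive comparison, process filter applied first, and Path Exclude overriding Path Include whenever both path filters match. The function names, the sample registry paths and the process name are constructed for this illustration; '?' is deliberately not supported because the page only mentions '*'.

```c
/*
 * Added example, not Regmon's own code: a user-mode implementation of the
 * filter semantics described above ('*' wildcard, case-insensitive,
 * Path Exclude overrides Path Include). Names and sample data are constructed.
 */
#include <ctype.h>
#include <stdio.h>

/* Case-insensitive match of str against pat, where '*' matches any run of
 * characters (including none). Iterative with a single backtrack point, so a
 * very long registry path cannot exhaust the stack as a recursive matcher could. */
int wild_match(const char *pat, const char *str)
{
    const char *star = NULL;    /* last '*' seen in pat */
    const char *resume = NULL;  /* position in str to resume from after that '*' */

    while (*str) {
        if (*pat == '*') {
            star = pat++;
            resume = str;
        } else if (*pat &&
                   tolower((unsigned char)*pat) == tolower((unsigned char)*str)) {
            pat++;
            str++;
        } else if (star) {
            pat = star + 1;     /* let the '*' absorb one more character */
            str = ++resume;
        } else {
            return 0;
        }
    }
    while (*pat == '*')         /* trailing '*'s match the empty remainder */
        pat++;
    return *pat == '\0';
}

/* Decision for one registry event: process filter, then Path Include, then
 * Path Exclude, which wins whenever both path filters match. An empty exclude
 * pattern (the default) excludes nothing. Returns 1 to log, 0 to drop. */
int should_log(const char *process, const char *path,
               const char *process_filter, const char *path_include,
               const char *path_exclude)
{
    if (!wild_match(process_filter, process))
        return 0;
    if (!wild_match(path_include, path))
        return 0;
    if (*path_exclude && wild_match(path_exclude, path))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed events, run through the filters from the text:
     * Path Include "HKLM*", Path Exclude "*Software*", process filter "*". */
    static const char *paths[] = {
        "HKLM\\System\\CurrentControlSet\\Services",
        "HKLM\\Software\\Microsoft\\Windows",
        "HKCU\\Software\\Classes",
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-45s %s\n", paths[i],
               should_log("regedit.exe", paths[i], "*", "HKLM*", "*Software*")
                   ? "logged" : "filtered");
    return 0;
}
```

Of the three constructed paths only the first is logged: the second is under HKLM but contains "Software", so the exclude wins, and the third fails the "HKLM*" include. Because matching is case-insensitive, "*software*" and "*SOFTWARE*" behave identically as exclude filters.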
Sample Screenshot

Here is a screenshot of Regmon for Windows NT.
More Information

When a user-mode component makes a privileged system call, control is transferred to a software interrupt handler in NTOSKRNL.EXE (the core of the Windows NT operating system). This handler takes a system call number, which is passed in a machine register, and indexes into a system service table to find the address of the NT function that will handle the request. By replacing entries in this table with pointers to hooking functions, it is possible to intercept and replace, augment, or monitor NT system services. Regmon for Windows NT, which hooks only the Registry-related services, is merely one example of this capability in action. A hook installed this way must pass each call through to the original handler and must put the original table entry back when the driver unloads; otherwise later system calls would land on code that is no longer in memory.
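The two steps the Introduction and this section describe, reading the system call number out of a Zw stub and then swapping the corresponding service table entry for a hook, are shown below as an added user-mode C simulation. This is not Regmon's driver source: the stub bytes, the 256-entry table, the stand-in "NtOpenKey" and the hook state are all constructed so the program runs on any machine, whereas the real driver reads the kernel's own ZwOpenKey and patches NTOSKRNL's service table in kernel mode.

```c
/*
 * Added example, not Regmon's source: a user-mode simulation of
 *   (1) recovering a system call number from a Zw stub, and
 *   (2) replacing a system service table entry with a hook that logs the
 *       call and then passes it through to the saved original.
 * The stub, table, service and hook state below are all constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef long (*service_fn)(const char *arg);

#define TABLE_SIZE   256
#define OPEN_KEY_NUM 0x77   /* constructed number for the stand-in service */

/* Constructed NT 4.0-style Zw stub for service 0x77 with one stack argument:
 *   mov eax, 77h ; lea edx, [esp+4] ; int 2Eh ; ret 4   (four instructions) */
static const uint8_t zw_open_key_stub[] = {
    0xB8, 0x77, 0x00, 0x00, 0x00,
    0x8D, 0x54, 0x24, 0x04,
    0xCD, 0x2E,
    0xC2, 0x04, 0x00
};

/* Step 1: every Zw stub begins with "mov eax, imm32" (opcode B8) and the
 * immediate is the service number. Returns -1 if the bytes do not start that
 * way, so a changed stub layout is detected rather than silently mis-hooked. */
long syscall_number_from_stub(const uint8_t *stub)
{
    if (stub[0] != 0xB8)
        return -1;
    uint32_t imm = (uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
                   ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
    return (long)imm;   /* little-endian imm32 after the opcode */
}

/* Stand-in for the real NtOpenKey: returns the path length as its "status". */
static long fake_nt_open_key(const char *path)
{
    return (long)strlen(path);
}

/* Simulated system service table, populated as the kernel would have it. */
static service_fn service_table[TABLE_SIZE] = {
    [OPEN_KEY_NUM] = fake_nt_open_key
};

/* Hook state: the saved original entry plus what the hook observed. */
static service_fn saved_open_key;
static int        hooked_calls;
static char       last_path[256];

/* Step 2: the hook. Record the call, then pass through to the original. */
static long hook_open_key(const char *path)
{
    hooked_calls++;
    snprintf(last_path, sizeof last_path, "%s", path);
    return saved_open_key(path);
}

/* Install at the slot the stub names. Idempotent, so a second call cannot
 * save the hook as "original" and make it call itself forever. Returns 1 on
 * success, 0 if the stub or table is not in the expected shape. */
int install_open_key_hook(void)
{
    long n = syscall_number_from_stub(zw_open_key_stub);
    if (n < 0 || n >= TABLE_SIZE || service_table[n] == NULL)
        return 0;
    if (service_table[n] == hook_open_key)
        return 1;
    saved_open_key   = service_table[n];
    service_table[n] = hook_open_key;
    return 1;
}

/* Put the original entry back, as the driver must do on unload. */
int remove_open_key_hook(void)
{
    long n = syscall_number_from_stub(zw_open_key_stub);
    if (n < 0 || n >= TABLE_SIZE || service_table[n] != hook_open_key)
        return 0;
    service_table[n] = saved_open_key;
    return 1;
}

/* What the interrupt handler does: take the number from eax, index the table. */
long dispatch(long number, const char *arg)
{
    if (number < 0 || number >= TABLE_SIZE || service_table[number] == NULL)
        return -1;
    return service_table[number](arg);
}

int main(void)
{
    long n = syscall_number_from_stub(zw_open_key_stub);
    install_open_key_hook();
    long status = dispatch(n, "\\Registry\\Machine\\Software");
    printf("service %#lx: status %ld, hook saw %d call(s), last path %s\n",
           n, status, hooked_calls, last_path);
    remove_open_key_hook();
    return 0;
}
```

The program hooks nothing real; its value is in showing the invariants the real driver has to keep: verify the stub's first opcode before trusting the number, never wrap a hook around itself, always call through to the saved original, and restore the entry before unloading.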
For more detailed information on how Regmon for Windows NT works, see:
Download Regmon for Windows NT (x86) (33KB)