Monitoring Entry-Level Events

Microsoft® Windows® 2000 Scripting Guide


There are likely to be times when you want to monitor changes to specific registry entries. For example, certain registry entries are used to configure system security and are therefore potential targets for anyone trying to compromise the computer. You can create a script to monitor these entries to be sure that they are not being altered.

To monitor an entry, subscribe to the RegistryValueChangeEvent class, specifying the subtree, the subkey, and the name of the entry to be monitored. As with the other registry change events, the RegistryValueChangeEvent is fired when a modification is made to the entry being monitored, and the event does not provide any information beyond the fact that a modification has taken place.

Scripting Steps

Listing 16.19 contains a script that monitors events at the registry entry level. To carry out this task, the script must perform the following steps:

  1. Use the GetObject method to connect to the WMI service.
  2. Use the CreateObject method to create an event sink.
  3. Use ExecNotificationQuery to register for the event.
  4. Put the script in sleep mode while waiting on the event.
  5. Implement the event handler as a subroutine that uses the Echo method to display a message indicating that a registry change event was received.

Listing 16.19   Monitoring Events at the Registry Entry Level

    strComputer = "."

    ' Connect to the WMI service in the root\default namespace
    Set wmiServices = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
        strComputer & "\root\default")

    ' Create the event sink; its handler subroutines are prefixed with SINK_
    Set wmiSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")

    ' Register for change events on a single registry entry
    wmiServices.ExecNotificationQueryAsync wmiSink, _
        "SELECT * FROM RegistryValueChangeEvent WHERE Hive= " _
            & "'HKEY_LOCAL_MACHINE' AND KeyPath= " _
                & "'SOFTWARE\\Microsoft\\Windows NT\\RegisteredOwner' AND " _
                    & "ValueName='CSDVersion'"

    Wscript.Echo "Listening for Registry Change Events ..." & vbCrLf

    ' Keep the script running while it waits for events
    Do While(1)
        WScript.Sleep 1000
    Loop

    ' Event handler: called each time a matching event is delivered to the sink
    Sub SINK_OnObjectReady(wmiObject, wmiAsyncContext)
        Wscript.Echo "Received Registry Change Event" & vbCrLf & _
            "------------------------------" & vbCrLf & _
                wmiObject.GetObjectText_()
    End Sub
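Because the event reports only that a modification took place, a monitoring script has to read the entry itself to learn what it now contains. The following is an added example, not part of the original guide: it pairs the same subscription with StdRegProv reads to report the previous and current data. The key SOFTWARE\Microsoft\Windows NT\CurrentVersion, the entry RegisteredOwner, the helper ReadEntry and the variable strBaseline are assumptions chosen for illustration.

```vbscript
' Sample entry chosen for this example (an assumption, not the guide's listing)
Const HKEY_LOCAL_MACHINE = &H80000002
Const KEY_PATH   = "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
Const VALUE_NAME = "RegisteredOwner"

strComputer = "."
Set wmiServices = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default")
Set objReg = wmiServices.Get("StdRegProv")

' Record the baseline data before subscribing to change events
strBaseline = ReadEntry()
WScript.Echo "Baseline: " & VALUE_NAME & " = " & strBaseline

Set wmiSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")
' Backslashes in KeyPath must be doubled inside the WQL string literal
wmiServices.ExecNotificationQueryAsync wmiSink, _
    "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " & _
    "AND KeyPath='" & Replace(KEY_PATH, "\", "\\") & "' " & _
    "AND ValueName='" & VALUE_NAME & "'"

Do While True
    WScript.Sleep 1000
Loop

' Returns the entry's string data, or a marker when it cannot be read
Function ReadEntry()
    Dim strValue, lngResult
    lngResult = objReg.GetStringValue(HKEY_LOCAL_MACHINE, KEY_PATH, VALUE_NAME, strValue)
    If lngResult <> 0 Or IsNull(strValue) Then
        ReadEntry = "<missing or unreadable, code " & lngResult & ">"
    Else
        ReadEntry = strValue
    End If
End Function

Sub SINK_OnObjectReady(wmiObject, wmiAsyncContext)
    Dim strCurrent
    strCurrent = ReadEntry()
    ' The event carries no data, so compare a fresh read against the baseline
    If strCurrent <> strBaseline Then
        WScript.Echo Now & "  " & wmiObject.Hive & "\" & wmiObject.KeyPath & _
            "\" & wmiObject.ValueName & " changed" & vbCrLf & _
            "  was: " & strBaseline & vbCrLf & "  now: " & strCurrent
        strBaseline = strCurrent
    Else
        WScript.Echo Now & "  Event received; data matches the baseline"
    End If
End Sub
```

Run it with cscript.exe so that each Echo is written to the console instead of a message box.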




Microsoft Windows 2000 Scripting Guide(c) Automating System Administration 2003
Year: 2004
Pages: 635
