Addendum

Registry Notifications

As with driver and object notifications, registry activity can be monitored by third-party drivers. These drivers register with the kernel using:

These functions allow drivers to subscribe to specific notification classes (e.g., key creation, deletion, modification, value changes).

The kernel maintains a global list head, CallbackListHead, which anchors a linked list of _CMREG_CALLBACK structures, one for each registered callback.


Key Windows Kernel Structures

_CMREG_CALLBACK

This undocumented structure holds information about registered registry callbacks.

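typedef struct _CMREG_CALLBACK {
    LIST_ENTRY List;                 // Links this entry into the list anchored at CallbackListHead
    ULONG Unknown1;
    ULONG Unknown2;
    LARGE_INTEGER Cookie;            // Cookie identifying this registration
    PVOID Unknown3;
    PEX_CALLBACK_FUNCTION Function;  // Callback routine supplied by the registering driver
} CMREG_CALLBACK, *PCMREG_CALLBACK;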
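The following is an added example, not code from the original page: a user-mode C model of how a triage or memory-forensics tool can walk the list anchored at CallbackListHead and flag any callback whose Function pointer lies outside every known driver image. Assumptions: the WDK types are replaced with portable stand-ins, and MODULE_RANGE, audit_callbacks, demo, the driver name example_av.sys and all addresses and cookie values are hypothetical, constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Portable stand-ins for the WDK types so the walk can be built in user mode. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef union { int64_t QuadPart; } LARGE_INTEGER;
typedef long (*PEX_CALLBACK_FUNCTION)(void *, void *, void *);
typedef struct _CMREG_CALLBACK {
    LIST_ENTRY List;
    uint32_t Unknown1, Unknown2;
    LARGE_INTEGER Cookie;
    void *Unknown3;
    PEX_CALLBACK_FUNCTION Function;
} CMREG_CALLBACK;
#define CONTAINING_RECORD(a, t, f) ((t *)((char *)(a) - offsetof(t, f)))
/* Hypothetical: one loaded driver image, as taken from the loaded-module list. */
typedef struct { const char *name; uintptr_t base; size_t size; } MODULE_RANGE;
static void insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head; e->Blink = head->Blink; head->Blink->Flink = e; head->Blink = e;
}
/* Returns the number of callbacks outside every module, or -1 if the links are inconsistent. */
int audit_callbacks(LIST_ENTRY *head, const MODULE_RANGE *mods, size_t n, size_t max) {
    int unowned = 0; size_t seen = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        if (++seen > max || e->Flink->Blink != e) return -1;
        CMREG_CALLBACK *cb = CONTAINING_RECORD(e, CMREG_CALLBACK, List);
        uintptr_t fn = (uintptr_t)cb->Function;
        const char *owner = NULL;
        for (size_t i = 0; i < n && !owner; i++)
            if (fn >= mods[i].base && fn - mods[i].base < mods[i].size) owner = mods[i].name;
        printf("cookie=%llx fn=%llx owner=%s\n", (unsigned long long)cb->Cookie.QuadPart,
               (unsigned long long)fn, owner ? owner : "<none>");
        if (!owner) unowned++;
    }
    return unowned;
}
/* Constructed sample: two callbacks inside a known driver, one outside all modules. */
int demo(int corrupt) {
    static const MODULE_RANGE mods[] = { { "example_av.sys", 0x10000, 0x8000 } };
    static const uintptr_t fns[3] = { 0x10400, 0x12000, 0x900000 };
    LIST_ENTRY head = { &head, &head };
    CMREG_CALLBACK cbs[3] = { 0 };
    for (int i = 0; i < 3; i++) {
        cbs[i].Cookie.QuadPart = 0x1d0000000000000LL + i;
        cbs[i].Function = (PEX_CALLBACK_FUNCTION)fns[i];
        insert_tail(&head, &cbs[i].List);
    }
    if (corrupt) cbs[1].List.Blink = &head; /* simulate a tampered back link */
    return audit_callbacks(&head, mods, 1, 64);
}
int main(void) { printf("unowned=%d\n", demo(0)); return 0; }
```

The Flink/Blink consistency check and the entry limit keep the walk from following a damaged or cyclic list indefinitely.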