def run(self):
old_cache = self.enum_values()
while True:
win32api.RegNotifyChangeKeyValue(
self.key_handle,
True,
win32api.REG_NOTIFY_CHANGE_LAST_SET,
self.event,
True
)
# Check for event signal
event_signal = win32event.WaitForSingleObject(
self.event, 1
)
if event_signal == 0:
# Event has been signalled
new_cache = self.enum_values()
this = old_cache.get_change(new_cache)
for key, hash in this.items():
decoded_key = codecs.decode(key, 'rot-13')
record = {
"guid": self.name,
"timestamp": datetime.datetime.utcnow().time().strftime("%H:%M:%S"),
"key_name": self.key_path,
"value_name": key,
"value_decoded_name": decoded_key
}
value_data, value_type = win32api.RegQueryValueEx(
self.key_handle,
key
)
if len(value_data) >= 68:
user_assist = UserAssist(
value_data
)
record.update(
user_assist.as_dict()
)
self.callback(
Box(record)
)
win32event.ResetEvent(self.event)
win32api.RegNotifyChangeKeyValue(
self.key_handle,
True,
win32api.REG_NOTIFY_CHANGE_LAST_SET,
self.event,
True
)
old_cache = new_cache
def testNotifyChange(self):
def change():
hkey = win32api.RegCreateKey(win32con.HKEY_CURRENT_USER,
self.key_name)
try:
win32api.RegSetValue(hkey, None, win32con.REG_SZ, "foo")
finally:
win32api.RegDeleteKey(win32con.HKEY_CURRENT_USER,
self.key_name)
evt = win32event.CreateEvent(None, 0, 0, None)
## REG_NOTIFY_CHANGE_LAST_SET - values
## REG_CHANGE_NOTIFY_NAME - keys
# REG_NOTIFY_CHANGE_SECURITY - security descriptor
# REG_NOTIFY_CHANGE_ATTRIBUTES
win32api.RegNotifyChangeKeyValue(win32con.HKEY_CURRENT_USER, 1,
win32api.REG_NOTIFY_CHANGE_LAST_SET,
evt, True)
ret_code = win32event.WaitForSingleObject(evt, 0)
# Should be no change.
assert ret_code == win32con.WAIT_TIMEOUT
change()
# Our event should now be in a signalled state.
ret_code = win32event.WaitForSingleObject(evt, 0)
assert ret_code == win32con.WAIT_OBJECT_0
def _initialize_key():
global key_event, registry_key_handle, registry_access_flags
try:
# make sure the registry key is not currently open
if registry_key_handle:
_close_key()
# get an event for monitoring registry updates
key_event = win32event.CreateEvent(None, True, True, None)
#print(f"KEY_EVENT: {key_event}")
# open the registry key
registry_key_handle = win32api.RegOpenKeyEx(
win32con.HKEY_CURRENT_USER,
r"SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss", 0,
registry_access_flags)
#print(f"registry_key_handle: {registry_key_handle}")
# register for registry change events
win32api.RegNotifyChangeKeyValue(
registry_key_handle, True, win32api.REG_NOTIFY_CHANGE_LAST_SET,
key_event, True)
# trigger reading the list for the first time
win32event.SetEvent(key_event)
except WindowsError:
log_exception(f'[_initialize_key()] {sys.exc_info()[1]}')
def start(self):
while True:
handle_to_be_watched = win32api.RegOpenKeyEx(
self.reg_root, self.reg_key, 0, win32con.KEY_NOTIFY)
win32api.RegNotifyChangeKeyValue(
handle_to_be_watched, False, win32api.REG_NOTIFY_CHANGE_LAST_SET, None, False)
win32api.RegCloseKey(handle_to_be_watched)
def _watch_thread(self, hive, watchKey, name, callback):
self._log("Watch thread active for key: %s" % name, messageType="DEBUG")
while self.alive:
watchHandle = win32api.RegOpenKey(hive, watchKey, 0, win32con.KEY_NOTIFY)
win32api.RegNotifyChangeKeyValue(watchHandle, False, win32api.REG_NOTIFY_CHANGE_NAME, None, False)
win32api.RegCloseKey(watchHandle)
self._log("Change detected in thread: %s" % name, messageType="DEBUG")
callback(name)
self._log("Watch thread returning for key: %s" % name, messageType="DEBUG")
return
def runNoMain(self,key):
evt = win32event.CreateEvent(None,0,0,None)#PyHANDLE-Creates a waitable event
#Notifies the caller about changes to the attributes or contents of a specified registry key.
win32api.RegNotifyChangeKeyValue(self.key #A handle to an open registry key
, 1,
win32api.REG_NOTIFY_CHANGE_NAME |
win32api.REG_NOTIFY_CHANGE_ATTRIBUTES |
win32api.REG_NOTIFY_CHANGE_LAST_SET |
win32api.REG_NOTIFY_CHANGE_SECURITY
, evt #A handle to an event
, True)
return evt
import win32event, win32api, win32con
print "Monitoring..."
hive = win32con.HKEY_CURRENT_USER
key = 'Software\Microsoft\Windows\CurrentVersion\Run'
handle = win32api.RegOpenKeyEx(hive, key, 0, win32con.KEY_NOTIFY)
win32api.RegNotifyChangeKeyValue(handle, True,
win32api.REG_NOTIFY_CHANGE_LAST_SET, None,
False)
print "Have a program add to start-up!"
