def run(self): old_cache = self.enum_values() while True: win32api.RegNotifyChangeKeyValue( self.key_handle, True, win32api.REG_NOTIFY_CHANGE_LAST_SET, self.event, True ) # Check for event signal event_signal = win32event.WaitForSingleObject( self.event, 1 ) if event_signal == 0: # Event has been signalled new_cache = self.enum_values() this = old_cache.get_change(new_cache) for key, hash in this.items(): decoded_key = codecs.decode(key, 'rot-13') record = { "guid": self.name, "timestamp": datetime.datetime.utcnow().time().strftime("%H:%M:%S"), "key_name": self.key_path, "value_name": key, "value_decoded_name": decoded_key } value_data, value_type = win32api.RegQueryValueEx( self.key_handle, key ) if len(value_data) >= 68: user_assist = UserAssist( value_data ) record.update( user_assist.as_dict() ) self.callback( Box(record) ) win32event.ResetEvent(self.event) win32api.RegNotifyChangeKeyValue( self.key_handle, True, win32api.REG_NOTIFY_CHANGE_LAST_SET, self.event, True ) old_cache = new_cache
def testNotifyChange(self): def change(): hkey = win32api.RegCreateKey(win32con.HKEY_CURRENT_USER, self.key_name) try: win32api.RegSetValue(hkey, None, win32con.REG_SZ, "foo") finally: win32api.RegDeleteKey(win32con.HKEY_CURRENT_USER, self.key_name) evt = win32event.CreateEvent(None, 0, 0, None) ## REG_NOTIFY_CHANGE_LAST_SET - values ## REG_CHANGE_NOTIFY_NAME - keys # REG_NOTIFY_CHANGE_SECURITY - security descriptor # REG_NOTIFY_CHANGE_ATTRIBUTES win32api.RegNotifyChangeKeyValue(win32con.HKEY_CURRENT_USER, 1, win32api.REG_NOTIFY_CHANGE_LAST_SET, evt, True) ret_code = win32event.WaitForSingleObject(evt, 0) # Should be no change. assert ret_code == win32con.WAIT_TIMEOUT change() # Our event should now be in a signalled state. ret_code = win32event.WaitForSingleObject(evt, 0) assert ret_code == win32con.WAIT_OBJECT_0
def _initialize_key(): global key_event, registry_key_handle, registry_access_flags try: # make sure the registry key is not currently open if registry_key_handle: _close_key() # get an event for monitoring registry updates key_event = win32event.CreateEvent(None, True, True, None) #print(f"KEY_EVENT: {key_event}") # open the registry key registry_key_handle = win32api.RegOpenKeyEx( win32con.HKEY_CURRENT_USER, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss", 0, registry_access_flags) #print(f"registry_key_handle: {registry_key_handle}") # register for registry change events win32api.RegNotifyChangeKeyValue( registry_key_handle, True, win32api.REG_NOTIFY_CHANGE_LAST_SET, key_event, True) # trigger reading the list for the first time win32event.SetEvent(key_event) except WindowsError: log_exception(f'[_initialize_key()] {sys.exc_info()[1]}')
def start(self): while True: handle_to_be_watched = win32api.RegOpenKeyEx( self.reg_root, self.reg_key, 0, win32con.KEY_NOTIFY) win32api.RegNotifyChangeKeyValue( handle_to_be_watched, False, win32api.REG_NOTIFY_CHANGE_LAST_SET, None, False) win32api.RegCloseKey(handle_to_be_watched)
def _watch_thread(self, hive, watchKey, name, callback): self._log("Watch thread active for key: %s" % name, messageType="DEBUG") while self.alive: watchHandle = win32api.RegOpenKey(hive, watchKey, 0, win32con.KEY_NOTIFY) win32api.RegNotifyChangeKeyValue(watchHandle, False, win32api.REG_NOTIFY_CHANGE_NAME, None, False) win32api.RegCloseKey(watchHandle) self._log("Change detected in thread: %s" % name, messageType="DEBUG") callback(name) self._log("Watch thread returning for key: %s" % name, messageType="DEBUG") return
def runNoMain(self,key): evt = win32event.CreateEvent(None,0,0,None)#PyHANDLE-Creates a waitable event #Notifies the caller about changes to the attributes or contents of a specified registry key. win32api.RegNotifyChangeKeyValue(self.key #A handle to an open registry key , 1, win32api.REG_NOTIFY_CHANGE_NAME | win32api.REG_NOTIFY_CHANGE_ATTRIBUTES | win32api.REG_NOTIFY_CHANGE_LAST_SET | win32api.REG_NOTIFY_CHANGE_SECURITY , evt #A handle to an event , True) return evt
import win32event, win32api, win32con print "Monitoring..." hive = win32con.HKEY_CURRENT_USER key = 'Software\Microsoft\Windows\CurrentVersion\Run' handle = win32api.RegOpenKeyEx(hive, key, 0, win32con.KEY_NOTIFY) win32api.RegNotifyChangeKeyValue(handle, True, win32api.REG_NOTIFY_CHANGE_LAST_SET, None, False) print "Have a program add to start-up!"