An important update of Process Monitor was released a couple of days ago:
As you may know, there are two functions with opposite-sounding names for opening a registry key: RegCreateKeyEx and RegOpenKeyEx. RegCreateKeyEx creates the key if it does not exist, but simply opens it if it already exists, and it reports which of the two it did through a separate output parameter (lpdwDisposition). RegOpenKeyEx never creates keys and returns an error if the key does not exist.
Before this release there was no way to tell which of the two operations RegCreateKeyEx had actually performed: the "Granted Access" property for that call always showed "Read/Write".
Since this update, Process Monitor can finally show what RegCreateKeyEx did. The "Granted Access" property for the RegCreateKey operation is gone; it has been replaced by a new "Disposition" property, which takes one of the following values:
REG_CREATED_NEW_KEY - a new registry key was created.
REG_OPENED_EXISTING_KEY - RegCreateKeyEx only opened a key that already existed.
The "Desired Access" property still shows "Read/Write": it is the access mask the caller asked for, which is the same whether the key ends up being created or opened, so it cannot tell you which action took place.
Using this new feature you can separate the two kinds of RegCreateKeyEx calls: add a condition to Process Monitor's filter with the following parameters:
Column - "Detail"
Relation - "contains"
Value - "REG_CREATED_NEW_KEY" or "REG_OPENED_EXISTING_KEY"
Action - "Include"
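The same separation is useful offline, for example when triaging a capture someone else saved. The script below is an added example, not part of the original post or of Process Monitor itself: it applies the "Detail contains REG_CREATED_NEW_KEY / REG_OPENED_EXISTING_KEY" logic to a Process Monitor CSV export (File > Save, CSV format). The column layout and the sample rows are constructed for the example, and it assumes that a failed RegCreateKey (e.g. ACCESS DENIED) carries no Disposition at all, so such rows match neither value. The list of "watched" persistence locations is the author's own choice, not something Process Monitor provides.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the layout of a Process Monitor CSV export
# (File > Save, CSV). These rows are made up for the example; they are
# not a real capture. Backslashes are doubled for the Python literal.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","installer.exe","4120","RegCreateKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Desired Access: Read/Write, Disposition: REG_OPENED_EXISTING_KEY"
"10:01:02.1235010 AM","installer.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 42, Data: C:\\Users\\u\\AppData\\upd.exe"
"10:01:02.1240000 AM","installer.exe","4120","RegCreateKey","HKCU\\Software\\Vendor\\App","SUCCESS","Desired Access: Read/Write, Disposition: REG_CREATED_NEW_KEY"
"10:01:02.1250000 AM","explorer.exe","1872","RegOpenKey","HKCU\\Software\\Classes","SUCCESS","Desired Access: Query Value"
"10:01:02.1260000 AM","svc.exe","900","RegCreateKey","HKLM\\SYSTEM\\CurrentControlSet\\Services\\EvilSvc","SUCCESS","Desired Access: Read/Write, Disposition: REG_CREATED_NEW_KEY"
"10:01:02.1270000 AM","svc.exe","900","RegCreateKey","HKLM\\SOFTWARE\\Policies","ACCESS DENIED","Desired Access: Read/Write"
'''

# The two strings Process Monitor puts into the Detail column; the filter in
# the post matches on exactly these.
DISPOSITION_RE = re.compile(r"Disposition:\s*(REG_CREATED_NEW_KEY|REG_OPENED_EXISTING_KEY)")

# Hypothetical list of locations where a *newly created* key is worth a look
# (service registration, Run keys). Extend to taste.
WATCHED_PREFIXES = (
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
)


def parse_events(csv_text):
    """Parse a Process Monitor CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def disposition(event):
    """Return the Disposition of a RegCreateKey event, or None.

    Only RegCreateKey rows carry a Disposition. A failed call (assumed here:
    e.g. ACCESS DENIED) has none, because no key was created or opened, so
    it deliberately matches neither value, just like the GUI filter.
    """
    if event["Operation"] != "RegCreateKey":
        return None
    m = DISPOSITION_RE.search(event["Detail"])
    return m.group(1) if m else None


def created_keys(events):
    """Paths that RegCreateKeyEx actually created (Detail contains REG_CREATED_NEW_KEY)."""
    return [e["Path"] for e in events if disposition(e) == "REG_CREATED_NEW_KEY"]


def opened_keys(events):
    """Paths that RegCreateKeyEx merely opened (Detail contains REG_OPENED_EXISTING_KEY)."""
    return [e["Path"] for e in events if disposition(e) == "REG_OPENED_EXISTING_KEY"]


def creates_per_process(events):
    """Count new keys per (process name, PID): who is writing new registry structure."""
    counts = Counter()
    for e in events:
        if disposition(e) == "REG_CREATED_NEW_KEY":
            counts[(e["Process Name"], e["PID"])] += 1
    return counts


def new_keys_in_watched_locations(events):
    """New keys (not mere opens) under the watched prefixes, compared case-insensitively."""
    prefixes = tuple(p.upper() for p in WATCHED_PREFIXES)
    return [
        e["Path"]
        for e in events
        if disposition(e) == "REG_CREATED_NEW_KEY" and e["Path"].upper().startswith(prefixes)
    ]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_CSV)
    print("created:", created_keys(evts))
    print("opened: ", opened_keys(evts))
    print("per process:", dict(creates_per_process(evts)))
    print("new keys in watched locations:", new_keys_in_watched_locations(evts))
```

Note how the sample separates the cases the post is about: installer.exe opened the existing Run key (an open, not a create, even though the call was RegCreateKeyEx) but created a new key under its own vendor path, while svc.exe created a brand-new Services subkey. Before this Process Monitor release all three would have looked identical in the Detail column.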
[DW]