Select highlighting colors with Edit|Highlight
Colors. </p>
<p><em>Regmon</em> can either timestamp events or
show the time elapsed from the last time you cleared
the output window (or since you started <i>Regmon</i>).
The Options menu and the clock toolbar button
let you toggle between the two modes. The button
on the toolbar shows the current mode with a clock
or a stopwatch. When showing durations, the Time
field in the output shows the number of seconds
it took the kernel's Registry implementation to
service each request.</p>
<p><i>Regmon</i> v4.1 introduces a powerful new
feature. When you see a Registry value or key
in <i>Regmon's</i> output that you want to edit,
simply double click on the line that includes
the reference (or use the Regedit toolbar button)
and <i>Regmon</i> will take you directly to the
specific value using Regedit.</p>
<p>Click <a
href="../../ntw2k/info/regboot.shtml">here</a> to learn about <em>Regmon's</em> boot
monitoring capability, which is available on Windows
NT.</p>
</td>
</tr>
<tr>
<td height="40" colspan="3" valign="middle"><span class='sectionheader'>How Regmon Works
</span> </td>
</tr>
<tr>
<td colspan="3" valign="TOP"> The heart of <i>Regmon</i>
on Windows 9x is the virtual device driver,
Regvxd.vxd. It is dynamically loaded, and in its
initialization it uses VxD service hooking (see
our May 1996 Dr. Dobb's Journal article on VxD service
hooking for more information) to insert itself into
the call chain of 16 registry access functions in
the Windows 95 kernel (Virtual Machine Manager).
All registry activity, be it from 16-bit programs,
Win32 applications, or device drivers, is directed
at these routines, so <i>Regmon</i> catches all
registry activity taking place on a machine.
<p>On Windows NT, <em>Regmon</em> loads a device
driver that uses a technique we pioneered for
NT called <em>system-call hooking</em>. When a
user-mode component makes a privileged system
call, control is transferred to a software interrupt
handler in NTOSKRNL.EXE (the core of the Windows
NT operating system). This handler takes a system
call number, which is passed in a machine register,
and indexes into a system service table to find
the address of the NT function that will handle
the request. By replacing entries in this table
with pointers to hooking functions, it is possible
to intercept and replace, augment, or monitor
NT system services. <i>Regmon</i>, which hooks
only the Registry-related services, is merely
one example of this capability in action.</p>
<p>When <i>Regmon </i>sees an open, create or close
call, it updates an internal hash table that serves
as the mapping between key handles and registry
path names. Whenever it sees calls that are handle
based, it looks up the handle in the hash table
to obtain the full name for display. If a handle-based
access references a key opened before Regmon started,
Regmon will not find a mapping in its hash
table and will simply present the handle value
instead.</p>
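<p>As an added illustration, not Regmon's own driver code or anything from the articles cited below, the following C program models both of the mechanisms just described in user mode: a dispatch table standing in for the NT system service table, hook functions swapped into its entries that call the original service and log the request, and the handle-to-path hash table that lets handle-based calls be shown by full key name (with the raw handle shown when the key was opened before the hooks went in). The service names and numbers, the three stand-in services, the handles and the key paths are all constructed for the example; nothing here touches a real kernel. The table swap is also the same primitive kernel-mode rootkits later used to hide Registry keys from monitoring tools, and x64 Windows with Kernel Patch Protection treats a patched service table as a fatal error, so on those systems the technique is historical.</p>

```c
/* Added example, not Regmon's own code: a user-mode model of the two mechanisms above.
 * A dispatch table stands in for the NT system service table, hook functions replace its
 * entries, and the hooks keep a handle-to-path hash table so handle-based calls are logged
 * by full key name. Services, numbers, handles and paths are constructed; no real kernel. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uintptr_t HANDLE_T;
typedef long (*svc_fn)(HANDLE_T *h, const char *arg);
enum { SVC_OPEN_KEY, SVC_SET_VALUE, SVC_CLOSE, SVC_COUNT };   /* hypothetical service numbers */

/* --- the "kernel": three trivial services and the table that dispatches to them --- */
static HANDLE_T next_handle = 0x10;
static long real_open_key(HANDLE_T *h, const char *path) { (void)path; *h = next_handle++; return 0; }
static long real_set_value(HANDLE_T *h, const char *name) { (void)h; (void)name; return 0; }
static long real_close(HANDLE_T *h, const char *arg) { (void)h; (void)arg; return 0; }
static svc_fn service_table[SVC_COUNT] = { real_open_key, real_set_value, real_close };
/* What the software-interrupt handler does: index the table by service number and call. */
static long syscall_dispatch(int svc, HANDLE_T *h, const char *arg)
{ return (svc < 0 || svc >= SVC_COUNT) ? -1 : service_table[svc](h, arg); }

/* --- the monitor: handle -> path hash table (open addressing, linear probing) --- */
#define MAP_SIZE  64
#define TOMBSTONE ((HANDLE_T)-1)   /* slot freed by a close; 0 means never used */
static struct { HANDLE_T h; char path[128]; } handle_map[MAP_SIZE];
static unsigned slot_for(HANDLE_T h) { return (unsigned)((h * 2654435761u) % MAP_SIZE); }
static void map_insert(HANDLE_T h, const char *path)
{
    unsigned s = slot_for(h);
    for (unsigned i = 0; i < MAP_SIZE; i++, s = (s + 1) % MAP_SIZE)
        if (handle_map[s].h == 0 || handle_map[s].h == TOMBSTONE || handle_map[s].h == h) {
            handle_map[s].h = h;
            snprintf(handle_map[s].path, sizeof handle_map[s].path, "%s", path);
            return;
        }   /* table full: entry dropped, later calls on h show the raw handle */
}
static int map_find(HANDLE_T h)   /* slot holding h, or -1 */
{
    unsigned s = slot_for(h);
    for (unsigned i = 0; i < MAP_SIZE; i++, s = (s + 1) % MAP_SIZE) {
        if (handle_map[s].h == 0) return -1;
        if (handle_map[s].h == h) return (int)s;
    }
    return -1;
}
static const char *map_lookup(HANDLE_T h) { int s = map_find(h); return s < 0 ? NULL : handle_map[s].path; }
static void map_remove(HANDLE_T h) { int s = map_find(h); if (s >= 0) handle_map[s].h = TOMBSTONE; }

/* --- the monitor: output buffer (the "ASCII buffer" copied up to the GUI) and hooks --- */
#define MAX_LOG 32
static char log_buf[MAX_LOG][256]; static int log_count;
static void log_event(const char *op, const char *d)
{ if (log_count < MAX_LOG) snprintf(log_buf[log_count++], sizeof log_buf[0], "%s %s", op, d); }
const char *log_line(int i) { return (i >= 0 && i < log_count) ? log_buf[i] : ""; }

static svc_fn orig_open_key, orig_set_value, orig_close;   /* saved table entries */
static long hook_open_key(HANDLE_T *h, const char *path)
{
    long st = orig_open_key(h, path);    /* let the real service run first */
    if (st == 0) map_insert(*h, path);   /* open/create: remember handle -> path */
    log_event("OpenKey", path);
    return st;
}
static long hook_set_value(HANDLE_T *h, const char *name)
{
    char full[256]; const char *path = map_lookup(*h);
    if (path) snprintf(full, sizeof full, "%s\\%s", path, name);
    else      snprintf(full, sizeof full, "0x%lX\\%s", (unsigned long)*h, name); /* opened before hooking */
    log_event("SetValue", full);
    return orig_set_value(h, name);
}
static long hook_close(HANDLE_T *h, const char *arg)
{
    const char *path = map_lookup(*h);
    log_event("CloseKey", path ? path : "<unknown handle>");
    map_remove(*h);                      /* close: drop the mapping */
    return orig_close(h, arg);
}

/* Swap the table entries; on a real kernel the table must first be made writable. */
void install_hooks(void)
{
    if (service_table[SVC_OPEN_KEY] == hook_open_key) return;   /* already installed */
    orig_open_key  = service_table[SVC_OPEN_KEY];  service_table[SVC_OPEN_KEY]  = hook_open_key;
    orig_set_value = service_table[SVC_SET_VALUE]; service_table[SVC_SET_VALUE] = hook_set_value;
    orig_close     = service_table[SVC_CLOSE];     service_table[SVC_CLOSE]     = hook_close;
}

/* Constructed scenario: one key opened before the monitor starts, one after. */
int run_demo(void)
{
    HANDLE_T early, late; log_count = 0; next_handle = 0x10; memset(handle_map, 0, sizeof handle_map);
    syscall_dispatch(SVC_OPEN_KEY, &early, "HKLM\\SOFTWARE\\Example");   /* not hooked yet */
    install_hooks();
    syscall_dispatch(SVC_OPEN_KEY, &late, "HKCU\\Software\\Test");
    syscall_dispatch(SVC_SET_VALUE, &late, "Foo");
    syscall_dispatch(SVC_SET_VALUE, &early, "Bar");                      /* handle unknown to the map */
    syscall_dispatch(SVC_CLOSE, &late, NULL);
    syscall_dispatch(SVC_CLOSE, &early, NULL);
    return log_count;
}

int main(void) { for (int i = 0, n = run_demo(); i < n; i++) puts(log_line(i)); return 0; }
```

<p>Built with any C99 compiler (for instance <code>cc -std=c99 -Wall model.c</code>, where the file name is whatever you saved it as), the program prints five lines: the open and the SetValue on the key opened after hooking appear with their full path, the SetValue on the key opened beforehand appears as <code>0x10\Bar</code>, and its close is reported as an unknown handle, which is exactly the fallback behaviour the text describes for keys opened before Regmon started.</p>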
<p>Information on accesses is dumped into an ASCII
buffer that is periodically copied up to the GUI
for it to print in its listbox. </p>
<p>For more detailed information on how <i>Regmon
</i>works on Windows NT, see: </p>
<ul>
<li>"Windows NT System Call Hooking,"
by Mark Russinovich and Bryce Cogswell, Dr.
Dobb's Journal, January 1997 </li>
<li>"<a
href="http://www.win2000mag.com/Articles/Index.cfm?ArticleID=4795">Inside NT Utilities</a>", Windows NT Magazine, February
1999.</li>
</ul>
</td>
</tr>
<tr>
<td height="40" colspan="3" valign="middle"><span class='sectionheader'>Related Utilities
</span> </td>
</tr>
<tr>
<td colspan="3" valign="TOP"> Here are some other
monitoring tools available at Sysinternals:
<ul>
<li><a
href="../../ntw2k/source/filemon.shtml">Filemon</a> - a file system activity monitor</li>
<li><a href="../../ntw2k/freeware/tdimon.shtml">Tdimon</a>
- a TCP/IP monitor</li>
<li><a href="../../ntw2k/freeware/portmon.shtml">Portmon</a>
- a serial and parallel port monitor</li>
<li><a href="../../ntw2k/freeware/pmon.shtml">PMon</a>
- a process and thread monitor (NT/Win2K)</li>
<li><a href="../freeware/diskmon.shtml">Diskmon</a>
- a hard disk monitor (NT/Win2K)</li>
<li><a href="../../ntw2k/freeware/debugview.shtml">DebugView</a>
- a debug output monitor</li>
</ul>
</td>
</tr>
<tr>
<td height="40" colspan="3" valign="middle"><span class='sectionheader'>More Information
</span> </td>
</tr>
<tr>
<td colspan="3" valign="TOP">The following serve as
additional sources of information on the Windows
NT/2000/XP and Windows 9x/Me registries:
<ul>
<li><a href="../../insidew2k.shtml">Inside Windows
2000, 3rd Edition</a> by David Solomon and Mark
Russinovich, 2000</li>
<li>"Examining the Windows 95 Registry,"
by Mark Russinovich and Bryce Cogswell, Windows
Developer's Journal, October 1996 </li>
<li><a href="../../publ.shtml">"Inside the Windows
NT Registry,"</a> by Mark Russinovich,
Windows NT Magazine, April 1997 </li>
<li><img src="../../images/amazongo.gif" border="0" width="68" height="15"
align="BOTTOM"> <a
href="http://www.amazon.com/exec/obidos/ASIN/1565921704/systemsinternals">"Inside
the Windows 95 Registry,"</a> by Ron Petrusha,
O'Reilly and Associates, 1996 </li>
<li><img src="../../images/amazongo.gif" border="0" width="68" height="15"
align="BOTTOM"> <a
href="http://www.amazon.com/exec/obidos/ASIN/1565923782/o/qid=946526688/sr=8-1/102-9688892-9937604/systemsinternals">"Managing
the Windows NT Registry"</a> by Paul Robichaux,
O'Reilly and Associates, 1998
</li>
<li><img src="../../images/amazongo.gif" border="0" width="68" height="15"
align="BOTTOM"> <font color="#000000"><a
href="http://www.amazon.com/exec/obidos/ASIN/0764504371/systemsinternals">"Windows
98 Registry For Dummies,"</a> by Glenn
Weadock, IDG Press, 1998 </font> </li>
<li><img src="../../images/amazongo.gif" border="0" width="68" height="15"
align="BOTTOM"> <font color="#000000"><a
href="http://www.amazon.com/exec/obidos/ASIN/0789716585/systemsinternals">"Using
the Windows 98 Registry,"</a> by Jerry
Honeycutt, Que, 1998 </font></li>
</ul>
</td>
</tr>
<tr>
<td height="50" colspan="3" valign="middle"><a href="http://www.winternals.com"><img src="../../images/WinProd.gif" width="87" height="29" border="0"></a></td>
</tr>
<tr>
<td colspan="3" valign="TOP"> <i>Regmon Enterprise
Edition</i>, the commercial version of <i>Regmon</i>
available from <a href="http://www.winternals.com">Winternals
Software</a>, extends the functionality of <i>Regmon</i>
with several powerful features, including the ability
to monitor remote systems and to save output to a log
file as it is generated.</td>
</tr>
<tr>
<td colspan="3" height="40" valign="middle" align="center">
<p><strong>In order to help us track its use, please
download through the link that represents the
operating system on which you will use or mostly
use <em>Regmon</em>.<br>
<br>
Note that the zip files are identical, and <em>Regmon</em>
runs on all Windows platforms.</strong></p>
<p><a href="../../files/regmon95.zip"><b>Download
Regmon (x86 - 72 KB) - you plan on using Regmon
on Win9x/Me</b></a></p>
<p><a href="../../files/ntregmon.zip"><b>Download
Regmon (x86 - 72 KB) - you plan on using Regmon
on WinNT/2K/XP</b></a></p>
<p><b><a href="../../files/regmon64.zip">Download
Regmon (XP 64-bit Edition/IA64 -116 KB )</a></b></p>
<p><a href="../../files/regsrc.zip"><b>Download
Regmon plus source (494 KB)</b></a></p>
<a href="#top"><b>Back to Top</b></a> </td>
</tr>
</table>
</td>
</tr>
</table>
</TD>
</TR>
</TABLE>
<!-- #EndEditable --></td>
</tr>
</table>
</td>
</tr>
</table>
</body>
<!-- #EndTemplate --></html>