Breakpoints on the nt!Cm*Key functions (here CmSetValueKey and CmDeleteValueKey), set with bp /t (per-thread) or bp /p (per-process), can monitor the creation and deletion of specified registry key values for a specified thread or process.
$$ *****************************************************************
$$ Script by KMS_HHL to monitor RegValue delete/set
$$ Create time 2014_11
$$ Execute by $$><D:\BaiduYunTongBu\Baidu Cloud synchronization disk\windbg_sc\6sc_regvalue_monitor_x32.txt
$$ *****************************************************************
$$ x86: CmDeleteValueKey(Kcb, UNICODE_STRING ValueName) passes the string by value,
$$ so @esp+8 is Length/MaximumLength and @esp+0xC (esp+8+4) is ValueName.Buffer.
bp nt!CmDeleteValueKey "r @$t0 = 0; r @$t0 = poi(@esp+8+4); as /mu $regdelvalue @$t0; .block { .if ($sicmp(\"${$regdelvalue}\", \"type\") == 0) { .echo found the pattern; .echo $regdelvalue; ad * } .else { .echo not found the pattern; .echo $regdelvalue; ad *; gc } }"
$$ x86: CmSetValueKey(Kcb, PUNICODE_STRING ValueName, Type, Data, DataSize) passes a pointer,
$$ so poi(@esp+8) is the UNICODE_STRING and poi(poi(@esp+8)+4) is ValueName.Buffer.
bp nt!CmSetValueKey "r @$t1 = 0; r @$t1 = poi(poi(@esp+8)+4); as /mu $regsetvalue @$t1; .block { .if ($spat(\"${$regsetvalue}\", \"*start*\")) { .echo found the pattern; .echo $regsetvalue; ad * } .else { .echo not found the pattern; .echo $regsetvalue; ad *; gc } }"
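An added x64 counterpart to the x86 script above (written for this page, not the author's script), for a kernel debugging session against a 64-bit target. It assumes the x64 fastcall convention (Kcb in rcx, ValueName in rdx, and for CmSetValueKey the value Type in r8 and DataSize at rsp+0x28), that the x64 ABI passes the 16-byte UNICODE_STRING by pointer so Buffer sits at offset 8 in both functions, and that !reg kcb can print the full key path from the key control block; the EPROCESS address for bp /p is a placeholder.

```windbg
$$ *****************************************************************
$$ x64 variant of the RegValue delete/set monitor (added example)
$$ Assumption: x64 fastcall, args in rcx, rdx, r8, r9, then [rsp+0x28]
$$ Assumption: UNICODE_STRING (16 bytes) is passed by pointer on x64,
$$             so in both functions the PWSTR Buffer is at poi(@rdx+8)
$$ *****************************************************************
$$ Optional per-process scoping (placeholder address):
$$   !process 0 0 <image name>        $$ prints the PROCESS (EPROCESS) address
$$   bp /p <EPROCESS address> nt!CmSetValueKey "..."
$$
$$ CmSetValueKey(Kcb=rcx, PUNICODE_STRING ValueName=rdx, Type=r8, Data=r9, DataSize=[rsp+0x28])
bp nt!CmSetValueKey "r @$t1 = poi(@rdx+8); as /mu $regsetvalue @$t1; .block { .if ($spat(\"${$regsetvalue}\", \"*start*\")) { .echo SET matched value name:; .echo $regsetvalue; .printf \"type=%d size=%d\\n\", @r8, poi(@rsp+28); !reg kcb @rcx; ad * } .else { ad *; gc } }"
$$
$$ CmDeleteValueKey(Kcb=rcx, UNICODE_STRING ValueName -> pointer to copy in rdx)
bp nt!CmDeleteValueKey "r @$t0 = poi(@rdx+8); as /mu $regdelvalue @$t0; .block { .if ($sicmp(\"${$regdelvalue}\", \"type\") == 0) { .echo DELETE matched value name:; .echo $regdelvalue; !reg kcb @rcx; ad * } .else { ad *; gc } }"
```

On a match the target stays broken in (no gc), so the key path from !reg kcb and the caller stack (k) can be inspected before continuing with g.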
WinDbg Scripting Practice 2: Monitoring specific registry key creation and deletion