I need to develop an application that monitors, and potentially filters (rejects the calls), file operations. It appears that developing a minifilter is the "standard" solution. Another potential method is using API hooks. Are these relevant solutions? (I read in some places that an API hook may not be suitable, but no explanation was given.) Are there other options?
I remember for my final year university project I wrote a C# registry monitor; however, when I compared it with the Microsoft ProcessMonitor application (I can't remember its exact name, but it was from a company bought by Microsoft), I wasn't capturing as many registry calls. Was this because I was using a C# wrapper and as such it would only have been catching user-mode registry accesses? I used this wrapper: http://www.codeproject.com/KB/DLL/EasyHook64.aspx To catch the kernel-mode registry accesses, would I have to write in C++?
Could someone please give me a high-level explanation of how they are able to monitor every single registry access? http://technet.microsoft.com/en-us/sysinternals/bb896645 Enough detail so that I could google around the various sub-topics and try to write my own? I know they've used some sort of DLL injection/API hooking, but I'm unsure how they reached all the kernel-mode activity.