Registry Key Masks

Registry key masks are "templates" against which registry key names are matched. A registry key mask may begin with a registry key path or may simply be a standalone key name. Both the path part and the key name part may contain single-character wildcards (?) and multi-character wildcards (*). Here are a few examples of registry key masks:

  • \REGISTRY\MACHINE\Software\*
  • HKEY_LOCAL_MACHINE\Software\*
  • *Microsoft*

Note: Some registry keys are reparse points, and the driver cannot match masks that contain the names of such reparse points. For example, "HKEY_LOCAL_MACHINE\System\CurrentControlSet" is a reparse point, so a rule that tracks operations on its subkeys must refer to the target keys and not to the reparse point itself. The following sample rule will work: "HKEY_LOCAL_MACHINE\System\*ControlSet*\Enum" (here, the asterisks are wildcards that let the rule cover the various "ControlSetNN" keys).
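The following sketch is an added example, not code from CBFS Filter or its documentation. It lints a mask for a literal reparse-point name and shows why such a mask never matches the target key name, while the wildcard form does. Assumptions: matching is case-insensitive, `*` may span backslashes, the key name presented for matching is the resolved target, and `ControlSet001` is a constructed sample; `wildMatch` and `namesLink` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"strings"
)

// wildMatch: '?' matches one character, '*' any run of characters
// (assumed here to include '\'); comparison is case-insensitive (assumption).
func wildMatch(mask, name string) bool {
	m, n := []rune(strings.ToUpper(mask)), []rune(strings.ToUpper(name))
	mi, ni, star, mark := 0, 0, -1, 0
	for ni < len(n) {
		switch {
		case mi < len(m) && m[mi] == '*':
			star, mark, mi = mi, ni, mi+1 // remember where to backtrack to
		case mi < len(m) && (m[mi] == '?' || m[mi] == n[ni]):
			mi, ni = mi+1, ni+1
		case star >= 0:
			mark, mi, ni = mark+1, star+1, mark+1 // let the last '*' absorb one more
		default:
			return false
		}
	}
	for mi < len(m) && m[mi] == '*' {
		mi++
	}
	return mi == len(m)
}

// namesLink reports whether a mask component spells out the reparse point
// named in the note above, which means the rule would never fire.
func namesLink(mask string) bool {
	for _, part := range strings.Split(mask, `\`) {
		if strings.EqualFold(part, "CurrentControlSet") {
			return true
		}
	}
	return false
}

func main() {
	resolved := `HKEY_LOCAL_MACHINE\System\ControlSet001\Enum` // constructed sample
	for _, mask := range []string{`HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum`,
		`HKEY_LOCAL_MACHINE\System\*ControlSet*\Enum`} {
		fmt.Println(mask, "namesLink:", namesLink(mask), "match:", wildMatch(mask, resolved))
	}
}
```

Running a check like `namesLink` over a rule set before deployment catches monitoring rules that would otherwise silently see no events.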

Copyright (c) 2021 Callback Technologies, Inc. - All rights reserved.
CBFS Filter 2020 Go Edition - Version 20.0 [Build 7989]