Registry Key Masks
Registry key masks are "templates" against which registry key names are matched. A registry key mask may begin with a "registry key path" or may simply be a standalone key name. Both the key name part and the path part may contain single-character wildcards (?) and/or multi-character wildcards (*). Here are a few examples of registry key masks:
- \REGISTRY\MACHINE\Software\*
- HKEY_LOCAL_MACHINE\Software\*
- *Microsoft*
Note: Some registry keys are reparse points, and the driver cannot match masks that contain the names of such reparse points. For example, "HKEY_LOCAL_MACHINE\System\CurrentControlSet" is a reparse point, so a rule that tracks operations on its subkeys must refer to the reparse point's targets and not to the reparse point itself. The following sample rule will work: "HKEY_LOCAL_MACHINE\System\*ControlSet*\Enum" (here, the asterisks are wildcards that let the rule cover the various "ControlSetNN" keys).
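The following added example (not the product's own code) models the mask matching and the reparse-point note above, and lints a rule for literal reparse-point names before it is deployed. It assumes that "*" can span backslashes, that matching is case-insensitive, that HKEY_LOCAL_MACHINE is equivalent to \REGISTRY\MACHINE, and that masks are compared against the already resolved key path; the function names and the ControlSet001 sample path are constructed for illustration.

```python
import re

# Assumption: HKEY_LOCAL_MACHINE is an alias for the native \REGISTRY\MACHINE
# path (both spellings appear in the mask examples above).
ALIASES = {"HKEY_LOCAL_MACHINE": r"\REGISTRY\MACHINE"}

def normalize(path):
    """Rewrite a leading hive alias to its native form."""
    for alias, native in ALIASES.items():
        if path.upper() == alias or path.upper().startswith(alias + "\\"):
            return native + path[len(alias):]
    return path

def mask_to_regex(mask):
    """Assumed semantics: '?' is one character, '*' is any run of characters
    (backslashes included), and comparison is case-insensitive."""
    out = []
    for ch in normalize(mask):
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

def matches(mask, key_path):
    """True if the whole key path fits the mask."""
    return mask_to_regex(mask).fullmatch(normalize(key_path)) is not None

def literal_link_components(mask, link_names=("CurrentControlSet",)):
    """Return mask components that spell out a known reparse-point key name."""
    known = {name.lower() for name in link_names}
    return [c for c in normalize(mask).split("\\") if c.lower() in known]

if __name__ == "__main__":
    # Constructed sample: the path as seen after the reparse point is resolved.
    resolved = r"\REGISTRY\MACHINE\System\ControlSet001\Enum"
    rules = [
        r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum",
        r"HKEY_LOCAL_MACHINE\System\*ControlSet*\Enum",
    ]
    for rule in rules:
        print(rule, "| matches:", matches(rule, resolved),
              "| reparse names:", literal_link_components(rule))
```

A rule for which literal_link_components returns a non-empty list is one that would silently miss events under this model, so it is worth running such a check over a rule set before loading it.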