Download EaseFilter Registry Filter Driver Library Setup File Download EaseFilter Registry Filter Driver Library Zip File
What is Windows Registry
The Windows Registry is a form of database in which programs can save and read a variety of data. This capability is commonly used by the operating system itself, as well as most applications. The Windows Registry is a favorite attack target for malware to create auto-start entries, storing their own data and modifying existing entries. Monitor all manipulation attempts with the Registry Security, even before they are made. You can have all changes checked for harmful signs, in real time, and thus prevent malware from implanting.
Basically, malware is a kind of computer program and therefore has similar needs to other software. This includes the need to store data somewhere that may be necessary for its operation. Likewise, malware faces the challenge of being able to reactivate after restarting the computer. One component of the Windows operating system is the Registry.
Since access to this database does not require any special authentication and there are hardly any rules to save the data, it is easy for malware to infiltrate this Registry. Malware can not only use the Windows Registry to store its own data, but also to read and manipulate existing ones. For example, the specified start page of a web browser is in the form of a Registry key. If this key is manipulated by malware, the start page can be easily changed. This option is used by, for example, various Internet toolbars and some forms of ransomware. Another area that malware likes to use is the various startup areas that exist in the Registry. In these, entries can be made to start certain things automatically the next time the computer starts up. A perfect way for malware to activate after a reboot.
EaseFilter Real-Time Windows Registry Monitoring and Protection
The Windows Registry is a dangerous place that, without proper monitoring, can become a playground for malware. Monitoring the Windows Registry for such manipulations and malicious entries is therefore a good idea. However, since the Registry is huge and there are more Registry than file accesses, it’s easier said than done. The most common method of security vendors is to perform an on-demand scan. The EaseFilter Registry Filter Driver Library goes one step further with Registry Security. Instead of just performing scheduled scans that can detect bad changes later, Registry Security works in real time. It not only monitors Registry access, but protects Registry access. To prevent any performance problems, you can specify the type of access to be monitored and any desired exceptions. The real-time protection monitors access attempts even before they happen and can prevent malicious manipulation in advance.
Easefilter registry filter driver is a kernel-mode driver that filters registry calls, it provides you an easy way to develop Windows application for registry monitoring and protection. With the EaseFilter Registry Filter Driver, it enables your application to protect Windows core registry keys and values and to prevent potentially damaging system configuration changes, besides operating system files. By registering a RegistryCallback routine in the registry filter driver, it can receive notifications of each registry operation before the configuration manager processes the operation. A set of REG_XXX_KEY_INFORMATION data structures which contain information about each registry operation will return to your user mode application, your application can allow the registry access or change to authorized processes or users, and deny the registry access to unauthorized processes or users.
Monitoring registry calls to track the registry changes
To track the registry changes, register these “Reg_Post_Create_Key, Reg_Post_Delete_Key, Reg_Post_Set_Value_Key, Reg_Post_Delete_Value_Key, Reg_Post_SetInformation_Key, Reg_Post_Rename_Key, Reg_Post_Create_KeyEx, Reg_Post_Restore_Key,Reg_Post_Replace_Key” notification classes. When the registry key, value or security was modified, the callback routine will be invoked with a data structure that contains information that is specific to the type of registry operation.
Blocking registry calls to prevent your registry from being changed by unauthorized processes
To block the registry changes, register these “Reg_Pre_Create_Key, Reg_Pre_Delete_Key, Reg_Pre_Set_Value_Key, Reg_Pre_Delete_Value_Key, Reg_Pre_SetInformation_Key, Reg_Pre_Rename_Key, Reg_Pre_Create_KeyEx, Reg_Pre_Restore_Key, Reg_Pre_Replace_Key” notification classes. When the registry key, value or security is going to be modified, the callback routine will be invoked with a data structure that contains information that is specific to the type of registry operation, If a RegistryCallback routine returns a status value “STATUS_ACCESS_DENIED” for a pre-notification, this registry operation will be blocked and the error code will be returned.
Modifying registry calls to create virtual registry key or value
To register pre-notification, RegistryCallback routine can modify a registry operation’s output parameters or return value. Additionally, to handle the virtual registry key or value, the RegistryCallback routine can return your own customized data instead of allowing the registry to handle the operation.