Question

I am trying to watch registry events via WMI. I use the query below to watch any events inside HKLM\Software:

WqlEventQuery query = new WqlEventQuery(
    "SELECT * FROM RegistryTreeChangeEvent WHERE " +
    "(Hive = 'HKEY_LOCAL_MACHINE') " +
    "AND RootPath = 'Software'");

As expected, it catches all events in EventArrivedEventArgs. For example: 1) if there is a new key inside HKLM\Software\Microsoft, it captures it; 2) if there is a value change inside HKLM\Software\Microsoft\Windows, it captures it.

However, I need to know the registry path, key or value in which the change has occurred.

I don't know how to interpret the EventArrivedEventArgs object to get it. Can anyone help me?


Solution 2

After the analysis, it is clear that the key path for subkeys could not be obtained through registry events, because RegistryKeyChangeEvent could not monitor subkeys, and RegistryTreeChangeEvent monitors subkeys but does not give the key path where the change occurred. Hence a diff of the pre-image and post-image should be the only solution so far.

OTHER TIPS

I don't believe this is possible. EventArrivedEventArgs will return an instance of RegistryTreeChangeEvent and the only thing you know about the event is the root path you are monitoring. You can work around this using the RegistryKeyChangeEvent class, specifying more than one key in the query Where clause. For example (not tested):

SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND (KeyPath='SOFTWARE\Microsoft' OR KeyPath='SOFTWARE\Microsoft\Windows')

In this case you would use the EventArrivedEventArgs.NewEvent property to get the RegistryKeyChangeEvent instance, and its KeyPath property to get the registry key that was changed.
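A worked subscription along the lines of this answer, added here as an example rather than code from the question or either answer. It assumes a C# project referencing System.Management, and the two key paths under HKLM\SOFTWARE are illustrative choices.

```csharp
using System;
using System.Management;

// Added example: subscribe to RegistryKeyChangeEvent for several explicit
// keys so that the KeyPath of the changed key is carried in the event.
class RegistryKeyWatcher
{
    static void Main()
    {
        // The WMI registry event provider is registered in root\default,
        // not in the ManagementEventWatcher default namespace root\cimv2.
        var scope = new ManagementScope(@"\\.\root\default");

        // WQL treats backslash as an escape character, so every backslash in
        // a key path is doubled. These two keys are assumed for illustration.
        string[] keys =
        {
            @"SOFTWARE\\Microsoft",
            @"SOFTWARE\\Microsoft\\Windows",
        };
        string keyFilter = string.Join(" OR ",
            Array.ConvertAll(keys, k => "KeyPath='" + k + "'"));

        var query = new WqlEventQuery(
            "SELECT * FROM RegistryKeyChangeEvent WHERE " +
            "Hive='HKEY_LOCAL_MACHINE' AND (" + keyFilter + ")");

        using (var watcher = new ManagementEventWatcher(scope, query))
        {
            watcher.EventArrived += OnRegistryKeyChanged;
            watcher.Start();
            Console.WriteLine("Watching; press Enter to stop.");
            Console.ReadLine();
            watcher.Stop();
        }
    }

    // NewEvent is the RegistryKeyChangeEvent instance; its Hive and KeyPath
    // properties identify which of the watched keys changed.
    static void OnRegistryKeyChanged(object sender, EventArrivedEventArgs e)
    {
        string hive = (string)e.NewEvent["Hive"];
        string keyPath = (string)e.NewEvent["KeyPath"];
        Console.WriteLine("{0:O} change under {1}\\{2}",
            DateTime.UtcNow, hive, keyPath);
    }
}
```

RegistryValueChangeEvent works the same way when a single value must be watched: add a ValueName condition to the WHERE clause and read the ValueName property from NewEvent.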

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow