I can do this for user mode, but how would one monitor kernel mode registry accesses, at a high-level description? Someone once mentioned writing some sort of driver (which wasn't really a driver) to access that low down in the OS?? :s
To do this from kernel mode, you need to write a driver which registers a callback with the Configuration Manager (this module handles all the registry access from user mode and kernel mode). Once the callback is registered successfully, calls to registry functions from user mode (RegXXX) and kernel mode (ZwRegXX) will go to CM, which in turn calls your callback, if you have registered for that specific function. Your callbacks can be registered as Pre and Post functions for different registry operations (create, open, read, write etc.).
Check http://msdn.microsoft.com/en-us/library/ff545879(v=VS.85).aspx for further information