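/*
 * ETW consumer callback for kernel registry events (EVENT_TRACE_TYPE_REG*).
 *
 * Filters the event through CheckCurrentProcess(), requires a MOF payload,
 * then reads status, key name and key handle from the OS-version-specific
 * MOF layout and prints them to stdout.
 *
 * pEvent: event delivered by the trace session. pEvent->MofData is the
 *         provider payload, pEvent->MofLength its size in bytes.
 * Returns nothing; an event failing any check is dropped without output.
 */
VOID WINAPI RegistryEventCallback( PEVENT_TRACE pEvent )
{
	if( pEvent == NULL )
		return;

	/* NOTE(review): CheckCurrentProcess() receives Header.ThreadId, while the
	 * header also carries Header.ProcessId; the helper's name suggests the
	 * latter is intended — confirm against CheckCurrentProcess's contract. */
	if( !CheckCurrentProcess( (DWORD)pEvent->Header.ThreadId ) )
		return;

	/* The original listing compared `Flags & (X != X)`, which is always 0, so
	 * this test could never fire. Parenthesised as clearly intended: drop events
	 * whose payload is not delivered as a MOF pointer. Because the check was a
	 * no-op before, enabling it may change which events reach the switch below;
	 * verify against the flags the provider actually sets. */
	if( (pEvent->Header.Flags & WNODE_FLAG_USE_MOF_PTR) != WNODE_FLAG_USE_MOF_PTR )
		return;

	/* Every cast below dereferences MofData; refuse an absent/empty payload.
	 * NOTE(review): MofLength is not compared against the MOF struct sizes here
	 * because the struct layouts are not visible in this listing — add that
	 * bound once the MOF_REGISTRY_* definitions are at hand. */
	if( pEvent->MofData == NULL || pEvent->MofLength == 0 )
		return;

	/* Narrow literals, so a narrow pointer; the original LPTSTR only compiled
	 * without UNICODE defined. */
	const char *szName = NULL;
	switch( pEvent->Header.Class.Type )
	{
	case EVENT_TRACE_TYPE_REGCREATE:
		szName = "EVENT_TRACE_TYPE_REGCREATE";
		break;
	case EVENT_TRACE_TYPE_REGDELETE:
		szName = "EVENT_TRACE_TYPE_REGDELETE";
		break;
	/* ... further EVENT_TRACE_TYPE_REG* cases were elided in the original listing ... */
	case EVENT_TRACE_TYPE_REGSETVALUE:
		szName = "EVENT_TRACE_TYPE_REGSETVALUE";
		break;
	default:
		/* Not a registry event type this callback reports. */
		break;
	}
	if( szName == NULL )
		return;

	DWORD dwOSVersion = GetWindowsVersion();
	if( dwOSVersion == WIN_VERSION_NONE )
		return;

	DWORD	dwStatus = 0;
	LPWSTR	wszKey = NULL;
	HANDLE	hKey = NULL;

	printf( "Event : %s\n", szName );

	/* The MOF payload layout differs per Windows version; pick the matching view. */
	switch( dwOSVersion )
	{
	case WIN_VERSION_WIN2K:
	{
		LPMOF_REGISTRY_2K pMof = (LPMOF_REGISTRY_2K)pEvent->MofData;
		dwStatus = pMof->dwStatus;
		wszKey = pMof->wszKeyName;
		hKey = pMof->hKey;
		break;
	}
	case WIN_VERSION_WINXP:
	case WIN_VERSION_WINSRV2003:
	{
		LPMOF_REGISTRY_XP pMof = (LPMOF_REGISTRY_XP)pEvent->MofData;
		dwStatus = pMof->dwStatus;
		wszKey = pMof->wszKeyName;
		hKey = pMof->hKey;
		break;
	}
	default:
		/* Unknown version: no known payload layout, nothing safe to read. The
		 * original fell through to wcslen(NULL) here. */
		return;
	}

	/* NOTE(review): wszKeyName is read straight out of the provider buffer and
	 * nothing here shows it is NUL-terminated within MofLength — bound the
	 * length (e.g. wcsnlen against the remaining payload) before printing.
	 * Format specifiers now match the argument types: DWORD is unsigned long,
	 * HANDLE is a pointer (the original printed both with %d). */
	if( wszKey != NULL && wszKey[0] != L'\0' )
		wprintf( L" Status: %lu\n Key: %ls\n", dwStatus, wszKey );
	else
		wprintf( L" Status: %lu\n Handle: %p\n", dwStatus, hKey );
}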
