I use the Sysinternals Procmon utility to monitor the registry access by some programs. Most log entries have the Path property starting from HKCU\… or HKLM\…, which corresponds to the registry hives HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE that can be seen using Regedit. But some entries have the Path starting from \REGISTRY\A\…:
Could you please explain what part of the registry it is? Can I see it using Regedit or some other utility? Can I access it programmatically?
I am running Windows 8.1 Enterprise x64.
UPDATE: I've contacted Procmon developers and they pointed me to the following MSDN resources covering this question:
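As an added example, not part of the question and not a Procmon or Sysinternals tool, the script below parses a Procmon CSV export, maps each Path back to the Regedit hive it belongs to where one exists, and sets aside paths whose root (such as \REGISTRY\A) has no Regedit counterpart so they can be reviewed on their own. The sample rows, the process names and the GUID are constructed; the column names are assumed to match Procmon's default CSV export (File > Save... > CSV). The \REGISTRY\MACHINE and \REGISTRY\USER prefixes are the kernel's native names for the hives Regedit shows as HKEY_LOCAL_MACHINE and HKEY_USERS, which Procmon normally abbreviates to HKLM and HKU.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Procmon CSV export. The column order is assumed to be
# Procmon's default export layout; the rows, PIDs and the GUID are made up.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567","notepad.exe","1234","RegOpenKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer","SUCCESS","Desired Access: Read"
"10:01:02.1234890","notepad.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:01:02.1235000","svchost.exe","880","RegOpenKey","\\REGISTRY\\A\\{11111111-2222-3333-4444-555555555555}\\LocalState","SUCCESS","Desired Access: Read"
"10:01:02.1235100","svchost.exe","880","RegQueryValue","\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Domain","NAME NOT FOUND",""
"10:01:02.1235200","explorer.exe","2000","RegSetValue","HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\Local Settings\\MuiCache","SUCCESS","Type: REG_SZ"
"""

# Root abbreviations Procmon shows for paths it has translated to Regedit names.
ABBREVIATED_ROOTS = ("HKCU", "HKLM", "HKU", "HKCR", "HKCC")


def classify_path(path):
    """Return (root, subkey) for a Procmon Path value.

    root is a Regedit hive abbreviation when the path can be located in
    Regedit, 'UNMAPPED' for a native \\REGISTRY\\... path with no Regedit
    root (for example \\REGISTRY\\A), or 'NOT_REGISTRY' for anything else.
    """
    head, _, rest = path.partition("\\")
    if head.upper() in ABBREVIATED_ROOTS:
        return head.upper(), rest
    upper = path.upper()
    if upper.startswith("\\REGISTRY\\MACHINE"):
        # Native name of the hive Regedit shows as HKEY_LOCAL_MACHINE.
        return "HKLM", path[len("\\REGISTRY\\MACHINE\\"):]
    if upper.startswith("\\REGISTRY\\USER\\"):
        # Native name of HKEY_USERS; the next component is the user's SID.
        return "HKU", path[len("\\REGISTRY\\USER\\"):]
    if upper.startswith("\\REGISTRY\\"):
        # Any other native root, e.g. \REGISTRY\A\...: Regedit has no hive for it.
        return "UNMAPPED", path
    return "NOT_REGISTRY", path


def summarize(csv_text):
    """Count registry operations per root and collect the unmapped paths.

    Returns (counts, unmapped) where counts is a Counter keyed by root and
    unmapped is a list of (process, operation, path) tuples worth a closer look
    because Regedit cannot show them directly.
    """
    counts = Counter()
    unmapped = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Procmon registry operations all start with "Reg" (RegOpenKey, ...).
        if not row["Operation"].startswith("Reg"):
            continue
        root, _ = classify_path(row["Path"])
        counts[root] += 1
        if root == "UNMAPPED":
            unmapped.append((row["Process Name"], row["Operation"], row["Path"]))
    return counts, unmapped


if __name__ == "__main__":
    counts, unmapped = summarize(SAMPLE_CSV)
    for root, n in sorted(counts.items()):
        print(f"{root:13s} {n}")
    print("Paths with no Regedit root:")
    for process, operation, path in unmapped:
        print(f"  {process} {operation} {path}")
```

To run it on a real capture, replace SAMPLE_CSV with the contents of a CSV saved from Procmon; the unmapped list then contains exactly the \REGISTRY\A entries the question is about, grouped so they can be compared against what Jump To selects in Regedit.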
A related question: http://stackoverflow.com/questions/4611291/mysterious-native-a-registry-key-with-path-registry-a – Vladimir Reshetnikov – 2013-12-19T17:24:28.167
Did you try right-clicking one and selecting Jump To? – Synetech – 2013-12-22T04:18:58.737
Yes, but it jumps to an unrelated key. – Vladimir Reshetnikov – 2013-12-22T22:47:38.807
Are you sure it’s unrelated? Did you try using jump-to to a similar key to see if it jumps to a similar key or to a completely different key? For example, if registry\a\foobar\1 jumps to hkcu\software\blah\a but registry\a\foobar\2 jumps to hklm\software\microsoft\internet explorer, then they do seem to be unrelated, but if the second one jumps to hkcu\software\blah\b, then they seem to be related in some way; there’s some sort of mapping. – Synetech – 2013-12-22T23:16:11.253
Hmm, I think I know how you can find out exactly what it is, but it’ll have to wait until tomorrow morning (my time) when I can test it… – Synetech – 2013-12-22T23:31:44.797
Sorry it took so long; yesterday was busier than expected. I’ve posted the answer now. Let us know if you find out what it was. – Synetech – 2013-12-24T15:09:12.673
Maybe this could be registry virtualization? http://msdn.microsoft.com/en-us/library/windows/desktop/aa965884(v=vs.85).aspx – NothingsImpossible – 2013-12-26T08:35:36.657
@NothingsImpossible, doubtful; that is meant to redirect writes from the system keys to user keys; for example hklm\software\foobar to hkcu\virtualstore\machine\software\foobar. It’s just like the virtualstore folder. However it could be like a symbolic link or junction point, mounting another registry hive to the path (in which case it would/should be listed in the key I mentioned below). – Synetech – 2013-12-26T15:13:47.117