ZwNotifyChangeKey function

The ZwNotifyChangeKey routine allows a driver to request notification when a registry key changes.

Syntax

NTSYSAPI NTSTATUS ZwNotifyChangeKey(
  HANDLE           KeyHandle,
  HANDLE           Event,
  PIO_APC_ROUTINE  ApcRoutine,
  PVOID            ApcContext,
  PIO_STATUS_BLOCK IoStatusBlock,
  ULONG            CompletionFilter,
  BOOLEAN          WatchTree,
  PVOID            Buffer,
  ULONG            BufferSize,
  BOOLEAN          Asynchronous
);

Parameters

KeyHandle

Handle to the key to register a notification routine for. This handle is created by a successful call to ZwCreateKey or ZwOpenKey. The caller must have specified KEY_NOTIFY access.

Event

Handle to a caller-created event. If not NULL, the caller is placed into a wait state until the operation succeeds, at which time the event is set to the Signaled state.

ApcRoutine

For a user-mode call, this parameter points to a caller-supplied APC routine that is run after the operation is completed. This parameter is optional and can be NULL.

For a kernel-mode call, this parameter must be NULL.

ApcContext

The meaning of this parameter depends on whether the routine is called from kernel mode or from user mode. For a kernel-mode call, set this parameter to one of the following WORK_QUEUE_TYPE enumeration values:

  • CriticalWorkQueue

  • DelayedWorkQueue

The parameter value must be cast to type PVOID. For a user-mode call, this parameter points to a caller-specified context for the APC routine. This value is passed to the APC routine when it is run.

IoStatusBlock

Pointer to an IO_STATUS_BLOCK structure that contains the final status and information about the operation. For successful calls that return data, the number of bytes written to Buffer is supplied in IoStatusBlock->Information.

CompletionFilter

Bitmask of operations that cause the driver to be notified. Specify one or more of the following flags:

REG_NOTIFY_CHANGE_NAME

Notify the caller if a subkey is added or deleted.

REG_NOTIFY_CHANGE_ATTRIBUTES

Notify the caller of changes to the attributes of the key, such as the security descriptor information.

REG_NOTIFY_CHANGE_LAST_SET

Notify the caller of changes to a value of the key. This can include adding or deleting a value, or changing an existing value. (The caller receives no notification if the new value written to the key matches the previous value of the key.)

REG_NOTIFY_CHANGE_SECURITY

Notify the caller of changes to the security descriptor of the key.

WatchTree

If TRUE, the driver is notified about changes to all subkeys of the specified key. If FALSE, the driver is only notified for changes to the specified key.

Buffer

Reserved. Specify NULL.

BufferSize

Reserved. Specify zero.

Asynchronous

If FALSE, the routine does not return until the specified event occurs. If TRUE, the routine returns immediately.

Return Value

The ZwNotifyChangeKey routine returns STATUS_SUCCESS on success, or the appropriate NTSTATUS value otherwise. If the caller specifies TRUE for the Asynchronous parameter, and the event has not yet occurred, the routine returns STATUS_PENDING.

Remarks

If the call to the ZwNotifyChangeKey function occurs in user mode, you should use the name "NtNotifyChangeKey" instead of "ZwNotifyChangeKey".

For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.

Requirements

   
Windows version Available starting with Windows 2000.
Target Platform Universal
Header ntifs.h (include Ntifs.h)
Library NtosKrnl.lib
DLL NtosKrnl.exe
IRQL PASSIVE_LEVEL
DDI compliance rules PowerIrpDDis, HwStorPortProhibitedDDIs

See Also

IO_STATUS_BLOCK

Using Nt and Zw Versions of the Native System Services Routines

WORK_QUEUE_ITEM

WORK_QUEUE_TYPE

ZwCreateKey

ZwOpenKey