The ZwNotifyChangeKey routine allows a driver to request notification when a registry key changes.
NTSYSAPI NTSTATUS ZwNotifyChangeKey( HANDLE KeyHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG CompletionFilter, BOOLEAN WatchTree, PVOID Buffer, ULONG BufferSize, BOOLEAN Asynchronous );
Handle to a caller-created event. If not NULL, the caller is placed into a wait state until the operation succeeds, at which time the event is set to the Signaled state.
For a user-mode call, this parameter points to a caller-supplied APC routine that is run after the operation is completed. This parameter is optional and can be NULL.
For a kernel-mode call, this parameter must be NULL.
The meaning of this parameter depends on whether the routine is called from kernel mode or from user mode. For a kernel-mode call, set this parameter to one of the following WORK_QUEUE_TYPE enumeration values:
Pointer to an IO_STATUS_BLOCK structure that contains the final status and information about the operation. For successful calls that return data, the number of bytes written to Buffer is supplied in IoStatusBlock->Information.
Bitmask of operations that cause the driver to be notified. Specify one or more of the following flags:
Notify the caller if a subkey is added or deleted.
Notify the caller of changes to the attributes of the key, such as the security descriptor information.
Notify the caller of changes to a value of the key. This can include adding or deleting a value, or changing an existing value. (The caller receives no notification if the new value written to the key matches the previous value of the key.)
Notify the caller of changes to the security descriptor of the key.
If TRUE, the driver is notified about changes to all subkeys of the specified key. If FALSE, the driver is only notified for changes to the specified key.
Reserved. Specify NULL.
Reserved. Specify zero.
If FALSE, the routine does not return until the specified event occurs. If TRUE, the routine returns immediately.
The ZwNotifyChangeKey routine returns STATUS_SUCCESS on success, or the appropriate NTSTATUS value otherwise. If the caller specifies TRUE for the Asynchronous parameter, and the event has not yet occurred, the routine returns STATUS_PENDING.
If the call to the ZwNotifyChangeKey function occurs in user mode, you should use the name "NtNotifyChangeKey" instead of "ZwNotifyChangeKey".
For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.
|Windows version||Available starting with Windows 2000.|
|Header||ntifs.h (include Ntifs.h)|
|DDI compliance rules||PowerIrpDDis, HwStorPortProhibitedDDIs|