Registry Monitor error?

[haddaway]

I am trying to execute this function, any idea what I'm doing wrong (I am getting HRESULT: 0x80042001):

public void RegistryWatcher()
{
WqlEventQuery evQuery = new WqlEventQuery();
evQuery.EventClassName = "RegistryEvent";
evQuery.WithinInterval = new TimeSpan(0, 0, 0, 15, 0);
evQuery.QueryString = @"Select * from RegistryKeyChangeEvent where
hive='HKEY_LOCAL_MACHINE' and KeyPath='SOFTWARE\\TRELLIAN'";

try
{
ManagementEventWatcher evListener = new ManagementEventWatcher();

evListener.Query = evQuery;

evListener.EventArrived += new EventArrivedEventHandler(OnRegistryChange);

ManagementScope mgrScope = new ManagementScope();
mgrScope.Path.Server = "localhost";
mgrScope.Path.NamespacePath = @"root\default";

evListener.Scope = mgrScope;
evListener.Start();
}
catch (ManagementException ex)
{
Console.WriteLine(ex.Message);
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}

private void OnRegistryChange(object sender, EventArrivedEventArgs e)
{
Console.WriteLine("Changed");
}

The following work in vbscript:

Set wmiServices = GetObject("winmgmts:root/default")
Set wmiSink = WScript.CreateObject( _
"WbemScripting.SWbemSink", "SINK_")
wmiServices.ExecNotificationQueryAsync wmiSink, _
"SELECT * FROM RegistryKeyChangeEvent " _
& "WHERE Hive='HKEY_LOCAL_MACHINE' AND " _
& "KeyPath='SOFTWARE\\TRELLIAN'"
WScript.Echo "Listening for Registry Key" _
& " Change Events..." & vbCrLf
While(True)
WScript.Sleep 1000
Wend
Sub SINK_OnObjectReady(wmiObject, wmiAsyncContext)
WScript.Echo "Received Registry Change Event" _
& vbCrLf & wmiObject.GetObjectText_()
End Sub

 

[haddaway]

I decided to try the COM Windows scripting. Using the COM works - the first time. The next time the event occurs it is locked in some way. I have to kill the process wmiprvse.exe (which restarts itself after). After executing the query once again it is able to receive one new event. Any ideas on this? How can I make the subscribtion go on "forever", renew it or restart it properly.

Public Class wmi
Private wmiServices As SWbemServices = DirectCast(GetObject("winmgmts:root/default"), SWbemServices)
Private WithEvents wmiSink As SWbemSink = DirectCast(CreateObject("WbemScripting.SWbemSink", "RIS-335"), SWbemSink)
Private wmiLoc As SWbemLocator = New SWbemLocator
Private svcEvent As SWbemEventSource

Public Sub Init()

wmiServices.Security_.ImpersonationLevel = WbemImpersonationLevelEnum.wbemImpersonationLevelImpersonate
wmiServices.Security_.AuthenticationLevel = WbemAuthenticationLevelEnum.wbemAuthenticationLevelConnect

wmiServices.ExecNotificationQueryAsync(wmiSink, _
"SELECT * FROM RegistryTreeChangeEvent " _
& "WHERE Hive='HKEY_LOCAL_MACHINE' AND " _
& "rootPath='SOFTWARE\\Activision'", , , )

While (True)
System.Threading.Thread.Sleep(100)
End While
End Sub

Private Sub wmiSink_OnObjectReady(ByVal objWbemObject As WbemScripting.SWbemObject, ByVal objWbemAsyncContext As WbemScripting.SWbemNamedValueSet) Handles wmiSink.OnObjectReady
Console.WriteLine(objWbemObject.GetObjectText_())

Console.WriteLine("OnObjectReady")

End Sub

End Class

 

[haddaway]

Found the solution. The EventClassName must match the table name. If the query is: SELECT * FROM RegistryTreeChangeEvent the EventClassName must be set to: RegistryTreeChangeEvent