I was trying to monitor the registry with WMI - Windows Management Instrumentation. I could find almost everything in the namespace "root\CIMV2" for my needs except for registry changes. Those where located in "root\DEFAULT" and did not use the regular WQL polling operator "WITHIN".
I searched for examples on the net using C# or VB.NET. The net was quite dry on this subject. I found some examples but when implementing those I got "Invalid Class". After some testing I found that you need to specify the class in the EventQuery. And the class changes depending on the type of registry query you want todo.
Registry changes are divided in three parts:
RegistryTreeChangeEvent - Monitors changes to a hierarchy of keys.
RegistryKeyChangeEvent - KeyPath Monitors changes to a single key.
RegistryValueChangeEvent - ValueName Monitors changes to a single value.
This is a VB.NET example:
Dim evQuery As New WqlEventQuery()
evQuery.EventClassName = "RegistryValueChangeEvent" <--- here you specify the classname which should match the "tablename" in the querystring evQuery.WithinInterval = New TimeSpan(0, 0, 0, 10, 0) evQuery.QueryString = "SELECT * FROM RegistryValueChangeEvent WHERE hive = '" & _ "HKEY_LOCAL_MACHINE" & "' AND KeyPath = '" & _ "Software\\Activision" &amp; "'" & _ "AND ValueName='mamma'"
So remember to change the EventClassName depending on the tablename.
While testing I also stumbled upon the ManagementException "Not found". This error is due to that there is not match in the WQL. Maybe you have specified the wrong KeyPath or your are missing the double backspace.
The error "Access denied" is however not solved. I am getting the error when using the LIKE operator in WQL. If you have any idea about this the please comment that :)