I understand older Procmon and its predecessors (filemon, regmon etc) used virtual drivers to hook the kernel. However, Patchguard prevents SSDT hooking etc on 64-bit Vista+.
It is my understanding that Procmon now uses a minifilter driver for File IO monitoring and ETW for networking monitoring. However, I am no clear on how it monitors registry access and process/image/thread events? Does it also use ETW for these?
There are bunch of callbacks for monitoring support in kernel (since xp):
registry -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff545879(v=vs.85).aspx
process/image/thread notify - PsSetCreateProcessNotifyRoutineEx / PsSetLoadImageNotifyRoutine / PsSetCreateThreadNotifyRoutine -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff559917(v=vs.85).aspx
on xp was some limitation, but since vista they fully functional. No need to patch any internal tables for any monitoring activity.
