怪事~
private void Form1_Load(object sender, EventArgs e)
{
ConnectionOptions co = new ConnectionOptions();
co.Impersonation = ImpersonationLevel.Impersonate;
co.EnablePrivileges = true;
ManagementScope mgrScope = new ManagementScope(@"\\.\root\default", co);
WqlEventQuery evQuery = new WqlEventQuery();
evQuery.WithinInterval = new TimeSpan(0, 0, 0, 15, 0);
//evQuery.QueryString = @"Select * From RegistryKeyChangeEvent Where Hive='HKEY_USERS' And KeyPath='S-1-5-21-3743974248-512206057-3529231067-1000\\Software\\Microsoft\\Internet Explorer\\Main'";//①
evQuery.QueryString = @"Select * From RegistryKeyChangeEvent Where Hive='HKEY_USERS' And KeyPath='" + GetUserSID() + "\\Software\\Microsoft\\Internet Explorer\\Main'";//②
ManagementEventWatcher RegKeyWacher = new ManagementEventWatcher();
RegKeyWacher.Query = evQuery;
RegKeyWacher.EventArrived += new EventArrivedEventHandler(OnRegistryKeyChange);
RegKeyWacher.Scope = mgrScope;
RegKeyWacher.Start();
}
private string GetUserSID()
{
string strUserSID = "";
ConnectionOptions co = new ConnectionOptions();
co.Impersonation = ImpersonationLevel.Impersonate;
co.EnablePrivileges = true;
ManagementScope mgrScope = new ManagementScope("\\\\.\\root\\cimv2", co);
ObjectQuery myQuery = new ObjectQuery("SELECT * FROM Win32_UserAccount WHERE Domain=\"" + Environment.UserDomainName + "\"" + " And Name=\"" + Environment.UserName + "\"");
ManagementObjectSearcher searcher = new ManagementObjectSearcher(mgrScope, myQuery);
ManagementObjectCollection oReturnCollection = searcher.Get();
foreach (ManagementObject sid in oReturnCollection)
{
strUserSID = sid["SID"].ToString();
}
return strUserSID;
}
{
ConnectionOptions co = new ConnectionOptions();
co.Impersonation = ImpersonationLevel.Impersonate;
co.EnablePrivileges = true;
ManagementScope mgrScope = new ManagementScope(@"\\.\root\default", co);
WqlEventQuery evQuery = new WqlEventQuery();
evQuery.WithinInterval = new TimeSpan(0, 0, 0, 15, 0);
//evQuery.QueryString = @"Select * From RegistryKeyChangeEvent Where Hive='HKEY_USERS' And KeyPath='S-1-5-21-3743974248-512206057-3529231067-1000\\Software\\Microsoft\\Internet Explorer\\Main'";//①
evQuery.QueryString = @"Select * From RegistryKeyChangeEvent Where Hive='HKEY_USERS' And KeyPath='" + GetUserSID() + "\\Software\\Microsoft\\Internet Explorer\\Main'";//②
ManagementEventWatcher RegKeyWacher = new ManagementEventWatcher();
RegKeyWacher.Query = evQuery;
RegKeyWacher.EventArrived += new EventArrivedEventHandler(OnRegistryKeyChange);
RegKeyWacher.Scope = mgrScope;
RegKeyWacher.Start();
}
private string GetUserSID()
{
string strUserSID = "";
ConnectionOptions co = new ConnectionOptions();
co.Impersonation = ImpersonationLevel.Impersonate;
co.EnablePrivileges = true;
ManagementScope mgrScope = new ManagementScope("\\\\.\\root\\cimv2", co);
ObjectQuery myQuery = new ObjectQuery("SELECT * FROM Win32_UserAccount WHERE Domain=\"" + Environment.UserDomainName + "\"" + " And Name=\"" + Environment.UserName + "\"");
ManagementObjectSearcher searcher = new ManagementObjectSearcher(mgrScope, myQuery);
ManagementObjectCollection oReturnCollection = searcher.Get();
foreach (ManagementObject sid in oReturnCollection)
{
strUserSID = sid["SID"].ToString();
}
return strUserSID;
}
运行完①②之后,evQuery.QueryString 的值都是一样的,但①可以正常监视,但②RegKeyWacher.Start()的总是时候异常!!怪事!