See here:
http://www.sysinternals.com...Regmon.html

On Windows NT, 2000 and XP the Regmon loads a device driver that uses a technique we pioneered for NT called system-call hooking. When a user-mode component makes a privileged system call, control is transferred to a software interrupt handler in NTOSKRNL.EXE (the core of the Windows NT operating system). This handler takes a system call number, which is passed in a machine register, and indexes into a system service table to find the address of the NT function that will handle the request. By replacing entries in this table with pointers to hooking functions, it is possible to intercept and replace, augment, or monitor NT system services. Regmon, which obviously hooks just the Registry-related services, is merely one example of this capability in action.
For more detailed information on how Regmon works on Windows NT, see:
"Windows NT System Call Hooking," by Mark Russinovich and Bryce Cogswell, Dr. Dobb's Journal, January 1997
"Inside NT Utilities", Windows NT Magazine, February 1999.
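The dispatch-table mechanism described above can be modelled in plain C without a kernel. The following is an added example, not code from the Sysinternals page or from Regmon: a hypothetical two-entry "system service table" of function pointers, a dispatcher that indexes it by call number, a Regmon-style monitoring hook that logs a call and then forwards it to the original service, and the check a defender actually wants, which compares the live table against a pristine copy to count modified entries. Service names, the table layout and the logged values are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of NTOSKRNL's system service table: an array of function
   pointers indexed by call number (hypothetical, two entries only). */
typedef long (*service_fn)(const char *arg);

enum { SVC_OPEN_KEY = 0, SVC_QUERY_VALUE = 1, SVC_COUNT = 2 };

/* Stand-ins for the real NT services; their return values are arbitrary. */
static long svc_open_key(const char *path) { return (long)strlen(path); }
static long svc_query_value(const char *name) { return name[0] ? 1 : 0; }

/* Live table that drivers may patch. */
static service_fn service_table[SVC_COUNT] = { svc_open_key, svc_query_value };

/* Known-good copy captured "at boot", before any driver has loaded. */
static const service_fn pristine_table[SVC_COUNT] = { svc_open_key, svc_query_value };

/* Dispatcher: validates the call number, then indexes into the table,
   as the software interrupt handler in NTOSKRNL.EXE does. */
long dispatch_syscall(int number, const char *arg) {
    if (number < 0 || number >= SVC_COUNT)
        return -1;                        /* invalid service number */
    return service_table[number](arg);
}

/* Monitoring hook in the Regmon style: record the call, then forward it
   unchanged to the original service (augment/monitor, never replace). */
static service_fn original_open_key;
static int open_key_log_count = 0;
static char last_logged_path[256];

static long hooked_open_key(const char *path) {
    open_key_log_count++;
    snprintf(last_logged_path, sizeof last_logged_path, "%s", path);
    return original_open_key(path);
}

void install_open_key_monitor(void) {
    original_open_key = service_table[SVC_OPEN_KEY];
    service_table[SVC_OPEN_KEY] = hooked_open_key;
}

void remove_open_key_monitor(void) {
    service_table[SVC_OPEN_KEY] = original_open_key;
}

int get_open_key_log_count(void) { return open_key_log_count; }
const char *get_last_logged_path(void) { return last_logged_path; }

/* Defender's integrity check: how many table entries no longer point
   where the pristine copy says they should? Any non-zero count means
   something has hooked a service, benign monitor or otherwise. */
int count_hooked_entries(void) {
    int n = 0;
    for (int i = 0; i < SVC_COUNT; i++)
        if (service_table[i] != pristine_table[i])
            n++;
    return n;
}

int main(void) {
    printf("hooked entries before install: %d\n", count_hooked_entries());
    install_open_key_monitor();
    dispatch_syscall(SVC_OPEN_KEY, "HKLM\\Software");
    printf("hooked entries after install: %d, logged path: %s\n",
           count_hooked_entries(), get_last_logged_path());
    remove_open_key_monitor();
    printf("hooked entries after removal: %d\n", count_hooked_entries());
    return 0;
}
```

The important design point is the last function: because a hook works by overwriting a table entry, the table itself is evidence. Comparing the live table against a copy taken before third-party drivers loaded (or against the addresses the kernel image would place there) is exactly how rootkit scanners flag service hooks, and it catches a logging hook like Regmon's just as readily as a malicious one.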