VirtualReg is a Windows kernel-mode driver with a user-mode CLI client that demonstrates registry operation hooking and redirection. The project was created as an implementation exercise inspired by Windows Kernel Programming by Pavel Yosifovich.
The main goal of this project is to sandbox selected processes and redirect their registry write operations into a virtual registry location instead of the real system registry.
The driver registers callbacks for selected registry operations (key creation and value setting). When the calling process is one that has been added to the sandbox, the operation is redirected so that the change is stored under

`HKEY_LOCAL_MACHINE\SOFTWARE\virtualreg`

instead of at the requested location. Only create and set operations are redirected. This makes it possible to observe, or contain, the registry modifications of a specific process without them reaching the real keys; because the virtual store is itself an ordinary key under HKLM, the captured writes can be inspected with regedit or `reg query`.
```
VirtualReg/
├── VirtualRegDriver/   # Kernel-mode driver source code
└── VirtualRegClient/   # User-mode CLI application
```
VirtualRegDriver/ contains the Windows kernel driver implementation:
- Registry operation callbacks
- Process ID–based sandboxing logic
- Redirection of registry create/set operations
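The two decisions a registry create/set callback has to make for every operation, as an added example (not code from the VirtualReg project): is the calling PID in the sandbox table, and if so, where does the requested key path go? It is written as portable C so it can be compiled and exercised outside the kernel; the function names, the table size, and the layout beneath virtualreg (the original path mirrored under it) are assumptions for this illustration. In the driver the same logic would run inside the registry-filter callback and would use kernel-format paths such as `\REGISTRY\MACHINE\...`, and the kernel side would also need to resolve relative names against their root key before calling anything like this.

```c
/*
 * Added example, not code from the VirtualReg project: the per-operation
 * decision a registry create/set callback must make, written as portable C.
 * Names, the table size and the layout beneath virtualreg are assumptions.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Kernel-side name of HKLM\SOFTWARE\virtualreg, the store the page describes. */
#define VREG_ROOT   "\\REGISTRY\\MACHINE\\SOFTWARE\\virtualreg"
#define REG_PREFIX  "\\REGISTRY\\"
#define MAX_SANDBOXED 64

/* Sandbox table: PIDs added through the client's ADD command (assumed layout). */
static unsigned long g_sandboxed[MAX_SANDBOXED];
static size_t g_count;

bool sandbox_contains(unsigned long pid)
{
    for (size_t i = 0; i < g_count; i++)
        if (g_sandboxed[i] == pid)
            return true;
    return false;
}

/* Returns false only when the table is full; re-adding a PID is a no-op. */
bool sandbox_add(unsigned long pid)
{
    if (sandbox_contains(pid))
        return true;
    if (g_count == MAX_SANDBOXED)
        return false;
    g_sandboxed[g_count++] = pid;
    return true;
}

/* Windows reuses PIDs once a process exits, so a stale entry would capture
 * whatever process is assigned that PID next; drop entries promptly. */
bool sandbox_remove(unsigned long pid)
{
    for (size_t i = 0; i < g_count; i++) {
        if (g_sandboxed[i] == pid) {
            g_sandboxed[i] = g_sandboxed[--g_count];
            return true;
        }
    }
    return false;
}

/* CLEAR_ALL equivalent. */
void sandbox_clear(void)
{
    g_count = 0;
}

/* Registry names are case-insensitive, so compare prefixes that way. */
static bool starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/* True when path is root itself or a subkey of root (not just a name prefix,
 * so "...\virtualregX" is not mistaken for "...\virtualreg\X"). */
static bool is_under(const char *path, const char *root)
{
    if (!starts_with_ci(path, root))
        return false;
    char next = path[strlen(root)];
    return next == '\0' || next == '\\';
}

/*
 * Decide whether an operation by `pid` on the absolute registry path
 * `key_path` should be redirected; if so, write the virtual path to `out`.
 * Returns false (leave the operation alone) when the process is not
 * sandboxed, the path is not absolute, or it already points inside the
 * virtual store (without that check a redirected create would be redirected
 * again by the same callback).
 */
bool virtualize_path(unsigned long pid, const char *key_path,
                     char *out, size_t out_len)
{
    if (!sandbox_contains(pid))
        return false;
    if (!starts_with_ci(key_path, REG_PREFIX))
        return false;                  /* relative names must be resolved first */
    if (is_under(key_path, VREG_ROOT))
        return false;                  /* already virtualized */

    const char *rest = key_path + strlen(REG_PREFIX);  /* e.g. MACHINE\SOFTWARE\Foo */
    if (*rest == '\0')
        return false;

    int n = snprintf(out, out_len, "%s\\%s", VREG_ROOT, rest);
    return n > 0 && (size_t)n < out_len;
}

int main(void)
{
    char out[512];
    sandbox_add(1234);
    if (virtualize_path(1234, "\\REGISTRY\\MACHINE\\SOFTWARE\\Contoso\\App", out, sizeof out))
        printf("redirected to %s\n", out);
    if (!virtualize_path(4321, "\\REGISTRY\\MACHINE\\SOFTWARE\\Contoso\\App", out, sizeof out))
        printf("pid 4321 is not sandboxed: operation left alone\n");
    return 0;
}
```

The two guards in `virtualize_path` are the ones that matter in practice: the recursion check keeps writes that already target the virtual store from being nested again, and the absolute-path check is a reminder that a create request can name its key relative to an already open root, which has to be resolved before any string comparison is meaningful.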
VirtualRegClient/ is a user-mode command-line application that communicates with the driver through the Win32 API. It is used to add processes to the sandbox and to control driver behavior.
The CLI application supports the following commands:

```
USAGE:
    CLEAR_ALL
    RESTORE_ALL
    DELETE_ALL
    ADD <PID>
```

- `ADD <PID>`: adds the process with the given PID to the sandbox. From then on, every registry create/set operation performed by that process is redirected to `HKLM\SOFTWARE\virtualreg`. Windows reuses process IDs after a process exits, so clear a PID that is no longer running before it can be handed to an unrelated process.
- `CLEAR_ALL`: clears the current sandbox configuration.
- `RESTORE_ALL`: restores the original registry behavior for all sandboxed processes.
- `DELETE_ALL`: deletes all virtualized registry data stored under `virtualreg`.
- Pavel Yosifovich, Windows Kernel Programming
- Windows Driver Kit (WDK) documentation