If you run procmon to monitor this program, you will see that the only call to write to the
registry is to
RegSetValue for the value
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed. Some indirect changes are made by the
CreateServiceA, but this program also makes direct
changes to the registry from the kernel that go undetected by procmon.
To set a breakpoint to see what happens in the kernel, you must open the executable within an
instance of WinDbg running in the virtual machine, while also debugging the kernel with another
instance of WinDbg in the host machine. When Lab10-01.exe is stopped in the
virtual machine, you first use the
!drvobj command to get a handle to the driver object, which contains a pointer ...