Can anyone explain the purpose and function of the "splunkdrv" Windows service? It appears as though this is some kind of kernel-mode driver. I'm curious what Splunk needs to do in kernel-mode that couldn't be done at user-level.
splunkdrv is kernel mode filter driver for Windows registry. Essentially it allows Splunk to listen to every call to registry and log it as a registry event. Windows implements its driver framework such that it allows such lightweight filter drivers to be plugged into existing drivers such as registry file system, etc.
splunkdrv is kernel mode filter driver for Windows registry. Essentially it allows Splunk to listen to every call to registry and log it as a registry event. Windows implements its driver framework such that it allows such lightweight filter drivers to be plugged into existing drivers such as registry file system, etc.