We needed to monitor all processes Registry calls/File Sytem calls/Process creations in the system (for the antivirus hips module) .
Also time by time it will be needed to delay some calls or decline them.
The supported method of doing this is RegNotifyChangeKeyValue
Most virus checkers likely perform some sort of API hooking instead of using this function. There's lots of information out there about API hooking, like http://www.codeproject.com/KB/system/hooksys.aspx, http://www.codeguru.com/cpp/w-p/system/misc/article.php/c5667