Can monitor registry changes made by specific program.
https://www.nirsoft.net/utils/reg_file_from_application.html
UPDATE: Just download NirLauncher (which includes all applications from NirSoft). It is one of the best additions to your Windows toolbox. https://launcher.nirsoft.net/
Regarding WMI and Registry:
There are three WMI event classes concerning registry:
But you need to be aware of these limitations:
With RegistryTreeChangeEvent and RegistryKeyChangeEvent there is no way of directly telling which values or keys actually changed. To do this, you would need to save the registry state before the event and compare it to the state after the event.
You can't use these classes with HKEY_CLASSES_ROOT or HKEY_CURRENT_USER hives. You can overcome this by creating a WMI class to represent the registry key to monitor:
Defining a Registry Class With Qualifiers
and use it with __InstanceOperationEvent derived classes.
So using WMI to monitor the Registry is possible, but less then perfect. The advantage is that it is possible to monitor the changes in 'real time'. Another advantage could be WMI permanent event subscription:
a method to monitor the Registry 'at all times', ie. event if your application is not running.
A straightforward way to do this with no extra tools is to export the registry to a text file before the install, then export it to another file after. Then, compare the two files.
Having said that, the Sysinternals tools are great for this.
There are a few different ways. If you want to do it yourself on the fly WMI is probably the way to go. RegistryKeyChangeEvent and its relatives are the ones to look at. There might be a way to monitor it through __InstanceCreationEvent, __InstanceDeletionEvent and __InstanceModificationEvent classes too.
http://msdn.microsoft.com/en-us/library/aa393040(VS.85).aspx
I concur with Franci, all Sysinternals utilities are worth taking a look (Autoruns is a must too), and Process Monitor, which replaces the good old Filemon and Regmon is precious.
Beside the usage you want, it is very useful to see why a process fails (like trying to access a file or a registry key that doesn't exist), etc.
There is a python-hids called sobek ( http://code.google.com/p/sobek-hids/ ) that is able to monitor some parts of the SO. It's working fine for my for monitoring file changes, and although the doc sais that it's able to monitor registry changes it does not work for me.
Good piece of software for easily deplay a python based hids.
When using a VM, I use these steps to inspect changes to the registry:
HKLM\SYSTEM or HKLM\SOFTWARENow use your favourite diff program to compare the 'before' and 'after' snapshots.
Regshot deserves a mention here. It scans and takes a snapshot of all registry settings, then you run it again at a later time to compare with the original snapshot, and it shows you all the keys and values that have changed.
PhiLho has mentioned AutoRuns in passing, but I think it deserves elaboration.
It doesn't scan the whole registry, just the parts containing references to things which get loaded automatically (EXEs, DLLs, drivers etc.) which is probably what you are interested in. It doesn't track changes but can export to a text file, so you can run it before and after installation and do a diff.
Process Monitor allows you to monitor file and registry activity of various processes.
PhiLho has mentioned AutoRuns in passing, but I think it deserves elaboration.
It doesn't scan the whole registry, just the parts containing references to things which get loaded automatically (EXEs, DLLs, drivers etc.) which is probably what you are interested in. It doesn't track changes but can export to a text file, so you can run it before and after installation and do a diff.
Source: Stackoverflow.com