Tracking changes in Windows registry

Question

Is there a way to track changes in Windows registry  I d like to see what changes in the registry are made during installation of various programs

User · Answer

A straightforward way to do this with no extra tools is to export the registry to a text file before the install, then export it to another file after. Then, compare the two files.

Having said that, the Sysinternals tools are great for this.

User · Answer

Can monitor registry changes made by specific program   https   www nirsoft net utils reg file from application html  UPDATE  Just download NirLauncher  which includes all applications from NirSoft   It is one of the best additions to your Windows toolbox  https   launcher nirsoft net

User · Answer

PhiLho has mentioned AutoRuns in passing  but I think it deserves elaboration   It doesn t scan the whole registry  just the parts containing references to things which get loaded automatically  EXEs  DLLs  drivers etc   which is probably what you are interested in  It doesn t track changes but can export to a text file  so you can run it before and after installation and do a diff

User · Answer

PhiLho has mentioned AutoRuns in passing  but I think it deserves elaboration   It doesn t scan the whole registry  just the parts containing references to things which get loaded automatically  EXEs  DLLs  drivers etc   which is probably what you are interested in  It doesn t track changes but can export to a text file  so you can run it before and after installation and do a diff

User · Answer

Regarding WMI and Registry   There are three WMI event classes concerning registry    RegistryTreeChangeEvent RegistryKeyChangeEvent RegistryValueChangeEvent     Registry Event Classes  But you need to be aware of these limitations    With RegistryTreeChangeEvent and RegistryKeyChangeEvent there is no way of directly telling which values or keys actually changed  To do this  you would need to save the registry state before the event and compare it to the state after the event  You can t use these classes with HKEY CLASSES ROOT or HKEY CURRENT USER  hives  You can overcome this by creating a WMI class to represent the registry key to monitor    Defining a Registry Class With Qualifiers  and use it with   InstanceOperationEvent derived classes   So using WMI to monitor the Registry is possible  but less then perfect  The advantage is that it is possible to monitor the changes in  real time   Another advantage could be WMI permanent event subscription   Receiving Events at All Times  a method to monitor the Registry  at all times   ie  event if your application is not running

User · Answer

I concur with Franci  all Sysinternals utilities are worth taking a look  Autoruns is a must too   and Process Monitor  which replaces the good old Filemon and Regmon is precious   Beside the usage you want  it is very useful to see why a process fails  like trying to access a file or a registry key that doesn t exist   etc

User · Answer

There are a few different ways  If you want to do it yourself on the fly WMI is probably the way to go  RegistryKeyChangeEvent and its relatives are the ones to look at  There might be a way to monitor it through   InstanceCreationEvent    InstanceDeletionEvent and   InstanceModificationEvent classes too   http   msdn microsoft com en-us library aa393040 VS 85  aspx

User · Answer

Regshot deserves a mention here   It scans and takes a snapshot of all registry settings  then you run it again at a later time to compare with the original snapshot  and it shows you all the keys and values that have changed

User · Answer

Process Monitor allows you to monitor file and registry activity of various processes

User · Answer

When using a VM  I use these steps to inspect changes to the registry    Using 7-Zip  open the vdi vhd vmdk file and extract the folder C  Windows System32 config Run OfflineRegistryView to convert the registry to plaintext   Set the  Config Folder  to the folder you extracted Set the  Base Key  to HKLM SYSTEM or HKLM SOFTWARE Set the  Subkey Depth  to  Unlimited  Press the  Go  button    Now use your favourite diff program to compare the  before  and  after  snapshots

User · Answer

There is a python-hids called sobek   http   code google com p sobek-hids    that is able to monitor some parts of the SO  It s working fine for my for monitoring file changes  and although the doc sais that it s able to monitor registry changes it does not work for me   Good piece of software for easily deplay a python based hids

[windows] Tracking changes in Windows registry

Examples related to windows

Examples related to registry