
How do I monitor what changes in my registry?

Question:

All I want to do is: make a copy of the registry, install a program, make
another copy of the registry, and compare to see the changes.

Monitoring what happens in the registry can sometimes be a very useful
thing.

I think that in general, you’ll be very surprised at how much activity
happens in the registry, particularly for an install.

There are a couple of ways to do what you’re suggesting: comparing before
and after snapshots of the registry and monitoring the changes as they
happen.

I’ll discuss both.


Comparing Registry Snapshots

Before you run the installation program, run the Registry Editor. Use the
Run item on the Start menu, or press the Windows key plus the letter R, and
then type in “regedit” and click OK.

Registry Editor

Make sure that the top-level item – “Computer” – is selected as shown
above. Just click it once.

Now click File, and then Export…

Registry Editor export dialog

In this Save As dialog box, give the file a name. In the example above,
I’ve named it “before” and the file saved will be “before.reg.”

This will export the entire registry.

Leave the Registry Editor open.

Run your install.

Once the install has completed, repeat File, Export…, but this time give
the export file a new name; “after.reg” would be appropriate.

You can now compare the two (Unicode text) files. There are various
file-difference tools available; I’m partial to the free, open source
WinMerge utility.

Using WinMerge, you can view the before and after registry dumps side by
side to see exactly what’s changed:

Before and After registry dumps compared in WinMerge

The registry is large and complex, so expect to spend some time here if
you really want to review all of the differences. As I said, I expect you’ll be
surprised by how many changes there are as a result of the install.

Also, be aware that other registry activity may have occurred during the
install. Naturally, you’ll want to have as little software running as
possible when you do this, but even then, Windows itself may sneak in an
unrelated change or two.
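The before/after comparison described above, as an added PowerShell example that is not part of the original article. It uses regedit’s /e switch to write the full-registry export, then compares the two .reg files key by key (so a changed value is reported under the key it belongs to) rather than line by line as a plain diff tool would; the .reg text embedded below is constructed sample data.

```powershell
# Added example (not from the Ask Leo! article): take a whole-registry snapshot
# before and after an install with regedit /e, then compare the two .reg files
# key by key. The sample .reg text below is constructed, not a real export.

function Export-RegistrySnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # regedit /e writes the entire registry as a Unicode (UTF-16 LE) .reg file.
    Start-Process -FilePath regedit.exe -ArgumentList '/e', "`"$Path`"" -Wait
}

function ConvertFrom-RegExport {
    # Parse .reg text into a hashtable: key path -> list of its value lines.
    param([Parameter(Mandatory)][string[]]$Lines)
    $keys = @{}
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $keys.ContainsKey($current)) { $keys[$current] = @() }
        } elseif ($current -and $line.Trim()) {
            $keys[$current] += $line.Trim()
        }
    }
    return $keys
}

function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) { "ADDED KEY     [$k]"; continue }
        foreach ($v in $After[$k])  { if ($Before[$k] -notcontains $v) { "ADDED VALUE   [$k] $v" } }
        foreach ($v in $Before[$k]) { if ($After[$k]  -notcontains $v) { "REMOVED VALUE [$k] $v" } }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) { "REMOVED KEY   [$k]" }
    }
}

# Constructed before/after exports standing in for before.reg and after.reg.
$beforeText = @'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"Version"="1.0"
'@
$afterText = @'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"Version"="2.0"
"InstallDir"="C:\\Program Files\\ExampleApp"

[HKEY_CURRENT_USER\Software\ExampleApp\Settings]
"FirstRun"=dword:00000001
'@
Compare-RegistrySnapshot -Before (ConvertFrom-RegExport ($beforeText -split "`r?`n")) `
                         -After  (ConvertFrom-RegExport ($afterText  -split "`r?`n"))
# Real use: Export-RegistrySnapshot before and after the install, then feed
# (Get-Content before.reg) and (Get-Content after.reg) to ConvertFrom-RegExport.
```

On the constructed sample this reports the changed “Version” value as one removed and one added line, the new “InstallDir” value, and the new Settings subkey; on a real export expect thousands of lines, including unrelated Windows activity.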

Monitoring registry activity

Download the program Process Monitor from Microsoft (do not confuse this with Process
Explorer, a different program).

Run Process Monitor (procmon). It will begin monitoring right away.

Run your install.

As soon as your installation is done, switch back to Process Monitor and
type Ctrl+E to stop monitoring.

Click the Filter menu and then the Filter… menu item.

Process Monitor has a default filter that already excludes some things,
such as events generated by Process Monitor itself. We’re going to add a
filter to narrow down the information it displays.

Process Monitor Filter

In this example, I’ve selected Operation, “begins with,” and “Reg.” All
registry related operations begin with the letters “Reg,” so this will
display only registry related operations.

Click Add to add the filter, and then OK
to update the display.

Process Monitor filtered to only registry operations

What you’ll find is … well, a lot of registry operations. The registry
is constantly in use even when you’re doing nothing. In the few minutes that it
took for me to start Process Monitor, run the install, and type Ctrl+E to stop
monitoring, almost 400,000 registry events were collected.

There are ways to narrow this down some more, but each has its drawbacks,
depending on your situation.

  • Rather than looking for all registry events, you can set the filter to
    look only at specific events – perhaps specific registry events like
    RegCreateKey, which is used to create new registry entries. However, not
    knowing exactly how the setup program operates, you’ll need to include in
    your filter all registry operations that might possibly affect the
    contents of the registry. I count seven such operations (RegCreateKey,
    RegDeleteKey, RegDeleteValue, RegRenameKey, RegSetInfoKey, RegSetKeySecurity,
    RegSetValue). There are probably things I’ve overlooked. Even narrowing the
    scope to only registry-altering operations, you will still see activity from
    other applications and from Windows, even though they are not directly
    involved in the installation.

  • You could look only at activity from a specific process. In my case (I was
    installing the FTP program “CyberDuck”), the installer process was
    Cyberduck-installer-4.2.1.exe. The risk here is that many installers hand
    off their work to other processes – some their own, and often Windows’ own
    installer, msiexec.exe. You’ll need to watch for that and include those
    processes in your filter as well.

  • You can combine the two approaches, looking for specific registry events
    from specific programs.

  • You can use something else. Process Monitor has something like 26
    different “things” that it can look for (“Operation” is just one), and each
    can be restricted to different values in various ways.

I’m not including specific examples for these cases because, as I said,
what’s needed depends dramatically on what you’re installing and how it
all works.
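As an added example that is not part of the original article, here is the first two approaches above combined in PowerShell, applied to a Process Monitor capture saved as CSV (File, Save…, CSV format): keep only the seven registry-altering operations, optionally only from the installer and msiexec.exe. The column names assume Procmon’s default columns, and the sample rows are constructed.

```powershell
# Added example (not from the Ask Leo! article): narrow a Process Monitor capture
# saved as CSV to the seven registry-altering operations, optionally from chosen
# processes only. Column names assume Procmon's default columns; rows are constructed.

$RegistryWriteOps = 'RegCreateKey', 'RegDeleteKey', 'RegDeleteValue', 'RegRenameKey',
                    'RegSetInfoKey', 'RegSetKeySecurity', 'RegSetValue'

function Select-RegistryWrites {
    param(
        [Parameter(Mandatory)][object[]]$Events,  # rows from ConvertFrom-Csv / Import-Csv
        [string[]]$ProcessNames                   # e.g. the installer plus msiexec.exe
    )
    $Events | Where-Object {
        $RegistryWriteOps -contains $_.Operation -and
        (-not $ProcessNames -or $ProcessNames -contains $_.'Process Name')
    }
}

# Constructed sample of a Procmon CSV export (a real one has hundreds of thousands of rows).
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1 AM","Cyberduck-installer-4.2.1.exe","4120","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion","SUCCESS","Desired Access: Read"
"10:01:02.2 AM","Cyberduck-installer-4.2.1.exe","4120","RegCreateKey","HKCU\Software\Cyberduck","SUCCESS","Desired Access: All Access"
"10:01:02.3 AM","msiexec.exe","5008","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{PLACEHOLDER-GUID}\DisplayName","SUCCESS","Type: REG_SZ, Data: Cyberduck"
"10:01:02.4 AM","explorer.exe","1212","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Data: 2"
"10:01:02.5 AM","svchost.exe","900","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start","SUCCESS","Type: REG_DWORD, Data: 3"
"10:01:02.6 AM","Cyberduck-installer-4.2.1.exe","4120","RegSetValue","HKCU\Software\Cyberduck\InstallPath","SUCCESS","Type: REG_SZ, Data: C:\Program Files\Cyberduck"
'@
$events = @($sampleCsv | ConvertFrom-Csv)

# First narrowing: every registry-altering operation, from any process.
$allWrites = @(Select-RegistryWrites -Events $events)
# Second narrowing: only the installer and the Windows Installer it may hand off to.
$installerWrites = @(Select-RegistryWrites -Events $events -ProcessNames 'Cyberduck-installer-4.2.1.exe', 'msiexec.exe')

"{0} events captured, {1} registry writes, {2} from the installer processes" -f `
    $events.Count, $allWrites.Count, $installerWrites.Count
$installerWrites | Format-Table 'Process Name', Operation, Path, Result -AutoSize

# Whatever is in $allWrites but not in $installerWrites (here the svchost.exe write) is
# the unrelated Windows activity the article warns about; review it before blaming the installer.
```

For a real capture, replace the here-string with `Import-Csv C:\path\to\capture.csv` and add any further processes the installer spawns to the -ProcessNames list.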

And, to be completely honest, this approach to using Process Monitor is
somewhat technical and best experimented with on your own if you are
appropriately skilled, particularly since the information you’ll be looking
at will require some level of skill to understand as well.


3 comments on “How do I monitor what changes in my registry?”

  1. I use Win Patrol, it does a good job of detecting any registry changes, and gives you the opportunity to allow them or not.

    Yes, however it doesn’t notify you for EVERYTHING. You’d never be able to use your computer for all the warnings. WinPatrol notifies for certain classes of updates typically related to startup and auto-run and a few more areas frequently targeted for malware. But certainly not everything.

    Leo
    29-Apr-2012
    Reply
  2. I use Tiny Watcher on Windows XP from http://kubicle.dcmembers.com/watcher/, which as far as I can tell will work all the way through Vista. I found conflicting reports about its use in Windows 7, and have no idea how Windows 8 maintains a registry. I run the Logon command each time I reboot, and the Quick after each install. I like the log so I can go back and look at changes over time. I also run the Deep scan once a week just for S&G’s. I loaded them into batch files and rename the log with a timestamp after each scan so the log does not get so long and unwieldy. I like Tiny Watcher because it does not have to run all the time, but due to this, it will not flag changes in real time, only after the fact like a registry comparison. It also monitors C:\, C:\Windows, and C:\Windows\system32\ and can monitor custom folders.

    Reply
  3. Hi,
    I often used WhatChanged on XP. Have yet to try it on Win7. You’ll find it on this page: http://www.vtaskstudio.com/support.php
    To minimize unwanted recording of changes, close all running programs and other background services not involved in running your system, including AV etc.
    I usually disconnect from the internet while taking the snapshots before and after the (test) program’s install.
    I’ve also used it to detect what malware does when it’s installed, but for this I use a minimal setup of the OS and run it in a VM.

    Reply
