One part of most programs' installation process is modifying and updating the registry. It is possible to see exactly what was touched in the registry.
All I want to do is: make a copy of the registry, install a program, make another copy of the registry, and compare to see the changes.
Monitoring what happens in the registry can sometimes be a very useful thing.
I think that in general, you'll be very surprised at how much activity happens in the registry, particularly for an install.
There are a couple of ways to do what you're suggesting: comparing before and after snapshots of the registry and monitoring the changes as they happen.
I'll discuss both.
Before you run the installation program, run the Registry Editor. Use the Run item on the Start menu, or press the Windows key plus the letter R, and then type in "regedit" and click OK.
Make sure that the top-level item - "Computer" - is selected as shown above. Just click it once.
Now click File, and then Export...
In this Save As dialog box, give the file a name. In the example above, I've named it "before" and the file saved will be "before.reg."
This will export the entire registry.
Leave the Registry Editor open.
Run your install.
Once the install has completed, repeat the File, Export..., but this time, give the export file a new name. Perhaps "after.reg" might be appropriate.
You can now compare the two (Unicode text) files. There are various file-difference tools available. I'm partial to the free, open source WinMerge utility.
Using WinMerge, you can view the before and after registry dumps side by side to see exactly what's changed:
The registry is large and complex, so expect to spend some time here if you really want to review all of the differences. As I said, I expect you'll be surprised by how many changes there are as a result of the install.
Also, be aware that other registry activity may have occurred during the install. Naturally, you'll want to have as little software running as possible when you do this, but even then, Windows itself may sneak in an unrelated change or two.
Download the program Process Monitor from Microsoft (do not confuse this with Process Explorer, a different program).
Run Process Monitor (procmon). It will begin monitoring right away.
Run your install.
As soon as your installation is done, switch back to Process Monitor and type Ctrl+E to stop monitoring.
Click the Filter menu and then the Filter... menu item.
Process Monitor has a default filter that excludes things, such as displaying events related to itself. We're going to add a filter to narrow down the information that it displays.
In this example, I've selected Operation, "begins with," and "Reg." All registry related operations begin with the letters "Reg," so this will display only registry related operations.
Click Add to add the filter, and then OK to update the display.
What you'll find is ... well, a lot of registry operations. The registry is constantly in use even when you're doing nothing. In the few minutes that it took for me to start Process Monitor, run the install, and type Ctrl+E to stop monitoring, almost 400,000 registry events were collected.
There are ways to narrow this down some more, but each has its drawbacks, depending on your situation.
Rather than looking for all registry events, you can set the filter to look only at specific events - perhaps specific registry events like RegCreateKey, which is used to create new registry entries. However, not knowing exactly how the setup program operates, you'll need to include all Registry operations in your filter that might possibly affect the contents of the registry. I count seven such operations (RegCreateKey, RegDeleteKey, RegDeleteValue, RegRenameKey, RegSetInfoKey, RegSetKeySecurity, RegSetValue). There are probably things I've overlooked. Even narrowing the scope to only registry-altering operations, you will still see activity from other applications and Windows, even though they are not directly involved in the installation.
You could look only at activity from a specific process. In my case (I was installing the FTP program "CyberDuck"), the installer process was Cyberduck-installer-4.2.1.exe. The risk here is that many installers hand off their work to other processes - some their own and often Windows' own installer, msiexec.exe. You'll need to watch for that and include that in your filter as well.
You can combine the two approaches, looking for specific registry events from specific programs.
You can use something else. Process Monitor has something like 26 different "things" that it can look for ("Operation" is just one) and each can be restricted to different values in various ways.
I'm not including specific examples for these cases because, as I said, what's needed really varies dramatically on what you're installing and how it all works.
And, to be completely honest, this approach to using Process Monitor is somewhat technical and best experimented with on your own if you are appropriately skilled.
Particularly since, as it turns out, the information that you'll be looking at is going to require some level of skill to understand as well.
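The combined approach described above (registry-altering operations, limited to the installer and the processes it hands off to) can also be applied after the fact to a saved capture. This is an added example, not part of the original article; it assumes the capture was saved from Process Monitor as CSV with the default columns, and the sample rows and registry paths are constructed.

```python
import csv, io
from collections import Counter

# The seven registry-altering operations listed in the text above.
WRITE_OPS = {"RegCreateKey", "RegDeleteKey", "RegDeleteValue", "RegRenameKey",
             "RegSetInfoKey", "RegSetKeySecurity", "RegSetValue"}

def registry_writes(csv_text, processes):
    """Return rows for successful registry-altering operations by the named processes."""
    wanted = {p.lower() for p in processes}
    # Tolerate a byte-order mark at the start of the text if one is present.
    rows = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    return [r for r in rows
            if r["Operation"] in WRITE_OPS
            and r["Process Name"].lower() in wanted
            and r["Result"] == "SUCCESS"]  # a failed write changed nothing

def summarize(rows):
    """Count matching events per (process, operation)."""
    return Counter((r["Process Name"], r["Operation"]) for r in rows)

# Constructed sample capture (assumed default CSV column layout).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","Cyberduck-installer-4.2.1.exe","4120","RegQueryValue","HKLM\SOFTWARE\Example","NAME NOT FOUND",""
"10:00:01.0000002","Cyberduck-installer-4.2.1.exe","4120","RegCreateKey","HKLM\SOFTWARE\Example","SUCCESS",""
"10:00:02.0000001","msiexec.exe","5288","RegSetValue","HKLM\SOFTWARE\Example\Version","SUCCESS",""
"10:00:02.0000002","Explorer.EXE","1892","RegSetValue","HKCU\Software\Other\Recent","SUCCESS",""
"10:00:03.0000001","msiexec.exe","5288","RegDeleteValue","HKLM\SOFTWARE\Example\Old","NAME NOT FOUND",""
"10:00:03.0000002","Cyberduck-installer-4.2.1.exe","4120","RegSetValue","HKLM\SOFTWARE\Example\Path","SUCCESS",""
'''

# The installer plus the Windows installer process it may hand work to.
INSTALLERS = ["Cyberduck-installer-4.2.1.exe", "msiexec.exe"]

if __name__ == "__main__":
    hits = registry_writes(SAMPLE, INSTALLERS)
    for r in hits:
        print(r["Process Name"], r["Operation"], r["Path"])
    print(summarize(hits))
```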