
One part of most programs' installation process is modifying and updating the registry. It is possible to see exactly what was touched in the registry.

All I want to do is: make a copy of the registry, install a program, make another copy of the registry, and compare to see the changes.

Monitoring what happens in the registry can sometimes be a very useful thing.

I think that in general, you'll be very surprised at how much activity happens in the registry, particularly for an install.

There are a couple of ways to do what you're suggesting: comparing before and after snapshots of the registry and monitoring the changes as they happen.

I'll discuss both.

Comparing Registry Snapshots

Before you run the installation program, run the Registry Editor. Use the Run item on the Start menu, or press the Windows key plus the letter R, and then type in "regedit" and click OK.

[Screenshot: Registry Editor]

Make sure that the top-level item - "Computer" - is selected as shown above. Just click it once.

Now click File, and then Export...

[Screenshot: Registry Editor export dialog]

In this Save As dialog box, give the file a name. In the example above, I've named it "before" and the file saved will be "before.reg."

This will export the entire registry.

Leave the Registry Editor open.

Run your install.

Once the install has completed, repeat the File, Export..., but this time, give the export file a new name. Perhaps "after.reg" might be appropriate.

You can now compare the two (Unicode text) files. There are various file-difference tools available. I'm partial to the free, open source WinMerge utility.

Using WinMerge, you can view the before and after registry dumps side by side to see exactly what's changed:

[Screenshot: Before and After registry dumps compared in WinMerge]

The registry is large and complex, so expect to spend some time here if you really want to review all of the differences. As I said, I expect you'll be surprised by how many changes there are as a result of the install.

Also, be aware that other registry activity may have occurred during the install. Naturally, you'll want to have as little software running as possible when you do this, but even then, Windows itself may sneak in an unrelated change or two.
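The before/after comparison can also be scripted instead of read line by line in WinMerge. The Python script below is an added example, not code from Ask Leo! or from WinMerge: it parses two regedit exports into key/value maps and reports added keys, removed keys and changed values; the two exports embedded in it are hand-constructed samples, and real exports are UTF-16 with a BOM, so read them with `Path("before.reg").read_text(encoding="utf-16")`.

```python
"""Diff two regedit exports (before.reg / after.reg) key by key; added example, not Ask Leo! code."""
import re
KEY_RE = re.compile(r"^\[(.+)\]$")   # section header, e.g. [HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCo]

def _split_entry(line):
    # '"Name"=raw' -> (Name, raw); '@=raw' is the key's (Default) value; anything else -> (None, None)
    if line.startswith("@="):
        return "(Default)", line[2:]
    j = 1
    while line.startswith('"') and j < len(line) and line[j] != '"':
        j += 2 if line[j] == "\\" else 1          # step over escaped \" and \\ inside the name
    return (line[1:j], line[j + 2:]) if line.startswith('"') else (None, None)

def parse_reg(text):
    # Returns {key_path: {value_name: raw_value}}; a key with no values maps to {}.
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i].rstrip(), i + 1
        while line.endswith("\\") and i < len(lines):   # hex(...) data wraps with a trailing '\'
            line, i = line[:-1] + lines[i].strip(), i + 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        name, value = _split_entry(line)
        if current is not None and name is not None:
            current[name] = value
    return keys

def diff_reg(before_text, after_text):
    b, a = parse_reg(before_text), parse_reg(after_text)
    changed = [(k, n, b[k].get(n), a[k].get(n)) for k in sorted(set(a) & set(b))
               for n in sorted(set(a[k]) | set(b[k])) if b[k].get(n) != a[k].get(n)]
    return {"added_keys": sorted(set(a) - set(b)),
            "removed_keys": sorted(set(b) - set(a)), "changed_values": changed}

# Constructed sample exports (hand-written, not real regedit output) so the script runs offline.
BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCo]
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCo\Old]"""
AFTER = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCo]
"Version"="2.0"
"InstallDir"="C:\\Program Files\\ExampleCo"
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCo\Run]
"Blob"=hex:01,02,\
  03,04"""
```

`diff_reg(BEFORE, AFTER)` reports the new `...\Run` key, the removed `...\Old` key, and the `Version` and `InstallDir` changes under `ExampleCo`; a value that exists on only one side shows `None` for the missing side.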

Monitoring registry activity

Download the program Process Monitor from Microsoft (do not confuse this with Process Explorer, a different program).

Run Process Monitor (procmon). It will begin monitoring right away.

Run your install.

As soon as your installation is done, switch back to Process Monitor and type Ctrl+E to stop monitoring.

Click the Filter menu and then the Filter... menu item.

Process Monitor has a default filter that excludes things, such as displaying events related to itself. We're going to add a filter to narrow down the information that it displays.

[Screenshot: Process Monitor Filter dialog]

In this example, I've selected Operation, "begins with," and "Reg." All registry-related operations begin with the letters "Reg," so this will display only registry-related operations.

Click Add to add the filter, and then OK to update the display.

[Screenshot: Process Monitor filtered to only registry operations]

What you'll find is ... well, a lot of registry operations. The registry is constantly in use even when you're doing nothing. In the few minutes that it took for me to start Process Monitor, run the install, and type Ctrl+E to stop monitoring, almost 400,000 registry events were collected.

There are ways to narrow this down some more, but each has its drawbacks, depending on your situation.

  • Rather than looking for all registry events, you can set the filter to look only at specific events - perhaps specific registry events like RegCreateKey, which is used to create new registry entries. However, not knowing exactly how the setup program operates, you'll need to include in your filter all registry operations that might possibly affect the contents of the registry. I count seven such operations (RegCreateKey, RegDeleteKey, RegDeleteValue, RegRenameKey, RegSetInfoKey, RegSetKeySecurity, RegSetValue). There are probably things I've overlooked. Even narrowing the scope to only registry-altering operations, you will still see activity from other applications and Windows, even though they are not directly involved in the installation.

  • You could look only at activity from a specific process. In my case (I was installing the FTP program "CyberDuck"), the installer process was Cyberduck-installer-4.2.1.exe. The risk here is that many installers hand off their work to other processes - some their own, and often Windows' own installer, msiexec.exe. You'll need to watch for that and include those processes in your filter as well.

  • You can combine the two approaches, looking for specific registry events from specific programs.

  • You can use something else. Process Monitor has something like 26 different "things" that it can look for ("Operation" is just one), and each can be restricted to different values in various ways.

I'm not including specific examples for these cases because, as I said, what's needed really varies dramatically on what you're installing and how it all works.

And, to be completely honest, this approach to using Process Monitor is somewhat technical and best experimented with on your own if you are appropriately skilled.

Particularly since, as it turns out, the information that you'll be looking at is going to require some level of skill to understand as well.
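One way to combine the two narrowing approaches from the list above (only registry-altering operations, and only from the installer plus the processes it hands off to, such as msiexec.exe) is to post-process a saved Process Monitor trace rather than building the filter by hand. The Python script below is an added example, not Process Monitor's or the article's own code; it assumes Process Monitor's CSV export with its default columns and that a "Process Create" event's Detail column contains "PID: <number>", and the event rows embedded in it are constructed.

```python
"""Reduce a Process Monitor CSV export to the registry-altering events of one installer and the
processes it spawned. Added example; not Process Monitor's or Ask Leo!'s code."""
import csv
import io
import re

# The seven registry-altering operations the article lists.
ALTERING = {"RegCreateKey", "RegDeleteKey", "RegDeleteValue", "RegRenameKey",
            "RegSetInfoKey", "RegSetKeySecurity", "RegSetValue"}
CHILD_PID = re.compile(r"PID:\s*(\d+)")   # assumed Detail format of a "Process Create" event

def installer_registry_changes(csv_text, root_pid):
    """Return [(process, pid, operation, path)] for successful altering ops from root_pid's tree."""
    tracked = {str(root_pid)}
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):   # assumes procmon's default CSV columns
        if row["PID"] not in tracked:
            continue                                     # unrelated process (Explorer, svchost...)
        if row["Operation"] == "Process Create":         # installer handed off to a child process
            m = CHILD_PID.search(row["Detail"])
            if m:
                tracked.add(m.group(1))                  # follow the child from now on
        elif row["Operation"] in ALTERING and row["Result"] == "SUCCESS":
            hits.append((row["Process Name"], row["PID"], row["Operation"], row["Path"]))
    return hits

# Constructed trace (hand-written in procmon's CSV layout, not a real capture).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.0001","Explorer.EXE","1200","RegQueryValue","HKCU\Software\Classes\.txt","SUCCESS","Type: REG_SZ"
"1:02:03.0002","Setup.exe","4100","RegCreateKey","HKLM\SOFTWARE\ExampleCo","SUCCESS","Desired Access: Write"
"1:02:03.0003","Setup.exe","4100","Process Create","C:\Windows\System32\msiexec.exe","SUCCESS","PID: 4200, Command line: msiexec.exe /i example.msi"
"1:02:03.0004","msiexec.exe","4200","RegSetValue","HKLM\SOFTWARE\ExampleCo\InstallDir","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\Program Files\ExampleCo"
"1:02:03.0005","svchost.exe","900","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\Foo\Start","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"1:02:03.0006","msiexec.exe","4200","RegDeleteKey","HKLM\SOFTWARE\ExampleCo\Old","SUCCESS",""
"1:02:03.0007","Setup.exe","4100","RegSetValue","HKLM\SOFTWARE\ExampleCo\Tmp","ACCESS DENIED","Type: REG_SZ, Length: 2"
'''

if __name__ == "__main__":
    for process, pid, op, path in installer_registry_changes(SAMPLE, 4100):
        print(f"{process:12} {pid:>5}  {op:16} {path}")
```

Run against the sample with the installer's PID (4100) it keeps the three successful changes made by Setup.exe and by the msiexec.exe it spawned, and drops the Explorer and svchost noise and the failed write.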

Article C5251 - April 25, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


3 Comments
c l coon
April 27, 2012 6:59 PM

I use Win Patrol, it does a good job of detecting any registry changes, and gives you the opportunity to allow them or not.

Yes, however it doesn't notify you for EVERYTHING. You'd never be able to use your computer for all the warnings. WinPatrol notifies for certain classes of updates typically related to startup and auto-run and a few more areas frequently targeted by malware. But certainly not everything.
Leo
29-Apr-2012
RMB
April 28, 2012 3:18 PM

I use Tiny Watcher on Windows XP from http://kubicle.dcmembers.com/watcher/, which as far as I can tell will work all the way through Vista. I found conflicting reports about its use in Windows 7, and have no idea how Windows 8 maintains a registry. I run the Logon command each time I reboot, and the Quick after each install. I like the log so I can go back and look at changes over time. I also run the Deep scan once a week just for S&G's. I loaded them into batch files and rename the log with a timestamp after each scan so the log does not get so long and unwieldy. I like Tiny Watcher because it does not have to run all the time, but due to this, it will not flag changes in real time, only after the fact like a registry comparison. It also monitors C:\, C:\Windows, and C:\Windows\system32\ and can monitor custom folders.

DiggerP
April 30, 2012 10:00 PM

Hi,
I often used WhatChanged on XP. Have yet to try it on Win7. You'll find it on this page: http://www.vtaskstudio.com/support.php
To minimize unwanted recording of changes, close all running programs and other background services not involved in running your system, including AV etc.
I usually disconnect from the internet while taking the snapshots before and after the (test) program's install.
I've also used it to detect what malware does when it's installed, but for this I use a minimal setup of the OS and run it in a VM.
