Tracking changes in Windows registry

Question

Is there a way to track changes in Windows registry? I\'d like to see what changes in the registry are made during installation of various programs.

Answer 1

Regarding WMI and Registry:

There are three WMI event classes concerning registry:

• RegistryTreeChangeEvent
• RegistryKeyChangeEvent
• RegistryValueChangeEvent

Registry Event Classes

But you need to be aware of these limitations:

• With RegistryTreeChangeEvent and RegistryKeyChangeEvent there is no way of directly telling which values or keys actually changed. To do this, you would need to save the registry state before the event and compare it to the state after the event.

• You can't use these classes with HKEY_CLASSES_ROOT or HKEY_CURRENT_USER hives. You can overcome this by creating a WMI class to represent the registry key to monitor:

Defining a Registry Class With Qualifiers

and use it with __InstanceOperationEvent derived classes.

So using WMI to monitor the Registry is possible, but less then perfect. The advantage is that it is possible to monitor the changes in 'real time'. Another advantage could be WMI permanent event subscription:

Receiving Events at All Times

a method to monitor the Registry 'at all times', ie. event if your application is not running.