Tracking changes in Windows registry

暗喜 2020-12-12 18:58

Is there a way to track changes in Windows registry? I'd like to see what changes in the registry are made during installation of various programs.

10 answers
  • 2020-12-12 19:39

    There is a python-hids called sobek ( http://code.google.com/p/sobek-hids/ ) that is able to monitor some parts of the OS. It's working fine for me for monitoring file changes, and although the doc says that it's able to monitor registry changes it does not work for me.

    Good piece of software for easily deploying a Python-based HIDS.

  • 2020-12-12 19:41

    Process Monitor allows you to monitor file and registry activity of various processes.

  • 2020-12-12 19:45

    A straightforward way to do this with no extra tools is to export the registry to a text file before the install, then export it to another file after. Then, compare the two files.

    Having said that, the Sysinternals tools are great for this.

  • 2020-12-12 19:48

    Regarding WMI and Registry:

    There are three WMI event classes concerning registry:

    • RegistryTreeChangeEvent
    • RegistryKeyChangeEvent
    • RegistryValueChangeEvent

    Registry Event Classes

    But you need to be aware of these limitations:

    • With RegistryTreeChangeEvent and RegistryKeyChangeEvent there is no way of directly telling which values or keys actually changed. To do this, you would need to save the registry state before the event and compare it to the state after the event.

    • You can't use these classes with HKEY_CLASSES_ROOT or HKEY_CURRENT_USER hives. You can overcome this by creating a WMI class to represent the registry key to monitor:

    Defining a Registry Class With Qualifiers

    and use it with __InstanceOperationEvent derived classes.

    So using WMI to monitor the Registry is possible, but less than perfect. The advantage is that it is possible to monitor the changes in 'real time'. Another advantage could be WMI permanent event subscription:

    Receiving Events at All Times

    a method to monitor the Registry 'at all times', i.e. even if your application is not running.

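The answer above notes that RegistryKeyChangeEvent does not tell you which value changed, and an earlier answer suggests exporting the key before and after and comparing. The following PowerShell script, added here as an illustration and not posted by anyone in the thread, combines the two: it subscribes to RegistryKeyChangeEvent for one key and diffs a snapshot of that key's values on every event. The hive and key path are assumptions; change them to the key you want to watch.

```powershell
# Added example: watch one key with the WMI RegistryKeyChangeEvent class and, on each
# event, diff a snapshot of the key's values to see which value was added/changed/removed.
# Assumption: the key below is the one to monitor; change it to suit.
$Hive    = 'HKEY_LOCAL_MACHINE'
$KeyPath = 'SOFTWARE\Example\Watched'
$regPath = "Registry::$Hive\$KeyPath"

function Get-ValueSnapshot {
    param([string]$Path)
    $snap = @{}
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            # Stringify so REG_BINARY / REG_MULTI_SZ values compare cleanly
            $snap[$name] = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
    }
    return $snap
}

function Compare-Snapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($n in $After.Keys) {
        if (-not $Before.ContainsKey($n))   { "ADDED   '$n' = $($After[$n])" }
        elseif ($Before[$n] -ne $After[$n]) { "CHANGED '$n': $($Before[$n]) -> $($After[$n])" }
    }
    foreach ($n in $Before.Keys) {
        if (-not $After.ContainsKey($n))    { "REMOVED '$n' (was $($Before[$n]))" }
    }
}

# WQL treats backslash as an escape character, so double them in the key path
$wql = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='$Hive' AND KeyPath='$($KeyPath.Replace('\','\\'))'"

$before = Get-ValueSnapshot $regPath
Register-CimIndicationEvent -Query $wql -SourceIdentifier 'RegWatch'
try {
    while ($true) {
        # Blocks until the key's values change; the event itself does not say which
        # value, so the before/after diff supplies that detail
        $evt   = Wait-Event -SourceIdentifier 'RegWatch'
        $after = Get-ValueSnapshot $regPath
        Compare-Snapshot -Before $before -After $after | ForEach-Object { "$(Get-Date -Format o) $_" }
        $before = $after
        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
} finally {
    Unregister-Event -SourceIdentifier 'RegWatch'
}
```

RegistryKeyChangeEvent only fires for values directly under the named key, not for subkeys; use RegistryTreeChangeEvent with a snapshot of the whole subtree if you need that.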
  • 2020-12-12 19:51

    There are a few different ways. If you want to do it yourself on the fly, WMI is probably the way to go. RegistryKeyChangeEvent and its relatives are the ones to look at. There might be a way to monitor it through the __InstanceCreationEvent, __InstanceDeletionEvent and __InstanceModificationEvent classes too.

    http://msdn.microsoft.com/en-us/library/aa393040(VS.85).aspx

  • 2020-12-12 19:53

    It can monitor registry changes made by a specific program.

    https://www.nirsoft.net/utils/reg_file_from_application.html

    UPDATE: Just download NirLauncher (which includes all applications from NirSoft). It is one of the best additions to your Windows toolbox. https://launcher.nirsoft.net/
