Tracking changes in Windows registry

Question

Is there a way to track changes in Windows registry? I\'d like to see what changes in the registry are made during installation of various programs.

Answer 1

Regshot deserves a mention here. It scans and takes a snapshot of all registry settings, then you run it again at a later time to compare with the original snapshot, and it shows you all the keys and values that have changed.

Answer 2

When using a VM, I use these steps to inspect changes to the registry:

1. Using 7-Zip, open the vdi/vhd/vmdk file and extract the folder C:\Windows\System32\config
2. Run OfflineRegistryView to convert the registry to plaintext
   • Set the 'Config Folder' to the folder you extracted
   • Set the 'Base Key' to HKLM\SYSTEM or HKLM\SOFTWARE
   • Set the 'Subkey Depth' to 'Unlimited'
   • Press the 'Go' button

Now use your favourite diff program to compare the 'before' and 'after' snapshots.

Answer 3

PhiLho has mentioned AutoRuns in passing, but I think it deserves elaboration.

It doesn't scan the whole registry, just the parts containing references to things which get loaded automatically (EXEs, DLLs, drivers etc.) which is probably what you are interested in. It doesn't track changes but can export to a text file, so you can run it before and after installation and do a diff.

Answer 4

I concur with Franci, all Sysinternals utilities are worth taking a look (Autoruns is a must too), and Process Monitor, which replaces the good old Filemon and Regmon is precious.

Beside the usage you want, it is very useful to see why a process fails (like trying to access a file or a registry key that doesn't exist), etc.