Tracking changes in Windows registry

Process Monitor allows you to monitor file and registry activity of various processes.

Regarding WMI and Registry:

There are three WMI event classes concerning registry:

• RegistryTreeChangeEvent
• RegistryKeyChangeEvent
• RegistryValueChangeEvent

Registry Event Classes

But you need to be aware of these limitations:

• With RegistryTreeChangeEvent and RegistryKeyChangeEvent there is no way of directly telling which values or keys actually changed. To do this, you would need to save the registry state before the event and compare it to the state after the event.

• You can't use these classes with HKEY_CLASSES_ROOT or HKEY_CURRENT_USER hives. You can overcome this by creating a WMI class to represent the registry key to monitor:

Defining a Registry Class with Qualifiers

and use it with __InstanceOperationEvent derived classes.

So, using WMI to monitor the Registry is possible, but less than perfect. The advantage is that it is possible to monitor the changes in 'real time'. Another advantage could be WMI permanent event subscription:

Receiving Events at All Times

a method to monitor the Registry 'at all times', i.e. event if your application is not running.

A straightforward way to do this with no extra tools is to export the registry to a text file before the install, then export it to another file after. Then, compare the two files.

Having said that, the Sysinternals tools are great for this.

Regshot deserves a mention here. It scans and takes a snapshot of all registry settings, then you run it again at a later time to compare with the original snapshot, and it shows you all the keys and values that have changed.

There is a python-hids called sobek ( http://code.google.com/p/sobek-hids/ ) that is able to monitor some parts of the SO. It's working fine for my for monitoring file changes, and although the doc sais that it's able to monitor registry changes it does not work for me.

Good piece of software for easily deplay a python based hids.

There are a few different ways. If you want to do it yourself on the fly WMI is probably the way to go. RegistryKeyChangeEvent and its relatives are the ones to look at. There might be a way to monitor it through __InstanceCreationEvent, __InstanceDeletionEvent and __InstanceModificationEvent classes too.

http://msdn.microsoft.com/en-us/library/aa393040(VS.85).aspx

When using a VM, I use these steps to inspect changes to the registry:

1. Using 7-Zip, open the vdi/vhd/vmdk file and extract the folder C:\Windows\System32\config
2. Run OfflineRegistryView to convert the registry to plaintext
   • Set the 'Config Folder' to the folder you extracted
   • Set the 'Base Key' to HKLM\SYSTEM or HKLM\SOFTWARE
   • Set the 'Subkey Depth' to 'Unlimited'
   • Press the 'Go' button

Now use your favourite diff program to compare the 'before' and 'after' snapshots.

I concur with Franci, all Sysinternals utilities are worth taking a look (Autoruns is a must too), and Process Monitor, which replaces the good old Filemon and Regmon is precious.

Beside the usage you want, it is very useful to see why a process fails (like trying to access a file or a registry key that doesn't exist), etc.

PhiLho has mentioned AutoRuns in passing, but I think it deserves elaboration.

It doesn't scan the whole registry, just the parts containing references to things which get loaded automatically (EXEs, DLLs, drivers etc.) which is probably what you are interested in. It doesn't track changes but can export to a text file, so you can run it before and after installation and do a diff.