Tracking registry changes with Regshot. How to view changes in the Windows registry. How to make changes to the system registry

From time to time, users and system administrators need to review the changes made to the Windows registry over a certain period, for example to see what changes a particular program or a user's actions make.

You can view changes made to the Windows registry either with tools built into the operating system or with third-party software. Let's start with the former.

Note also that every approach comes down to one of two methods: comparing two "snapshots" of the registry taken at different times, or monitoring changes in real time.

The most accessible way to see what changes were made to the registry is the fc.exe utility built into Windows. The advantage of this method is that no additional software is needed. fc.exe is not specific to registry changes: it compares any two files or sets of files. It follows that we need two "snapshots" of the registry.

First we export either the entire registry or only the branch we need. Let's say we have two files, 1.reg and 2.reg, saved to the root of drive C. Then we can compare them with the command

fc c:\1.reg c:\2.reg > c:\log.txt

Here the command's output is redirected to a text file. I would recommend, however, using a richer format and/or an editor more capable than Notepad so that there are no problems with .

In the screenshot above I used MS Word and the .doc format.

The problem with fc.exe is that its output is hardly readable. The screenshot above shows that the parameter Primer has been added in the branch, but you are unlikely to work that out unless you already know it. fc.exe cannot be called a full-fledged analysis tool. It is better suited to the case where you make registry changes yourself and want to confirm they were applied (without wandering through the registry branches in regedit).

So let's move on to another utility, WinDiff, which unfortunately is no longer part of modern Windows versions but can be added. It is installed with Microsoft's Windows SDK packages. Unfortunately, after Windows 7 WinDiff was dropped from those packages too, but it can also be downloaded separately, for example, .

To use WinDiff from the Windows command line, put it in the %WINDIR%\System32 directory. Now, to compare the two registry files from the example, we just need to enter the command

windiff C:\1.reg C:\2.reg

The utility's graphical interface will open, as shown in the screenshot above. Let's figure out how to read WinDiff's output.

  • Lines on a white background mean the contents of the files match;
  • Lines on a red background show content of the first (left) file that is not in the second (right);
  • Lines on a yellow background show content of the second (right) file that is not in the first (left).

We have a yellow line with the content "Primer"="". This means that the parameter Primer, with an empty value, appears in the second file, under HKEY_LOCAL_MACHINE\SOFTWARE\Test. Since the second file was saved later than the first, we can conclude that this parameter was added rather than removed.

Let's move on to third-party registry monitoring utilities.

A popular free solution is Regshot. It also works with registry snapshots, but it takes them itself rather than analyzing previously saved files. That is its minus; its plus is that it is very simple.

First you need to take the first snapshot of the registry.

After the second snapshot has been taken, the two can be compared.

When the comparison finishes, the program automatically opens the file with the results. Another advantage of Regshot is that this file is easy to read. It is worth noting, though, that it will contain a great many registry changes, which may look like a kind of Morse code. In my case both snapshots were taken less than a minute apart, and my only action was to delete the Primer parameter. As you can see, the program caught it, but it also recorded many other changes. "Under the hood" the operating system is constantly doing something, and most of it is hidden from our eyes.
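The comparison that fc.exe and WinDiff leave to the eye, and that Regshot's report sorts into created, deleted and modified keys and values, can be done directly on two .reg exports. The following script is an added example written for this page; it is not code from the article or from any of the tools it describes. It parses each export into keys and values and reports the differences by category, so the Primer value from the example above shows up as one added value instead of a line buried in a text diff. The two sample exports embedded in it are constructed for the example; the HKEY_LOCAL_MACHINE\SOFTWARE\Test key and the Primer value come from the article.

```python
import codecs
import re
import sys
from pathlib import Path

# Constructed regedit exports reproducing the article's scenario: between the
# two exports the value "Primer" appears under HKLM\SOFTWARE\Test; "Version"
# changes, one subkey disappears and another appears. Raw strings keep the
# backslashes, including the trailing "\" that continues a hex value.
SNAPSHOT_1 = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Test]
@="default data"
"Version"=dword:00000001
"Path"=hex(2):43,00,3a,00,\
  5c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Test\Old]
"Keep"="yes"
"""
SNAPSHOT_2 = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Test]
@="default data"
"Version"=dword:00000002
"Path"=hex(2):43,00,3a,00,\
  5c,00,00,00
"Primer"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Test\New]
"Installed"="yes"
"""
# "name"=data or @=data (the key's default value); quotes inside names are escaped.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def load_reg(path):
    # regedit writes UTF-16LE with a BOM; other tools write ANSI or UTF-8.
    data = Path(path).read_bytes()
    return data.decode("utf-16" if data.startswith(codecs.BOM_UTF16_LE) else "utf-8-sig", errors="replace")


def parse_reg(text):
    """Parse .reg text into {key: {value_name: raw_data}}."""
    snapshot, key, pending = {}, None, None  # pending = (name, data) of a hex value continued on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            name, data = pending[0], pending[1] + line.rstrip("\\")
            pending = (name, data) if line.endswith("\\") else None
            if not pending:
                snapshot[key][name] = data
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snapshot.setdefault(key, {})
            continue
        match = VALUE_RE.match(line)
        if key is None or match is None:
            continue  # tolerate stray lines instead of aborting the whole comparison
        name, data = match.group(1) if match.group(1) is not None else "@", match.group(2)
        if data.endswith("\\"):
            pending = (name, data.rstrip("\\"))
        else:
            snapshot[key][name] = data
    return snapshot


def diff_snapshots(before, after):
    """Classify differences into the categories Regshot's report uses."""
    report = {"keys_added": [], "keys_deleted": [], "values_added": [], "values_deleted": [], "values_modified": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["keys_added"].append(key)
        if key not in after:
            report["keys_deleted"].append(key)
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            path = f"{key}\\{name}"
            if name not in old:
                report["values_added"].append(f"{path}: {new[name]}")
            elif name not in new:
                report["values_deleted"].append(f"{path}: {old[name]}")
            elif old[name] != new[name]:
                report["values_modified"].append(f"{path}: {old[name]} -> {new[name]}")
    return report


def compare_reg_texts(text_before, text_after):
    return diff_snapshots(parse_reg(text_before), parse_reg(text_after))


def total_changes(report):
    return sum(len(entries) for entries in report.values())


if __name__ == "__main__":
    # usage: python regdiff.py 1.reg 2.reg   (no arguments: compare the embedded samples)
    texts = [load_reg(p) for p in sys.argv[1:3]] if len(sys.argv) == 3 else [SNAPSHOT_1, SNAPSHOT_2]
    result = compare_reg_texts(*texts)
    for section, entries in result.items():
        print(f"{section}: {len(entries)}")
        for entry in entries:
            print("  " + entry)
    print("Total changes:", total_changes(result))
```

Run it as python regdiff.py 1.reg 2.reg on two real exports, or with no arguments to compare the embedded samples. Because the comparison is structural, the report is the same however regedit happens to order or wrap the lines, which is what makes fc.exe's output hard to read. Changes made by Windows itself between the two exports still appear, exactly as in Regshot; exporting only the branch you care about keeps the report short.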

Snapshots that are no longer needed can be deleted with the Clear button in the program interface. You can download the Regshot program.

The last registry monitoring tool discussed in this article is Registry Live Watch. As the name suggests, this program monitors registry changes in real time.

The program is also extremely simple and, in fact, has hardly any settings. You just specify the registry branch you want to watch and start monitoring with the Start Monitor button.

However, the program has a serious drawback that largely defeats the purpose of monitoring: it only reports that the watched registry branch has changed, without saying what changed. The second disadvantage is that Registry Live Watch cannot monitor the entire registry. You can download the program.

To close the article, let's look at how to automate the collection of registry snapshots without third-party software. This can be done with a script containing the reg export command, the syntax of which is devoted to. Running this script on a schedule gives you a series of registry snapshots that you can compare when necessary.
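One way to script the scheduled snapshot collection described above, as an added example for this page rather than code from the article: a Python wrapper around reg export that writes each configured branch into a timestamped folder and prunes old snapshots. The branch list, the C:\RegSnapshots folder and the retention count are assumptions to adjust; reg export and its /y switch are the real reg.exe interface.

```python
import datetime as dt
import shutil
import subprocess
from pathlib import Path

# Branches to export, one .reg file each per snapshot. Constructed list: keep it
# to the branches you actually compare, since full-hive exports are large.
HIVES = {
    "HKLM_SOFTWARE": r"HKLM\SOFTWARE",
    "HKLM_CCS": r"HKLM\SYSTEM\CurrentControlSet",
    "HKCU": r"HKCU",  # run as SYSTEM from Task Scheduler, this is SYSTEM's own user hive
}
SNAPSHOT_ROOT = Path(r"C:\RegSnapshots")  # assumption: a folder writable only by the task's account
KEEP_LAST = 30  # number of snapshot folders to retain


def snapshot_name(when):
    """Folder name that sorts chronologically, so oldest/newest need no parsing."""
    return when.strftime("%Y%m%d-%H%M%S")


def export_command(branch, target):
    """argv for reg.exe; /y overwrites an existing file without prompting."""
    return ["reg", "export", branch, str(target), "/y"]


def select_for_pruning(folder_names, keep):
    """Return the oldest folder names beyond the `keep` most recent ones."""
    ordered = sorted(folder_names)
    return ordered[: max(len(ordered) - keep, 0)]


def take_snapshot(root=SNAPSHOT_ROOT, hives=HIVES, when=None):
    """Export every configured branch into a new timestamped folder; returns the folder."""
    folder = Path(root) / snapshot_name(when or dt.datetime.now())
    folder.mkdir(parents=True, exist_ok=True)
    for label, branch in hives.items():
        # check=True: a failed export (e.g. access denied) aborts the run rather than
        # leaving a silently incomplete snapshot that a later comparison would trust.
        subprocess.run(export_command(branch, folder / f"{label}.reg"), check=True, capture_output=True)
    return folder


def prune(root=SNAPSHOT_ROOT, keep=KEEP_LAST):
    """Delete the oldest snapshot folders beyond `keep`; returns the names removed."""
    names = [p.name for p in Path(root).iterdir() if p.is_dir()]
    removed = select_for_pruning(names, keep)
    for name in removed:
        shutil.rmtree(Path(root) / name)
    return removed


if __name__ == "__main__":
    print("snapshot written to", take_snapshot())
    print("pruned:", prune())
```

Register the script with Task Scheduler, for example schtasks /Create /SC DAILY /ST 03:00 /TN RegSnapshot /TR "python C:\tools\regsnap.py" /RU SYSTEM (task name and script path are placeholders), and feed any two of the resulting folders to a comparison tool. Keep the snapshot folder writable only by the account that runs the task: a baseline that other processes can edit is no baseline.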

Even the most minor settings changes in Windows, not to mention the installation or removal of programs, are accompanied by corresponding changes in the system registry. Usually users don't care about them, but sometimes they need to track them, say, to compare or manually undo a change made by a script or application.

How to Track Changes in the Windows Registry

If the expected changes are small, you can track them with the operating system alone. Open the Registry Editor, select the branch you are about to change, and export it to a .reg file named 1.

Make the necessary changes and export the branch again to a .reg file, this time named 2.

Let's say you saved both files to the root of drive D. To compare them, open a command prompt and run the following two commands:

fc D:\1.reg D:\2.reg > D:\compare.log

The first sets the Cyrillic encoding, the second saves the result of the comparison to the log.

The method works but is inconvenient: the contents of the registry files are compared and displayed character by character in a column, which makes such a log hard to read. For this reason the method is suitable only for tracking very minor changes, two or three parameters at most. In other cases it is better to use dedicated utilities.

Regshot

The best-known program for tracking registry changes is Regshot. Launch the utility, press the "1st snapshot" button, then change settings, install software and so on, after which press the "2nd snapshot" button and then "Compare".

The results are written to a plain text or HTML file, whichever the user chooses.

The program shows which keys and values have been created and deleted, which have been changed, and the total number of changes. Unfortunately, Regshot does not let you limit the scan to particular keys, so changes made by Windows itself also end up in the report file.

Registry Live Watch

A slightly different approach to tracking registry changes is offered by another free utility, Registry Live Watch. Unlike Regshot, it does not compare two registry snapshots but monitors changes to its keys in real time, displaying the data in a text field in its window. In addition, Registry Live Watch lets you track the changes made by a specific executable.

But this program also has its drawbacks: it cannot monitor the entire registry, or even whole hives, only individual keys.

CRegistry Comparison

Something similar to Regshot is the free program CRegistry Comparison. After launch it asks you to choose a directory for the original snapshot, then immediately creates and saves it.

Sometimes you may want to track the changes that programs or settings make to the Windows registry, for example to undo them later or to find out how certain settings (appearance settings or OS updates, for instance) are written to the registry.

This review covers popular free programs that make it easy to view changes to the Windows 10, 8 or Windows 7 registry, plus some additional information.

The free Registry Live Watch works in a slightly different way: instead of comparing two snapshots of the Windows registry, it monitors changes in real time. However, the program does not display the changes themselves; it only reports that a change has occurred.

You can download the program from the developer's official website: http://leelusoft.altervista.org/registry-live-watch.html
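Registry Live Watch, as both descriptions above note, reports that a watched key changed but not what changed. The gap can be closed with the Windows notification API for registry keys, RegNotifyChangeKeyValue: the following added example (written for this page, not code from Registry Live Watch or from the article) blocks on that call for one key, re-reads the key's values when the notification fires, and prints the added, deleted and modified values. The watch loop needs Windows; the default key HKLM\SOFTWARE\Test is taken from the article's example, and diff_values is plain Python that runs anywhere.

```python
import ctypes
import sys
import time

try:
    import winreg  # Windows only; diff_values below is pure Python and runs anywhere
except ImportError:
    winreg = None

# Filter flags for RegNotifyChangeKeyValue, as defined in winnt.h.
REG_NOTIFY_CHANGE_NAME = 0x1        # a subkey was added or deleted
REG_NOTIFY_CHANGE_ATTRIBUTES = 0x2
REG_NOTIFY_CHANGE_LAST_SET = 0x4    # a value was added, deleted or changed
REG_NOTIFY_CHANGE_SECURITY = 0x8
ALL_CHANGES = (REG_NOTIFY_CHANGE_NAME | REG_NOTIFY_CHANGE_ATTRIBUTES
               | REG_NOTIFY_CHANGE_LAST_SET | REG_NOTIFY_CHANGE_SECURITY)


def read_values(key):
    """Snapshot every value of an open key as {name: (type, data)}."""
    values, index = {}, 0
    while True:
        try:
            name, data, kind = winreg.EnumValue(key, index)
        except OSError:  # ERROR_NO_MORE_ITEMS: enumeration finished
            return values
        values[name] = (kind, data)
        index += 1


def diff_values(before, after):
    """Describe the delta between two value snapshots of the same key."""
    lines = []
    for name in sorted(set(before) | set(after), key=str.lower):
        label = name or "(Default)"  # the unnamed default value, written as @ in .reg files
        if name not in before:
            lines.append(f"ADDED    {label} = {after[name][1]!r}")
        elif name not in after:
            lines.append(f"DELETED  {label} (was {before[name][1]!r})")
        elif before[name] != after[name]:  # type or data changed
            lines.append(f"MODIFIED {label}: {before[name][1]!r} -> {after[name][1]!r}")
    return lines


def watch(root, subkey, watch_subtree=False):
    """Print what changed in `subkey` each time Windows signals a change.

    The notification only says *that* the key changed (which is all Registry
    Live Watch shows); re-reading the values and diffing them against the
    previous read supplies the *what*. A change inside a subkey (with
    watch_subtree) or to the key's security is visible only as the fact of a change.
    """
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    notify = advapi32.RegNotifyChangeKeyValue
    notify.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_int]
    notify.restype = ctypes.c_long
    with winreg.OpenKey(root, subkey, 0, winreg.KEY_READ | winreg.KEY_NOTIFY) as key:
        previous = read_values(key)
        print(f"watching {subkey} ({len(previous)} values); Ctrl+C stops at the next notification")
        while True:
            # Synchronous call (no event handle): blocks until the next change.
            status = notify(key.handle, int(watch_subtree), ALL_CHANGES, None, 0)
            if status != 0:
                raise ctypes.WinError(status)
            current = read_values(key)
            stamp = time.strftime("%H:%M:%S")
            for line in diff_values(previous, current) or ["CHANGED  (subkey, attributes or security)"]:
                print(stamp, line)
            previous = current


if __name__ == "__main__":
    if winreg is None:
        sys.exit("the watch loop needs Windows")
    # Assumption: HKLM\SOFTWARE\Test is the key edited in the article; pass another as argv[1].
    watch(winreg.HKEY_LOCAL_MACHINE, sys.argv[1] if len(sys.argv) > 1 else r"SOFTWARE\Test")
```

With watch_subtree=False only the key's own values are diffed, so every notification is explained. A subtree watch on a whole hive shares the tool's limitation: it tells you that something changed somewhere under the key, not what, because only the watched key's values are re-read.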

WhatChanged

Another program that lets you find out what has changed in the Windows 10, 8 or Windows 7 registry is WhatChanged. Its use is very similar to that of the first program in this review.

The program has no official website of its own, but it is easy to find on the Internet and needs no installation (just in case, check the program on virustotal.com before running it, bearing in mind that the original file produces one false positive).

Another way to compare two variants of the Windows registry without programs

Windows has a built-in tool for comparing file contents, fc.exe (File Compare), which can also be used to compare two versions of a registry branch.

To do this, use the Windows Registry Editor to export the registry branch you need (right-click the key and choose Export) before and after the changes, under different file names, for example 1.reg and 2.reg.

Then, at the command line, use a command like:

fc c:\1.reg c:\2.reg > c:\log.txt

where the paths to the two registry files come first, followed by the path of the text file that receives the comparison results.

Unfortunately, the method is unsuitable for tracking significant changes (nothing can be made out visually in the report); it works only for a small registry key with a couple of values where a change is expected, and mainly for establishing the mere fact of a change.

This article shows the steps to take ownership of a registry key and gain full control over it, as well as how to revert to the original rights and restore the original owner.

Some keys of the Windows system registry cannot be edited even if your account belongs to the "Administrators" group. This usually happens because the "Administrators" group lacks the permissions (rights) needed to write to that key. There are several reasons why you cannot edit a registry key:
■ The "Administrators" group owns the key but does not have full rights to it. In this case it is enough to grant the "Administrators" group full rights.
■ The key is owned by the system service TrustedInstaller. In this case you must first become the owner of the key and then grant your group full rights; this article considers exactly such an example.
■ The key is owned by the system account "System".

The rest of the article describes how to make changes to the registry when you lack the appropriate permissions, how to restore the original permissions afterwards, and why this should be done. Before editing the system registry, it is recommended

If you try to change a registry setting without sufficient rights, you will receive an error message.

Let's consider the first example, in which the "Administrators" group owns the key but does not have full rights to it:
1. Right-click the registry key and select Permissions... from the menu.
2. Highlight the "Administrators" group:

If the Full Control checkbox is available, tick it and click OK. This may be enough if the group owns the key.

If the checkbox is unavailable, or you see an error message like the one in the screenshot below, go to the second example.

Second example: the key is owned by the system service TrustedInstaller

In the Permissions window, click the Advanced button.

In the next window, click the Change link, enter the local account name or the e-mail address of a Microsoft account, click Check Names and then OK.

Tick Replace owner on subcontainers and objects at the top of the window and click OK.

Highlight the "Administrators" group, tick Full Control, and click OK.

You now have full access to the registry key and can edit all of its settings.

Third example: the key is owned by the system account "System". The steps are the same as for TrustedInstaller.

Returning the original rights and restoring the owner

For the security of the system, after editing the required values of the registry key you need to return the original access rights and restore the TrustedInstaller system account as the owner of the key.
1. Right-click the registry key and select Permissions... from the menu.

2. In the Permissions window, click the Advanced button.

3. In the next window, Advanced Security Settings, click the Change link at the top; in the Select User or Group dialog that appears, enter the account name NT Service\TrustedInstaller:

4. Click OK.

5. In the Permissions window, select the "Administrators" group, untick Full Control, and click OK.

The original rights and the owner of the registry key are restored.

■ If the key was owned by the System account, enter System instead of NT Service\TrustedInstaller.


There is a special utility, SysTracer, designed specifically to track changes in the system by comparing two "system snapshots", before and after. As a result we get data, presented in a convenient form, on changes in three categories: "Registry", "Files" and "Other settings" (e.g. group policies, traced via system utilities such as netsh).
(Honestly, I'll tell you that it doesn't collect everything, although in most cases it is enough.)

And if you are "fighting the defense of evil", some tricks are used there that cannot be caught with an ordinary trace 🙂
Otherwise everything would be very simple. In this case the most useful tool, and here I agree with participant l0calh0st,
is Process Monitor from Sysinternals: that's exactly what you need. (These guys apparently use some undocumented features; Mark Russinovich knows a lot 🙂) And it is extremely difficult to hide any movements from this utility if it is configured correctly. (Although it is possible, I know how, but I won't say, because there's no need.)

PS: The only thing is to read the documentation on filtering carefully, since Process Monitor logs all events by default. First of all you need to target it at the process ID of the installer, and also, if the network is not used during installation, disable the network dump, since there is a lot of "garbage" in it that makes things hard to figure out.

SysTracer Pro for Windows (Portable)

SysTracer is a utility that can track all kinds of changes to the operating system. First the program scans and analyzes the OS, then presents the user with a report on the changes that programs and their installers have made to the system. SysTracer is used mostly by expert users, since the reports it generates will not be understandable to everyone.

SysTracer is effective not only for tracking the behavior of one particular installer, but also for analyzing the operation of applications and the system as a whole. Monitoring of changes in the operating system can be done multiple times, and the user can also track changes over a certain time period.

The program works according to a fairly simple algorithm. First a snapshot is taken of the registry and the entire file system of the OS. As soon as the user installs a new application, SysTracer takes another snapshot and analyzes the changes based on the difference between the two. The scan performed by the utility can be configured further (individual files, folders, registry keys, etc. can be excluded). You can take snapshots on separate days and compare the changes over the period you need, for example from the 15th to the 20th.

After installing and launching the tool, you will see a working window with six main tabs: Snapshots, Registry, Files, Applications, Remote Scan and Help.

In the Snapshots tab you can perform various operations with snapshots, such as creating, renaming, deleting or comparing them. Notable is the ability to export snapshots in web format or with the .snp extension. This is also where users configure settings and view snapshot properties. The Registry tab offers to examine one registry snapshot or compare two; the user can examine the state of keys in more detail. SysTracer makes changes easy to spot thanks to color coding: new elements are highlighted in green, modified ones in blue, deleted files, applications and registry components in red, unchanged ones in black, and elements that were not scanned in gray.

Download SysTracer to get a handy tool on your PC. You can download the software using the link below this review.

Registry Change Viewer After Installing Programs

Have you ever wondered what exactly the programs you install change on your computer? What changes do they make to the Windows registry and system files? And have you ever had to compare two seemingly similar systems?

Of course, such questions arise only when there is a reason for them. For example, two seemingly identical systems react differently to the same event. Or you begin to notice that after installing a program your computer starts to behave strangely: slow startup, system freezes during certain actions, and so on.

To find answers to these and other questions, Microsoft released a special tool called "Windows System State Analyzer". The program is part of the "Windows Software Certification Toolkit" package, which is not so easy to find. Note that the program requires the ".NET Framework 2.0". The utility comes in 32-bit and 64-bit versions and can be used on all current versions of Windows. A detailed description and the download link can be found at this link to the Microsoft blog (to translate the page into Russian, go to the "Translate this page" block on the right side of the page and select the desired language; the translation is, of course, not exactly literary, but it is nevertheless good enough to understand the text).

At the end of the Microsoft blog article you will see two download links for a file called "Server Logo Program Software Certification Tool": x86 for 32-bit systems and x64 for 64-bit systems. Do not be put off by the name; choose a custom installation and, among the components offered, select only "System State Analyzer". The figure below shows the dialog box for installing only the analyzer.

Note: you can also install "Windows System State Monitor", which allows real-time monitoring of changes.

The Microsoft blog article describes in sufficient detail how to use the analyzer. Of course, if you are technically savvy, you will quickly figure out how the utility works yourself. Note that creating the first system snapshot may take some time, especially if you choose to monitor all changes on your computer.

However, you do not have to select all the items; you can include in the analysis only the files and registry keys you consider necessary. An example of use is shown in the following figure:

Now you can find out about everything that happens on your computer.

ida-freewares.com

Which is better: real-time tracking or system snapshots when installing programs?

There are two approaches to tracking program installations (so that their data can later be removed cleanly). The first, rather old, one is to take snapshots of the registry and file system before and after installation and then compare them. The second, used by Uninstall Tool, is to monitor changes in real time using the Software Installation Monitor. The second method is the most progressive for the following obvious reasons:
