thewolfe
01-25-2006, 12:01 PM
Track registry changes
I'm looking for a free utility that will track the changes to my registry after installing a new program. A before and after "shot".
broken2144
01-25-2006, 02:01 PM
Regmon (http://www.sysinternals.com/Utilities/Regmon.html) shows you in real-time. I believe you can save current settings to see changes, but I've never used the program.
--RF
Sylvander
01-25-2006, 05:25 PM
Registry Monitor [Regmon] records registry accesses in real time; it doesn't track and record changes made to the registry. :(
thewolfe
01-25-2006, 10:15 PM
Sylvander,
What are "accesses"?
Sylvander
01-26-2006, 05:27 AM
Windows plus all kinds of programs rely upon settings held in the registry to tell them what to do, where to find things.
Hence, when a program is installed, the installation program "accesses" the registry to place appropriate data values used to make that installed program work.
Then when that program is run it "accesses" the registry to read those values.
e.g.
If I double-click on a ".wri" file, then the "default action" comes into play.
My registry specifies that the "default action" is Open.
In my registry the "wrifile\shell\open\command" default data is C:\Progra~1\Access~1\WORDPAD.EXE "%1".
[It was me that manually made that setting have that value so that Wordpad would be used (by the shell) to open wri files.]
So when I double-click on a ".wri" file, the Windows shell [Explorer.exe] accesses the registry to read those settings and is told to use C:\Progra~1\Access~1\WORDPAD.EXE to "Open" the file clicked upon ["%1"].
The quotes around the %1 tell the shell to include the ability to read file locations that include long file names with spaces included.
If regmon is run to record registry accesses [reads, writes, etc] whilst doing the most seemingly simple activity, you would typically see hundreds or thousands of accesses listed/recorded.
You would see searches/checks being made to see whether certain settings exist or not.
Depending upon whether they do or do not exist, certain other actions will result.
It's all very convoluted and complex; difficult to understand what's going on unless you possess great knowledge and understanding about these.
I've found it possible to do some simple analysis and spot the most basic of activities.
FastLearner
01-26-2006, 05:46 AM
Hi Sylvander,
sometimes your knowledge is frightening...:)
Do you happen to know if Linux/Unix use a registry and if it follows the same concept as the Windows registry?
Sylvander
01-26-2006, 07:30 AM
"sometimes your knowledge is frightening"
Surely that's irony?
It's my lack of knowledge that frightens me.
When it comes to the registry though, I did spend lots of time studying it; enough to know that it's a nearly impossible task to know and understand it all.
The authors of "Inside the Win9x Registry" said that they originally intended the book to completely explain the registry. Once they started they soon discovered that to be impossible because every registry is unique.
And any one registry is almost certainly undergoing constant changes.
Hence the business of recording those changes.
I did come across a program that did that, but I think it wasn't free and I can't remember its name.
"Do you happen to know if Linux/Unix use a registry and if it follows the same concept as the Windows registry?"
Don't know, but I bet it does; it's just too good an idea not to use.
Sylvander
01-26-2006, 08:23 AM
So as to cut registry accesses to a minimum, I restarted my PC and went into Safe Mode.
Started up regmon.
A lot of accesses were recorded | waited till they stopped | cleared the screen | regmon sat there with a blank screen and no new accesses [no activity showing].
I right-clicked on the Taskbar | accesses began zipping down the screen | waited a few seconds and they stopped at number 3,443 | the resulting "Context Menu" was displayed [the accesses are carried out so as to find the info needed to construct the "Context Menu" as required by a right-click on an "Object". The Context Menu matches the object.]
Here's a few of them:
0 33.24337760 Explorer OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOTFOUND
[Looking for policies that relate to the operation of Explorer for the current version of Windows on this "Local Machine". None found = they don't exist. Note this is access number zero = the first search. Each access is completed in milli-seconds or less.]
1 33.24345280 Explorer OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS hKey: 0xC29C17E0
[Did the same search, but in the HKCU (Current User) key, and succeeded in finding the "Explorer" key. Notice that Explorer has attempted to open these keys; failed in access zero, succeeded in access 1.]
There are lots of "OpenKey", "CloseKey", "QueryValue", "QueryValueEx"[QueryValueExtended]
Here's a less repetitive section of the record:
11 33.25443840 Explorer OpenKey HKU\.Default\Control Panel\desktop\ResourceLocale SUCCESS hKey: 0xC29C17E0
12 33.25446080 Explorer QueryValueEx HKU\.Default\Control Panel\desktop\ResourceLocale SUCCESS "00000409"
13 33.25448080 Explorer CloseKey HKU\.Default\Control Panel\desktop\ResourceLocale SUCCESS
14 33.25464000 Explorer QueryValueEx 0xC29A9C80\C:\WINDOWS\SYSTEM\BROWSELC NOTFOUND
15 33.27409200 Explorer OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum SUCCESS hKey: 0xC29C17E0
16 33.27413360 Explorer QueryValueEx HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum\Implementing SUCCESS
17 33.27415920 Explorer QueryValueEx HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum\Implementing SUCCESS
18 33.27418400 Explorer CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum SUCCESS
19 33.27426160 Explorer OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum SUCCESS hKey: 0xC29C17E0
20 33.27429200 Explorer QueryValueEx HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum\Implementing SUCCESS
21 33.27431680 Explorer QueryValueEx HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum\Implementing SUCCESS
22 33.27434960 Explorer QueryValueEx HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum\Implementing SUCCESS
23 33.27439040 Explorer QueryValueEx HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum\Implementing SUCCESS 1C 0 0 0 1 0 0 0 ...
24 33.27442960 Explorer CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum SUCCESS
25 33.27460320 Explorer OpenKey HKCR\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383} SUCCESS hKey: 0xC29C17E0
26 33.27462800 Explorer QueryValueEx HKCR\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383} SUCCESS "&Links"
27 33.27464800 Explorer CloseKey HKCR\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383} SUCCESS
28 33.27476480 Explorer OpenKey HKCR\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383} SUCCESS hKey: 0xC29C17E0
29 33.28354400 Explorer QueryValueEx HKCR\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383}\DefaultIcon NOTFOUND
30 33.28356800 Explorer QueryValueEx HKCR\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383}\MenuText NOTFOUND
31 33.28358880 Explorer QueryValueEx HKCR\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383}\HelpText NOTFOUND
32 33.28361520 Explorer QueryValueEx HKCR\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383}\MenuTextPUI SUCCESS "@browselc.dll,-13138"
33 33.28371920 Explorer OpenKey HKCU\Software\Microsoft\Windows\ShellNoRoam SUCCESS hKey: 0xC29C1780
34 33.28376320 Explorer OpenKey HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache SUCCESS hKey: 0xC29C1810
35 33.28379520 Explorer QueryValueEx HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\LangID SUCCESS FF FF
36 33.28382560 Explorer OpenKey HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache SUCCESS hKey: 0xC29C1810
37 33.28387440 Explorer QueryValueEx HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@browselc.dll,-13138 SUCCESS "&Links"
38 33.28390080 Explorer CloseKey HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache SUCCESS
39 33.28393280 Explorer QueryValueEx HKCR\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383}\HelpTextPUI NOTFOUND
I can't make any sense of any of it. :(
FastLearner
01-26-2006, 09:48 AM
This is very interesting. There must be some difference, then, between significant vs. insignificant registry accesses. I used to have Spybot's Tea Timer running and it would tell me any time a program was trying to access my registry, or so I thought. I mainly only used to see these messages, though, during software installations when the registry was being changed. I guess therein lies the difference in significant vs. insignificant. Your research verifies that the registry is constantly being accessed (OpenKey, QueryValue, CloseKey in that order) without being changed.
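Turning the read-versus-write distinction in the post above into a filter, as an added example that is not part of the thread and not Regmon's own code: the script parses lines in the column layout of the Regmon output quoted earlier (sequence, timestamp, process, operation, path, result, optional data), keeps only the operations that actually change the registry, and separately flags writes under the Run/RunOnce autostart keys. The write-operation names (SetValue, CreateKey, DeleteKey, DeleteValue) and the result codes other than SUCCESS and NOTFOUND are assumptions about Regmon's vocabulary; the three Explorer lines in the sample are copied from the post, the "setup" lines are constructed.

```python
"""Separate Regmon-style registry reads from writes (added example, not from the thread)."""
import re
from collections import Counter

# Column layout as shown in the Regmon output quoted in the thread:
#   <seq> <time> <process> <operation> <path> <result> [<extra>]
# Paths contain spaces ("Control Panel", "Component Categories"), so the path
# is matched non-greedily up to a known result code instead of split on spaces.
# SUCCESS and NOTFOUND appear in the thread; the other codes are assumed.
RESULT_CODES = ("SUCCESS", "NOTFOUND", "ACCDENIED", "BUFOVRFLOW", "NOMORE")
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<proc>\S+)\s+(?P<op>\S+)\s+"
    r"(?P<path>.+?)\s+(?P<result>" + "|".join(RESULT_CODES) + r")"
    r"(?:\s+(?P<extra>.*))?$"
)

# Operations that change the registry (assumed Regmon names); everything else
# (OpenKey, CloseKey, QueryValue, QueryValueEx, EnumKey, ...) only reads.
WRITE_OPS = {"SetValue", "CreateKey", "DeleteKey", "DeleteValue"}

# A write here means "start this program at every logon": the first place to
# look after an install, and a classic persistence spot for malware.
PERSISTENCE_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Constructed sample: lines 0, 1 and 12 are copied from the post above; the
# "setup" lines are invented to show what an installer's writes look like.
SAMPLE_LOG = r"""
0 33.24337760 Explorer OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOTFOUND
1 33.24345280 Explorer OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS hKey: 0xC29C17E0
12 33.25446080 Explorer QueryValueEx HKU\.Default\Control Panel\desktop\ResourceLocale SUCCESS "00000409"
40 35.10000000 setup CreateKey HKLM\Software\Example App SUCCESS hKey: 0xC29C1900
41 35.10010000 setup SetValue HKLM\Software\Example App\InstallDir SUCCESS "C:\Program Files\Example App"
42 35.10020000 setup SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleApp SUCCESS "C:\Program Files\Example App\app.exe"
43 35.10030000 setup CloseKey HKLM\Software\Example App SUCCESS
"""


def parse_line(line):
    """Return a dict for one Regmon line, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    rec["time"] = float(rec["time"])
    rec["is_write"] = rec["op"] in WRITE_OPS
    return rec


def parse_log(text):
    """Parse a whole capture, silently skipping blank or unparseable lines."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def writes_only(records):
    """The 'significant' accesses: the ones that leave the registry different."""
    return [r for r in records if r["is_write"]]


def persistence_writes(records):
    """Writes under Run/RunOnce, matched case-insensitively on the key path."""
    return [r for r in writes_only(records)
            if any(mark in r["path"].lower() for mark in PERSISTENCE_MARKERS)]


def summarize(records):
    """Count (process, operation) pairs, e.g. to see that Explorer only reads."""
    return Counter((r["proc"], r["op"]) for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} accesses, {len(writes_only(recs))} writes")
    for r in persistence_writes(recs):
        print("persistence:", r["proc"], r["op"], r["path"], r["extra"])
```

Against a real capture, feed the text of Regmon's saved log to parse_log and look at writes_only first; the thousands of OpenKey/QueryValueEx/CloseKey triples the thread describes are exactly what this drops.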
Vinod Kumar
01-26-2006, 01:54 PM
I don't know if there is a free utility to do this. Total Uninstall from www.martau.com will answer your question, but it's not free. You can use it free for 30 days from the date of installation. After that you have to register (buy) it.
Vinod
Sylvander
01-26-2006, 04:30 PM
I think you're right in what you're saying FastLearner. :)
ErnieK
01-26-2006, 05:05 PM
This might be what you are looking for. Freeware prog that allows you to take a snapshot of before and after.
http://www.majorgeeks.com/download965.html
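A minimal version of the before/after comparison that a snapshot tool like Regshot automates, as an added example that is not part of the thread and not Regshot's code: it parses two Regedit-format exports (what Regedit's File > Export or "reg export" writes), reports keys and values that were added, removed or changed, and flags changes under autostart and file-association command keys. The two snapshots are constructed around an invented "Example App" installer; only the wrifile command line echoes the value Sylvander quoted earlier in the thread.

```python
"""Diff two Regedit-style .reg exports (added example; not Regshot's code)."""
import re

# "[HKEY_...\Path]" starts a key; '"Name"=data' or '@=data' is a value under it.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

# Keys where a change deserves a second look: autostart entries and the
# command the shell runs when a file type is double-clicked (cf. wrifile above).
WATCHLIST = ("\\currentversion\\run", "\\shell\\open\\command")

# Constructed snapshots in Regedit export format (invented installer).
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\wrifile\shell\open\command]
@="C:\\Progra~1\\Access~1\\WORDPAD.EXE \"%1\""
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ExampleApp"="C:\\Program Files\\Example App\\app.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example App]
"InstallDir"="C:\\Program Files\\Example App"
"Version"=dword:00000102
"Blob"=hex:01,02,\
  03,04

[HKEY_CLASSES_ROOT\wrifile\shell\open\command]
@="C:\\Program Files\\Example App\\app.exe \"%1\""
"""


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export.

    '@' stands for the (Default) value. hex data that Regedit wraps with a
    trailing backslash is joined back into one line. Data is kept as the raw
    text after '=' so dword:, hex: and quoted strings all compare as-is.
    Key and value names are compared as spelled; two exports of the same
    machine spell them identically.
    """
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # continuation of a hex value
            pending = line[:-1]
            continue
        pending = ""
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            keys[current][name] = m.group("data")
    return keys


def diff_reg(before, after):
    """Compare two parsed snapshots; the same five buckets a snapshot tool shows."""
    report = {"keys_added": [], "keys_deleted": [],
              "values_added": [], "values_deleted": [], "values_changed": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["keys_added"].append(key)
        elif key not in after:
            report["keys_deleted"].append(key)
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if name not in b:
                report["values_added"].append((key, name, a[name]))
            elif name not in a:
                report["values_deleted"].append((key, name, b[name]))
            elif a[name] != b[name]:
                report["values_changed"].append((key, name, b[name], a[name]))
    return report


def watchlist_hits(report):
    """(key, value) pairs added or changed under WATCHLIST keys."""
    return [entry[:2] for entry in report["values_added"] + report["values_changed"]
            if any(w in entry[0].lower() for w in WATCHLIST)]


if __name__ == "__main__":
    rep = diff_reg(parse_reg(BEFORE), parse_reg(AFTER))
    for bucket, entries in rep.items():
        for e in entries:
            print(bucket, *e)
    print("watchlist:", watchlist_hits(rep))
```

To use it on real exports, take one export before and one after the install and pass their text to parse_reg; Regedit's "Version 5.00" files are UTF-16, so open them with encoding="utf-16". On the constructed sample the watchlist catches both the new Run entry and the rewritten wrifile command, which is the kind of change the before/after shot is meant to expose.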
thewolfe
01-26-2006, 10:54 PM
Thanks for the input. I think I'll try Regshot first.
ErnieK
01-27-2006, 12:23 AM
Let us know if it works OK for you
pangea33
01-27-2006, 03:26 AM
"It's my lack of knowledge that frightens me."
"The only true wisdom is in knowing you know nothing." Socrates.