How to track changes in the Windows registry: RegFromApp, Regshot, fc.exe, WinDiff, SysTracer, Process Monitor and other tools

The keys of the Windows registry store the settings and parameters of the system itself and of the other software installed on the computer. Sometimes you need to find out which registry keys a program, or its installer, changes. To do that you need a program that monitors the state of the registry. RegFromApp monitors in real time the registry changes made by a running program (process) and shows the key being changed and the values changed in it.

Track changes in the registry

To find out what a specific program changes in the registry, start RegFromApp and pick the process you want to monitor from the list of running processes. As soon as that program writes to the registry, RegFromApp shows the key in which the change takes place and the changed values. The recorded changes can be saved as a registry file (*.reg). RegFromApp also accepts command-line parameters.


Official site: http://www.nirsoft.net
OS: Windows XP / Vista / 7 / 8 (32- and 64-bit)
Supported languages: Russian
Version: 1.32
License: freeware (free)
File size: 107 KB


Sometimes you may want to track the changes that programs or settings make in the Windows registry, for example in order to undo them later, or to find out how particular parameters (appearance settings, OS updates) are written to the registry.

This review contains popular free programs that make it easy to view changes in the Windows 10, 8 or Windows 7 registry and some additional information.

The free Registry Live Watch works in a slightly different way: instead of comparing two snapshots of the Windows registry, it monitors changes in real time. However, it does not display the changes themselves; it only reports that a change has occurred.

You can download the program from the official website of the developer http://leelusoft.altervista.org/registry-live-watch.html

WhatChanged

Another program that allows you to find out what has changed in the Windows 10, 8 or Windows 7 registry is WhatChanged. Its use is very similar to that in the first program of this review.

The program has no official website of its own, but it is easy to find online and needs no installation. Just in case, check the file on virustotal.com before running it, bearing in mind that the original file triggers one false detection.

Another way to compare two variants of the Windows registry without programs

Windows has a built-in tool for comparing the contents of files, fc.exe (File Compare), which among other things can be used to compare two exports of a registry key.

To do this, export the required registry key with the Registry Editor (right-click the key, then Export) before and after the change, under different file names, for example 1.reg and 2.reg.

Then run a command like:

fc /U C:\1.reg C:\2.reg > C:\log.txt

The first two arguments are the two registry files, and the redirection sends the comparison result to a text file. The /U switch tells fc to compare the files as Unicode text, which is what regedit produces (its .reg exports are UTF-16).

Unfortunately, the method is not suitable for tracking large changes (the report becomes impossible to read), only for a small registry key with a couple of values where a change is expected, and mostly to confirm the fact that something changed at all.

The Windows registry is perhaps the most dynamic component of the operating system: it reflects every change, even the most insignificant, made to the system by built-in and third-party programs. Experienced users track such changes with dedicated utilities, one of which is covered here: RegFromApp. This small portable utility from Nirsoft lets you monitor the operation of the programs installed on the computer.

More precisely, it records all the changes they make in the system registry while they run and, if needed, lets you compare earlier results with later ones. Universal Windows Apps are the exception: attaching to their processes usually fails.

Note: to track a 32-bit program you need the 32-bit version of the utility, even on a 64-bit system.

The utility is simple to use. After launch it prompts you to select a process to monitor; pick one and click OK. You can also choose the process later from the program's main menu. Monitoring then runs in the background, and as soon as the monitored program changes anything in the registry the change appears in the main window. The change data can be copied to the clipboard or saved to a .reg file.

There are two display modes. By default the utility shows only the last changed values, but it can also display the original values. The program has no other significant settings.

From time to time, users and system administrators may need to look at changes in the Windows registry for a certain period. This may be due to a desire to see what changes are made by a particular program or user actions.

You can view the changes made to the Windows registry both by means of tools built into the operating system and using third-party software. Let's start with the first ones.

It is also worth noting that all the methods come down to two approaches: comparing two "snapshots" of the registry taken at different times, or monitoring changes in real time.

The most accessible way to see what has changed in the registry is the built-in Windows utility fc.exe. Its advantage is that no additional software is needed. fc.exe is a general tool for comparing two files or sets of files, not something specific to the registry, so it needs two "snapshots" of the registry to work with.

Export the whole registry, or just the key you need, in advance. Say we have two files, 1.reg and 2.reg, on drive C. To compare them, use the command

fc /U C:\1.reg C:\2.reg > C:\log.txt

(/U is needed because regedit writes its exports as Unicode text.)

In this case we send the output of the command to a text file. But I would recommend using a more advanced format and/or an editor stronger than Notepad, so that there are no problems with.

Above I used MS Word and .doc format.

The problem with fc.exe is that its output is hard to read. The screenshot above shows that the parameter Primer was added to the key HKEY_LOCAL_MACHINE\SOFTWARE\Test, but you would hardly work that out without knowing it in advance. fc.exe is not a complete analysis tool; it suits the case where you make a registry change yourself and want to confirm it was applied without browsing the keys in regedit.

So let's move on to another utility, which unfortunately is no longer included in modern versions of Windows but can be added: WinDiff. It used to ship with the Microsoft Windows SDK packages; after Windows 7 it was dropped from those as well, but it can still be downloaded separately.

To call WinDiff from the Windows command line, put it in %WINDIR%\System32 (or any other directory on PATH). Then, to compare the two registry files from the example, run

windiff C:\1.reg C:\2.reg

The graphical interface of the utility will open, which can be seen in the screenshot above. Let's figure out how to read the output of the WinDiff program.

  • Lines on a white background mean that the contents of the files match;
  • Lines with a red background show the contents of the first (left) file, which are not in the second (right);
  • The lines with a yellow background show the contents of the second (right) file, which are not in the first (left).

We have a yellow line with the content "Primer"="". It means that the parameter Primer with an empty value appeared in the second file, under HKEY_LOCAL_MACHINE\SOFTWARE\Test. Since the second file was saved later than the first, the parameter was added, not removed.

Let's move on to third-party registry monitoring utilities.

A popular free solution is Regshot. It also works with registry snapshots, but it takes them itself rather than analysing .reg exports made elsewhere (its own snapshots can be kept with "Shot and Save" and loaded again later). That is its drawback; the plus is that it is very simple.

First take the first snapshot (1st shot), then make the change you want to examine and take the second one (2nd shot).

Then the two snapshots can be compared with the Compare button.

When the comparison finishes, the program opens the results file automatically. Another plus of Regshot is that the file is easy to read, although it will contain a pile of registry changes that may look like a kind of Morse code. In my case both shots were taken less than a minute apart, and my only action was removing the Primer parameter. As you can see, the program recorded that, and many other changes besides. Something is always happening "under the hood" of the operating system, and most of it is hidden from view.

Snapshots you no longer need can be discarded with the Clear button in the program's interface. Regshot is free to download.

The last registry monitoring tool discussed in this article is Registry Live Watch. As the name suggests, it monitors registry changes in real time.

It is also extremely simple and has practically no settings: specify the registry key you want to watch and press Start Monitor.

However, the program has a serious flaw that largely defeats the purpose of monitoring: it only reports that something in the watched key changed, not what changed. The second drawback is that it cannot watch the whole registry. The program is free to download.

Finally, collecting registry snapshots can be automated without third-party software: a script containing the reg export command (run reg export /? for its syntax), executed on a schedule, produces a series of registry snapshots that can be compared whenever needed.
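The fc.exe, WinDiff and Regshot sections above all do the same thing: compare a "before" and an "after" state of the registry and report what was added, removed or changed. The following is an added example, not code from this page or from any of the tools it reviews, that does that comparison structurally on two .reg exports (the kind produced by regedit's Export or by a scheduled reg export), so that a single added value is reported as such instead of as a raw line difference. The two exports embedded below are constructed sample data mirroring the article's HKLM\SOFTWARE\Test example; the key and value names in them are assumptions for illustration.

```python
"""Structural diff of two .reg exports: the Regshot / WinDiff idea in Python."""
import re
from typing import Dict, List

# Constructed sample exports (not real system data): HKLM\SOFTWARE\Test before
# and after a Primer value is added, Count changes, a subkey disappears and an
# autostart entry appears.  In real use, read regedit's export files instead.
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Test]
"Count"=dword:00000005
"Bin"=hex:01,02,\
  03

[HKEY_LOCAL_MACHINE\SOFTWARE\Test\Old]
"Gone"="yes"
"""

AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Test]
"Primer"=""
"Count"=dword:00000006
"Bin"=hex:01,02,\
  03

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Tools\\upd.exe"
"""

Snapshot = Dict[str, Dict[str, str]]  # {key path: {value name: raw data}}
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text: str) -> Snapshot:
    """Parse .reg text into {key: {name: data}}; '@' is the default value, data
    stays raw ('dword:00000005', '"yes"').  A trailing backslash wraps a value
    onto the next line (regedit does this for hex: data); '[-KEY]' deletion
    entries, found only in hand-written files, are skipped."""
    lines: List[str] = []
    pending = ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        lines.append(line)
    keys: Snapshot = {}
    current = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current = None if m.group(1) else m.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        if current is None or not line or line.startswith(";"):
            continue  # header, blank line, comment, or body of a [-KEY] entry
        if line.startswith("@="):
            keys[current]["@"] = line[2:]
        else:
            v = VALUE_RE.match(line)
            if v:
                name = v.group(1).replace('\\"', '"').replace("\\\\", "\\")
                keys[current][name] = v.group(2)
    return keys


def diff_reg(before: Snapshot, after: Snapshot) -> Dict[str, list]:
    """Regshot-style report: keys added/deleted, values added/deleted/modified.
    Value entries are (key, name, data); modified ones are (key, name, old, new)."""
    rep: Dict[str, list] = {"keys_added": [], "keys_deleted": [], "values_added": [],
                            "values_deleted": [], "values_modified": []}
    for key in sorted(set(after) - set(before)):
        rep["keys_added"].append(key)
        rep["values_added"] += [(key, n, d) for n, d in after[key].items()]
    for key in sorted(set(before) - set(after)):
        rep["keys_deleted"].append(key)
        rep["values_deleted"] += [(key, n, d) for n, d in before[key].items()]
    for key in sorted(set(before) & set(after)):
        old, new = before[key], after[key]
        rep["values_added"] += [(key, n, new[n]) for n in sorted(set(new) - set(old))]
        rep["values_deleted"] += [(key, n, old[n]) for n in sorted(set(old) - set(new))]
        rep["values_modified"] += [(key, n, old[n], new[n])
                                   for n in sorted(set(old) & set(new)) if old[n] != new[n]]
    return rep


def format_report(rep: Dict[str, list]) -> str:
    """Render the report as text, one section per change class."""
    out: List[str] = []
    for section, entries in rep.items():
        out += [f"{section}: {len(entries)}"] if entries else []
        for e in entries:
            if isinstance(e, str):
                out.append(f"  {e}")
            else:
                tail = f" = {e[2]}" if len(e) == 3 else f": {e[2]} -> {e[3]}"
                out.append(f"  {e[0]}\\{e[1]}{tail}")
    return "\n".join(out)
```

Running `print(format_report(diff_reg(parse_reg(BEFORE_REG), parse_reg(AFTER_REG))))` lists the new Run key with its Updater value, the deleted Test\Old key, the added Primer value and the Count change, and nothing else, which is exactly what the line-oriented fc report hides. For real exports, read the files with `open(path, encoding="utf-16")` (regedit 5.00 writes UTF-16 with a BOM; the older REGEDIT4 format is ANSI) and feed the text to parse_reg; the data strings are compared verbatim, so two exports of the same key taken by the same tool diff cleanly.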

There is a dedicated utility, SysTracer, designed to track changes in the system by comparing two "system snapshots", before and after. The result is change data presented in a convenient form in three categories: "Registry", "Files" and "Other settings" (e.g. group policies, system utilities trace aka netsh).
(Honestly, it does not collect everything, although in most cases that is enough.)

And if you are "fighting evil protection", some tricks are used there that cannot be caught with an ordinary trace 🙂
Otherwise everything would be very simple. In that case the most useful tool, and here I agree with participant l0calh0st,
is Process Monitor from Sysinternals; that is exactly what you need. (These guys seem to use some undocumented features; Mark Russinovich knows a lot 🙂) It is extremely hard to hide any activity from this utility if it is configured correctly. (Although it is possible, I know how, but I won't say, because that's not nice.)

PS: The one thing is to read the documentation on filtering carefully, since Process Monitor logs all events by default. First of all, target it at the installer's process ID, and also disable the network capture if the installer does not use the network during installation, as it produces a lot of "garbage" that gets in the way of understanding.
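The filtering advice in the comment above (restrict the trace to the installer's PID, drop the network noise, look only at what touches the registry) can also be applied after the fact to a saved trace. The following is an added example, not code from this page or from Sysinternals, that reduces a Process Monitor CSV export (File > Save, CSV format, default columns) to the successful registry writes of one process and of the child processes it spawns, which installers routinely do (msiexec.exe). The log rows embedded below are constructed to look like such an export; the process names, PIDs and paths in them are assumptions for illustration.

```python
"""Reduce a Process Monitor CSV export to the registry writes of one installer."""
import csv
import io
import re
from typing import Dict, List

# Constructed sample in the layout of Procmon's CSV export (default columns).
# A real installer trace runs to tens of thousands of rows; this one contains
# the kinds of rows the filter has to tell apart.  Addresses use TEST-NET.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000 AM","setup.exe","4321","RegOpenKey","HKLM\SOFTWARE\Test","SUCCESS","Desired Access: Read"
"10:01:02.1100000 AM","setup.exe","4321","RegSetValue","HKLM\SOFTWARE\Test\Primer","SUCCESS","Type: REG_SZ, Length: 2, Data: "
"10:01:02.1200000 AM","setup.exe","4321","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 34, Data: C:\Tools\upd.exe"
"10:01:02.2000000 AM","svchost.exe","900","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime","SUCCESS","Type: REG_QWORD, Length: 8, Data: 133500000000000000"
"10:01:02.3000000 AM","setup.exe","4321","TCP Send","host:49152 -> 192.0.2.10:443","SUCCESS","Length: 517, startime: 1, endtime: 2, seqnum: 0, connid: 0"
"10:01:02.4000000 AM","setup.exe","4321","RegSetValue","HKLM\SOFTWARE\Test\Blocked","ACCESS DENIED","Type: REG_SZ, Length: 2, Data: "
"10:01:02.5000000 AM","setup.exe","4321","Process Create","C:\Windows\System32\msiexec.exe","SUCCESS","PID: 4400, Command line: ""C:\Windows\System32\msiexec.exe"" /i C:\Temp\setup.msi /qn"
"10:01:02.6000000 AM","msiexec.exe","4400","RegCreateKey","HKLM\SOFTWARE\Classes\Installer\Products\ABC","SUCCESS","Desired Access: Maximum Allowed"
"10:01:02.7000000 AM","msiexec.exe","4400","Process Profiling","","SUCCESS","User Time: 0.0000000, Kernel Time: 0.0000000"
'''

# Operations that change the registry, as Procmon names them.
REGISTRY_WRITES = {"RegCreateKey", "RegSetValue", "RegDeleteKey", "RegDeleteValue",
                   "RegRenameKey", "RegSetInfoKey"}
# Event classes the comment above calls "garbage" for this purpose.
NOISE_CLASSES = {"TCP Send", "TCP Receive", "TCP Connect", "TCP Disconnect", "TCP Accept",
                 "UDP Send", "UDP Receive", "Process Profiling", "Thread Profiling"}
CHILD_PID_RE = re.compile(r"PID:\s*(\d+)")


def registry_writes(csv_text: str, root_pid: int,
                    follow_children: bool = True) -> List[Dict[str, str]]:
    """Keep only successful registry-changing events of root_pid and, when
    follow_children is set, of the processes it spawns (their PIDs come from
    'Process Create' rows, which precede the child's own events).  Network and
    profiling rows are dropped outright; failed writes are dropped because they
    changed nothing (an ACCESS DENIED RegSetValue is still worth reading in the
    full trace)."""
    tracked = {str(root_pid)}
    hits: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid, op = row["PID"], row["Operation"]
        if pid not in tracked or op in NOISE_CLASSES:
            continue
        if op == "Process Create":
            m = CHILD_PID_RE.search(row["Detail"])
            if follow_children and m:
                tracked.add(m.group(1))
            continue
        if op in REGISTRY_WRITES and row["Result"] == "SUCCESS":
            hits.append({"pid": pid, "process": row["Process Name"], "op": op,
                         "path": row["Path"], "detail": row["Detail"]})
    return hits


def writes_by_key(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group the filtered events by registry path, in first-seen order."""
    grouped: Dict[str, List[str]] = {}
    for h in hits:
        grouped.setdefault(h["path"], []).append(f'{h["process"]}({h["pid"]}) {h["op"]}')
    return grouped


if __name__ == "__main__":
    for path, events in writes_by_key(registry_writes(SAMPLE_CSV, 4321)).items():
        print(path, "<-", "; ".join(events))
```

On the sample, the result is three writes: the Primer value and the Run\Updater autostart entry written by setup.exe, and the Installer\Products key created by the msiexec.exe child, while the svchost.exe write, the network row, the denied write and the profiling row are all discarded. Following children matters because an installer that hands off to msiexec.exe or a helper process would otherwise look as if it had touched almost nothing; the same PID filter in Procmon's own filter dialog has to be extended by hand for each child.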

SysTracer Pro for Windows (Portable)

SysTracer is a utility that tracks all kinds of changes in the operating system. It first scans and analyzes the OS, then presents the user with a report on the changes made to the system by programs and their installers. SysTracer is mostly used by experienced users, because not everyone will understand the reports it generates.

SysTracer is useful not only for tracking the behaviour of one particular installer but also for analysing the operation of applications and of the system as a whole. Changes can be monitored repeatedly, and the user can also track changes over a chosen period of time.

The program follows a simple algorithm. First it takes a snapshot of the registry and of the whole file system. After the user installs a new application, SysTracer takes another snapshot and derives the changes from the difference between the two. The scan can be configured (individual files, folders, registry keys and so on can be excluded). Snapshots can be taken on different days and compared over the period you need, for example from the 15th to the 20th.

After installing and starting the tool you see its main window with six tabs: Snapshots, Registry, Files, Applications, Remote Scan and Help.

On the Snapshots tab you create, rename, delete and compare snapshots; snapshots can also be exported in web format or with the .snp extension, and this is where snapshot settings and properties are viewed. The Registry tab lets you examine one registry snapshot or compare two, down to the individual keys. Colour coding makes changes easy to spot: new items are shown in green, modified items in blue, deleted files, applications and registry entries in red, unchanged items in black, and items that were not scanned in grey.

SysTracer can be downloaded via the link below this review.

Registry Changes Viewer After Installing Programs

Have you ever wondered what exactly installed programs change on your computer? What changes do they make to the Windows registry and system files? And have you ever had to compare two apparently similar systems?

Such questions naturally arise only when there is a reason for them: for example, two seemingly identical systems react differently to the same event, or after installing a program your computer starts to behave strangely (slow startup, freezes during certain actions, and so on).

To answer these and similar questions, Microsoft released a tool called Windows System State Analyzer. It is part of the Windows Software Certification Toolkit, which is not easy to find. Note that the program requires .NET Framework 2.0. It comes in 32-bit and 64-bit versions and can be used on all current versions of Windows. A detailed description and a download link are given in the Microsoft blog post this article refers to.

At the end of the Microsoft blog post there are two download links for a file called "Server Logo Program Software Certification Tool", x86 for 32-bit systems and x64 for 64-bit systems. Do not be put off by the name: during installation choose a custom installation and, among the components, select only "System State Analyzer". The figure below shows the dialog for an analyzer-only installation.

Note: you can also install Windows System State Monitor, which lets you monitor changes in real time.

The Microsoft blog post explains in some detail how to use the analyzer, and if you are technically minded you will quickly work it out yourself. Note that taking the first system snapshot may take a while, especially if you decide to monitor all changes on the computer.

You do not have to select everything, though: you can include only the files and registry keys you consider necessary in the analysis, as in the following figure:

Now you can find out about everything that is happening on your computer.

Source: ida-freewares.ru

Which is better: real-time tracking or system snapshots when installing programs?

There are two approaches to tracking software installations (so that their data can later be removed completely). The first, older one takes snapshots of the registry and file system before and after installation and then compares them. The second, used in Uninstall Tool, monitors changes in real time with its Software Installation Monitor. The second method is the more advanced, for the following obvious reasons: