Microsoft Windows Registry Guide, Second Edition
Monitoring the Registry
Monitoring the registry for changes is different from comparing snapshots in that you're watching registry access as it happens. Thus, you can change a setting in the user interface and then look at the monitor to see what value Windows wrote to the registry. I tend to monitor the registry instead of compare snapshots when I'm looking for a large number of settings. When doing this, it's helpful to eliminate distractions. I'll show you how to do that in the section “Filtering for Better Results,” later in this chapter.
My favorite monitoring tool is Regmon from Winternals. You can download a freeware version of this tool from http://www.sysinternals.com. Regmon Enterprise Edition is available at http://www.winternals.com and is inexpensive. The difference between the two is that the enterprise edition enables you to monitor a remote registry, which makes the process a little easier if you can work on one computer and see the results on a different computer. Although the freeware version of Regmon contains the enterprise edition's other features, I purchased Regmon Enterprise Edition for the convenience of remote monitoring.
Download either version of Regmon. The freeware version doesn't have a setup program, so you just run it from the directory in which you unzip it. Regmon Enterprise Edition comes with a setup program that adds a shortcut for Regmon to the Start menu. The following sections show you how to use this useful product.
Using Winternals Regmon
Figure 10-5 shows the freeware version of Regmon. Every time that Windows or programs access the registry, Regmon adds a row to the window. The first two columns are the line number and the time. The next column displays the name of the process that accessed the registry, which is usually the program's file name. Next you see the type of access, followed by the path and the result. The last column gives you additional information, such as the contents of a value. The most interesting information here is the type of access, the path of the key, and the Other column. Any time a column is too narrow to display the entire contents of a row, you can point to the data, and Regmon displays its full contents in a balloon, a nifty feature.
Figure 10-5 Regmon's window quickly fills up with unimportant information. This is Regmon's window seconds after starting it.
Two columns, Request and Other, need more attention. Request tells you what Windows or a program was trying to do. The requests you see in the Request column are different registry application programming interface (API) functions and are shown in Table 10-1. The most interesting type of request is SetValue, of course. The Other column contains a variety of information, depending on the type of request. Again, see Table 10-1. For example, if the request is QueryValue, the Other column contains the data in the value. If the request is OpenKey, the Other column contains the key's handle.
Table 10-1 Request types and the data shown in the Other column

Request Type | Data in the Other Column
--- | ---
CloseKey | Handle of closed key
CreateKey | Handle of new key
CreateKeyEx | Handle of new key
DeleteKey | None
DeleteValue | None
DeleteValueKey | None
EnumerateKey | Name of next subkey
EnumKeyEx | Name of next subkey
EnumerateValue | None
FlushKey | None
OpenKey | Handle of open key
OpenKeyEx | Handle of open key
QueryKey | Name of key
QueryValue | Value's data
QueryValueEx | Value's data
SetValue | Data stored in value
SetValueEx | Data stored in value
Filtering for Better Results
If you start Regmon and change some settings in the Windows user interface, you won't have a lot of luck sifting through Regmon's output to find the setting. For example, opening Windows Explorer accesses the registry approximately 5000 times. Clicking Options on Windows Explorer's Tools menu accesses the registry a few hundred times. Sorting through all that output isn't practical. Your experience improves dramatically if you learn how to use filtering.
The first step that you can take, particularly if you're interested in finding the value in which Windows stores a setting, is to filter out everything except write requests. On Regmon's Edit menu, click Filter/Highlight. Then clear all the check boxes except Log Successes and Log Writes. Regmon will report only successful writes to the registry. This alone significantly reduces the amount of output that you see. Get more specific, though, and Regmon will all but hand you the setting for which you're looking. The asterisk (*) in the Include box is a wildcard that matches everything; this is the default filter.
To get more specific, limit Regmon to certain processes. For example, if you're searching for a setting in Windows Explorer, look only for registry access by the process explorer.exe. If you're searching for settings in Tweak UI, look only for registry access by the process Tweakui.exe. On Regmon's Edit menu, click Filter/Highlight. In the Include box, type the name of the process that you want Regmon to display in the window. Include multiple processes separated by a semicolon. The easiest way to figure out the name of a process is to look in Windows Task Manager. Press CTRL+SHIFT+ESC, and then look at the Processes tab. If in doubt, you can also look in Regmon's output for the process name, which is how I usually find it. You might see the process Rundll32.exe. This is a special program that executes APIs in dynamic-link libraries (DLLs). Because you might have many different instances of this process running at any time, filtering this process is more difficult.
My last tip for how you can limit the output of Regmon is to filter for specific keys. If you have general knowledge of where Windows stores a setting in the registry, filter the output to display only lines that contain that key. For example, if you know that a setting is somewhere in HKLM\SOFTWARE\Microsoft, filter Regmon's output so that it shows only SetValue requests on that key. You'll see very little output in Regmon's window when you change that value in the user interface, and one of the lines is likely to be the value for which you're searching.
TIP
You can combine subkeys and process names in your filter. Separate each with a semicolon. Regmon compares your criteria to all the columns you see in the window so that you can filter multiple columns at one time. You can filter results by process, request type, and key at the same time, for instance.
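As an added example that is not from the book and not Winternals code, the following Python script applies the chapter's narrowing steps (keep only successful requests, keep only writes, then match process names or key paths from a semicolon-separated Include box) to Regmon-style log rows. The tab-separated column layout (line number, time, process, request, path, result, other), the set of request types counted as writes, the names of the Log Errors and Log Reads check boxes, the glob matching of each Include term against the whole row, and the sample rows are all assumptions constructed for this example; the request names themselves come from Table 10-1.

```python
"""Filter Regmon-style log rows the way the chapter describes.

Added example, not from the book or from Winternals. The tab-separated
row layout, the write/read classification and the sample rows are
assumptions constructed for this example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List

# Constructed sample rows: #, Time, Process, Request, Path, Result, Other.
SAMPLE_LOG = """\
1\t10:01:02\texplorer.exe\tOpenKey\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\tSUCCESS\tKey: 0x1A4
2\t10:01:02\texplorer.exe\tQueryValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden\tSUCCESS\t0x2
3\t10:01:03\texplorer.exe\tSetValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden\tSUCCESS\t0x1
4\t10:01:03\texplorer.exe\tSetValue\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Desktop\tACCESS DENIED\t
5\t10:01:03\tsvchost.exe\tSetValue\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDriveTypeAutoRun\tSUCCESS\t0xFF
6\t10:01:04\tTweakui.exe\tSetValueEx\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden\tSUCCESS\t0x1
7\t10:01:04\texplorer.exe\tCloseKey\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\tSUCCESS\tKey: 0x1A4
8\t10:01:05\texplorer.exe\tDeleteValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Junk\tSUCCESS\t
"""

# Request types from Table 10-1 that modify the registry (assumption: this is
# what Regmon's "Log Writes" box keeps; everything else counts as a read).
WRITE_REQUESTS = {"CreateKey", "CreateKeyEx", "DeleteKey", "DeleteValue",
                  "DeleteValueKey", "SetValue", "SetValueEx", "FlushKey"}


@dataclass
class Row:
    seq: int
    time: str
    process: str
    request: str
    path: str
    result: str
    other: str

    def is_write(self) -> bool:
        return self.request in WRITE_REQUESTS

    def is_success(self) -> bool:
        return self.result.upper() == "SUCCESS"

    def text(self) -> str:
        # Everything the filter box is compared against (all visible columns).
        return "\t".join([self.process, self.request, self.path,
                          self.result, self.other])


def parse_log(text: str) -> List[Row]:
    """Parse tab-separated rows; the Other column may be empty."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) < 6:
            raise ValueError(f"malformed row: {line!r}")
        parts += [""] * (7 - len(parts))
        seq, time, process, request, path, result, other = parts[:7]
        rows.append(Row(int(seq), time, process, request, path, result, other))
    return rows


def _matches(term: str, text: str) -> bool:
    """Case-insensitive glob; a term without wildcards is a substring match."""
    pattern = term.lower()
    if not pattern.startswith("*"):
        pattern = "*" + pattern
    if not pattern.endswith("*"):
        pattern = pattern + "*"
    return fnmatchcase(text.lower(), pattern)


def apply_filter(rows: List[Row], include: str = "*", exclude: str = "",
                 log_successes: bool = True, log_errors: bool = True,
                 log_reads: bool = True, log_writes: bool = True) -> List[Row]:
    """Mimic the Filter/Highlight dialog: check boxes plus Include/Exclude."""
    inc = [t.strip() for t in include.split(";") if t.strip()] or ["*"]
    exc = [t.strip() for t in exclude.split(";") if t.strip()]
    kept = []
    for r in rows:
        if r.is_success() and not log_successes:
            continue
        if not r.is_success() and not log_errors:
            continue
        if r.is_write() and not log_writes:
            continue
        if not r.is_write() and not log_reads:
            continue
        text = r.text()
        if not any(_matches(t, text) for t in inc):
            continue
        if any(_matches(t, text) for t in exc):
            continue
        kept.append(r)
    return kept


def successful_writes(text: str, include: str = "*") -> List[Row]:
    """The chapter's first recipe: only Log Successes and Log Writes checked."""
    return apply_filter(parse_log(text), include=include,
                        log_errors=False, log_reads=False)


if __name__ == "__main__":
    for row in successful_writes(SAMPLE_LOG, r"explorer.exe;Tweakui.exe"):
        print(row.seq, row.process, row.request, row.path, row.other)
```

With no Include term the successful-write view drops the 5000-odd reads the chapter mentions; adding `explorer.exe;Tweakui.exe` keeps writes by either process, and a term such as `SetValue*HKLM\SOFTWARE\Microsoft` narrows the view to SetValue requests under that key, which is the key-based filter the chapter recommends.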