How to track changes in the Windows registry: programs for tracking registry changes

How to do Windows registry snapshots to compare and track changes?

You can track registry changes in different ways, manually or with dedicated programs. In this article I will show how to do it with programs, which in my opinion is much more convenient.

As I promised in the article “”, this publication opens a series of articles devoted to malware analysis. In these articles I will talk about tools that let you study viruses and their behaviour.

Today's article will be useful not only to virus researchers but also to ordinary users who want to become more advanced at using a computer. I will show how to use the Regshot program to take snapshots of the Windows registry in order to compare them and track changes.

What is the Windows Registry?

The registry is one of the main parts of the Microsoft Windows operating system. Despite this, most users work with the operating system without being aware that the registry exists.

An inexperienced user does not even realise that whenever settings change, whether a program is installed or Windows itself or a connected device is reconfigured, all of those changes are written to the Windows registry.

In short, the registry is, in a sense, the core of the operating system, where all settings and changes are stored.

Why analyze the registry and track changes?

Let's say you are no longer just a passive computer user and want to know what goes on behind the scenes while a new program is installed, or you want to analyse the behaviour of a virus. To find out what changes a piece of software makes, you need a program that tracks the registry. One such tool is RegShot.

Registry snapshot using RegShot

RegShot is a small, free, open-source program that takes snapshots of the registry and compares them. All changes found in the registry can be saved to a text or HTML file.

Download RegShot

You can download the RegShot program for free using a direct link.

Installing RegShot

After the program has downloaded, unzip the archive and go to the folder with the files. There will be several files in the folder.

When choosing which executable to run, pick the one that matches the bitness (32- or 64-bit) of your operating system.

Setting up and using RegShot

After launch, a small program window appears, in which we immediately switch the interface language to Russian. A Ukrainian interface language is also available.

Now let's get to work. Tracking registry changes begins with taking the first snapshot of the registry. Click the snapshot button and a drop-down menu shows three options:

  • Snapshot - Snapshot only
  • Snapshot + Save - Snapshot and backup of the registry
  • Open - Open an already taken snapshot of the registry

Select the required option. In my example there is no need to back up the registry, so I click the “Snapshot” button. The program starts creating the first snapshot of the registry; at the bottom of the window you will see the counters change.

When the counters stop and the program goes idle, you can start working with third-party programs, install software, and so on.

When you are done, click the “Second snapshot” button, and after a few seconds you can click the “Compare” button.

If the “Text” option was selected at the start, a Notepad window opens with a full report of the registry changes.

I did not install any programs, I only changed a few settings in the Windows Control Panel. As you can see, the Regshot utility recorded all of the changes.

During installation of the software, the report will of course be larger.

If you need to analyse the registry again, click the “Clear” button and start over.

As you can see, taking a snapshot of the registry to track changes is very easy, especially when you have the right program at hand. This is very convenient if you need to find out what changes the program makes to the registry during installation. By the way, in this way you can find out which registry elements are responsible for a particular Windows setting.

If you use Windows, it would be a good idea to get to know it better. You can start with the article about a mysterious file that you simply must know about!

That's all, friends. We will explore other tools in the future. And yes, I have not forgotten my promise to write detailed instructions on building a reliable isolated laboratory on a virtual machine for testing software and viruses. So you are welcome to our public pages

This article shows you the steps to take ownership of a registry key and gain full control rights, and how to return the original rights and restore the original owner.

Some keys of the Windows registry cannot be edited even if your account belongs to the Administrators group. This usually happens because the Administrators group does not have write permission for that key. There are several reasons why you may be unable to edit a key:
■ The Administrators group owns the key but does not have Full Control over it. In this case it is enough to grant the Administrators group Full Control.
■ The key is owned by the TrustedInstaller system service. In this case you must first take ownership of the key and then grant your group Full Control; this is exactly the example covered in this article.

■ The key is owned by the System account.

The rest of the article describes how to make changes to the registry when you do not have the required permissions, how to restore the original permissions afterwards, and why you need to do so. Before you edit the system registry, it is recommended

If you try to change a value in the registry without sufficient rights, you will receive an error message.

Let's consider the first example, where the Administrators group owns the key but does not have Full Control over it:
1. Right-click the registry key and select Permissions... from the menu.
2. Select the Administrators group:

If the Full Control checkbox is available, select it and click OK. This may be sufficient if the group owns the key.

If the checkbox is not available or you see an error message like in the screenshot below, then move on to the second example.

Second example: the key is owned by the TrustedInstaller system service

In the Permissions window, click the Advanced button.

In the next window, click the Change link, enter your local account name or the e-mail address of your Microsoft account, click Check Names, and click OK.

Check the Replace owner of subcontainers and objects box at the top of the window and click OK.

Select the Administrators group, check the Full Control box, and click OK.

You now have full access to the registry key and can edit all of its settings.

Third example: the key is owned by the System account. In this case the steps are the same as for TrustedInstaller.

Returning original rights and restoring ownership

For system security reasons, after editing the required values of the registry key you need to restore the original access rights and make the TrustedInstaller system account the owner of the key again.
1. Right-click the registry key and select Permissions... from the menu.

2. In the Permissions window, click the Advanced button.

3. In the Advanced Security Settings window, click the Change link at the top of the window, and in the Select User or Group dialog that appears enter the account name NT Service\TrustedInstaller:

Click OK.

5. In the Permissions window, select the Administrators group, uncheck Full Control, and click OK.

The original rights and owner of the registry key have been restored.

■ If the owner of the key was the System account, then instead of NT Service\TrustedInstaller enter System.


From time to time, users and system administrators may need to see what changes were made to the Windows registry over a certain period, for example to find out what a specific program or a user action changed.

You can view changes made to the Windows registry using tools built into the operating system or using third-party software. Let's start with the first ones.

Note also that it all comes down to two methods: comparing two registry “snapshots” taken at different times, or monitoring changes in real time.

The most accessible way to see what has changed in the registry is the built-in Windows utility fc.exe. The advantage of this method is that no additional software is needed. In general, fc.exe is not a registry tool at all: it compares two files or sets of files. So it is clear that we need two registry “snapshots”.

First we export the whole registry or only the branch we need. Suppose we have two files, 1.reg and 2.reg, which we put on drive C. Then we can compare them with the command

fc c:\1.reg c:\2.reg > c:\log.txt

In this case we redirect the command's output to a text file. However, I would recommend a richer format and/or a more capable editor than Notepad to avoid problems.

Above I used MS Word and .doc format.

The problem with fc.exe is that its output is hard to read. The screenshot above suggests that a Primer value was added to the key, but you are unlikely to work that out unless you already know it. fc.exe cannot be called a full-fledged analysis tool. It is best suited for when you make registry changes yourself and want to verify that they were applied (without wandering through the registry branches in regedit).

So let's move on to another utility which, unfortunately, is no longer shipped with modern Windows versions but can be added. It is called WinDiff. It could be installed as part of the Microsoft Windows SDK packages; unfortunately, after Windows 7 WinDiff was dropped from those packages, but it can be downloaded separately.

To use WinDiff from the Windows command line, put it in the %WINDIR%\System32 directory. Now, to compare the two registry files from the example, just enter the command

windiff C:\1.reg C:\2.reg

The utility's graphical interface will open, as shown in the screenshot above. Let's figure out how to read WinDiff's output.

  • Lines on a white background mean the contents of the files match;
  • The lines with a red background show the contents of the first (left) file that are not in the second (right);
  • The lines with a yellow background show the contents of the second (right) file that are not in the first (left).

We have a yellow line with the content "Primer"="". This means that the Primer value, with an empty string, appeared in the second file, under HKEY_LOCAL_MACHINE\SOFTWARE\Test. Since the second file was saved later than the first, we can conclude that this value was added rather than removed.
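Both fc.exe and WinDiff, as described above, leave you reading raw line differences; a small parser that diffs two .reg exports by key and value name produces a Regshot-style report instead. This is an added example, not code from the article or from any of the tools it mentions; the two snapshots are constructed inline and reuse the article's HKEY_LOCAL_MACHINE\SOFTWARE\Test key, with "Primer"="" present only in the second export.

```python
import re

Snapshot = dict[str, dict[str, str]]  # key path -> {value name: raw data}
_KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"=data or @=data (the key's default value); names may contain \" escapes
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def parse_reg(text: str) -> Snapshot:
    """Parse .reg text into {key: {name: raw data}}; wrapped hex lines are joined first."""
    # data stays exactly as written (dword:, hex:, "string") so any change is visible
    text = re.sub(r"\\\r?\n\s*", "", text)
    snap, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        k = _KEY_RE.match(line)
        if k:
            key = k.group(1)
            snap.setdefault(key, {})
        elif key is not None and (v := _VAL_RE.match(line)):
            name = "(Default)" if v.group(1) is None else v.group(1)
            snap[key][name] = v.group(2)
    return snap

def load_reg(path: str) -> Snapshot:
    raw = open(path, "rb").read()  # regedit and reg.exe write UTF-16LE with a BOM
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    return parse_reg(raw.decode(enc, errors="replace"))

def diff_reg(old: Snapshot, new: Snapshot) -> list[str]:
    """Report lines: '+' value added, '-' value removed, '~' data changed."""
    out: list[str] = []
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key, {}), new.get(key, {})
        for name in sorted(set(o) | set(n)):
            path = f"{key}\\{name}"
            if name not in o:
                out.append(f"+ {path} = {n[name]}")
            elif name not in n:
                out.append(f"- {path} = {o[name]}")
            elif o[name] != n[name]:
                out.append(f"~ {path}: {o[name]} -> {n[name]}")
    return out

# Constructed sample exports (before / after); not real registry dumps.
SNAP1 = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Test]
"Version"=dword:00000001
"Path"="C:\\Tools"
'''
SNAP2 = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Test]
"Version"=dword:00000002
"Path"="C:\\Tools"
"Primer"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Test\Sub]
"Blob"=hex:01,02,\
  03,04
'''
```

On a real system, call diff_reg(load_reg(r'C:\1.reg'), load_reg(r'C:\2.reg')) on the two exports from the text; unchanged values such as Path are not reported.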

Let's move on to third-party registry monitoring utilities.

A popular free solution is Regshot. It also works with registry snapshots, but takes them itself rather than analysing previously saved files. That is its drawback; the advantage is that it is very simple.

First you need to take the first snapshot of the registry.

Then take the second snapshot, after which they can be compared.

When the comparison finishes, the program automatically opens a file with the results. Another advantage of Regshot is that this file is easy to read. Note, however, that it will contain a lot of registry changes, which may look like a kind of Morse code. In my case both snapshots were taken less than a minute apart, and my only action was removing the Primer value. As you can see, the program recorded it, along with many other changes. Something is always going on under the hood of the operating system, and most of it is hidden from our eyes.

Snapshots you no longer need can be removed with the Clear button in the program's interface. You can download Regshot.

The last Windows registry monitoring tool discussed in this article will be the program Registry Live Watch. Perhaps, already from the name you can understand that this program is able to monitor registry changes in real time.

The program is also extremely simple and in fact has hardly any settings. You just specify the registry branch you want to watch and start monitoring with the Start Monitor button.

However, the program has a serious drawback that largely defeats the idea of monitoring: it only reports that something changed in the watched branch, but does not say what exactly changed. The second drawback is that Registry Live Watch cannot monitor the entire registry. You can download the program.

Finally, let's talk about how to automate collecting registry information without third-party software. This can be done with a script containing the reg export command, the syntax of which is discussed. Running this script on a schedule gives you a series of registry snapshots that can be compared when needed.

Some Windows registry keys cannot be modified even by an administrator working in a Registry Editor that is running with full rights. This happens because the Administrators group does not have write access to the key. There can be two reasons for this:

  • The Administrators group owns the key but does not have Full Control over it. In this case it is enough to grant the Administrators group Full Control.
  • The key is owned by the System or TrustedInstaller system account (the latter is part of a set of measures that harden the operating system, but for those who like to “poke around” in the registry it is an annoying obstacle on the way to the goal). In this case you can first take ownership of the key and then grant your group Full Control. But there are more interesting alternatives: utilities that launch executables on behalf of these accounts.


In Windows 8 the graphical interface for changing the owner changed slightly, which, judging by the comments, became an insurmountable obstacle for a number of readers. I hate duplicating nearly identical instructions on one page, but the other options are even worse. So pick the instructions for your OS. I assume you already have the required registry key open in Registry Editor.

Obtaining full rights and changing ownership

Along the way you will see who owns the registry key. If it is System or TrustedInstaller, you can use the corresponding utility ↓

Windows 8 and later

  1. Right-click the registry key and select Permissions from the menu.
  2. Select the Administrators group:
  • Click the Advanced button, click the Change link at the top of the window, enter your Microsoft account e-mail address or local account name, click Check Names, and click OK.
  • Check the box and click OK.
  • Select the Full Control checkbox as described in step 2.

Windows 7

Now nothing prevents writing to this registry key. However, I recommend restoring the rights when you finish editing the key.

Returning original rights and restoring ownership

After making changes to the registry, I advise returning the original rights and restoring the owner so as not to weaken the security of the system. Besides, people have repeatedly asked for help on the forum when the system stopped working correctly after ownership was taken away from the TrustedInstaller system account.

Windows 8 and later

  • Check the Replace owner of subcontainers and objects box at the top of the window and click OK.
  • Select the Administrators group, uncheck Full Control, and click Apply.

Windows 7

  • Now the required account is in the list. Select it, check the Replace owner of subcontainers and objects box, and click OK.
  • The original rights and owner of the registry key have been restored.

Making changes to the registry on behalf of the System account

If the registry key is owned by the special System account, there is a way to modify the key without changing its owner and permissions. To do this, use the PsExec utility from Mark Russinovich's PsTools suite. The essence of the method is to launch Registry Editor as the system account.

1. Download the PsTools suite and extract the PsExec utility into the Windows folder, so that you do not have to specify its path on the command line.
2. Open a command prompt as administrator and run the command: psexec -i -s regedit

Registry Editor will start on behalf of the system account, which is specified by the -s parameter (the -i parameter makes the application launch interactively).

Sometimes you may want to track the changes that programs or settings make to the Windows registry, for example to undo those changes later or to find out how certain parameters (say, appearance settings or OS updates) are written to the registry.

This review covers popular free programs that make it easy to view changes to the Windows 10, 8 or Windows 7 registry, plus some additional information.

The free Registry Live Watch works on a slightly different principle: instead of comparing two registry snapshots it monitors changes in real time. However, the program does not show the changes themselves, it only reports that a change has occurred.

You can download the program from the developer's official website http://leelusoft.altervista.org/registry-live-watch.html

WhatChanged

Another program that lets you find out what changed in the Windows 10, 8 or Windows 7 registry is WhatChanged. Its use is very similar to that of the first program in this review.

The program has no official website of its own, but it is easy to find online and requires no installation (just in case, check the program on virustotal.com before running it, and keep in mind that the original file has one false positive).

Another way to compare two registry states without extra programs

Windows has a built-in file comparison tool, fc.exe (File Compare), which among other things can be used to compare two versions of a registry branch.

To do this, use Registry Editor to export the required branch (right-click the key, then Export) before and after the changes, under different file names, for example 1.reg and 2.reg.

Then use a command like:

Fc c:\1.reg c:\2.reg > c:\log.txt

where the paths of the two registry files come first, followed by the path of the text file for the comparison results.

Unfortunately, the method is not suitable for tracking large changes (you will not be able to make out anything visually in the report), only for a small registry key with a couple of values where a change is expected, and mostly for confirming that the change happened at all.