
Registry Monitoring


For anyone who does not necessarily want a cute GUI tool to show what changes on a box at any given time, there are multiple tools of differing quality. Many batch tools can do a decent job of monitoring if you run them from startup and shutdown scripts. With on-the-fly tools you need to be very careful: usually such tools are either very talkative or have side effects, or both. Microsoft provides a free tool that can monitor changes, Process Monitor, which produces a log of registry activity.

Cygwin provides a special filesystem, /proc/registry, that exposes the registry as a read-only directory tree and can help you monitor changes.

As the main reason to use them is to defend yourself from spyware, the Microsoft Antispyware tool (now Windows Defender) is probably one of the safer options. I think Microsoft Security Essentials also monitors changes to the registry, but I am not sure. Neither protects you from sophisticated spyware/malware, but both are adequate for simple threats. One thing that helps is to use a regular user account, as in most cases you do not need to install programs or do other things that require admin privileges.

Upgrading to IE9 or IE10 also increases the chances of foiling attempts to install spyware or redirect you to phishing sites. Running 64-bit IE on 64-bit Windows also helps, as most spyware targets the Windows XP 32-bit API.

Free Tools

  1. Process Monitor (download link). Microsoft's free utility Process Monitor allows you to monitor the registry for changes. For people familiar with RegMon and FileMon on older Windows platforms, Process Monitor replaces both of these applications. RegMon by Mark Russinovich and Bryce Cogswell was probably the most popular free tool of this class. Like its predecessor, Process Monitor is also useful for analyzing the behavior of spyware and dubious programs like Adobe. The newer version for Windows 7 is even better:

    Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

    Process Monitor runs on Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista as well as x64 versions of Windows XP, Windows Server 2003 SP1 and Windows Vista. 

  2. Registry Live Watch 1.0

    Leelu Soft Registry Live Watch is a free, lightweight and portable tool to monitor activity on a registry key.
    The tool can run minimized in the system tray (notification area) and monitor a registry key (including subkeys and values) for different kinds of changes.

    Registry Live Watch consumes a very small amount of resources.

    This program does not change any registry settings; it is only a monitoring tool that watches the registry in read-only mode.

    Registry Live Watch is a tool for PC users who know and understand the Windows registry.

    Registry Live Watch was tested on Windows XP Pro and Windows 7 Ultimate but should run on other Windows versions.

  3. MJ Registry Watcher uses less than 2 megabytes of memory when running minimized in the Windows system tray.

    The Windows Registry is one of the major attack locations for malicious software and should therefore be protected by security software to ensure that no settings get changed or added to it. One prime example is the addition of new startup items to the Windows operating system. The Windows Registry contains several locations where those new files can be placed so that they are loaded during system startup.

    Windows Registry Watcher is a resource-friendly, portable program for Windows that monitors thousands of values and registry keys, and also files and directories, with the option to easily add, delete or edit any of the monitored locations. The application updates its information every 30 seconds by default; this can be changed to any interval between 0 and 9999 seconds.

    The software can be started right away on Windows XP, while Windows Vista users need to run it with administrator privileges. One of the more interesting options, besides the wealth of information it provides, is the ability to configure custom or pre-defined security settings that range from light to highest security. The security settings define, for example, the frequency with which the keys are analyzed for changes.


    The Windows Registry software can be used to backup and quarantine files. It supports audio notifications but can also be configured to send email notifications. The software can also be started from the command line using various parameters like starting the application with a specific security setting.

  4. Reg Organizer by Konstantin Polyakov can take snapshots before and after application installs and eradicate ALL system changes made by an app, as if it had never been installed. This feature can also be used to display the changes made by the application to each of the system components. Version 5.1 includes an updated program removal tool. It is possible to track changes even for programs that require rebooting the computer during the installation process.
     
  5. Microsoft Windows Defender does a semi-decent job of registry monitoring too. This is actually true of any modern anti-virus/malware protection program.
     
  6. RegistryProt is a free, standalone, compact, low-level realtime registry monitor and protector, that adds another dimension to Windows security and intrusion detection. By monitoring important locations and keys in the Windows system registry,
  7. Active Registry Monitor - Free Download
  8. SpyMe Tools - Monitor Registry & File System Changes

    SpyMe Tools is very useful for detecting Registry and disk changes. If any application installs spyware, adware, DLLs, programs, pictures or any other type of file, or changes the Registry's content, you will be able to see exactly where the modification occurred so you can take measures. It seems like more and more programs are attempting to install spyware, advertisements or other garbage without your knowledge, but with this software you will know everything that is added or removed.

    To detect Registry/Disk changes the program will create Dumps of the actual states of Registry/Disk. This means that at any time you can open the Dump file and view the contents of the Registry/Disk just as they were when you've scanned the Registry/Disk. The program can compare two different dump files so you'll see exactly what changed in the Registry/Disk between the two scans.

    You can also use the program to backup your Registry. The program can restore old states of Registry keys using the data in the Dump files.

    To prevent other persons from viewing your scanned files you may encrypt them so that a password will be required whenever someone tries to open them.

    SpyMe Tools also includes a real-time Disk/Registry monitor so you can spot changes as they happen (the real-time Disk monitor works only on the NT platform, including Win2k and Win XP).

  9. InstallWatch version 2.5 is abandonware that is provided as a free download. It is useful on Windows XP but is not compatible with Windows 7.


Old News ;-)

Registry Watch - CNET Download.com: Monitor Live Change In Windows Registry Key (Freeware, Nov 22 2009)

Registry Live Watch is a small utility that keeps watch on any registry key you define. You can minimize it to the system tray and it will immediately notify you when a change is made to the key.

To begin, first select the root key and then enter the exact key name. You can choose to watch for all changes, or for changes to keys, values, or security only. Further, you can choose the event action – do nothing (just write to the log), show a pop-up notification, or execute a program. For the latter, there is an option to select the program that you want to execute.

Once ready, hit the Start Monitor button. Clicking the Tray button will minimize it to the system tray.

[Jul 22, 2012] Igor Pechtchanski - Re: Mount Windows registry into filesystem

On Mon, 7 Jul 2003, Brian Dessent wrote:

> Corinna Vinschen wrote:
> >
> > On Mon, Jul 07, 2003 at 09:19:57AM +0100, William S Fulton wrote:
> > > Is it possible to mount the registry into the filesystem?
> >
> > It is already.  Try `ls -l /proc/registry'
>
> Neat.  Is there any way to tell the type of the key's value using this
> interface?  For example if I wanted to modify a key's value through
> "echo foo > /proc/registry/.../Key", how do I tell Cygwin that I want
> the type to be REG_EXPAND_SZ, REG_DWORD, REG_MULTI_SZ, REG_SZ, etc?

You don't.  /proc/registry is read-only.  If you want to modify the registry, use regtool.

> Conversely is there a way to determine the type when reading?  It
> appears that Cygwin does what you expect (e.g. returning a \0 delimited
> list for REG_MULTI_SZ) but is there any way to ask it directly?

Not that I know of.  Look at fhandler_registry.cc for implementation
details.

> This is yet another really cool Cygwin feature that I had no idea about
> until now... :-)
> Brian

It pays to read the release notes... ;-)

Igor

http://www.ghacks.net/2009/03/20/windows-registry-watcher/


The ghacks review covers the same backup, quarantine, notification and command-line features listed above, and adds that the Registry Watcher is probably not the easiest tool to understand if you do not know what you are looking for or how to configure the alert process.


Commercial tools

http://www.devicelock.com/arm/

There are no functional limitations for an unregistered version and you may use ARM (during the evaluation period) as a fully registered program but only on one computer. An unregistered version of ARM displays nag screens.

About Active Registry Monitor

Active Registry Monitor (ARM) is a utility designed for analyzing the changes made to the Windows Registry by taking "snapshots" of it and keeping them in a browsable database. You can compare any two snapshots and get the list of keys/data which are new, deleted or just changed. ARM can compare not only the entire Registry but also any single key of the Registry. It is also possible to exclude any keys of the Registry from the compare results. Moreover, you can create undo/redo files (for example, to roll back the changes). To view the current state of a key, or to modify it, you can use the Jump to Regedit function. The contents of any key can be exported to a *.reg file.

Very useful for detecting trojan viruses and eliminating some problems caused by software and hardware install/uninstall.

Unlike Registry monitoring software (such as RegMon and Win-Expose Registry), and most uninstallers (CleanSweep, Uninstall, etc.), ARM compares full copies of the Registry made at different times, while the software mentioned above just monitors all accesses to the Registry in real time. So, our method allows tracking of all changes, and doesn't affect system performance.

Here is a brief list of ARM features:

http://www.devicelock.com/arm/faq.html

Make a Windows Registry Snapshot- Completely uninstall any software

Registry Watch monitors changes in the Windows Registry and the file system. Registry Watch can undo the changes for you in a flash. Compare one Registry and file system snapshot before the installation of a program to a new Registry and file system snapshot after the installation is complete. It can completely uninstall any program. 

Registry Watch can also automatically back up your Windows Registry and restore it when you need to, on any Windows platform from Win 95 to Win XP and NT to Win 2003, making it the perfect Registry backup tool for Windows NT, XP, 2000 and 2003, even if you have NTFS.

You can do either a system file snapshot or a registry snapshot, or both, giving you more control. This not only allows you to use Registry Watch as an uninstaller, but also to find changes on your system when you are not tracking a software installation. Registry Watch is a 100% complete software uninstaller.

Registry Watch has two functions. The first is to make backups of the Registry, yes, even on Windows NT, 2000 and XP; with this backup you can restore your corrupt Registry by using Registry Watch to undo all the changes since your last backup. The second is to tell you what changes were made to your Registry and file system, and if you wish you can undo all or some of the changes. You can select which files to uninstall and/or which Registry keys to uninstall.

Registry Watch takes a snapshot of the Windows Registry and then you can review any changes made in the Registry at a later time by creating a second snapshot to compare. The user has the option of comparing the entire Registry or just a single hive. The snapshot choices are HKEY_USERS, HKEY_LOCAL_MACHINE or the complete Registry which consists of both hives.

Registry Watch has the ability to undo changes using a second snapshot. Once the user creates a snapshot and compares the changes, the user may undo the changes by creating a report for viewing or undoing the changes. The user may also choose to remove some of the changes from the report before saving it, so that these removed items will not be undone later. You can even take several comparison snapshots against the original snapshot. This lets you see what changed in the Registry when installing a program, then what other changes were made when running the program, all relative to the original snapshot. You can save both reports if you like.

If you wish, Registry Watch will take you to the Registry Key you have selected in the report for viewing. Just click on "Go To Key". You can also send any line of the report to the Clipboard if you wish to copy and paste it.

The whole process, making the first snapshot - making the second snapshot to compare with - creating a report and saving the changes should take less than 60 seconds.
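The snapshot-and-compare method the tools above describe (dump, install, dump again, compare) can be reproduced over Cygwin's read-only /proc/registry view with nothing but find, sha256sum and awk; the script below is an added example written for this page, not code from any of the tools it lists. It assumes Cygwin's layout of one directory per key and one file per value, watches only the autostart keys, and takes an optional REG_ROOT variable (my addition) so the same code can be exercised against a constructed directory tree on a non-Cygwin host.

```shell
#!/bin/sh
# Added example (not from this page or any tool it lists): snapshot-and-compare
# of the registry autostart locations through Cygwin's read-only /proc/registry
# view. Assumptions: under /proc/registry each key is a directory and each value
# is a file; REG_ROOT (my addition) redirects the script to any directory tree
# with the same layout, which is how it can be tested on a non-Cygwin host.

REG_ROOT="${REG_ROOT:-/proc/registry}"

# Startup locations that installers and malware commonly write to (relative to
# REG_ROOT, one key per line; no spaces, so unquoted word splitting is safe).
RUN_KEYS="
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce
HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run
HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/RunOnce
"

# reg_snapshot OUTFILE: write one "sha256  key/path/value" line per value under
# the watched keys, sorted by path so two snapshots compare line by line.
# Keys that do not exist are skipped; unreadable values are ignored.
reg_snapshot() {
    ( cd "$REG_ROOT" || exit 1
      for key in $RUN_KEYS; do
          if [ -d "$key" ]; then
              find "$key" -type f -exec sha256sum {} + 2>/dev/null || true
          fi
      done ) | sort -b -k2 > "$1"
}

# reg_diff BEFORE AFTER: print "added"/"changed"/"removed" plus the value path
# for every difference, sorted by path; prints nothing when the snapshots match.
# Paths are taken with substr() because value names may contain spaces
# (splitting on whitespace would truncate "Run/Vendor Agent").
reg_diff() {
    [ "$1" = "$2" ] && return 0   # same file: nothing to compare
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        # FILENAME test instead of NR==FNR so an empty BEFORE file is handled
        FILENAME == ARGV[1] { old[path] = hash; next }
        {
            seen[path] = 1
            if (!(path in old))          printf "%-7s %s\n", "added", path
            else if (old[path] != hash)  printf "%-7s %s\n", "changed", path
        }
        END { for (p in old) if (!(p in seen)) printf "%-7s %s\n", "removed", p }
    ' "$1" "$2" | sort -b -k2
}

# reg_multi_sz VALUE: print a REG_MULTI_SZ value one string per line; Cygwin
# returns the strings NUL-separated, as noted in the mailing-list thread above.
reg_multi_sz() {
    tr '\0' '\n' < "$REG_ROOT/$1"
}

# Command-line use: regsnap.sh snapshot before.txt ; (install the program) ;
#                   regsnap.sh snapshot after.txt ; regsnap.sh diff before.txt after.txt
case "${1:-}" in
    snapshot) reg_snapshot "$2" ;;
    diff)     reg_diff "$2" "$3" ;;
    multi)    reg_multi_sz "$2" ;;
esac
```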

Recommended Links


Monitor Windows Registry Changes

http://www.jacobsm.com/mjsoft.htm  free MJ Registry Watcher - Version 1.2.6.9 - Last Update 26/6/2009

http://www.devicelock.com/arm/ commercial tool

Monitoring and Troubleshooting the Registry by Darren Mar-Elia


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.


Last modified: February 19, 2014