Despite the fact that the Windows registry system is one of the most important components in the operating system, Windows doesn’t offer an appropriate useful tool to us to manage it efficiently. The lack of the tracking and monitoring capability to the registry repository has been one of my frustrations when it comes to computer troubleshooting. There are just so many occasions where being able to monitoring what’s been changed to the registry could make my life a lot easier.
Until Microsoft puts a nice tool that does the registry tracking or monitoring for us, here are a few ways we can do at the moment.
Regshot is an open-source registry comparing utility that allows you to quickly take a snapshot of your registry and the compare it with a second one after a system change or software installation.
Take the 1st shot when you know your computer is in good shape and save the result for 2nd shot to compare. The 1st shot result can be loaded later on at any time you run the utility again. Once the 2nd shot done, the Compare button will become available for comparison.
Regshot works on both 32-bit and 64-bit Windows and snapshots not only the registry but the Windows directories as well.
Similar to Regshot, WhatChanged also scans for modified files and registry entries. There are 2 steps for using the utility, first to take a snapshot as the baseline state and then take another one for comparing. The baseline snapshot is automatically saved in the same directory as the executable utility so you can close the utility and run it at anytime later on.
Reg and FC
The command Reg is the built-in command line from Windows for registry but you can’t use it directly for monitoring or tracking purpose. What you can do is to use it to export all the important keys you want to monitor to a text file when the system runs in good condition and export them again after a system change or software installation. And then compare them with the File Compare command line fc.exe.
fc 1st.reg 2nd.reg > result.txt
Running the above command will compare the 1st.reg with 2nd.reg and save the changes into the result.txt file in the same directory.
And of course, you can also export keys from Regedit as well and compare them using fc.exe command.
If you need to monitor the registry changes made by a specific running application, NirSoft’s RegFromApp is the one you are looking for. It monitors the changes and creates a standard RedEdit registry file that contains all the registry changes made by the selected application. It’s free and portable, works on all Windows platforms. There is a separated version for x64 applications.
Process Monitor by Sysinternals
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more.
If you are looking for a true real-time registry monitor, Process Monitor is your choice.