Softpanorama


Registry snapshots


Some antispyware tools (for example HijackThis) can provide a snapshot of important parts of the registry and as such are useful in a wider context. Unfortunately HijackThis cannot be used in batch mode (or at least I do not know how to use it in batch mode).

As for monitoring, periodic snapshots are generally enough (it is good practice to dump the contents of the important parts of the registry in the morning or at the end of the day; this can be a scheduled job), but there are specialized tools too.

The simplest way to save the registry is to use the Registry Editor provided with Windows. First navigate either to the top of the branch that you wish to watch, or to the "My Computer" icon for the entire registry. Right-click and choose Export. Under "Save as type", select "Win9x/NT4 Registration Files (*.reg)" and pick somewhere to save the initial version. This exports a text file with the current contents of the registry (or of the selected branch).

The Microsoft utility reg.exe can also produce such a snapshot and, unlike HijackThis, it is scriptable: you can run reg export for all major keys at boot time or from a scheduled job. The syntax is

REG EXPORT KeyName FileName

  Keyname    ROOTKEY\SubKey (local machine only)
    ROOTKEY  [ HKLM | HKCU | HKCR | HKU | HKCC ]
    SubKey   The full name of a registry key under the selected ROOTKEY
  FileName   The name of the disk file to export

For example:

reg export HKLM C:\tmp\hklm_current.reg
reg export HKCU C:\tmp\hkcu_current.reg
reg export HKCR C:\tmp\hkcr_current.reg
reg export HKU  C:\tmp\hku_current.reg
reg export HKCC C:\tmp\hkcc_current.reg

The resulting snapshots total less than 300 MB, and each major key can be compared with its previous export.

After that you can compare each file with the existing snapshot using the diff command from Cygwin or any other file comparison tool (reg export writes UTF-16 text, so convert the files with iconv first if your comparison tool does not handle that encoding), for example:

diff HKLM_old.txt HKLM_new.txt

Selected registry keys are also accessible through the Cygwin pseudo-filesystem /proc/registry.


Old News ;-)

[Sep 01, 2008] Capturing Win32 registry changes made by a software installation

I am trying to capture the registry changes made by a software installation but am not having much success. My thought was to capture the registry using Win32::TieRegistry before and after the install and compare them. But the code below says no changes were made to the registry during install (I verified that the reg keys were made).

According to the Win32::TieRegistry documentation, I can call the Flush() method to Flush "all cached information about the Registry key so that future uses will get fresh data from the Registry." But for some reason, my $LmRegAfter is the same as my $LmRegBefore. Any suggestions would be appreciated.

use strict;
use Win32::TieRegistry ( Delimiter=>"/", ArrayValues=>0 );
my %change;   # keys found after the install but not before (needed under strict)

#snapshot registry before install
my $LmRegBefore = $Registry->{"LMachine/Software/"};

#Run the installation program - much harder in real life, but this is a test script :)
my $install='path to install to run';
system($install);

#Flush the reg subkey
my $r=$Registry->{"LMachine/Software/"}->Flush();
print ("Flushing LMachine[$r]");

#snapshot registry after install
my $LmRegAfter = $Registry->{"LMachine/Software/"};

registryChanges($LmRegBefore,$LmRegAfter);

#############
sub registryChanges{
    my $regBefore=shift;
    my $regAfter=shift;
    foreach my $key (keys(%{$regAfter})){
        if(!defined $regBefore->{$key}){
            my $val=$regAfter->{$key};
            $change{$key}=$val;
            print "registryChanges[$key]=[$val]\n";
        }
    }
}
Anonymous Monk on Sep 01, 2008
Basic debugging, print the data after first registry read. Then print the data after you flush.

I think what's happening is that $LmRegBefore and $LmRegAfter get flushed (because they're the same).

tye on Sep 01, 2008

You are assuming that simply opening $LmRegBefore will cause the entire contents of that subtree to be read and cached. That would be slow and hog memory, which is why the documentation doesn't say that that happens.

massa (Hermit) on Sep 01, 2008
I think you are storing a reference to that registry, and not a "deep copy" of the contents of the registry. Try this (I can't test b/c no Win here):
  
use strict;
use Storable q(dclone);
use Win32::TieRegistry ( Delimiter=>"/", ArrayValues=>0 );

#snapshot registry before install
my $LmRegBefore = dclone $Registry->{"LMachine/Software/"};

#Run the installation program - much harder in real life, but this is a test script :)
my $install='path to install to run';
system($install);

#Flush the reg subkey
my $r=$Registry->{"LMachine/Software/"}->Flush();
print ("Flushing LMachine[$r]");

#snapshot registry after install
my $LmRegAfter = dclone $Registry->{"LMachine/Software/"};

registryChanges($LmRegBefore,$LmRegAfter);
slloyd (Hermit) on Sep 01, 2008
Great idea but it did not make any difference.


BrowserUk (Pope)

Not a Perl solution, but I highly recommend you take a look at ProcessMonitor. It's free and can do this and much, much more.



ldln (Pilgrim) on Sep 01, 2008
I would use the reg.exe tool to export the required keys before and after install, then just do a text line-by-line comparison of those two files with perl (trivial).
reg export HKLM\Software before.txt
--install program-- 
reg export HKLM\Software after.txt 

Also you might want to convert these files from utf-16 to utf-8 with iconv like this:
iconv -f utf-16 -t utf-8 before.txt > before_utf8.txt

(or do it with perl's Encode module)
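Both the article's snapshot procedure above (export each major key with reg export, then diff the files) and ldln's suggestion (export HKLM\Software before and after the install, convert from UTF-16, compare the two files) come down to the same job. The Python script below is an added example, not code from the page or from the PerlMonks thread: it reads the UTF-16LE exports that reg.exe writes, parses them by key rather than by line (so hex values wrapped over several lines are compared as one value), and reports added or removed keys and added, removed or changed values. The two snapshots are constructed inline to stand in for real before/after exports.

```python
import re

VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')  # "name"=data, or @=data for the default value

def decode_reg(data: bytes) -> str:
    """reg.exe on XP and later writes UTF-16LE with a BOM; old REGEDIT4 exports are 8-bit text."""
    return data[2:].decode("utf-16-le") if data.startswith(b"\xff\xfe") else data.decode("latin-1")

def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: data}} for one export; '@' names the key's default value."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.endswith("\\"):          # long hex(...) data is wrapped with a trailing backslash
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            keys[current]["@" if m.group(1) is None else m.group(1)] = m.group(2)
    return keys

def diff_snapshots(before: dict, after: dict) -> dict:
    """Group the differences between two parsed snapshots by kind; each list is sorted by key path."""
    rep = {"added_keys": sorted(after.keys() - before.keys()),
           "removed_keys": sorted(before.keys() - after.keys()),
           "added_values": [], "removed_values": [], "changed_values": []}
    for key in sorted(before.keys() & after.keys()):
        b, a = before[key], after[key]
        rep["added_values"] += [(key, n, a[n]) for n in sorted(a.keys() - b.keys())]
        rep["removed_values"] += [(key, n, b[n]) for n in sorted(b.keys() - a.keys())]
        rep["changed_values"] += [(key, n, b[n], a[n]) for n in sorted(b.keys() & a.keys()) if b[n] != a[n]]
    return rep

# Constructed stand-ins for the before/after output of "reg export HKLM\Software ..." (not real exports)
BEFORE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp]
"Version"="1.0"
"Blob"=hex:01,02,03,\
  04,05
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Legacy]
"Flags"=dword:00000001"""
AFTER_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp]
"Version"="1.1"
"Blob"=hex:01,02,03,\
  04,05
"InstallDir"="C:\\Program Files\\ExampleCorp"
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Run]
"Updater"="C:\\Program Files\\ExampleCorp\\upd.exe"
"""

def as_reg_bytes(text: str) -> bytes:
    """Encode the way reg.exe does: BOM, UTF-16LE, CRLF line ends."""
    return b"\xff\xfe" + text.replace("\n", "\r\n").encode("utf-16-le")

def demo() -> dict:
    """Run the comparison on the constructed snapshots (real exports: read the files in binary mode)."""
    return diff_snapshots(parse_reg(decode_reg(as_reg_bytes(BEFORE_REG))),
                          parse_reg(decode_reg(as_reg_bytes(AFTER_REG))))
```

For real files, pass the bytes of the two exports (opened in binary mode so the BOM is preserved) through decode_reg and parse_reg in place of the constructed strings.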

GrandFather (Cardinal) on Sep 01, 2008
A sanity check on the registry operations is that on typical systems they should take significant time - the registry tends to be big. If they aren't taking significant time (a few seconds at least I'd guess), then I suspect you need to manually make a deep copy of the registry structure and compare copies.

REG Command in Windows XP

Querying keys

REG query allows you to query a single key for a single value, or a range of keys for all their values. This provides you with a quick way to check whether a key has the value you think it does, or in fact whether it has any values associated with it at all:

REG QUERY KeyName [/v ValueName | /ve] [/s]

Example:

C:\WINDOWS>reg query \\srv1\hklm\software\symantec
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\symantec
HKEY_LOCAL_MACHINE\software\symantec\InstalledApps
HKEY_LOCAL_MACHINE\software\symantec\LiveUpdate
HKEY_LOCAL_MACHINE\software\symantec\NAVMSE
HKEY_LOCAL_MACHINE\software\symantec\Norton AntiVirus
HKEY_LOCAL_MACHINE\software\symantec\Norton AntiVirus NT
HKEY_LOCAL_MACHINE\software\symantec\Shared Technology
HKEY_LOCAL_MACHINE\software\symantec\SharedDefs
HKEY_LOCAL_MACHINE\software\symantec\SharedUsage
HKEY_LOCAL_MACHINE\software\symantec\Symevent

Managing the Windows Registry from the Command Prompt with Reg.exe


The command-line utility reg.exe is a powerful and versatile way to manage the Windows XP Registry. This article discusses its features and application.

Many will be familiar with the graphical interface tool regedit.exe that is available for editing the Windows Registry. Less familiar, however, is the command-line utility reg.exe that also comes with Windows XP. This accessory will do anything that regedit.exe can do and has the additional facility of being directly usable in scripts. It is a common tool for system administrators with many computers to manage but can also be useful to the more experienced home PC user. I will discuss some aspects that may be of interest to this latter group. More details can be found at this Microsoft site. There is also information in the Windows XP Help and Support Center.

Registry editing is not for everybody but it is not as fearsome an operation as it is sometimes made out to be. Just be sure to follow the iron-clad rule to back up the Registry first before editing. There are many useful tweaks that involve a simple Registry edit and reg.exe provides a way that is simpler and safer in some ways than Regedit. It also provides a way to back up keys or entire hives of the Registry into files that can be stored off the main drive.

Like some other command-line utilities, the reg command is a shell or console that has its own set of sub-commands. A complete command consists of reg subcommand variables. Table I lists these subcommands, and some are discussed in more detail in the sections that follow. The commands can be carried out on remote networked computers as well as the local computer, but I will confine the discussion to operations involving just the local computer.

Table I. Subcommands for reg.exe

Subcommand   Function
add          Adds a new subkey or entry to the registry
delete       Deletes a subkey or entries from the registry
query        Displays the data in a subkey or a value
compare      Compares specified registry subkeys or entries
copy         Copies a subkey to another subkey
save         Saves a copy of specified subkeys, entries, and values of the registry in hive (binary) format
restore      Writes saved subkeys and entries in hive format back to the registry
load         Writes saved subkeys and entries in hive format back to a different subkey
unload       Removes a section of the registry that was loaded using reg load
export       Creates a copy of specified subkeys, entries, and values into a file in REG (text) format
import       Merges a REG file containing exported registry subkeys, entries, and values into the registry


Track file and registry changes made by an application installation

Though there are several third-party utilities which can capture registry changes, and others which can capture file system changes, System Mechanic from www.iolo.com is impressive. It is a complete system maintenance tool which includes a registry cleaner, a duplicate file finder, Safe Installer (discussed below) and many more tools.

Safe Installer is a feature with which you can track the file and registry changes made by an application installation. First it takes a pre-installation snapshot of the registry and file system, then it launches the setup program that you specify. Once the installation is done, the post-setup snapshot is generated. Finally, the pre-setup and post-setup snapshots are compared automatically and the output is written as a TXT file, which you can open in Notepad.

Launch System Mechanic. From the System tab, click the Safe Installer button.

Type a report description and then choose the setup file for the application which you want to install.

Click Next and choose the drive letters you wish to monitor. Click Next, Next and type the report file name and location.

From the Snapshot tab, click Start. The current registry and file structure are now stored in a pre-setup snapshot.

Once completed, run the setup program for the application which you want to install.

After installation is complete, click the Done: Report button. This launches the post-setup snapshot. The final result is the comparison report, which contains all the additional registry entries and the files modified by the application installer.

Open the report in Notepad to view the list of changes made to your system.

Capturing Win32 registry changes made by a software installation

WhatChanged is a system utility that scans for modified files and registry entries. It is useful for checking program installations. There are two steps for using WhatChanged:

1) First, take a snapshot to get the current state of the computer;
2) Second, run it again to check the differences since the previous snapshot.

WhatChanged uses the "brute force method" to check files and the registry.

* v1.07 update includes speed enhancements for better performance.

Author: Vista Software, Inc.
Date: 2011-07-30
Size: 96 KB
License: Freeware
Requires: Win XP/2003/08/Vista/Windows7

Reg add

This command is used to add keys and values to the Registry. The syntax is given by

REG ADD KeyName [/v ValueName | /ve] [/t Type] [/s Separator] [/d Data] [/f]

Table II explains the entries.

Table II. Parameters in REG ADD command

Parameter      Description
KeyName        Complete Registry key name. Uses abbreviations HKCR, HKCU, HKLM, and HKU for root keys
/v ValueName   Adds or changes a value
/ve            Changes a key's default value
/t Type        The type of value: REG_BINARY, REG_DWORD, REG_SZ, REG_MULTI_SZ, etc. The default is REG_SZ
/s Separator   Specifies the character used to separate strings in REG_MULTI_SZ entries. The default is \0
/d Data        The data to assign to a value
/f             Forces overwriting of existing values without prompting

REG ADD provides a quick and simple method for adding new keys to the Registry or modifying old ones. As an example, let's look at how to add the subkey "HackersAreUs" to the Local Machine Software key. The command would be

REG ADD HKLM\Software\HackersAreUs

Now let's add a value named "Stuff" and make it a binary entry with data "0001". The command would be

REG ADD HKLM\Software\HackersAreUs /v Stuff /t REG_BINARY /d 0001

The two commands could have been executed as a single command but I have split them to make the process clearer. I have used upper case for REG ADD but that is for clarity and is not required.

Reg delete

Keys and values can be deleted in a similar but somewhat simpler fashion. The syntax is

REG DELETE KeyName [/v ValueName | /ve | /va] [/f]

Table III describes the parameters.

Table III. Parameters in REG DELETE command

Parameter      Description
KeyName        Complete Registry key name. Uses abbreviations HKCR, HKCU, HKLM, and HKU for root keys
/v ValueName   Deletes a value
/ve            Deletes a key's default value
/va            Deletes all values from a key
/f             Forces deletion without prompting



Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Last modified: September, 12, 2017