All I want to do is: make a copy of the registry, install a program, make
another copy of the registry, and compare to see the changes.
Monitoring what happens in the registry can sometimes be a very useful
I think that in general, you’ll be very surprised at how much activity
happens in the registry, particularly for an install.
There are a couple of ways to do what you’re suggesting: comparing before
and after snapshots of the registry and monitoring the changes as they
I’ll discuss both.
Comparing Registry Snapshots
Before you run the installation program, run the Registry Editor. Use the
Run item on the Start menu, or press the Windows key plus the letter R, and
then type in “regedit” and click OK.
Make sure that the top-level item – “Computer” – is selected, as shown
above. Just click it once.
Now click File, and then Export…
In this Save As dialog box, give the file a name. In the example above,
I’ve named it “before” and the file saved will be “before.reg.”
This will export the entire registry.
Leave the Registry Editor open.
Run your install.
Once the install has completed, repeat the File,
Export…, but this time, give the export file a new name.
Perhaps “after.reg” might be appropriate.
You can now compare the two (Unicode text) files. There are various
file-difference tools available. I’m partial to the free, open source WinMerge.
Using WinMerge, you can view the before and after registry dumps side by
side to see exactly what’s changed:
The registry is large and complex, so expect to spend some time here if
you really want to review all of the differences. As I said, I expect you’ll be
surprised by how many changes there are as a result of the install.
Also, be aware that other registry activity may have occurred during the
install. Naturally, you’ll want to have as little software running as
possible when you do this, but even then, Windows itself may sneak in an
unrelated change or two.
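As an added example (mine, not from the article, and not part of regedit or WinMerge), here is a small Python script that parses two regedit exports such as the “before.reg” and “after.reg” above into key/value maps and reports only the keys and values that differ, which is easier to review than a raw line diff of a multi-megabyte file. The sample exports, vendor name and paths in it are constructed placeholders; regedit writes its exports as UTF-16 text, which `load_reg()` assumes.

```python
"""Structured comparison of two regedit .reg exports (added example, not from
the article).  Parses each export into key -> {value name: raw data} and
reports added/removed keys and added/removed/changed values."""
from typing import Dict, List

RegTree = Dict[str, Dict[str, str]]  # key path -> {value name -> raw data text}

# Constructed sample exports; vendor, app and paths are placeholders.
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\ExampleVendor]
"Telemetry"=dword:00000001
"""

AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"ExampleAppUpdater"="C:\\Program Files\\ExampleApp\\updater.exe /background"

[HKEY_CURRENT_USER\Software\ExampleVendor]
"Telemetry"=dword:00000000

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
@="1.0.0"
"InstallDir"="C:\\Program Files\\ExampleApp"
"LicenseBlob"=hex:01,02,03,04,\
  05,06
"""


def parse_reg(text: str) -> RegTree:
    """Parse .reg export text.  Handles [key] headers, "name"=data lines,
    the @ default value, and hex data continued over lines with a trailing \\."""
    tree: RegTree = {}
    current = None
    pending = ""  # accumulates a value line that was continued with a backslash
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.endswith("\\"):          # continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        tree[current][name] = data
    return tree


def load_reg(path: str) -> RegTree:
    """Read an export from disk; regedit writes UTF-16 LE with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def diff_reg(before: RegTree, after: RegTree) -> Dict[str, list]:
    """Return added/removed keys and added/removed/changed values.
    Values inside a brand-new key are reported once under added_keys."""
    rep: Dict[str, list] = {"added_keys": [], "removed_keys": [], "added_values": [],
                            "removed_values": [], "changed_values": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            rep["added_keys"].append(key)
            continue
        if key not in after:
            rep["removed_keys"].append(key)
            continue
        b, a = before[key], after[key]
        for name in sorted(set(b) | set(a)):
            if name not in b:
                rep["added_values"].append((key, name, a[name]))
            elif name not in a:
                rep["removed_values"].append((key, name, b[name]))
            elif a[name] != b[name]:
                rep["changed_values"].append((key, name, b[name], a[name]))
    return rep


def format_report(rep: Dict[str, list]) -> List[str]:
    """Render the diff as one line per change, prefixed +, - or ~."""
    out = [f"+ key   {k}" for k in rep["added_keys"]]
    out += [f"- key   {k}" for k in rep["removed_keys"]]
    out += [f"+ value {k}\\{n} = {d}" for k, n, d in rep["added_values"]]
    out += [f"- value {k}\\{n} = {d}" for k, n, d in rep["removed_values"]]
    out += [f"~ value {k}\\{n}: {o} -> {w}" for k, n, o, w in rep["changed_values"]]
    return out


if __name__ == "__main__":
    for line in format_report(diff_reg(parse_reg(BEFORE_REG), parse_reg(AFTER_REG))):
        print(line)
```

On real exports, run `diff_reg(load_reg("before.reg"), load_reg("after.reg"))`. Changes Windows itself made during the install still show up in the output, so the key paths deserve the same scrutiny the article recommends; an autostart entry appearing under a Run key, as in the sample, is the kind of change worth noticing.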
Monitoring registry activity
Download the program Process Monitor from Microsoft (do not confuse this with Process
Explorer, a different program).
Run Process Monitor (procmon). It will begin monitoring right away.
Run your install.
As soon as your installation is done, switch back to Process Monitor and
press Ctrl+E to stop monitoring.
Click the Filter menu and then the
Filter… menu item.
Process Monitor has a default filter that excludes things, such as
displaying events related to itself. We’re going to add a filter to narrow
down the information that it displays.
In this example, I’ve selected Operation, “begins with,” and “Reg.” All
registry related operations begin with the letters “Reg,” so this will
display only registry related operations.
Click Add to add the filter, and then OK
to update the display.
What you’ll find is … well, a lot of registry operations. The registry
is constantly in use even when you’re doing nothing. In the few minutes that it
took for me to start Process Monitor, run the install, and press Ctrl+E to stop
monitoring, almost 400,000 registry events were collected.
There are ways to narrow this down some more, but each has its drawbacks,
depending on your situation.
Rather than looking for all registry events, you can set the filter to
look only at specific events – perhaps specific registry events like
RegCreateKey, which is used to create new registry entries. However, not
knowing exactly how the setup program operates, you’ll need to
include all Registry operations in your filter that might possibly affect the
contents of the registry. I count seven such operations (RegCreateKey,
RegDeleteKey, RegDeleteValue, RegRenameKey, RegSetInfoKey, RegSetKeySecurity,
RegSetValue). There are probably things I’ve overlooked. Even narrowing the
scope to only registry altering operations, you still will see activity from
other applications and Windows, even though not directly involved in the
You could only look at activity from a specific process. In my case (I was
installing the FTP program “CyberDuck”), the installer process was
Cyberduck-installer-4.2.1.exe. The risk here is that many installers hand
off their work to other processes – some their own, and often Windows’ own
installer, msiexec.exe. You’ll need to watch for that and include those processes in
your filter as well.
You can combine the two approaches, looking for specific registry events
from specific programs.
You can use something else. Process Monitor has something like 26
different “things” that it can look for (“Operation” is just one), and each can be
restricted to different values in various ways.
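To make the filtering discussion concrete, here is an added Python example (mine, not the article’s, and not part of Process Monitor) that reads a Process Monitor CSV export (File, Save…, CSV format) and keeps only successful registry-altering operations, the same seven operations listed above, optionally restricted to named processes. It also reports which processes outside your filter wrote to the registry, which is how the msiexec.exe hand-off shows up. It assumes procmon’s default CSV columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and that a RegCreateKey on an already existing key carries “Disposition: REG_OPENED_EXISTING_KEY” in the Detail column; the log lines, process names and key paths are constructed placeholders.

```python
"""Reduce a Process Monitor CSV export to successful registry writes (added
example, not from the article).  Column names follow procmon's default CSV
export; adjust them if your export differs."""
import csv
import io
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# The seven registry-altering operations the article lists.
REG_WRITE_OPS = {
    "RegCreateKey", "RegDeleteKey", "RegDeleteValue", "RegRenameKey",
    "RegSetInfoKey", "RegSetKeySecurity", "RegSetValue",
}

# Constructed sample export: an installer, the msiexec.exe it hands off to,
# and unrelated background noise from svchost.exe and explorer.exe.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0010000 AM","ExampleApp-Setup.exe","4120","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion","SUCCESS","Desired Access: Read"
"10:02:11.0020000 AM","ExampleApp-Setup.exe","4120","RegCreateKey","HKCU\Software\ExampleVendor\ExampleApp","SUCCESS","Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY"
"10:02:11.0030000 AM","ExampleApp-Setup.exe","4120","RegSetValue","HKCU\Software\ExampleVendor\ExampleApp\InstallDir","SUCCESS","Type: REG_SZ, Length: 52, Data: C:\Program Files\ExampleApp"
"10:02:11.0040000 AM","ExampleApp-Setup.exe","4120","RegCreateKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: All Access, Disposition: REG_OPENED_EXISTING_KEY"
"10:02:11.0050000 AM","ExampleApp-Setup.exe","4120","RegSetValue","HKLM\SOFTWARE\ExampleVendor\Global","ACCESS DENIED","Type: REG_SZ, Length: 8, Data: yes"
"10:02:12.0000000 AM","msiexec.exe","5208","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleAppUpdater","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\Program Files\ExampleApp\updater.exe /background"
"10:02:12.0010000 AM","msiexec.exe","5208","RegQueryValue","HKLM\SOFTWARE\ExampleVendor\Global\Version","NAME NOT FOUND","Length: 144"
"10:02:13.0000000 AM","svchost.exe","1188","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000}\LeaseObtainedTime","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1700000000"
"10:02:14.0000000 AM","explorer.exe","3020","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
'''

Event = Dict[str, str]


def parse_procmon_csv(text: str) -> List[Event]:
    """One dict per event, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def load_procmon_csv(path: str) -> List[Event]:
    """Read an export from disk (utf-8-sig tolerates a BOM if present)."""
    with open(path, encoding="utf-8-sig", newline="") as fh:
        return parse_procmon_csv(fh.read())


def registry_writes(events: Iterable[Event], processes: Optional[Set[str]] = None,
                    include_failed: bool = False) -> List[Event]:
    """Keep registry-altering operations; by default only successful ones
    (a failed write changed nothing) and only RegCreateKey calls that
    actually created a key rather than opened an existing one."""
    kept = []
    for ev in events:
        op = ev["Operation"]
        if op not in REG_WRITE_OPS:
            continue
        if processes is not None and ev["Process Name"] not in processes:
            continue
        if not include_failed and ev["Result"] != "SUCCESS":
            continue
        if op == "RegCreateKey" and "REG_OPENED_EXISTING_KEY" in ev.get("Detail", ""):
            continue
        kept.append(ev)
    return kept


def writes_by_process(events: Iterable[Event]) -> Dict[str, int]:
    """Count of kept write events per process name."""
    return dict(Counter(ev["Process Name"] for ev in events))


def unfiltered_writers(events: Iterable[Event], processes: Set[str]) -> Set[str]:
    """Processes outside your filter that still wrote to the registry: the
    installer's helper processes (msiexec.exe here) and background noise."""
    return {ev["Process Name"] for ev in registry_writes(events)} - processes


if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_CSV)
    mine = {"ExampleApp-Setup.exe"}
    for ev in registry_writes(events, processes=mine):
        print(f'{ev["Process Name"]:22} {ev["Operation"]:18} {ev["Path"]}')
    print("also wrote:", sorted(unfiltered_writers(events, mine)))
    print(writes_by_process(registry_writes(events)))
```

Run against a real trace with `load_procmon_csv("install.csv")`. The `unfiltered_writers` output is the check to do before trusting a process-name filter: if it lists msiexec.exe or another helper the installer launched, add it to the set; if it lists only Windows services you did not touch, that is the unrelated background activity the article warns about.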
I’m not including specific examples for these cases because, as I said,
what’s needed really varies dramatically on what you’re installing and how it
And, to be completely honest, this approach to using Process Monitor is
somewhat technical and best experimented with on your own if you are
Particularly since, as it turns out, the information that you’ll be
looking at is going to require some level of skill to understand as well.
3 comments on “How do I monitor what changes in my registry?”
I use Win Patrol, it does a good job of detecting any registry changes, and gives you the opportunity to allow them or not.
I use Tiny Watcher on Windows XP from http://kubicle.dcmembers.com/watcher/, which as far as I can tell will work all the way through Vista. I found conflicting reports about its use in Windows 7, and have no idea how Windows 8 maintains a registry. I run the Logon command each time I reboot, and the Quick after each install. I like the log so I can go back and look at changes over time. I also run the Deep scan once a week just for S&G’s. I loaded them into batch files and rename the log with a timestamp after each scan so the log does not get so long and unwieldy. I like Tiny Watcher because it does not have to run all the time, but due to this, it will not flag changes in real time, only after the fact like a registry comparison. It also monitors C:\, C:\Windows, and C:\Windows\system32\ and can monitor custom folders.
I often used WhatChanged on XP. Have yet to try it on Win7. You’ll find it on this page: http://www.vtaskstudio.com/support.php
To minimize unwanted recording of changes, close all running programs and other background services not involved in running your system, including AV etc.
I usually disconnect from the internet while taking the snapshots before and after the (test)program’s install.
I’ve also used it to detect what malware does when it’s installed, but for this I use a minimal setup of the OS and run it in a VM.