Monitoring the Registry

Monitoring the registry for changes is different from comparing snapshots in that you're watching registry access as it happens. Thus, you can change a setting in the user interface and then look at the monitor to see what value Windows XP wrote to the registry. I tend to monitor the registry instead of comparing snapshots when I'm looking for a large number of settings. When doing this, it's helpful to keep the noise down to a minimum. I'll show you how to reduce the noise in the section "Filtering for Better Results," later in this chapter.

My favorite monitoring tool is Regmon from Winternals. You can download a freeware version of this tool from http://www.sysinternals.com. Regmon Enterprise Edition is available at http://www.winternals.com and is inexpensive. The difference between the two is that the enterprise edition enables you to monitor a remote registry, which makes the process a little easier if you can work on one computer and see the results on a different computer. Although the freeware version of Regmon contains all the enterprise edition's other features, I purchased and use Regmon Enterprise Edition for the convenience of remote monitoring.

Download either version of Regmon. The freeware version doesn't have a setup program, so you just run it from the directory in which you unzip it. Regmon Enterprise Edition comes with a setup program that adds a shortcut for Regmon to the Start menu. The following sections show you how to use this hot product.

Using Winternals Regmon

Figure 8-5 shows the freeware version of Regmon. Every time Windows XP or programs access the registry, Regmon adds a row to the window. The first two columns are a line number and time. The next column displays the name of the process that accessed the registry, which is usually the program's file name. Next you see the type of access, followed by the path and result. The last column gives you additional information, such as the contents of a value. The most interesting information here is the type of access, the path of the key, and the Other column. Any time a column is too narrow to display the entire contents of a row, you can point to the data, and Regmon displays its full contents in a balloon. Nifty.

Figure 8-5: Regmon's window quickly fills up with uninteresting information. This is Regmon's window seconds after starting it.

Two columns, Request and Other, need more attention. Request tells you what Windows XP or a program was trying to do. The requests you see in the Request column are different registry application programming interface (API) functions and are shown in Table 8-1. The most interesting type of request is SetValue, of course. The Other column contains a variety of information, depending on the type of request. Again, see Table 8-1. For example, if the request is QueryValue, the Other column contains the data in the value. If the request is OpenKey, the Other column contains the key's handle.

Table 8-1: Regmon Request Types and Data

Request type      Data in the Other column
CloseKey          Handle of closed key
CreateKey         Handle of new key
CreateKeyEx       Handle of new key
DeleteKey         None
DeleteValue       None
DeleteValueKey    None
EnumerateKey      Name of next subkey
EnumKeyEx         Name of next subkey
EnumerateValue    None
FlushKey          None
OpenKey           Handle of open key
OpenKeyEx         Handle of open key
QueryKey          Name of key
QueryValue        Value's data
QueryValueEx      Value's data
SetValue          Data stored in value
SetValueEx        Data stored in value

Filtering for Better Results

If you start Regmon and change some settings in the Windows XP user interface, you won't have a lot of luck sifting through Regmon's output to find the setting. For example, opening Windows Explorer accesses the registry about 5,000 times. Clicking Options on Windows Explorer's Tools menu accesses the registry a few hundred times. Sorting through all that output isn't practical. Your experience improves dramatically if you learn how to use filtering.

The first thing you can do, particularly if you're interested in finding the value in which Windows XP stores a setting, is filter out everything but write requests. On Regmon's Edit menu, click Filter/Highlight. Then clear all the check boxes except Log Successes and Log Writes. Regmon will report only successful writes to the registry. This alone significantly reduces the amount of output you see. Get more specific, though, and Regmon will all but hand you the setting for which you're looking. The asterisk (*) in the Include box is a wildcard that matches everything; this is the default filter.

To get more specific, limit Regmon to certain processes. For example, if you're searching for a setting in Windows Explorer, look only for registry access by the process explorer.exe. If you're searching for settings in Tweak UI, look only for registry access by the process Tweakui.exe. On Regmon's Edit menu, click Filter/Highlight. In the Include box, type the name of the process you want Regmon to display in the window. Include multiple processes separated by a semicolon. The easiest way to figure out the name of a process is to look in Windows Task Manager. Press Ctrl+Shift+Esc, and then look on the Processes tab. If in doubt, you can also look in Regmon's output for the process name, which is how I usually find it. You might see the process Rundll32.exe. This is a special program that executes APIs in Dynamic Link Libraries (DLLs). Because you might have many different instances of this process running at any time, filtering on this process is more difficult.

My last tip for how you can limit the output of Regmon is to filter for specific keys. If you have general knowledge of where Windows XP stores a setting in the registry, filter the output to display only lines that contain that key. For example, if you know that a setting is somewhere in HKLM\SOFTWARE\Microsoft, filter Regmon's output so it shows only SetValue requests on that key. You'll see very little output in Regmon's window when you change that value in the user interface, and one of the lines is likely to be the value for which you're searching.

Tip

You can combine subkeys and process names in your filter. Separate each with a semicolon. Regmon compares your criteria to all the columns you see in the window, so you can filter multiple columns at one time. You can filter results by process, request type, and key at the same time, for instance.
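To make the filtering rules concrete, here is an added example (not code from the book or from Regmon) that applies the same kind of filter to a Regmon-style log: four check boxes (successes, errors, reads, writes) plus semicolon-separated Include and Exclude lists that are compared against every column. The log lines are constructed to mimic Regmon's seven columns (#, Time, Process, Request, Path, Result, Other), the handle values are made up, and the exact matching rules (case-insensitive substring match, the set of request types counted as writes) are my approximation of the dialog's behaviour, not Regmon's source.

```python
"""Regmon-style filtering over a constructed log (added illustration)."""
from dataclasses import dataclass
from typing import List

# Request types treated as writes here (the writing requests of Table 8-1;
# assumption: FlushKey is not counted as a write).
WRITE_REQUESTS = {
    "CreateKey", "CreateKeyEx", "DeleteKey", "DeleteValue",
    "DeleteValueKey", "SetValue", "SetValueEx",
}


@dataclass
class Entry:
    seq: int
    time: str
    process: str
    request: str
    path: str
    result: str
    other: str


# Constructed sample: an Explorer Folder Options change (Hidden), a Tweak UI
# change (ShowSuperHidden) and unrelated background activity. Handles are fake.
_ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SAMPLE_ROWS = [
    ("1", "10:01:02", "explorer.exe", "OpenKeyEx", _ADV, "SUCCESS", "Key: 0xE1A2B3C4"),
    ("2", "10:01:02", "explorer.exe", "QueryValueEx", _ADV + r"\Hidden", "SUCCESS", "2"),
    ("3", "10:01:03", "explorer.exe", "SetValueEx", _ADV + r"\Hidden", "SUCCESS", "1"),
    ("4", "10:01:03", "explorer.exe", "CloseKey", _ADV, "SUCCESS", "Key: 0xE1A2B3C4"),
    ("5", "10:01:04", "Tweakui.exe", "SetValueEx", _ADV + r"\ShowSuperHidden", "SUCCESS", "1"),
    ("6", "10:01:05", "svchost.exe", "QueryValueEx",
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ExampleValue", "NOTFOUND", ""),
    ("7", "10:01:05", "spoolsv.exe", "SetValueEx",
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\ExampleStatus", "SUCCESS", "0"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)


def parse_log(text: str) -> List[Entry]:
    """Parse tab-separated Regmon-style lines; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        seq, time, proc, req, path, result, other = parts
        entries.append(Entry(int(seq), time, proc, req, path, result, other))
    return entries


def _split_patterns(spec: str) -> List[str]:
    """Semicolon-separated criteria, as typed into the Include/Exclude boxes."""
    return [p.strip().lower() for p in spec.split(";") if p.strip()]


def _matches_any(entry: Entry, patterns: List[str]) -> bool:
    # Criteria are compared against every displayed column, so one pattern can
    # hit a process name, a request type, a result or part of a key path.
    cols = [c.lower() for c in
            (entry.process, entry.request, entry.path, entry.result, entry.other)]
    return any(p == "*" or any(p in c for c in cols) for p in patterns)


def regmon_filter(entries, include="*", exclude="", log_successes=True,
                  log_errors=True, log_reads=True, log_writes=True):
    """Keep entries that pass the four check boxes and the Include/Exclude lists."""
    inc = _split_patterns(include) or ["*"]   # empty Include box behaves like '*'
    exc = _split_patterns(exclude)
    kept = []
    for e in entries:
        is_write = e.request in WRITE_REQUESTS
        if (is_write and not log_writes) or (not is_write and not log_reads):
            continue
        ok = e.result == "SUCCESS"
        if (ok and not log_successes) or (not ok and not log_errors):
            continue
        if not _matches_any(e, inc):
            continue
        if exc and _matches_any(e, exc):
            continue
        kept.append(e)
    return kept


def successful_writes(entries, include="*"):
    """The recipe from the text: only Log Successes and Log Writes checked,
    optionally narrowed by an Include list of processes and/or keys."""
    return regmon_filter(entries, include=include, log_errors=False, log_reads=False)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in successful_writes(log, include="explorer.exe;Tweakui.exe"):
        print(e.seq, e.process, e.request, e.path, e.other)
```

Running it with the Include list `explorer.exe;Tweakui.exe` leaves two lines, the SetValueEx on Hidden and the one on ShowSuperHidden, which is exactly the effect the text describes: a few hundred accesses collapse to the one or two values you were looking for. Narrowing by key instead (for example `HKLM\SOFTWARE\Microsoft`) keeps only the spooler's write, because criteria are matched against the Path column as readily as against Process.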



Microsoft Windows XP Registry Guide
Microsoft Windows XP Registry Guide (Bpg-Other)
ISBN: 0735617880
Year: 2005
Pages: 185
