Recipe 9.13. Viewing Processes That Have a Registry Key Open

Problem

You want to view the processes that have a registry key open. If a process has a key open, you may not be able to modify or delete that key or its values.

Solution

Using a graphical user interface

Open the Sysinternals Registry Monitor (regmon.exe) tool. By default, the Registry Monitor shows all processes that have a handle to a registry key or value. You have two options for finding a specific key or value:

  • From the menu, select Edit → Find, enter the key or value you want to find, and make sure Direction is selected correctly (Down is selected by default, but you can search Up if you want to).

  • The second option is to filter the output. Select Options → Filter/Highlight and, in the Include text box, enter the key or value you want to view. Click OK and then Yes to confirm.

You can also use the Sysinternals Process Explorer (procexp.exe) tool to search for registry handles.

Using a command-line interface

With the Sysinternals handle command, you can find a process that has a registry key open. Simply specify the -a switch and some part of the key path or value name you want to search on. Since the search is fuzzy, there is a chance it might match things other than registry access (e.g., an open file), but if your search string is specific enough, you should be able to narrow it down. For example, the following command finds all processes that have a handle to something containing RunOnce in the name (often a registry key):

> handle -a RunOnce

You can also use handle to view all processes that are accessing a key under HKLM\Software:

> handle -a HKLM\Software
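
Because the search is fuzzy, it helps to keep only the matches whose handle type is a registry key. The PowerShell function below is an added example, not code from the book or from Sysinternals: the name Select-RegistryHandle and the sample lines are constructed, and the line layout "image pid: N type: T handle: name" is assumed from recent handle versions.

```powershell
function Select-RegistryHandle {
    # Reads lines of `handle -a <text>` output from the pipeline and emits
    # one object per match whose handle type is Key (a registry key).
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string]$Line
    )
    begin {
        # Assumed layout: <image> pid: <n> type: <type> <hex handle>: <name>
        $pattern = '^(?<Image>\S.*?)\s+pid:\s+(?<ProcessId>\d+)\s+' +
                   'type:\s+(?<Type>\S+)\s+(?<Handle>[0-9A-Fa-f]+):\s+(?<Name>.+)$'
    }
    process {
        # Banner lines, blank lines and non-registry handles fall through.
        if ($Line -match $pattern -and $Matches.Type -eq 'Key') {
            [pscustomobject]@{
                Image     = $Matches.Image
                ProcessId = [int]$Matches.ProcessId
                Handle    = $Matches.Handle
                KeyPath   = $Matches.Name.Trim()
            }
        }
    }
}

# Constructed sample output: two registry keys and one file that also
# contains "RunOnce" in its name (the false positive the recipe warns about).
$sample = @'

explorer.exe       pid: 4120   type: Key            2A8: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
setup.exe          pid: 5312   type: File           1F4: C:\Temp\RunOnce.log
svchost.exe        pid: 1016   type: Key            3B0: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
'@ -split "`r?`n"

# Only the explorer.exe and svchost.exe rows are returned.
$sample | Select-RegistryHandle | Sort-Object ProcessId | Format-Table -AutoSize

# Live use (handle.exe on the PATH, elevated prompt):
# handle -a RunOnce | Select-RegistryHandle
```

The resulting objects carry the process ID, so they can be passed to Get-Process to see which service or application is holding the key before you try to modify or delete it.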



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen