Monitor Windows Registry Changes

There are many occasions when you may want to monitor changes that are occurring to the Windows registry.

In this article we will focus on two popular methods used to do just this.

Comparing the Registry Using WinDiff.exe

The most popular way to compare a copy of the Registry against another copy is to use the Microsoft utility WinDiff, available as part of the Windows 2003 Support Tools (32-bit only). It is available for download here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

You will need to:

1) Use the Registry editor (regedit.exe) to Export a copy of the entire Registry (or a particular branch of it) to your hard drive and name it before.reg. Then, after any changes have been made to the Registry (perhaps by installing some new software), export a new copy of the Registry named after.reg to that same location.

2) Now use the WinDiff utility to load and compare both versions. If you used the default installation for the Windows 2003 Support Tools pack, windiff.exe will be in: C:\Program Files\Support Tools\

Note:
This utility is not officially supported under Windows Vista and Windows 7, but does appear to work OK according to many support forum postings.

WinDiff is a technical utility and it can be a little difficult for the novice to interpret the results. You could always use Microsoft Word to compare the two files instead, BUT make sure you turn off grammar/spelling checking and open after.reg FIRST.

You could also use an inexpensive 3rd party utility like RegSnap (Windows XP only).
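As an added example (not code from this article, WinDiff or RegSnap), the following Python script performs the before.reg/after.reg comparison from the steps above without WinDiff: it parses both exports and lists only the keys and values that differ, which is usually the interesting part after installing software. The two embedded exports are constructed samples, and real .reg files should be opened with encoding="utf-16".

```python
import re
KEY_RE = re.compile(r"^\[(.+)\]$")                               # [HKEY_...\Sub\Key]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')      # "name"=data or @=data

def parse_reg(text):
    """Parse a regedit export into {key: {value_name: raw_data}}; the default value is "@"."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # regedit wraps long hex data with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if key := KEY_RE.match(line):
            current = key.group(1)
            keys.setdefault(current, {})
        elif (value := VALUE_RE.match(line)) and current is not None:
            keys[current]["@" if value.group(1) is None else value.group(1)] = value.group(2)
    return keys                          # header, comment and blank lines match neither pattern

def diff_reg(before_text, after_text):
    """Return sorted (change, key, value_name, old, new) tuples: a differences-only view."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    changes = []
    for key in sorted(set(before) | set(after)):
        if (key in before) != (key in after):
            changes.append(("key added" if key in after else "key removed", key, None, None, None))
        old_vals, new_vals = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old_vals) | set(new_vals)):
            old, new = old_vals.get(name), new_vals.get(name)
            if old != new:
                kind = "value added" if old is None else "value removed" if new is None else "value changed"
                changes.append((kind, key, name, old, new))
    return changes

# Constructed sample exports (real .reg files are UTF-16LE: open them with encoding="utf-16").
BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ExampleCo]
"Version"="1.0"
"Blob"=hex:01,02,\
  03,04
"""
AFTER = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ExampleCo]
"Version"="1.1"
"Blob"=hex:01,02,\
  03,05
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleCoUpdater"="C:\\Program Files\\ExampleCo\\updater.exe"
"""
print(*diff_reg(BEFORE, AFTER), sep="\n")
```

A new value under a Run key, as in the constructed sample, is exactly the kind of change worth reviewing after an install, since anything listed there starts with the user's session.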

Reg.exe

Another support tool for Windows XP/Vista/7 users is the Reg.exe command line utility. It comes with the following built-in functions: QUERY / ADD / DELETE / COPY / SAVE / LOAD / UNLOAD / RESTORE / COMPARE / EXPORT / IMPORT

Using the COMPARE option does have one limitation, however: it can only compare Registry keys/subkeys, not the entire registry or an exported copy. That said, every Windows support technician should be aware of this Windows Registry utility!

The correct order of syntax when using this command line utility is:

REG COMPARE KeyName1 KeyName2 [/v ValueName | /ve] [Output] [/s]

...and the following are the various parameters and switches that can be used:

KeyName Specifies the full path of the subkey. For remote computers, include the computer name before the path of the subkey in the \\ComputerName\PathtoSubkey format. Omitting ComputerName causes the operation to default to the local computer. Start the path with the appropriate subtree. The valid subtrees are HKLM, HKCU, HKCR, HKU, and HKCC. If a remote computer is specified, you can use the HKLM and HKU subtrees only.
SubKey The full name of a registry key under the selected ROOTKEY.
ValueName The value name, under the selected Key, to compare (when omitted, all values under the Key are compared).

/ve   Compare the value of the empty value name (the key's default value).
/s   Compare all subkeys and values.

Output [/oa | /od | /os | /on] (When omitted, output only differences)

/oa  Specifies that all differences and matches are displayed. By default, only the differences are listed.
/od  Specifies that only differences are displayed. This is the default behaviour.
/os  Specifies that only matches are displayed. By default, only the differences will be listed.
/on  Specifies that nothing is displayed. By default, only the differences will be listed.

Return Code:

0 - Successful, the result compared is identical
1 - Failed
2 - Successful, the result compared is different

So, for example:

1) To compare all subkeys and values under HKLM\Software\MyCo on the computer named PC2 with all subkeys and values under HKLM\Software\MyCo on the local computer, type:

REG COMPARE \\PC2\HKLM\Software\MyCo \\. /s

2) On a local machine to compare all values under the key MyApp with all values under the key SaveMyApp, type:

REG COMPARE HKLM\Software\MyCo\MyApp HKLM\Software\MyCo\SaveMyApp

If you are not used to using the command line, then this may seem confusing at first.

Monitor Registry Changes As They Happen

The utility Registry Live Watch is a free, lightweight and portable tool to monitor activity on a particular registry key you choose. You can run this tool from the system tray (called the notification area in Windows 7) and monitor a chosen registry key for any changes. It is important to note that the application does not change the Registry in any way; it only monitors the Registry in read-only mode. You can see a video of the utility in action here: http://www.youtube.com/watch?v=sI9ALHfe2_4

©2007-2014 Registry on Windows - All rights reserved.