
Managing The Windows 2000 Registry by Paul Robichaux


Spying on the Registry with RegMon

Ask a private investigator what the best way to gather evidence is, and you’re likely to get a simple answer: watch and wait. Unfortunately, trying to use RegEdt32 or RegEdit to watch the Registry as it changes is a difficult and unrewarding way to work. Unless you know ahead of time exactly which keys or values you want to watch, it’s difficult to monitor individual changes, and there’s no easy way to tell which application, process, or driver changed the setting you’re trying to watch.

Mark Russinovich and Bryce Cogswell have solved this problem, to the delight of administrators and programmers everywhere. They wrote a utility called RegMon (available with source code from http://www.sysinternals.com) that lets you spy on every Registry access made anywhere in the system. It can monitor reads, writes, and queries and record them in a log that you can peruse at will; it can also limit the Registry accesses it records based on filtering criteria you supply, so that you see only the paths, processes, or operations you care about. Because each logged access is tagged with the process that made it, RegMon makes short work of figuring out who modified a particular key or value, and it’s a great resource for watching what the system’s doing with Registry data. (RegMon has since been folded into Sysinternals’ Process Monitor, which captures the same Registry activity alongside file and process events; the technique described here carries over unchanged.)
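The two things the paragraph above credits RegMon with, filtering the captured accesses and answering "which process changed this key?", are easy to reproduce offline once you have the log. The script below is an added example, not code from the book or from Sysinternals: it parses a tab-separated export laid out the way RegMon displays its columns (#, Time, Process, Request, Path, Result, Other), applies a RegMon-style include filter, and reports the processes that successfully wrote under a given key. The column layout, the request names, and the log lines themselves are constructed for the example and assumed, not captured from a real system.

```python
"""Who modified this Registry key? Offline analysis of a RegMon-style log.

Added example; not part of the book or of RegMon. The log format is an
assumption modelled on RegMon's display columns, and SAMPLE_LOG is
constructed data, not a real capture.
"""
import csv
import fnmatch
import io
from collections import defaultdict

# Constructed sample log. Columns: #, Time, Process, Request, Path, Result, Other.
# The Process column carries "image:pid", as RegMon shows it.
SAMPLE_LOG = """\
#\tTime\tProcess\tRequest\tPath\tResult\tOther
1\t0.00001201\texplorer.exe:1184\tOpenKey\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\tKey: 0xE1A2B3C4
2\t0.00001955\texplorer.exe:1184\tQueryValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon\tSUCCESS\t"ctfmon.exe"
3\t0.00002310\texplorer.exe:1184\tCloseKey\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\tKey: 0xE1A2B3C4
4\t0.00350012\tsetup.exe:2044\tOpenKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\tKey: 0xE1D4E5F6
5\t0.00350890\tsetup.exe:2044\tSetValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater\tSUCCESS\t"C:\\Vendor\\upd.exe"
6\t0.00351002\tsetup.exe:2044\tCloseKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\tKey: 0xE1D4E5F6
7\t0.00400001\tsvchost.exe:712\tOpenKey\tHKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\tSUCCESS\tKey: 0xE1AA0011
8\t0.00400555\tsvchost.exe:712\tQueryValue\tHKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Hostname\tSUCCESS\t"WKS01"
9\t0.00500123\tmsiexec.exe:2100\tOpenKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tACCESS DENIED\t
10\t0.00600777\tregedit.exe:3001\tDeleteValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OldAgent\tSUCCESS\t
"""

# Request types that change Registry contents (assumed RegMon naming).
WRITE_REQUESTS = {"SetValue", "CreateKey", "DeleteKey", "DeleteValue"}


def parse_log(text):
    """Turn a tab-separated RegMon-style export into a list of event dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    events = []
    for row in reader:
        image, sep, pid = row["Process"].rpartition(":")
        if not sep:                      # no ":pid" suffix present
            image, pid = pid, ""
        events.append({
            "seq": int(row["#"]),
            "time": float(row["Time"]),
            "image": image,
            "pid": int(pid) if pid.isdigit() else None,
            "request": row["Request"],
            "path": row["Path"],
            "result": row["Result"],
            "other": row["Other"],
        })
    return events


def filter_events(events, path_glob="*", requests=None, successful_only=False):
    """RegMon-style include filter: keep events whose path matches the
    case-insensitive wildcard `path_glob`, optionally restricted to the
    given request types and to successful accesses."""
    pattern = path_glob.lower()
    kept = []
    for ev in events:
        if not fnmatch.fnmatchcase(ev["path"].lower(), pattern):
            continue
        if requests and ev["request"] not in requests:
            continue
        if successful_only and ev["result"] != "SUCCESS":
            continue
        kept.append(ev)
    return kept


def who_modified(events, path_glob):
    """Map (image, pid) -> list of successful write events under path_glob."""
    writers = defaultdict(list)
    for ev in filter_events(events, path_glob, WRITE_REQUESTS, successful_only=True):
        writers[(ev["image"], ev["pid"])].append(ev)
    return dict(writers)


def denied_accesses(events, path_glob="*"):
    """Processes that were refused access under path_glob; failed accesses
    are often the first sign of a process probing keys it has no right to."""
    return [ev for ev in filter_events(events, path_glob) if ev["result"] != "SUCCESS"]


if __name__ == "__main__":
    run_key = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*"
    events = parse_log(SAMPLE_LOG)
    for (image, pid), evs in who_modified(events, run_key).items():
        for ev in evs:
            print(f"{image}[{pid}] {ev['request']} {ev['path']} {ev['other']}".rstrip())
    for ev in denied_accesses(events):
        print(f"DENIED: {ev['image']}[{ev['pid']}] {ev['request']} {ev['path']}")
```

Run against a real export you would pass the file contents to `parse_log` instead of `SAMPLE_LOG`. The same filter is what you would set up inside RegMon itself; doing it after the fact lets you keep an unfiltered capture (so nothing is lost) and ask different questions of it later.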


Figure 9-9. The RegMon main interface

RegMon works by installing a small device driver when you run the application; this driver installs hooks to all the Registry API routines, so it can see what parameters callers pass in and what ...
