Ask a private investigator what the best way to gather evidence is, and you’re likely to get a simple answer: watch and wait. Unfortunately, trying to use RegEdt32 or RegEdit to watch the Registry as it changes is a difficult and unrewarding way to work. Unless you know ahead of time exactly which keys or values you want to watch, it’s difficult to monitor individual changes, and there’s no easy way to tell which application, process, or driver changed the setting you’re trying to watch.
Mark Russinovich and Bryce Cogswell have solved this problem, to the delight of administrators and programmers everywhere. They wrote a utility called RegMon (available with source code from http://www.sysinternals.com) that lets you spy on every Registry access made anywhere in the system. It can monitor reads, writes, and queries and record them in a log that you can peruse at will; it can also limit the Registry accesses it records based on filtering criteria you supply. RegMon makes short work of figuring out who modified a particular key or value, and it’s a great resource for watching what the system’s doing with Registry data.
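To make the "who modified this key?" question concrete, here is an added example (not code from the book or from Sysinternals) that answers it over a saved RegMon-style log. The log format is an assumption for this example: one tab-separated record per line with sequence number, time, process, request type, Registry path, result, and an "other" column; the sample lines are constructed, not captured from a real system. The filter function mirrors the filtering criteria the text mentions, and the lookup treats Registry paths case-insensitively, as the Registry itself does.

```python
"""Who modified this key? Analyze RegMon-style log lines (added example; assumed format)."""

# Column layout assumed for a saved RegMon log (tab-separated).
FIELDS = ("seq", "time", "process", "request", "path", "result", "other")

# Request types that change Registry data, as opposed to reading or querying it.
MODIFYING_REQUESTS = {"SetValue", "CreateKey", "DeleteKey", "DeleteValue"}

# Constructed sample log: Explorer looks for a Run value that does not exist yet,
# then setup.exe creates it, then an unrelated query by svchost.exe.
SAMPLE_LOG = (
    "1\t10:12:01\tExplorer.exe\tOpenKey\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\tAccess: 0x20019\n"
    "2\t10:12:01\tExplorer.exe\tQueryValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater\tNOTFOUND\t\n"
    "3\t10:12:01\tExplorer.exe\tCloseKey\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\t\n"
    "4\t10:12:07\tsetup.exe\tOpenKey\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\tAccess: 0xF003F\n"
    "5\t10:12:07\tsetup.exe\tSetValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater\tSUCCESS\t\"C:\\Program Files\\Vendor\\upd.exe\"\n"
    "6\t10:12:07\tsetup.exe\tCloseKey\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\t\n"
    "7\t10:12:09\tsvchost.exe\tQueryValue\tHKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Hostname\tSUCCESS\t\"WKSTN01\"\n"
)


def parse_log(text):
    """Parse tab-separated log lines into dicts keyed by FIELDS; short lines are padded."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", len(FIELDS) - 1)   # keep tabs inside the last column
        parts += [""] * (len(FIELDS) - len(parts))
        records.append(dict(zip(FIELDS, parts)))
    return records


def _under(path, key):
    """True if path is the key itself or anything below it (Registry paths are case-insensitive)."""
    p, k = path.lower().rstrip("\\"), key.lower().rstrip("\\")
    return p == k or p.startswith(k + "\\")


def filter_records(records, process=None, request=None, path_prefix=None, result=None):
    """Keep only records matching every criterion given, like RegMon's own filter."""
    kept = []
    for r in records:
        if process is not None and r["process"].lower() != process.lower():
            continue
        if request is not None and r["request"] != request:
            continue
        if result is not None and r["result"] != result:
            continue
        if path_prefix is not None and not _under(r["path"], path_prefix):
            continue
        kept.append(r)
    return kept


def who_modified(records, key):
    """Map process name -> successful modifying requests at or below `key`, in log order."""
    hits = {}
    for r in records:
        if (r["request"] in MODIFYING_REQUESTS
                and r["result"] == "SUCCESS"
                and _under(r["path"], key)):
            hits.setdefault(r["process"], []).append(r)
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    run_key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    for proc, changes in who_modified(recs, run_key).items():
        for r in changes:
            print(f"{r['time']} {proc}: {r['request']} {r['path']} -> {r['other']}")
```

Running it against the constructed log attributes the new Run value to setup.exe and ignores Explorer's reads and the unrelated svchost.exe query. Against a real RegMon log you would read the saved file instead of SAMPLE_LOG and adjust FIELDS to whatever columns the version you use writes out.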
Figure 9-9. The RegMon main interface
RegMon works by installing a small device driver when you run the application; this driver hooks the Registry API routines, so it can see what parameters callers pass in and what ...