9.13. Viewing Processes That Have a Registry Key Open


You want to view the processes that have a registry key open. If a process has a key open, you may not be able to modify or delete that key or its values.


Using a graphical user interface

Open the Sysinternals Registry Monitor (regmon.exe) tool. By default, the Registry Monitor shows all processes that have a handle to a registry key or value. You have two options for finding a specific key or value:

  • From the menu, select Edit Find. Enter the part of the registry key or value you want to search against. Make sure Direction is selected correctly (by default Down is selected, but if you want to, search Up).

  • The second option consists of filtering the output. Select Options Filter/Highlight from the menu. In the Include text box, enter the key or value you want to view. Click OK and then Yes to confirm.

You can also use the Sysinternals Process Explorer (procexp.exe) tool to search for registry handles.

Using a command-line interface

With the Sysinternals handle command, you can find a process that has a registry key open. Simply specify the -a switch and some part of the key path or value name you want to search on. Since the search is fuzzy, there is a chance it might match things other than registry access (e.g., an open file), but if your search string is specific enough, you should be able to narrow it down. For example, the following command finds all processes that have a handle to something containing RunOnce ...

Get Windows Server Cookbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.