In this article I want to show you how you can use the Process Monitor from the Sysinternals of Microsoft to monitor the changes made to Registry Keys.

Also I use the Process Explorer, wich is a more powerfull Taskmanager ist. However the Taskmanager will do as well.

When you start the Process Monitor (procmon.exe) you will be presented with a filter pop-up. Thank you, very intrusive of you.

Here you can filter what sort of activity you want to monitor. Lets take a look of the installation process of WinRAR.

Start the installation and check for the PID (Process ID).

Select in the head of the

Wählt dann in der Kopfzeile des Filterdialoges PID is <PID> then include aus.

As in this filter options you also define what sort of events you do NOT want to see we will have to disable the filter for RegKeys.

Double negative and stuff.

After about 30 Seconds of software installation later procmon has filtered 2.5 million events and is displaying about 2600 that might be interresting to us.

Good but not good enaugh. At this point I save (Strg + S) the results to a CSV file.

Then I open them in Excel to have a closer look at them. Then I import the same data from the CSV again. Because.

Just leave all values on default, meaning that Excel expects values seperated by a comma from a CSV (Comma Seperated Value) file.

Now I can filter for single Registry Events.

Lets take a look at the most interresting Events. RegCreateKey RegSetInfoKey

That narrows it down to four.

Start the Windows Run dialog using Windows + R and enter RegEdit.

This way you can edit the Windows Registry.

If you want to learn more about the Windows Registry check out this techconsumerguide article on the subject.

Internet Explorer\BrowserEmulation does not sound that interresting.

Lets look at Software\WinRAR SFX an. This RegKey holds the path to the WinRAR.exe.

Lets look at SyncRootManager.

Not all that impressive but I think you get the point.

Cheers, Ori