Some antispyware tools (for example HijackThis) can provide a snapshot of important parts of the registry and as such are useful in a wider context. Unfortunately HijackThis cannot be used in batch mode (or at least I do not know how to use it in batch mode).
|
As for monitoring, periodic snapshots are generally enough (it is good practice to dump the content of important parts of your registry in the morning or at the end of the day; this can be a scheduled job), but there are specialized tools too.
The simplest way to save the registry is to use the Registry Editor provided with Windows. First navigate to either the top of the branch that you wish to watch, or the "My Computer" icon for the entire registry. Right-click and choose Export. Under "Save as type", select "Win9x/NT4 Registration Files (*.reg)" and pick somewhere to save the initial version. This exports a text file with the current contents of the registry.
The Microsoft utility reg.exe and some antispyware tools (for example HijackThis) can also provide a snapshot of important parts of the registry and as such are useful in a wider context. You can run reg export for all major keys at bootup:
REG EXPORT KeyName FileName
  KeyName   ROOTKEY\SubKey (local machine only)
  ROOTKEY   [ HKLM | HKCU | HKCR | HKU | HKCC ]
  SubKey    The full name of a registry key under the selected ROOTKEY
  FileName  The name of the disk file to export
For example:
reg export HKLM C:\tmp\hklm_current.reg
reg export HKCU C:\tmp\hkcu_current.reg
reg export HKCR C:\tmp\hkcr_current.reg
reg export HKU C:\tmp\hku_current.reg
reg export HKCC C:\tmp\hkcc_current.reg
The resulting snapshot is less than 300 MB and can be compared with the previous one for each major key.
After that you can compare it with the existing snapshot using the diff command from Cygwin or any other file comparison tool, for example:
diff HKLM_old.txt HKLM_new.txt
Selected registry keys are also available via the Cygwin pseudo filesystem /proc/registry.
I am trying to capture the registry changes made by a software installation but am not having much success. My thought was to capture the registry using Win32::TieRegistry before and after the install and compare them. But the code below says no changes were made to the registry during install (I verified that the reg keys were made). According to the Win32::TieRegistry documentation, I can call the Flush() method to Flush "all cached information about the Registry key so that future uses will get fresh data from the Registry." But for some reason, my $LmRegAfter is the same as my $LmRegBefore. Any suggestions would be appreciated.
use strict;
use Win32::TieRegistry ( Delimiter=>"/", ArrayValues=>0 );

my %change;   # collects the added keys (declaration was missing under 'use strict')

#snapshot registry before install
my $LmRegBefore = $Registry->{"LMachine/Software/"};

#Run the installation program - much harder in real life, but this is a test script :)
my $install='path to install to run';
system($install);

#Flush the reg subkey
my $r=$Registry->{"LMachine/Software/"}->Flush();
print ("Flushing LMachine[$r]");

#snapshot registry after install
my $LmRegAfter = $Registry->{"LMachine/Software/"};
registryChanges($LmRegBefore,$LmRegAfter);

#############
sub registryChanges{
    my $regBefore=shift;
    my $regAfter=shift;
    foreach my $key (keys(%{$regAfter})){
        if(!defined $regBefore->{$key}){
            my $val=$regAfter->{$key};
            $change{$key}=$val;
            print "registryChanges[$key]=[$val]\n";
        }
    }
}

Anonymous Monk on Sep 01, 2008
Basic debugging, print the data after first registry read. Then print the data after you flush.
tye on Sep 01, 2008
I think what's happening is that $LmRegBefore and $LmRegAfter get flushed (because they're the same).
You are assuming that simply opening $LmRegBefore will cause the entire contents of that subtree to be read and cached. That would be slow and hog memory, which is why the documentation doesn't say that that happens.
massa (Hermit) on Sep 01, 2008
I think you are storing a reference to that registry, and not a "deep copy" of the contents of the registry. Try this (I can't test b/c no Win here):
slloyd (Hermit) on Sep 01, 2008
use strict;
use Storable q(dclone);
use Win32::TieRegistry ( Delimiter=>"/", ArrayValues=>0 );

#snapshot registry before install
my $LmRegBefore = dclone $Registry->{"LMachine/Software/"};

#Run the installation program - much harder in real life, but this is a test script :)
my $install='path to install to run';
system($install);

#Flush the reg subkey
my $r=$Registry->{"LMachine/Software/"}->Flush();
print ("Flushing LMachine[$r]");

#snapshot registry after install
my $LmRegAfter = dclone $Registry->{"LMachine/Software/"};
registryChanges($LmRegBefore,$LmRegAfter);   # registryChanges() as defined in the post above

Great idea but it did not make any difference.
BrowserUk (Pope)
ldln (Pilgrim) on Sep 01, 2008Not a Perl solution, but I highly recommend you take a look at ProcessMonitor. It's free and can do this and much, much more.
I would use the reg.exe tool to export required keys before and after install, then just do text line by line comparison of those two files with perl (trivial).
GrandFather (Cardinal) on Sep 01, 2008
reg export HKLM\Software before.txt
--install program--
reg export HKLM\Software after.txt
Also you might want to convert these files from utf-16 to utf-8 with iconv like this:
iconv -f utf-16 -t utf-8 before.txt > before_utf8.txt
(or do it with perl's Encode module)
A sanity check on the registry operations is that on typical systems they should take significant time - registry tends to be big. If they aren't taking significant time (a few seconds at least I'd guess), then I suspect you need to manually make a deep copy of the registry structure and compare copies.
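Both the reg export procedure earlier on this page (snapshot each hive, compare with the previous snapshot) and the export-before-and-after approach suggested in the thread above come down to the same task: comparing two .reg exports. A raw text diff works, but it reports every reordered or re-wrapped line; comparing the files as keys and values tells you exactly which keys and values an installer added, removed or changed. The following Python example is added here and is not code from the page, from the thread's participants or from any of the tools named. It assumes nothing beyond the .reg text format itself: reg export writes "Windows Registry Editor Version 5.00" files as UTF-16 with a byte-order mark, while the Registry Editor's "Win9x/NT4" choice writes 8-bit REGEDIT4 files, and the parser accepts both. The two sample exports and all function names are constructed for the example.

```python
"""Structured comparison of two reg.exe / regedit .reg exports (added example)."""
import codecs
import re
from typing import Dict, List

# [HKEY_...] starts a key; "Name"=data or @=data (default value) follows it.
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_reg_bytes(raw: bytes) -> str:
    """Version 5.00 exports are UTF-16 with a BOM; REGEDIT4 exports are 8-bit text."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: raw data string}}. '@' is the default value."""
    snapshot: Dict[str, Dict[str, str]] = {}
    current = None
    pending = None  # (name, data so far) while a hex value continues over several lines
    for line in text.splitlines():
        stripped = line.strip()
        if pending is not None:
            name, data = pending
            data += stripped
            if data.endswith("\\"):
                pending = (name, data[:-1])
            else:
                snapshot[current][name] = data
                pending = None
            continue
        if (not stripped or stripped.startswith(";")
                or stripped.startswith("Windows Registry Editor") or stripped == "REGEDIT4"):
            continue
        m = KEY_RE.match(stripped)
        if m:
            current = m.group(2)
            snapshot.setdefault(current, {})
            continue
        m = VALUE_RE.match(stripped)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if data.endswith("\\"):          # hex(...) data wrapped with a trailing backslash
                pending = (name, data[:-1])
            else:
                snapshot[current][name] = data
    return snapshot


def diff_snapshots(before: Dict[str, Dict[str, str]],
                   after: Dict[str, Dict[str, str]]) -> Dict[str, List]:
    """Classify every difference by key and by value, in sorted order."""
    report: Dict[str, List] = {"added_keys": [], "removed_keys": [], "added_values": [],
                               "removed_values": [], "changed_values": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["added_keys"].append(key)
            continue
        if key not in after:
            report["removed_keys"].append(key)
            continue
        b, a = before[key], after[key]
        for name in sorted(set(b) | set(a)):
            if name not in b:
                report["added_values"].append((key, name, a[name]))
            elif name not in a:
                report["removed_values"].append((key, name, b[name]))
            elif a[name] != b[name]:
                report["changed_values"].append((key, name, b[name], a[name]))
    return report


def compare_exports(before_bytes: bytes, after_bytes: bytes) -> Dict[str, List]:
    return diff_snapshots(parse_reg(decode_reg_bytes(before_bytes)),
                          parse_reg(decode_reg_bytes(after_bytes)))


# Constructed sample: "before" as reg export writes it (Version 5.00, UTF-16 with BOM),
# "after" as regedit's Win9x/NT4 format writes it (REGEDIT4, 8-bit). Real exports
# would be read from disk with open(path, "rb").
BEFORE_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
@="default"
"Version"="1.0"
"Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Sub]
"Blob"=hex:00,01,\
  02,03
"""
AFTER_TEXT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
@="default"
"Version"="1.1"
"Flags"=dword:00000001
"InstallDate"="2008-09-01"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Uninstall]
"UninstallString"="C:\\Program Files\\Example\\uninst.exe"
"""
BEFORE_BYTES = codecs.BOM_UTF16_LE + BEFORE_TEXT.encode("utf-16-le")
AFTER_BYTES = AFTER_TEXT.encode("ascii")

if __name__ == "__main__":
    for kind, entries in compare_exports(BEFORE_BYTES, AFTER_BYTES).items():
        for entry in entries:
            print(kind, entry)
```

The report is a plain dict so it can be written out as the daily snapshot comparison or fed to whatever alerting you already use; a new key under an autostart or service location shows up as an entry in added_keys or added_values rather than as a line buried in a multi-megabyte text diff.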
Querying keys
REG query allows you to query a single key for a single value, or a range of keys for all their values. This provides you with a quick way to check whether a key has the value you think it does, or in fact whether it has any values associated with it at all:
REG QUERY KeyName [/v ValueName | /ve] [/s]
- KeyName [\\Machine\]FullKey
Machine - Name of remote machine, omitting defaults to the current machine (Note: the REG.EXE help syntax is wrong. You should use \\ and NOT \ as written!)
Only HKLM and HKU are available on remote machines
FullKey - in the form of ROOTKEY\SubKey name
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey - The full name of a registry key under the selected ROOTKEY
- /v query for a specific value under the key
ValueName - The name, under the selected Key, to query
if omitted, all values under the Key are queried
- /ve query for the default value or empty value name <no name>
- /s queries all subkeys and values
Example:
C:\WINDOWS>reg query \\srv1\hklm\software\symantec
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\software\symantec
HKEY_LOCAL_MACHINE\software\symantec\InstalledApps
HKEY_LOCAL_MACHINE\software\symantec\LiveUpdate
HKEY_LOCAL_MACHINE\software\symantec\NAVMSE
HKEY_LOCAL_MACHINE\software\symantec\Norton AntiVirus
HKEY_LOCAL_MACHINE\software\symantec\Norton AntiVirus NT
HKEY_LOCAL_MACHINE\software\symantec\Shared Technology
HKEY_LOCAL_MACHINE\software\symantec\SharedDefs
HKEY_LOCAL_MACHINE\software\symantec\SharedUsage
HKEY_LOCAL_MACHINE\software\symantec\Symevent
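The listing above is what reg query prints; with /s it also prints every value as name, type and data. Parsing that output is the quick way, mentioned at the start of this section, to check that keys still hold the values you think they do, and it scales from one key to a scheduled check of a whole list of expectations. The following Python example is added here and is not part of the page or of reg.exe: it parses constructed reg query /s output and reports every expected value that is missing or differs. The sample output, the expectation list and the function names are mine; the parser tolerates both the tab-separated layout of the REG.EXE 3.0 shown above (default value printed as <NO NAME>) and the space-separated layout of later versions (default value printed as (Default)), which is an assumption about output formats rather than anything the page states.

```python
"""Check reg query /s output against a list of expected values (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# A value line is indented: name, REG_* type, data, separated by tabs or runs of spaces.
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*?)\s*$")
DEFAULT_NAMES = {"<NO NAME>", "(Default)"}   # how different reg.exe versions print the default value

Snapshot = Dict[str, Dict[str, Tuple[str, str]]]          # key -> name -> (type, data)
Expectations = Dict[Tuple[str, str], Tuple[str, str]]    # (key, name) -> (type, data)


def parse_reg_query(text: str) -> Snapshot:
    """Return {key path: {value name: (type, data)}} from reg query output."""
    snapshot: Snapshot = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):      # blank or "! REG.EXE VERSION" banner
            continue
        if not line[0].isspace():                          # unindented line: a key path
            current = line.strip()
            snapshot.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            if name in DEFAULT_NAMES:
                name = "(Default)"
            snapshot[current][name] = (vtype, data)
    return snapshot


def check_expected(snapshot: Snapshot, expected: Expectations
                   ) -> List[Tuple[str, str, Tuple[str, str], Optional[Tuple[str, str]]]]:
    """List (key, name, expected, actual) for every expectation not met; actual is None if absent."""
    mismatches = []
    for (key, name), want in sorted(expected.items()):
        actual = snapshot.get(key, {}).get(name)
        if actual != want:
            mismatches.append((key, name, want, actual))
    return mismatches


# Constructed sample of "reg query HKLM\SOFTWARE\Example /s" output. The first key uses
# the REG.EXE 3.0 layout (tabs, <NO NAME>), the second the later layout (spaces, (Default)).
SAMPLE_OUTPUT = """! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Example
    <NO NAME>\tREG_SZ\tdefault
    Version\tREG_SZ\t1.0
    Flags\tREG_DWORD\t0x1

HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Sub
    (Default)    REG_SZ    sub default
    Install Path    REG_SZ    C:\\Program Files\\Example
    Blob    REG_BINARY    00010203
"""

# Constructed expectation list: what the values should be on a correctly configured machine.
EXPECTED: Expectations = {
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Example", "Version"): ("REG_SZ", "1.1"),
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Example", "Flags"): ("REG_DWORD", "0x1"),
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Example", "Locked"): ("REG_DWORD", "0x1"),
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Sub", "Install Path"): ("REG_SZ", "C:\\Program Files\\Example"),
}

if __name__ == "__main__":
    for key, name, want, actual in check_expected(parse_reg_query(SAMPLE_OUTPUT), EXPECTED):
        print(f"{key} [{name}]: expected {want}, found {actual}")
```

On a real system the text would come from running reg query /s and capturing its standard output (redirect it to a file from the scheduled job); keeping the expectation list in a file next to the script turns this into a baseline check that runs alongside the daily snapshot.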
Managing the Windows Registry from the Command Prompt with Reg.exe
The command-line utility reg.exe is a powerful and versatile way to manage the Windows XP Registry. This article discusses its features and application.
Many will be familiar with the graphical interface tool regedit.exe that is available for editing the Windows Registry. Less familiar, however, is the command-line utility reg.exe that also comes with Windows XP. This accessory will do anything that regedit.exe can do and has the additional facility of being directly usable in scripts. It is a common tool for system administrators with many computers to manage but can also be useful to the more experienced home PC user. I will discuss some aspects that may be of interest to this latter group. More details can be found at this Microsoft site. There is also information in the Windows XP Help and Support Center.
Registry editing is not for everybody but it is not as fearsome an operation as it is sometimes made out to be. Just be sure to follow the iron-clad rule to back up the Registry first before editing. There are many useful tweaks that involve a simple Registry edit and reg.exe provides a way that is simpler and safer in some ways than Regedit. It also provides a way to back up keys or entire hives of the Registry into files that can be stored off the main drive.
Like some other command-line utilities, the reg command is a shell or console that has its own set of sub-commands. A complete command consists of
reg subcommand variables
Table I lists these subcommands and some are discussed in more detail in sections that follow. The commands can be carried out on remote networked computers as well as the local computer but I will confine the discussion to operations involving just the local computer.
Table I. Subcommands for reg.exe
  Subcommand  Function
  add         Adds a new subkey or entry to the registry
  delete      Deletes a subkey or entries from the registry
  query       Displays the data in a subkey or a value
  compare     Compares specified registry subkeys or entries
  copy        Copies a subkey to another subkey
  save        Saves a copy of specified subkeys, entries, and values of the registry in hive (binary) format
  restore     Writes saved subkeys and entries in hive format back to the registry
  load        Writes saved subkeys and entries in hive format back to a different subkey
  unload      Removes a section of the registry that was loaded using reg load
  export      Creates a copy of specified subkeys, entries, and values into a file in REG (text) format
  import      Merges a REG file containing exported registry subkeys, entries, and values into the registry
Track file and registry changes made by an application installation
Though there are several third-party utilities that can capture registry changes and utilities that can capture file system changes, System Mechanic from www.iolo.com is impressive. It is a complete system maintenance tool which includes a registry cleaner, a duplicate files finder, Safe Installer (which we discuss here) and many more tools.
Safe Installer is a feature with which you can track the file and registry changes made by an application installation. First, it takes a pre-installation snapshot of the registry and file system. Then it launches the setup program that you specify. Once the installation is done, the post-setup snapshot is generated. Finally, the pre-setup and post-setup snapshots are compared automatically and the output is written as a TXT file, which you can open in Notepad.
Launch System Mechanic. From the System tab, click Safe Installer button
Type a Report description and then choose the setup file for the application which you want to install.
Choose Next and choose the drive-letters you wish to monitor. Click Next, Next and type the Report file name and location.
From the Snapshot tab, click Start. The current registry and the file structure are now stored in a pre-setup snapshot.
Once completed, run the setup program for the application which you want to install.
After installation is complete, click the Done: Report button. This launches the post-setup snapshot. The final result is the comparison report, which contains all the additional registry entries and files modified by the application installer.
Open the report in Notepad and view the contents to see the list of changes made to your system.
Capturing Win32 registry changes made by a software installation
WhatChanged is a system utility that scans for modified files and registry entries. It is useful for checking program installations. There are two steps for using WhatChanged:
1) First, take a snapshot to get the current state of the computer; 2) Second, run it again to check the differences since the previous snapshot.
WhatChanged uses the "brute force method" to check files and the registry.
* v1.07 update includes speed enhancements for better performance.
Author: Vista Software, Inc.
Date: 2011-07-30
Size: 96 KB
License: Freeware
Requires: Win XP/2003/08/Vista/Windows7
Reg add
This command is used to add keys and values to the Registry. The syntax is given by
REG ADD KeyName [/v ValueName | /ve] [/t Type] [/s Separator] [/d Data] [/f]
Table II explains the entries.
Table II. Parameters in REG ADD command
  Parameter     Description
  KeyName       Complete Registry key name. Uses abbreviations HKCR, HKCU, HKLM, and HKU for root keys
  /v ValueName  Adds or changes a value
  /ve           Changes a key's default value
  /t Type       The type of value: REG_BINARY, REG_DWORD, REG_SZ, REG_MULTI_SZ, etc. The default is REG_SZ
  /s Separator  Specifies the character used to separate strings in REG_MULTI_SZ entries. The default is \0
  /d Data       The data to assign to a value
  /f            Forces overwriting of existing values without prompting
REG ADD provides a quick and simple method for adding new keys to the Registry or modifying old ones. As an example, let's look at how to add the subkey "HackersAreUs" to the Local Machine Software key. The command would be
REG ADD HKLM\Software\HackersAreUs
Now let's add a value named "Stuff" and make it a binary entry with data "0001". The command would be
REG ADD HKLM\Software\HackersAreUs /v Stuff /t REG_BINARY /d 0001
The two commands could have been executed as a single command but I have split them to make the process clearer. I have used upper case for REG ADD but that is for clarity and is not required.
Reg delete
Keys and values can be deleted in a similar but somewhat simpler fashion. The syntax is
REG DELETE KeyName [/v ValueName | /ve | /va] [/f]
Table III describes the parameters.
Table III. Parameters in REG DELETE command
  Parameter     Description
  KeyName       Complete Registry key name. Uses abbreviations HKCR, HKCU, HKLM, and HKU for root keys
  /v ValueName  Deletes a value
  /ve           Deletes a key's default value
  /va           Deletes all values from a key
  /f            Forces deletion without prompting
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March, 12, 2019