Reputation: 27703
How to find what registry values changed?
I'm trying to find what changes are made to the registry or what processes started. For example: If I change the view of windows-explorer to show hidden files and folders - I want to see which registry entry changed by that.
It has been suggested to use Process monitor, but a) there are too many registry accesses, and b) I couldn't find any change to the registry there. (Though I remember reading it is a change to the registry that controls that)
I'm doing this because I then want my program to do the same things.
An answer in C# would be fine.
Upvotes: 1
Views: 4585
Answers (3)
Reputation: 3431
RegNotifyChangeKeyValue() is the system function you need to call. I've never seen anybody try to use it from C#, but getting to it should require no more trouble than calling any other unmanaged code. Basically, you call it, it returns after the first change is made, you call it again and wait for the next chande.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms724892%28v=vs.85%29.aspx
has a fairly good description of its use.
Upvotes: 1
Reputation: 7713
Yeah, wow, this could get really tricky since the registry can be huge. In times past I would export a branch of the registry, say HKEY_LOCAL_MACHINE\SOFTWARE\InnaTech, then run some program that i suspected was editing something in that branch, then export it again to a different file. If the branch wasn't to large, then I could eyeball it for differences, otherwise i'd use a normal diff program ala WinDiff to find any changes.
Upvotes: 1
Reputation: 46008
http://www.mydigitallife.info/trick-to-enable-show-hidden-files-and-folders-in-windows/
Go to Start Menu and click on Run (Windows Vista and Windows 7 uses Start Search instead). Type RegEdit and press Enter to run Registry Editor. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
In the right pane, verify that the CheckedValue value data is REG_DWORD type. If it’s not (such as belongs to REG_SZ), then delete the CheckedValue value data. If CheckedValue has been delete, create a new DWORD (32-bit) Value and name it as CheckedValue. Double click on CheckedValue and change its value data to 1 (virus may change it to 0 or 2). Within the same registry key, verify that the Type value data is of REG_SZ type, and has the value data radio. If not, set it to radio. Virus may change it to blank. Set the system to reveal or show all hidden files, folders and drives, and then check if hidden files and folders are show.
Upvotes: 0
Related Questions
- Tracking changes in Windows registry
- Edited the registry with C# but cannot find the change with regedit
- C#: Cannot see the changes in the windows registry
- Get which Registry value changed when RegNotifyChangeKeyValue triggered in c#
- Is there a way to monitor registry changes?
- Monitoring Registry Changes
- how to determine that user or operating system has changed registry key?
- Intercepting Registry changes
- Finding out what Registry keys have been changed C#
- Tracing registry operations in C#