Thursday, November 11, 2010

Monitoring registry changes under Windows 2008 R2

I need to monitor registry changes in a brand new Windows 2008 R2 installation to track changes to registry keys when I deactivate TCPIPV6, QoS and other stuff on the server network card. This task is a tough one, more than I expected. Not so long ago we had regmon, which was so powerful. Today regmon is no longer an option for recent Microsoft operating systems. I could use procmon, of course, but it is so heavy and resource-consuming and, what's more, too much information is displayed, which takes a lot of effort to filter out.

I have therefore started trying Registry Live Watch...
but, although it works and it tells you that some registry key has changed, it does not tell you which one, as you can see in the following screenshot... And this is a real pity because the tool is very light, nothing to install and nothing to configure.

Registry Live Watch... but no results

Another solution is Systracer, but it has to be installed, which is not an option that I like because I do not want to modify the original OS deployment with additional packages that will not be needed later.

So I have been looking for free solutions, and among them I have found RegSnap and Regshot, but they have not been written or tested for Windows 2008.

After some research it has become clear to me that no free software currently exists to perform Windows Registry monitoring and tracking. None but Systracer. So I have gone back to it, and, after forcing myself to make a full backup of the test server, I have installed it.

The program is pretty easy to use. Not all functions are available in the unregistered version, but Registry Monitor is. It is not real-time registry tracking as I had expected, but a serial tool for the analysis of consecutive registry snapshots: first you take one snapshot, then you modify your system settings, then you take another snapshot, then you compare them to find the differences. Pretty cool.
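The same snapshot-then-compare approach can be done without installing anything, using the PowerShell that ships with 2008 R2. The script below is an added example written for this post, not code from Systracer or any of the tools mentioned; it assumes PowerShell 2.0 or later and that you pick the subtree to watch yourself (the Tcpip6 service key is only an illustrative default for the IPv6 case). Each snapshot is a hashtable of key and value names mapped to their raw data, saved to disk so the two snapshots can be diffed on another machine.

```powershell
# Added example (not from the post): snapshot-and-compare registry tracking in PowerShell.
# Assumptions: PowerShell 2.0 or later; the subtree to watch is chosen by the caller.
# The Tcpip6 service key used below is only an illustrative default.

function Get-RegistrySnapshot {
    param(
        [Parameter(Mandatory=$true)]
        [string] $Path   # PowerShell registry path, e.g. 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6'
    )
    $snapshot = @{}
    # The root key plus every subkey beneath it (access-denied subkeys are skipped).
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        # Record the key itself so that added/removed keys without values also show up in the diff.
        $snapshot[$key.Name] = '<key>'
        foreach ($name in $key.GetValueNames()) {
            # Raw data without %VAR% expansion, flattened to a string so that binary and
            # multi-string values compare the same way as REG_SZ / REG_DWORD values.
            $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $snapshot["$($key.Name)\$name"] = [string]($raw -join ',')
        }
    }
    return $snapshot
}

function Compare-RegistrySnapshot {
    param(
        [Parameter(Mandatory=$true)] [hashtable] $Before,
        [Parameter(Mandatory=$true)] [hashtable] $After
    )
    # Union of every entry seen in either snapshot, then classify each one.
    $allNames = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($n in $allNames) {
        if (-not $Before.ContainsKey($n)) {
            New-Object PSObject -Property @{ Change = 'Added';    Entry = $n; Before = $null;       After = $After[$n] }
        } elseif (-not $After.ContainsKey($n)) {
            New-Object PSObject -Property @{ Change = 'Removed';  Entry = $n; Before = $Before[$n]; After = $null }
        } elseif ($Before[$n] -ne $After[$n]) {
            New-Object PSObject -Property @{ Change = 'Modified'; Entry = $n; Before = $Before[$n]; After = $After[$n] }
        }
    }
}

# Usage: snapshot, change the adapter settings, snapshot again, then diff.
$watch  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6'
$before = Get-RegistrySnapshot -Path $watch
$before | Export-Clixml -Path "$env:TEMP\reg-before.xml"   # keep a copy so the diff can be run elsewhere

# ... untick IPv6 / QoS on the network card here ...

$after = Get-RegistrySnapshot -Path $watch
$after | Export-Clixml -Path "$env:TEMP\reg-after.xml"

Compare-RegistrySnapshot -Before $before -After $after |
    Select-Object Change, Entry, Before, After |
    Format-Table -AutoSize -Wrap
```

Watching a narrow subtree keeps the diff readable; snapshotting all of HKLM works too but every service start and logon will show up as noise. The two .xml files can be loaded back with Import-Clixml on any workstation and compared there, so nothing but the two snapshots ever has to be taken on the server.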

Here's a sample output:

Snapshot is in progress

Modified registry keys and values

The final output of Systracer (above) is unfortunately more or less unreadable or useless, which amounts to the same thing, to me. Maybe I should practice a bit, but, for some reason, I feel like these free tools are making me lose my time...

In the end, I have decided to go back to the good old procmon. I don't know what your opinion is, or whether you have found a better tool (feel free to tell me if you have), but I am a little bit disappointed today.


I hope you have found this post useful and, please, share your experience if you have already spent some time on effective Windows 2008 registry monitoring. I would be glad to hear that from you.


  1. Actually SysTracer can be used without installation.
    You should use the Compare button, instead of View differences, the results/differences will be easy to understand.

    1. Couldn't you have compared the snapshots on your workstation? =))
