Monitor Windows Registry changes in real time
Observing Registry activity on your PC can be very useful when you’re troubleshooting odd problems. There are some great tools around to help. Sysinternals Process Monitor is probably the best: set it running and it’ll record exactly which Registry keys your processes are reading and writing (amongst other details), and browsing the report later will usually give you a much better idea of what’s going on.
Of course this approach really only works when you have some specific event you’d like to monitor, such as the launch of an application. If you’re experiencing some intermittent problem then what might be more useful is a program that tells you which Registry keys have changed in the last 5 minutes, say. And that’s where NirSoft’s RegScanner comes in.
If you’d like to find out more about recent Registry activity, then launch the program, and choose the areas of the Registry you’d like to be checked in the “Scan the following base keys” box.
Or, better still, clear that checkbox and select a base key closest to the one you’d like to monitor from the list at the top of the RegScanner window. If you’re just hoping to see general application-inspired Registry changes, for instance, HKCU\Software is a good place to start.
Next, ensure “Display only keys that their modified time is within the following range” is checked. By default this will look for Registry keys which have changed in the last hour, but that could produce a lengthy report, so it’s best to minimise this if you can. If your intermittent problem only happened five minutes ago, say, set the “From” time to perhaps ten minutes ago and that should be fine.
Now choose “Registry item contains any value” in the “Matching” box, to ensure that RegScanner displays everything it finds.
Finally, click OK, and RegScanner will examine your specified area of the Registry, checking each key in turn, and displaying any of those that have changed recently.
The final report can’t compete with the level of detail you’ll get from Process Monitor. You’re only seeing keys that have been altered, not accessed; you can’t tell which processes have altered them; and so there’s no way to see what a specific application has done.
Still, clicking the “Key Modified Time” column header will sort your keys in the order they were modified, which can help you figure out the sequence of events. And if you’re only interested in the changes made to a particular application’s Registry settings, say, they’ll be very obvious and you’ll immediately see what’s happened. On balance, then, RegScanner more than deserves its place in your troubleshooting toolkit: go download your copy immediately.