Registry Finder adds 'search keys by modified date'

Open source Registry editor Registry Finder has added the ability to find Registry keys modified within a date range.

This has many computer forensic applications, such as seeing the keys modified when a program was installed, or getting clues about what another user did on your PC last Wednesday.

The feature is an addition to the regular Find dialog. Right-click a target like HKEY_LOCAL_MACHINE, click Find, and there are now "From" and "To" date pickers for selecting your date range.

Windows and individual applications are updating the Registry all the time, of course, so it’s likely that searches will contain a lot of not-very-interesting data (we scanned HKEY_CURRENT_USER for changes in the last 24 hours and got 3,500 results).

Fortunately you’re able to sort your results by key, helping you skim over irrelevant clusters of Explorer or system-related junk and zoom in on anything more unusual and interesting.

There’s also an option to sort the keys by the date and time modified, and that’s maybe the most interesting of all. Even if you don’t know what you’re looking for, scrolling down the list shows you when Registry changes cluster together, highlights changes that happen all on their own, and generally give you a better understanding of what’s happening in the background of your PC.

The only issue we noticed is "modified date" information is still only displayed in search results, and not the main Registry view. This is going to make for a very clumsy workflow -- you have to search the key you’re already viewing to get the information you need -- but hopefully it’ll be fixed soon.

Registry Finder is an open source application for Windows XP and later.