Can monitor registry changes made by specific program.

可以监控特定程序所做的注册表更改。

https://www.nirsoft.net/utils/reg_file_from_application.html

https://www.nirsoft.net/utils/reg_file_from_application.html

UPDATE: Just download NirLauncher (which includes all applications from NirSoft). It is one of the best additions to your Windows toolbox. https://launcher.nirsoft.net/

更新：只需下载 NirLauncher（包括 NirSoft 的所有应用程序）。它是您的 Windows 工具箱的最佳补充之一。 https://launcher.nirsoft.net/

Process Monitorallows you to monitor file and registry activity of various processes.

进程监视器允许您监视各种进程的文件和注册表活动。

Regarding WMI and Registry:

关于 WMI 和注册表：

There are three WMI event classes concerning registry:

存在三个与注册表相关的 WMI 事件类：

• RegistryTreeChangeEvent
• RegistryKeyChangeEvent
• RegistryValueChangeEvent

• 注册表树更改事件
• 注册表键更改事件
• 注册表值更改事件

Registry Event Classes

注册表事件类

But you need to be aware of these limitations:

但是您需要了解这些限制：

• With RegistryTreeChangeEvent and RegistryKeyChangeEvent there is no way of directly telling which values or keys actually changed. To do this, you would need to save the registry state before the event and compare it to the state after the event.

• You can't use these classes with HKEY_CLASSES_ROOT or HKEY_CURRENT_USER hives. You can overcome this by creating a WMI class to represent the registry key to monitor:

• 使用 RegistryTreeChangeEvent 和 RegistryKeyChangeEvent 无法直接告诉实际更改了哪些值或键。为此，您需要保存事件之前的注册表状态并将其与事件之后的状态进行比较。

• 您不能将这些类与 HKEY_CLASSES_ROOT 或 HKEY_CURRENT_USER 配置单元一起使用。您可以通过创建 WMI 类来表示要监视的注册表项来克服此问题：

Defining a Registry Class With Qualifiers

使用限定符定义注册表类

and use it with __InstanceOperationEvent derived classes.

并将其与 __InstanceOperationEvent 派生类一起使用。

So using WMI to monitor the Registry is possible, but less then perfect. The advantage is that it is possible to monitor the changes in 'real time'. Another advantage could be WMI permanent event subscription:

因此，使用 WMI 来监视注册表是可能的，但还不够完美。优点是可以“实时”监控变化。另一个优势可能是 WMI 永久事件订阅：

Receiving Events at All Times

随时接收事件

a method to monitor the Registry 'at all times', ie. event if your application is not running.

一种“始终”监视注册表的方法，即。事件，如果您的应用程序未运行。

A straightforward way to do this with no extra tools is to export the registry to a text file before the install, then export it to another file after. Then, compare the two files.

无需额外工具即可完成此操作的一种直接方法是在安装之前将注册表导出到文本文件，然后在安装之后将其导出到另一个文件。然后，比较这两个文件。

Having said that, the Sysinternals tools are great for this.

话虽如此，Sysinternals 工具对此非常有用。

Regshotdeserves a mention here. It scans and takes a snapshot of all registry settings, then you run it again at a later time to compare with the original snapshot, and it shows you all the keys and values that have changed.

Regshot值得一提。它扫描并拍摄所有注册表设置的快照，然后您稍后再次运行它以与原始快照进行比较，并显示所有已更改的键和值。

There is a python-hids called sobek ( http://code.google.com/p/sobek-hids/) that is able to monitor some parts of the SO. It's working fine for my for monitoring file changes, and although the doc sais that it's able to monitor registry changes it does not work for me.

有一个名为 sobek ( http://code.google.com/p/sobek-hids/)的 python-hids能够监视 SO 的某些部分。它适用于我监视文件更改，虽然文档说它能够监视注册表更改，但它对我不起作用。

Good piece of software for easily deplay a python based hids.

一个很好的软件，可以轻松地展示基于 python 的隐藏。

There are a few different ways. If you want to do it yourself on the fly WMI is probably the way to go. RegistryKeyChangeEventand its relatives are the ones to look at. There might be a way to monitor it through __InstanceCreationEvent, __InstanceDeletionEventand __InstanceModificationEventclasses too.

有几种不同的方法。如果您想自己即时完成，WMI 可能是您要走的路。RegistryKeyChangeEvent它的亲戚是值得关注的。可能有一种方法可以通过__InstanceCreationEvent,__InstanceDeletionEvent和__InstanceModificationEvent类来监视它。

http://msdn.microsoft.com/en-us/library/aa393040(VS.85).aspx

http://msdn.microsoft.com/en-us/library/aa393040(VS.85).aspx

When using a VM, I use these steps to inspect changes to the registry:

使用 VM 时，我使用以下步骤检查对注册表的更改：

1. Using 7-Zip, open the vdi/vhd/vmdk file and extract the folder C:\Windows\System32\config
2. Run OfflineRegistryViewto convert the registry to plaintext
   • Set the 'Config Folder' to the folder you extracted
   • Set the 'Base Key' to HKLM\SYSTEMor HKLM\SOFTWARE
   • Set the 'Subkey Depth' to 'Unlimited'
   • Press the 'Go' button

1. 使用 7-Zip，打开 vdi/vhd/vmdk 文件并解压文件夹 C:\Windows\System32\config
2. 运行OfflineRegistryView将注册表转换为纯文本
   • 将“配置文件夹”设置为您提取的文件夹
   • 将“基本密钥”设置为HKLM\SYSTEM或HKLM\SOFTWARE
   • 将“子项深度”设置为“无限制”
   • 按“开始”按钮

Now use your favourite diff program to compare the 'before' and 'after' snapshots.

现在使用您最喜欢的 diff 程序来比较“之前”和“之后”的快照。

I concur with Franci, all Sysinternals utilities are worth taking a look (Autoruns is a must too), and Process Monitor, which replaces the good old Filemon and Regmon is precious.

我同意 Franci 的观点，所有 Sysinternals 实用程序都值得一看（Autoruns 也是必须的），而 Process Monitor，它取代了旧的 Filemon 和 Regmon，非常珍贵。

Beside the usage you want, it is very useful to see why a process fails (like trying to access a file or a registry key that doesn't exist), etc.

除了您想要的用法之外，查看进程失败的原因（例如尝试访问不存在的文件或注册表项）等非常有用。

PhiLho has mentioned AutoRunsin passing, but I think it deserves elaboration.

PhiLho 顺便提到了AutoRuns，但我认为它值得详细说明。

It doesn't scan the whole registry, just the parts containing references to things which get loaded automatically (EXEs, DLLs, drivers etc.) which is probably what you are interested in. It doesn't track changes but can export to a text file, so you can run it before and after installation and do a diff.

它不会扫描整个注册表，只会扫描包含对自动加载的事物（EXE、DLL、驱动程序等）的引用的部分，这可能是您感兴趣的内容。它不会跟踪更改但可以导出为文本文件，因此您可以在安装前后运行它并执行diff。