• 0

Details- using Process Monitor to track registry changes by installers?


Question

I'm looking for the easiest method to track (& possibly undo) changes in Windows registry made specifically by software installers.

Find & list registry changes made by XYZ software (reg entry: creation, deletion, changes)

I've used Sysinternals Process Monitor a good while. But I'm not sure of the best way to use it (exact filters to set, etc.) to monitor ONLY recent changes, made by a single software installer. Then if I decide to uninstall it, possibly delete reg changes made by the installer.

Even some "portable" software may make registry changes. Most times they're harmless - sometimes not.

There may be other freeware with an excellent reputation, that's better at this one task than Proc Mon.

Thanks.


3 answers to this question


  • 0

Is this what you're looking for?

http://www.nirsoft.net/utils/reg_file_from_application.html

RegFromApp monitors the Registry changes made by the application that you selected, and creates a standard RegEdit registration file (.reg) that contains all the Registry changes made by the application.

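An added example, not part of the thread and not NirSoft's code: a Python script that reads registry changes saved in .reg format (the format RegFromApp is described as producing), lists the values written, picks out autostart (Run/RunOnce) entries for review, and builds a .reg file that deletes those values. The sample input, key names and function names are constructed for illustration.

```python
import re

# Constructed sample in .reg format (not real RegFromApp output).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"
@="ExampleApp"
"Blob"=hex:01,02,03,\
  04,05

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\ExampleApp\\upd.exe\" /background"
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
AUTOSTART_RE = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)

def parse_reg(text):
    """Return [(key, value_name, data)] for every value the file sets."""
    joined = re.sub(r'\\\r?\n\s*', '', text)  # join hex continuation lines
    writes, key = [], None
    for line in (l.strip() for l in joined.splitlines()):
        if not line or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            key = None if m.group(1) else m.group(2)  # ignore [-key] deletions
            continue
        m = VALUE_RE.match(line)
        if m and key and m.group(2) != '-':  # ignore "name"=- deletions
            writes.append((key, m.group(1), m.group(2)))
    return writes

def autostart_writes(writes):  # values under Run/RunOnce keys, review these first
    return [w for w in writes if AUTOSTART_RE.search(w[0])]

def build_undo(writes):
    """Return .reg text deleting each written value (old data is not restored)."""
    out, last = ['Windows Registry Editor Version 5.00'], None
    for key, name, _ in writes:
        if key != last:
            out += ['', f'[{key}]']
            last = key
        out.append(f'{name}=-')
    return '\r\n'.join(out) + '\r\n'

if __name__ == '__main__':
    print(build_undo(parse_reg(SAMPLE_REG)))
```

A .reg file may be UTF-16 encoded, so decode it to text before calling `parse_reg`. The generated file only deletes values; it does not bring back data a value held before the install or remove keys the installer created, so review it before importing.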

  • 0

Thanks BudMan.  I've used Nirsoft's apps for some time - didn't remember that one.

But, not sure if it'll monitor installation processes, or only existing, running processes.

I need something to log reg changes made during installation process.

 
Using RegFromApp

RegFromApp doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - RegFromApp.exe
After running it, select the process that you want to inspect, and click Ok. After clicking Ok, each time that the selected process writes a value into the Registry, the main window of RegFromApp will display the written value in Windows .reg file format. You can copy & paste the desired values to another Registry file, or alternatively, you can save the entire Registry changes into a .reg file by using the 'Save As' option.

 

I think the key here is, you must select a process from the RegFromApp UI.

The documentation mentions for Vista (I think), you must run RFA at the same authority level as the app to be monitored.  Since most installers in Vista run in Admin mode, that would mean running RFA in admin.

 

I got / ran the 32 bit RegFromApp (first got the 64 bit ver; says must have 32 bit RFA ver for monitoring 32 bit apps). 

Started it in NON admin mode, went to main menu, File > Start New Process, then browsed / selected a typical installer .exe file (not a running process).  It accepted that.

But it didn't log anything during the selected app's installation or at the app's launch.  That didn't surprise me, since it was mentioned RFA must run in same mode as apps to monitor.

 

But when starting RFA in Admin mode, the options are grayed out to Browse / select a new process (installer) that isn't yet running, to monitor for reg changes.

AFAIK, it is then impossible to select a process (installer) to monitor, that's not yet running.

Not sure if it's a bug, misinterpretation of what it can do or operator error.


  • 0

What are you trying to install and watch - so I can give it a test run.. Sure looks to be working here. Running the 32bit version as admin, then starting Dropbox install. Gives a warning about running app as run as admin, etc. But sure looks to be catching the reg entries


This topic is now closed to further replies.