Monday, March 02, 2009

File and Registry Change Watchers

Another quick post.

Inspired by the blog post Tracking Registry and Files Changes When Installing Software in Windows, I figured I needed to list some of its author's new finds and some of my old standbys. I refer readers and the curious to that post for more in-depth reviews and details of some of these programs.

These tools are very useful when monitoring a system’s registry and file structure for changes created by captured malware droppers and/or legitimate installer programs.

RegShot 2.0 (translated version) - (freeware) – Take a system “snapshot”, run the installer, then take a follow-up “snapshot” and let it compare the results.

SpyMe Tools - Monitor Registry & File System Changes - (freeware) – Supports both real-time monitoring of system changes as well as capture dump comparisons.  I like this one as it provides a directory view of changed files.

SystemSherlock Lite - (freeware) – CLI-based tool. Run a dump. Run another dump. Compare the dumps. Lots more CLI goodness, but that’s the basics. See also the SystemSherlock GUI developed by Martin Zugec for all you CLI-averse freaks.

WhatChanged v1.06 - (freeware) – scroll to the bottom of the page to find it.  Same concept.  Take a snapshot, do your business, take another snapshot and compare.

InstallWatch Pro v2.5c - (freeware) – Long-time favorite of portable software fans. I’ve used this many times in the past to look for any special files written to system32 folder(s) that I need to copy when making a “portable” version. Not updated for a while.

reg-runner - (freeware) – Reg-runner watches a system for registry changes made by a program. Provides additional tools and helps for searching out just what they are. Neat little project.

Change Analysis Diagnostic tool for Windows XP – Microsoft tool.

The Change Analysis Diagnostic tool scans the computer and displays recent changes to the following areas:

  • Software programs: The software programs that are listed in the Add or Remove Programs item in Control Panel.
  • Operating system components: Hotfixes and downloads from Windows Update.
  • Browser Helper Objects (BHOs): COM components that Internet Explorer loads when it starts. BHOs can intercept browser events, access Internet Explorer controls, create windows, and install add-ins that monitor messages and actions.
  • Drivers: Kernel-mode device drivers and file system drivers.
  • ActiveX controls: COM controls that have been downloaded by Internet Explorer or that are used in some Web pages.
  • Other Auto-Start Extensibility Points (ASEPs): ASEPs let programs start without action from the user. An ASEP may accept one or more ASEP hooks, each of which is associated with a program.

The tool also displays changes to loaded applications and startup objects.
The Change Analysis Diagnostic tool queries the System Restore data for the number of days that the user selects. The tool finds the changes to the registry and to the file system that are relevant to these categories. Then, the tool presents the changes together with contextual information. Finally, the tool lists the changes in an XML file that can be sent to a support professional.

RegFromApp - (freeware) – Nice NirSoft application so you know it’s good!  Fire it up, run it, select a process to monitor, halt when done, view the report.  Great way to capture/log live changes to the registry.  Lots more features.  Quick and easy to use.

Process Monitor - (freeware) – Microsoft Sysinternals tool that will capture all registry and file calls while running. Launch it before things get started, then stop it when the dust has settled. You will have to be skilled in creating filters to hide all the non-related system activity during your monitoring period, but with a bit of work you can drill down to the installer process as well as create events and start analyzing the data.

WinPatrol 2008 Free and WinPatrolToGo Portable Edition both seem to help in the monitoring/alerting/logging of changes made to the file system and registry, though they may be a bit more limited in features than some of the other task-specific tools noted here. Also, as cdman83 has pointed out in this post, the mechanisms used sometimes take a while to be picked up and registered with the program.

--Claus V.
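
The snapshot-and-compare workflow that RegShot, SystemSherlock and WhatChanged are described as using, sketched here for the file-system side only. This is an added example, not code from the original post or from any of those tools; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's relative path to (size, SHA-256); None if unreadable."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                h = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
                snap[rel] = (os.path.getsize(full), h.hexdigest())
            except OSError:
                snap[rel] = None  # locked or vanished mid-scan: still record it
    return snap


def compare(before, after):
    """Return paths added, removed and modified between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        # Content hash, not mtime: timestamps can be set back by the writer.
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Constructed sample tree standing in for a monitored install target."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "system32"))
        for rel, data in {"app.ini": b"mode=1", "old.log": b"x", "keep.txt": b"same"}.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        before = snapshot(root)
        # Simulated "installer run": same-size edit, a delete, a new nested file.
        with open(os.path.join(root, "app.ini"), "wb") as fh:
            fh.write(b"mode=2")
        os.remove(os.path.join(root, "old.log"))
        with open(os.path.join(root, "system32", "dropped.dll"), "wb") as fh:
            fh.write(b"MZ")
        return compare(before, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The same-size edit to `app.ini` is reported as modified because the comparison uses content hashes; a size-only or timestamp-only comparison would miss it.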

1 comment:

Bozo said...

Also remember that Spybot Search and Destroy has a real-time registry monitor (Teatimer) and (in advanced mode) tools that list out BHOs, ActiveX, startup objects and so on.