Modifying the Windows registry with .reg files. Making changes to the registry using a .reg file. RegFromApp screenshots

Sometimes you may want to track the changes that programs or Windows settings make to the registry, for example in order to undo them later, or to find out where particular parameters (appearance settings, OS updates and the like) are stored in the registry.

This review covers popular free programs that make it easy to see what has changed in the Windows 10, 8 or Windows 7 registry, plus some additional information.

The free Registry Live Watch works slightly differently: instead of comparing two registry snapshots, it monitors changes in real time. However, the program does not show the changes themselves; it only reports that a change has occurred.

You can download the program from the developer's official website: http://leelusoft.altervista.org/registry-live-watch.html

WhatChanged

Another program that lets you find out what has changed in the Windows 10, 8 or Windows 7 registry is WhatChanged. It is used in much the same way as the first program in this review.

The program has no official website of its own, but it is easy to find online and needs no installation (to be safe, check it on virustotal.com before running it, bearing in mind that the original file triggers one false positive).

Another way to compare two versions of the Windows registry without extra programs

Windows has a built-in tool for comparing the contents of files, fc.exe (File Compare), which among other things can be used to compare two versions of a registry branch.

To do this, export the required branch from the Registry Editor (right-click the key and choose Export) before and after the change, under different file names, for example 1.reg and 2.reg.

Then run a command like this at the command prompt:

fc /U c:\1.reg c:\2.reg > c:\log.txt

The first two arguments are the paths of the two exported registry files, and the redirection sends the comparison results to a text file. The /U switch tells fc to compare the files as Unicode text, which is how regedit saves exports.

Unfortunately, this method is unsuitable for tracking large changes (the report becomes impossible to read); it works only for a small registry key with a few values where a change is expected, and then mainly to confirm that a change happened at all.
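The readability problem just described goes away if the two exports are parsed into values and compared value by value rather than line by line. The following PowerShell script is an added example, not part of the original article: ConvertFrom-RegExport is this example's own parser, and the two exports it compares are constructed inline (no real system data). With real data, export the key before and after the change (for example reg.exe export HKCU\Software\Test before.reg /y, then after.reg) and load each file with Get-Content -Raw, which honours the UTF-16 byte-order mark that regedit writes.

```powershell
# Added example (not from the original article): compare two regedit exports value by value
# instead of reading raw fc.exe output. Sample exports below are constructed, not real system data.
function ConvertFrom-RegExport {
    # Parses "Windows Registry Editor Version 5.00" text into objects (Key, Name, Data). Handles
    # comments, the REGEDIT4 header, escaped value names, [-key] deletions and hex data continued
    # over several lines with a trailing backslash. Data keeps its on-disk form (dword:..., hex:...).
    param([Parameter(Mandatory)][string]$Text)
    $key = $null; $pending = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($pending) {                                   # continuation line of a hex value
            $pending.Data += $line.TrimEnd('\')
            if (-not $line.EndsWith('\')) { [pscustomobject]$pending; $pending = $null }
            continue
        }
        if ($line -eq '' -or $line.StartsWith(';') -or $line -like 'Windows Registry Editor*' -or $line -eq 'REGEDIT4') { continue }
        if ($line -match '^\[(-?)(.+)\]$') {
            $key  = $Matches[2]
            $mark = if ($Matches[1] -eq '-') { '<deleted key>' } else { '<key>' }
            [pscustomobject]@{ Key = $key; Name = ''; Data = $mark }
            continue
        }
        if ($line -match '^(@|"((?:[^"\\]|\\.)*)")=(.*)$') {
            $name  = if ($Matches[1] -eq '@') { '(Default)' } else { $Matches[2] -replace '\\(.)', '$1' }
            $entry = @{ Key = $key; Name = $name; Data = $Matches[3] }
            if ($entry.Data.EndsWith('\')) { $entry.Data = $entry.Data.TrimEnd('\'); $pending = $entry }
            else { [pscustomobject]$entry }
        }
    }
}

# Constructed sample exports: one value changed, one added, one removed between them.
$before = @'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Test]
"CatName"="reestr"
"CatAge"=dword:00000008
"Blob"=hex:00,01,\
  02,03
'@
$after = @'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Test]
"CatName"="reestr"
"CatAge"=dword:00000009
"Path"="C:\\Temp"
'@

# Compare-Object does the diff: "<=" marks data present only in the first export (removed, or the
# old data of a modified value), "=>" data present only in the second (added, or the new data).
$ref  = ConvertFrom-RegExport -Text $before
$diff = ConvertFrom-RegExport -Text $after
Compare-Object -ReferenceObject $ref -DifferenceObject $diff -Property Key, Name, Data |
    Sort-Object Key, Name, SideIndicator | Format-Table Key, Name, Data, SideIndicator -AutoSize
```

Because the comparison is keyed on key path and value name, a modified value shows up as a pair of rows (old data with <=, new data with =>), and unrelated lines of the export never interfere, which is what makes this usable on large branches where the raw fc output is not.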

This article shows the steps for taking ownership of a registry key and gaining Full Control rights, and how to restore the original rights and the original owner afterwards.

Some keys in the Windows registry cannot be edited even if your account belongs to the Administrators group. This usually happens because the Administrators group does not have the permissions (rights) needed to write to that key. There are several reasons why a key may not be editable:
■ The Administrators group owns the key but does not have full rights to it. In this case it is enough to give the Administrators group Full Control.
■ The key is owned by the system service TrustedInstaller. In this case you must first take ownership of the key and then grant your group Full Control; this is exactly the example examined in this article.
■ The key is owned by the SYSTEM account.

The rest of this article describes how to make changes to the registry without the appropriate permissions, how to restore the original permissions, and why you need to do that. Before editing the system registry, it is recommended

If you try to change a value in the registry without sufficient rights, you will receive an error message.

Consider first the example in which the Administrators group owns the key but does not have full rights to it:
1. Right-click the key and choose Permissions...
2. Select the Administrators group.

If the Full Control checkbox is available, tick it and click OK. This may be sufficient if the group owns the key.

If the checkbox is unavailable, or you see an error message like the one in the screenshot below, proceed to the second example.

Second example: the key is owned by the system service TrustedInstaller

In the Permissions window, click Advanced.

In the next window, click the Change link next to the owner, enter the name of a local account or the e-mail address of a Microsoft account, click Check Names, and then OK.

Tick Replace owner on subcontainers and objects at the top of the window and click OK.

Select the Administrators group, tick Full Control and click OK.

You now have full access to the registry key and can edit all of its values.

Third example: the key is owned by the SYSTEM account. The steps are the same as for TrustedInstaller.

Returning the original rights and restoring the owner

For the sake of system security, after editing the necessary values you should return the original access rights and restore the system account, TrustedInstaller, as the key's owner.
1. Right-click the registry key and choose Permissions... from the menu.

2. In the Permissions window, click Advanced.

3. In the Advanced Security Settings window, click the Change link at the top, and in the Select User or Group dialog enter the account name:
NT SERVICE\TrustedInstaller

4. Click OK.

5. In the Permissions window, select the Administrators group, untick Full Control and click OK.

The original rights and the owner of the registry key are restored.

■ If the key was owned by the SYSTEM account, enter SYSTEM instead of NT SERVICE\TrustedInstaller.
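The same three operations (take ownership, grant Full Control, restore the saved owner and rights) as a scripted PowerShell procedure. This is an added example and not part of the original article; it assumes Windows PowerShell 5.1 in an elevated session and a hypothetical key HKLM\SOFTWARE\Example\LockedKey (point $SubKey at the key you actually need). The TokenPriv helper, the backup file and the step order are this example's own choices. It deliberately avoids Set-Acl, which opens the key for KEY_WRITE, an access that a TrustedInstaller-owned key denies to Administrators and that is exactly what produces the error message mentioned above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): take ownership of a TrustedInstaller-owned key,
# grant Administrators Full Control, make the edit, then restore the saved owner and DACL.
using namespace Microsoft.Win32
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$SubKey     = 'SOFTWARE\Example\LockedKey'      # assumption: hypothetical key under HKEY_LOCAL_MACHINE
$BackupFile = Join-Path $env:TEMP 'LockedKey.sddl'

# The ACL work uses RegistryKey directly, requesting only the right each step needs. Two privileges
# that an admin token holds but keeps disabled must be switched on first: SeTakeOwnershipPrivilege
# grants WRITE_OWNER regardless of the DACL, SeRestorePrivilege allows setting an owner
# (TrustedInstaller) that is not a SID in our own token.
$privSrc = @'
using System; using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    private struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst,
                                                     int len, IntPtr prev, IntPtr relen);
    public static bool Enable(string privilege) {
        IntPtr htok = IntPtr.Zero;
        IntPtr hproc = System.Diagnostics.Process.GetCurrentProcess().Handle;
        if (!OpenProcessToken(hproc, 0x28, ref htok)) return false;   // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        TokPriv1Luid tp; tp.Count = 1; tp.Luid = 0; tp.Attr = 0x2;    // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
        AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return Marshal.GetLastWin32Error() == 0;    // 1300 (ERROR_NOT_ALL_ASSIGNED) = privilege not held
    }
}
'@
if (-not ('TokenPriv' -as [type])) { Add-Type -TypeDefinition $privSrc }
foreach ($p in 'SeTakeOwnershipPrivilege', 'SeRestorePrivilege') {
    if (-not [TokenPriv]::Enable($p)) { throw "Cannot enable $p; is this an elevated session?" }
}
$admins   = [SecurityIdentifier]'S-1-5-32-544'     # BUILTIN\Administrators
$hklm     = [Registry]::LocalMachine
$sections = [AccessControlSections]'Owner,Group,Access'

# 1. Back up owner + DACL. Only READ_CONTROL is needed, and Administrators normally keep Read.
$k = $hklm.OpenSubKey($SubKey, [RegistryKeyPermissionCheck]::ReadSubTree, [RegistryRights]::ReadPermissions)
$k.GetAccessControl($sections).GetSecurityDescriptorSddlForm($sections) | Set-Content -Path $BackupFile
$k.Close()

# 2. Take ownership (the "Change" owner step of the dialog). A fresh RegistrySecurity with only
#    SetOwner() persists nothing but the owner field, so WRITE_OWNER is the only write right requested.
$k = $hklm.OpenSubKey($SubKey, [RegistryKeyPermissionCheck]::ReadWriteSubTree,
                      [RegistryRights]'ReadPermissions,TakeOwnership')
$sd = [RegistrySecurity]::new(); $sd.SetOwner($admins); $k.SetAccessControl($sd); $k.Close()

# 3. The owner implicitly holds WRITE_DAC: add Full Control for Administrators, inherited by subkeys.
$k = $hklm.OpenSubKey($SubKey, [RegistryKeyPermissionCheck]::ReadWriteSubTree,
                      [RegistryRights]'ReadPermissions,ChangePermissions')
$sd = $k.GetAccessControl([AccessControlSections]::Access)
$sd.AddAccessRule([RegistryAccessRule]::new($admins, [RegistryRights]::FullControl,
                  [InheritanceFlags]::ContainerInherit, [PropagationFlags]::None, [AccessControlType]::Allow))
$k.SetAccessControl($sd); $k.Close()

# ... make the edit here, e.g. Set-ItemProperty -Path "HKLM:\$SubKey" -Name Example -Value 1 ...

# 4. Restore the saved owner and DACL in one write (SeRestorePrivilege makes the foreign owner legal).
$k = $hklm.OpenSubKey($SubKey, [RegistryKeyPermissionCheck]::ReadWriteSubTree,
                      [RegistryRights]'ReadPermissions,ChangePermissions,TakeOwnership')
$sd = [RegistrySecurity]::new()
$sd.SetSecurityDescriptorSddlForm((Get-Content -Path $BackupFile -Raw).Trim(), $sections)
$k.SetAccessControl($sd); $k.Close()
Get-Acl -Path "Registry::HKEY_LOCAL_MACHINE\$SubKey" | Format-List Owner, AccessToString
```

Two caveats. The dialog's "Replace owner on subcontainers and objects" is not replicated: subkeys with their own protected ACLs keep their owner, so check them separately if the edit touches them. And in PowerShell 7 GetAccessControl and SetAccessControl are extension methods that must be called as [System.Security.AccessControl.RegistryAclExtensions]::SetAccessControl($k, $sd); the rest of the script is unchanged.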


You can make changes to the registry by entering new values for the desired parameters in the Registry Editor itself, or by importing. But there is another way: prepare a file in a specified format in advance, and the necessary parameters will be set in the registry automatically. Text files with the .reg extension serve this purpose.

REG file format

This is what an example REG file looks like; it creates a key (Test) with values (CatName and CatAge):

Windows Registry Editor Version 5.00

; Set new values for the Test key
[HKEY_CURRENT_USER\Software\Test]
"CatName"="reestr"
"CatAge"=dword:00000008

REG file syntax

Let's look at the REG file format. The file begins with a header:

Windows Registry Editor Version 5.00

Note that older operating systems, Windows 98 and Windows NT 4.0, used the header REGEDIT4. If you still have such old files, don't worry: the current Registry Editor understands this format and processes the information correctly. The reverse is not true: Windows 98 cannot recognize the new header and reports an error. One important detail: there is always an empty line after the header.

If you need to include a comment in the file, so as not to forget what a value is for, start the line with a semicolon (;). Comments are there for the user's convenience only and are not written to the registry.

Creating a REG file

A REG file can be written in any text editor, such as Notepad. Create a new text document, type the code shown above (Fig. 1.1) and save the file with the .reg extension. If you want to practice creating such files, it is easier to generate them by exporting from the Registry Editor and then editing them in Notepad.

Fig. 1.1.

Making changes to the registry using a .reg file

Earlier we looked at what the system does when you double-click a file with the .reg extension: the Registry Editor starts, and the file name is passed to it as a parameter.

ATTENTION
Before importing a REG file into the registry, be sure to back up the registry or create a system restore point!

This method is not very convenient for automating tasks. Suppose, for example, that we want to write a script for automatic system setup that uses REG files. If there are many of them, the user will constantly have to press OK, which, you will agree, is no pleasure. You can suppress the dialog box by running the command with the /S switch:

regedit /S D:\test.reg

This is the method programmers and system administrators use when creating programs and scripts that work with REG files. Under User Account Control, regedit will still ask for permission to elevate; UAC can be disabled for the duration of such actions so that the user sees nothing, although running the script from an already elevated session is the safer choice. A REG file can also delete keys. To do this, put a minus sign in front of the key name. Let's open our file cat.reg in Notepad and change it as follows:

Windows Registry Editor Version 5.00

; put a minus sign to delete the key
[-HKEY_CURRENT_USER\Software\Test]

Now double-click the .reg file to import its entries into the registry, then check in the Registry Editor that the key has been deleted.

ATTENTION
A [-key] line deletes the key together with all of its subkeys and values, so check the path carefully before importing; a mistake one level too high removes far more than intended.

You can also delete an individual value. To do this, put a minus sign (-) after the equals sign (=), for example "CatAge"=-.
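The format rules above (header, mandatory blank line, quoted and escaped names and strings, dword as eight hex digits, [-key] and name=- for deletions) are easy to get wrong by hand. The following script is an added example, not from the original article: ConvertTo-RegFile is this example's own writer, the key HKEY_CURRENT_USER\Software\Test and the CatName/CatAge values come from the article, the extra Home value and the use of reg.exe import (which, like regedit /S, shows no confirmation dialog) are the example's choices.

```powershell
# Added example (not from the original article): emit a .reg file from a hashtable, import it
# silently with reg.exe, verify the result, then remove the key again with the [-key] form.
function ConvertTo-RegFile {
    # $Keys maps a key path to a hashtable of values, or to $null to delete the whole key.
    # A value whose data is $null is emitted as "name"=- (delete that value); '' names the (Default) value.
    param([Parameter(Mandatory)][hashtable]$Keys)
    $lines = [System.Collections.Generic.List[string]]::new()
    $lines.Add('Windows Registry Editor Version 5.00')
    $lines.Add('')                                 # the empty line after the header is mandatory
    foreach ($path in ($Keys.Keys | Sort-Object)) {
        $values = $Keys[$path]
        if ($null -eq $values) { $lines.Add("[-$path]"); $lines.Add(''); continue }
        $lines.Add("[$path]")
        foreach ($name in ($values.Keys | Sort-Object)) {
            $data  = $values[$name]
            $label = if ($name -eq '') { '@' } else { '"' + ($name -replace '([\\"])', '\$1') + '"' }
            $enc   = if ($null -eq $data)         { '-' }
                     elseif ($data -is [int])     { 'dword:{0:x8}' -f $data }
                     elseif ($data -is [byte[]])  { 'hex:' + (($data | ForEach-Object { '{0:x2}' -f $_ }) -join ',') }
                     else { '"' + ([string]$data -replace '([\\"])', '\$1') + '"' }   # backslash and quote escaped
            $lines.Add("$label=$enc")
        }
        $lines.Add('')
    }
    return ($lines -join "`r`n")
}

# Constructed sample data: the article's Test key plus a string value that needs escaping.
$create  = ConvertTo-RegFile @{
    'HKEY_CURRENT_USER\Software\Test' = @{ CatName = 'reestr'; CatAge = 8; Home = 'C:\Cats\"Tom"' }
}
$cleanup = ConvertTo-RegFile @{ 'HKEY_CURRENT_USER\Software\Test' = $null }   # the [-key] form

$file = Join-Path $env:TEMP 'cat.reg'
# regedit writes exports as UTF-16; reg.exe reads both encodings, so match regedit here.
[System.IO.File]::WriteAllText($file, $create, [System.Text.Encoding]::Unicode)
& reg.exe import $file | Out-Null            # no confirmation dialog, unlike double-clicking the file
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
Get-ItemProperty -Path 'HKCU:\Software\Test' | Select-Object CatName, CatAge, Home

[System.IO.File]::WriteAllText($file, $cleanup, [System.Text.Encoding]::Unicode)
& reg.exe import $file | Out-Null
Test-Path -Path 'HKCU:\Software\Test'        # shows whether the [-...] line removed the key
```

Generating the file from data rather than typing it keeps the escaping consistent: a Windows path such as C:\Cats ends up as "C:\\Cats" in the file, and a quote inside a string is written as \", both of which regedit and reg.exe require.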

How to take Windows registry snapshots to compare and track changes

You can track registry changes in different ways, manually or with special programs. In this article I will show how to do it with a program, which in my opinion is much more convenient.

As promised in the article "", this publication starts a series of articles devoted to malware analysis. In them I will talk about tools that let you investigate viruses and their behavior.

Today's article will be useful not only to virus researchers but also to ordinary users who want to become more proficient with their computer. I will show how to use Regshot to take snapshots of the Windows registry, compare them, and track changes.

What is the Windows registry?

The registry is one of the main parts of the Microsoft Windows operating system. Despite this, most users work with the operating system without being aware that the registry exists.

An inexperienced user does not even realize that every change of settings, whether installing programs or reconfiguring Windows itself and the devices connected to it, is written to the Windows registry.

In a word, the registry is in a sense the core of the operating system, where all settings and changes are stored.

Why analyze the registry and track changes?

Suppose you are no longer just a passive novice user and want to know what happens behind the scenes while a new program is being installed, or you want to analyze the behavior of a virus. To find out what changes software makes, you need a program that tracks the registry. One such tool is RegShot.

Registry snapshots with RegShot

RegShot is a small free open-source program that takes snapshots of the registry and compares them. All the changes that have occurred in the registry can be saved to a text or HTML file.

Download RegShot

You can download RegShot free of charge via the direct link.

Installing RegShot

Once the download finishes, unzip the archive and open the folder with the files. It contains several files.

When choosing the executable, pay attention to the bitness of your operating system.

Setting up and using RegShot

After starting, a small program window appears, in which we immediately switch the interface language to Russian. A Ukrainian interface language is also available.

Now let's get to work. Tracking registry changes begins with the first snapshot of the registry. Click the snapshot button; the drop-down offers three options:

  • Snapshot - take a snapshot only
  • Snapshot + Save - take a snapshot and save it to a file
  • Open - open a previously saved snapshot of the registry

Choose the option you need. In my case there is no need to save the snapshot, so I click the "Snapshot" button. The program springs into action and starts taking the first snapshot of the registry; at the bottom of the window you will see the counters changing.

When the numbers stop and the program settles down, you can start working with third-party programs, installing things, and so on.

When you are done, click the "Second snapshot" button, and after a few seconds you can click "Compare".

If the "Text" option was selected at the start, a Notepad window opens containing a complete record of the registry changes.

I did not install any programs; I only changed a few settings in the Windows Control Panel. As you can see, Regshot recorded all the changes.

During a software installation the report will of course be larger.

If you need to analyze the registry again, click the "Clear" button and start over.

As you can see, taking a registry snapshot to track changes is very easy, especially when the right program is at hand. This is very convenient when you need to find out what changes a program makes to the registry during installation. By the way, in the same way you can find out which registry entries are responsible for a particular Windows setting.
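The first-shot, change, second-shot, compare workflow does not need a dedicated tool; it can be scripted over a subtree of the live registry. The following is an added example, not part of the original article or of RegShot: the functions are this example's own, the subtree HKCU:\Control Panel and the throwaway value RegShotDemo (which stands in for the Control Panel change made above) are its assumptions, and snapshots are kept in memory rather than saved to a file as with "Snapshot + Save".

```powershell
# Added example (not from the original article): RegShot-style snapshot and compare of one subtree.
function Get-RegistrySnapshot {
    # Walks $Path recursively into a hashtable "key|valuename" -> "kind:data" (data rendered as text so
    # binary and multi-string values compare reliably). The key itself is stored under "key|".
    param([Parameter(Mandatory)][string]$Path)
    $snap = @{}
    $keys = @(Get-Item -Path $Path -ErrorAction Stop) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $snap["$($key.Name)|"] = '<key>'
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $text = if ($data -is [byte[]])       { ($data | ForEach-Object { '{0:x2}' -f $_ }) -join ',' }
                    elseif ($data -is [string[]]) { $data -join ';' }
                    else { [string]$data }
            $label = if ($name -eq '') { '(Default)' } else { $name }
            $snap["$($key.Name)|$label"] = '{0}:{1}' -f $key.GetValueKind($name), $text
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    # Reports keys and values that were added, removed or modified between two snapshots.
    param([Parameter(Mandatory)][hashtable]$First, [Parameter(Mandatory)][hashtable]$Second)
    foreach ($id in (@($First.Keys) + @($Second.Keys) | Sort-Object -Unique)) {
        $key, $name = $id -split '\|', 2
        if     (-not $First.ContainsKey($id))  { $change = 'Added' }
        elseif (-not $Second.ContainsKey($id)) { $change = 'Removed' }
        elseif ($First[$id] -ne $Second[$id])  { $change = 'Modified' }
        else { continue }
        [pscustomobject]@{ Change = $change; Key = $key; Name = $name; Before = $First[$id]; After = $Second[$id] }
    }
}

$shot1 = Get-RegistrySnapshot -Path 'HKCU:\Control Panel'
# ... toggle a Control Panel setting or run the program under test here; the next line stands in for that ...
Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'RegShotDemo' -Value 'touched'
$shot2 = Get-RegistrySnapshot -Path 'HKCU:\Control Panel'
Compare-RegistrySnapshot -First $shot1 -Second $shot2 | Format-Table -AutoSize
Remove-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'RegShotDemo'
```

As with RegShot, the second snapshot should be taken as soon as the action of interest is finished: the longer the gap, the more unrelated noise (MRU lists, timestamps, per-user caches) shows up in the report, and HKLM subtrees require an elevated session to read completely.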

If you use Windows, it would be good to get to know it better. You can start with the article about the mysterious file that you absolutely must know about!

That's all, friends. We will look at other tools in the future. And yes, I have not forgotten my promise to write detailed instructions on building a reliable isolated lab in a virtual machine for testing software and viruses. So you are welcome to join our social media communities.

The Windows registry is perhaps the most dynamic component of the operating system. It reflects any change, even the most insignificant, that standard and third-party programs make to the system. Experienced users can track such changes with special utilities, one of which is discussed today. It is called RegFromApp. This small portable utility from Nirsoft lets you monitor the operation of programs installed on the computer.

More precisely, it records all the changes they make to the system registry while running and, if necessary, compares previously obtained results with later ones. Universal Windows applications are the exception: attaching to their processes usually fails.

Note: to monitor 32-bit programs, use the 32-bit version of the utility, even on a 64-bit system.

The utility is simple to use. When launched, it prompts you to select a process to monitor; choose one and click OK. You can also choose the process manually from the program's main menu. Monitoring then runs in the background. As soon as the monitored program makes any change to the registry, it appears immediately in the utility's main window. The change data can be copied to the clipboard or saved as a REG file.

There are two display modes. By default the utility shows only the last changed values, but it can also display the original values. The program has no other significant settings.