Regmon: tracking registry accesses

Regmon: tracking registry accesses

Regmon – a program from the company Sysinternals to monitor in real time the execution of appeals to the Windows system registry. The authors are Mark Russinovich and Bryce Cogswell.

After the acquisition of Sysinternals by Microsoft, the Microsoft TechNet section has a subsection Windows Sysinternals where you can find descriptions and links for downloading most of the Sysinternals software products. However, Regmon, as well as the Windows file system access monitoring program Filemon have been replaced by a single program Process Monitor, which, for all its advantages, is still less convenient for monitoring of registry accesses . In the Windows 2000/XP operating system environment, many users still prefer to use the Regmon utility. If you intend to monitor registry accesses in Windows Vista/Windows 7, you’d better go to the page describing the Process Monitor utility.

By its functionality, the latest versions of Regmon do not differ much from each other, at least externally. Here I have placed links for downloading versions of Regmon that I personally used.

Download Regmon 7.04 , 266 kb.

Download Regmon 6.06 , 86 kb.

There is no possibility to download the latest version of Regmon from the official site at the moment, and instead it is offered to download Process Monitor.
The older version of Regmon 6.06 works in Windows 2000/XP, and can even be run in 32-bit Windows Vista/Windows 7. However, in practice it turned out that the utility works unstable in these OSes and can cause the system to hang up.
Version 7.04 also works fine in Windows 2K/XP environment, but when you try to launch it in Windows Vista and older, you will get a message that the system is not supported and will be offered to use Process Monitor utility.

The program does not require installation, but must be run under an account with administrator rights. The archive also contains a documentation file in English regmon.hlp .

After starting the executable file regmon.exe, the window of settings for registry hijacking filters is displayed and after pressing Ok the program will start working. The settings of Regmon filters will be described in detail below.

Monitoring of registry calls with regmon
The program interface consists of 3 parts – menu bar, toolbar and output area in the form of a table, each line of which corresponds to the record of accessing the registry. To stop the interception process, click the button with the magnifying glass so that its image becomes a crossed out red line. Repeated clicking will return the interception mode.

Double-clicking on a separate line will launch the registry editor and move to the partition or key corresponding to the record. The order of the lines corresponds to the time of execution of operations. The information in the output window is divided into seven columns:

# – row number from the beginning of the session of capturing the registry calls .

Time – address time. The format of time (clock or stopwatch) can be set using menu Options-Clock Time . For clock format you can set accuracy of time display using – Options – Show Milliseconds .
Process – process name and identifier (PID), which called the registry. For example – svchost.exe:792 – the process svchost.exe, whose PID is 792, called the registry.

Request – request type. The types of requests are tracked by regmon:

OpenKey – process opens key for further operations on it.
CloseKey – The process closes the key. For any requests to the registry key, the key is always opened first and closed at the end of the work with it.
CreateKey – The process creates a new registry key.
DeleteKey – The process deletes the registry key.
DeleteValueKey – The process deletes the value from the registry key.
EnumerateKey – With this query the process determines the presence and names of connections of this key. The program cyclically executes the EnumerateKey query until all connections are read.
EnumerateValue – With this query the key values are determined. The program cyclically executes the EnumerateValue query until all key values are read.
SetValue – The process creates a new value of the key, or changes the data that contain the value along the specified path in the registry…
QueryKey – The process reads information about the key at the specified path.
QueryValue – The process reads the key data.
LoadKey – The process loads the registry bush (hiev).
UnloadKey – The process loads the registry bush.

Path – path to the registry key or the value of the key being processed.

Result – result of the action performed with the registry :

SUCCESS – executed successfully
NOTFOUND – Key or value not found. This result is encountered quite often and is usually not an error. Usually it is a sign of a process searching for specific data in the registry.
BUFOVRFLOW – Buffer overflow. The program has requested data in the registry that should be received in the buffer of a certain size, but the data are not placed in the buffer. In many cases, the size of data received from the registry is unknown in advance, so many applications initiate an overflow to the registry using a function, one of whose values is set to 0, and if the requested value exists, the function returns the required buffer size with the BUFOVRFLOW sign. Therefore, this result usually indicates not an error but an attempt by the application to determine the buffer size for storing data from the registry.
ACCDENIED – Access denied. This is usually due to a lack of authority to access the registry along the specified path.
NOMORE – The program needed to obtain a list of nested keys for the specified path and listed them one by one. When there were no keys or values left, the NOMORE result was generated.
Other – additional information.

Information that details a particular type of request and the result of its execution. It can be data obtained from the key value, access rights, found connectors.

Access – desired access rights. The most frequently used is Access:0x20019 – maximum allowed access.
SubKeys – after successful execution of QueryKeys query the number of connections for this key is specified.
“text” – text value. Usually data stored in string values (data of STRING type).
0xN – hexadecimal value. (DWORD type data)
Name: – text name of the key.
XX XX XX XX – hexadecimal numbers for binary values (BINARY type data).

General Regmon menu

Most items in the main menu of the Regmon utility are duplicated in the form of toolbar icons. The most frequently used actions can be performed using the key combinations specified in the item name. For example – “Capture Events : CTRL+E”. Pressing CTRL+E will change the capturing mode of events (it will turn on if it was turned off, or vice versa it will turn off if it was turned on).

Main menu items File.

Load – open previously saved report from file and view it
Save – save window contents to a report file .
Save As – choose another location and name for the report file.
Process Properties – properties of the process that initiated the registry call. (executable file, path, command line parameters, etc.)
Exit – end Regmon work
Capture Events – CTRL+E – enable/disable interception of registry calls.

Main menu items Edit.

Copy – copy the selected strings to the clipboard.

Delete – remove selected strings.
Include Process – add selected process to the group of tracked
Exclude Process – exclude the selected process from the group of traceable ones
Include Path – adds the path from the selected line to the list of trackers
Exclude Path – exclude the path from the selected line from the list of tracked. Find – search through all the contents of intercepted data buffer, string with specified text.

Regedit Jump – quickly navigate to Windows Regedit registry editor and open a key corresponding to the selected line in the Path column. If the path is invalid, then the transition will be performed only in the part of the path that exists.
Clear Display – clear the list of intercepted data. All strings recorded since the start of the capture are removed.

Main menu items Options.

Font – font selection for window
Highlight Colors – selection of color for background and text of records selected as illuminated (most interesting for analysis). You can set the background color (BG) and text color (FG) by selecting the desired color element and pressing Select button according to your preferences.
Filter/Highlight – definition of filters for records that should be enabled/excluded from intercepted data and backlit lines. More details about filters – below in text.
History Depth – maximum number of intercepted events. (0 – without limits).
Auto Scroll – enable/disable automatic scrolling of window contents so that you can always see the last record.
Clock Time – switch the time format (clock or stopwatch).
Show Milliseconds – additionally show milliseconds in time value.
Always On Top – the program window is always above all other windows.

Log Boot – tracks registry entries during the Windows boot process. After selecting this menu item, the program will display a message that Regmon is configured to write registry accesses to the log file during the next OS reboot:

Regmon - monitoring at boot process
After reboot, the Regmon.log file with the monitoring data will be created in the system root directory (C:\Windows). Logging mode will continue until Regmon.exe is started by a logged user and is performed for only one reboot. Regmon in Log Boot mode will be installed in the system and, after reboot, will run as a driver, so all registry entries that occurred before it started will not be tracked. You can view the monitoring log using File – Open menu.


Installation of Regmon. filters.

By default, the Regmon utility is configured to output information about Windows registry accesses made by all processes and applications, but the program provides the ability to filter the output. You can set filtering conditions immediately after starting the utility or by invoking the filter settings window ( Regmon Filters ) at any time using the program menu or the CTRL+L key combination.

Setting filters for Regmon
Filters allow you to limit the output of Regmon data based on process name, registry path, query type and results. You can use three text fields to configure the filters. The filters are separated from each other by the “semicolon” symbol. It is possible to use the symbol * (asterisk) as a template (wildcard).
Include – only registry processes and paths listed in this field will be displayed in Regmon output list.
Exclude – the processes and paths of the registry listed in this field will not be displayed in the Regmon output list.
The Highlight field specifies the filters by which the lines to be selected from the output list are determined.
There are several checkboxes ( checkboxes ) in the lower part of the window for filtering the list items by the type of actions being performed. If you clear all the checkboxes, no information will be displayed. Checking this box determines what operations will be displayed in the data window.
Log Opens – displays data about operations related to the opening or closing of keys.
Log Reads – output data about reading operations from the registry ( QueryKey and QueryValue ).
Log Writes – output data about the registry record operations ( SetValue ).
Log Errors – output data on operations that ended with an error . It should be taken into account that errors when accessing the registry do not always tell us about some problem with the registry but are most often caused by the logic of the process accessing the registry.
Log Successes – output data about operations executed successfully .

The program remembers the history of the input filters. At start the last specified filter is used. To reset the filtering criteria to the initial value, the Defaults button in the Regmon Filters window is used. In practice, to filter the output data, it is more convenient to use the menu called by the right mouse button on the selected line

Right button - filters for Regmon
Include Process and Include Path – add the process or path displayed in the current line to the Include field.
Exclude Process and Exclude Path – exclude from Regmon output the process or path displayed in the current line.


Exclude Regmon utility .

To learn how to work with Regmon, the easiest way to start is by intercepting registry hits from the program whose logic you know. For example – the Windows registry editor regedit.exe. To filter, you can take the following values:
Include – regedit
Exclude – leave blank
The Highlihgts field can also be left blank. If necessary, the highlighting and exclusion criteria can always be set during the work when registry hijacking starts.
Once the tracking starts, try opening the registry section to see what the sequence of hijackings looks like and what operations were performed during this action. What happens when individual values are read or written.

Once you’ve gained initial skills with Regmon, try to determine, for example, where and in what form the registry stores information about the Internet Explorer (IE) browser home page. For more information:

– it is desirable to define a process name for the Include-filter to reduce the amount of unnecessary information.
– The easiest way to find this setting is to manually change the IE home page to a value you know.
– It is better to enable Registry hijacking immediately before modifying the IE home page to reduce the amount of information that is not relevant to the problem you are looking for.

Well, if there is a problem, try setting the text in the HighLights filter to match the output value of the home page in your browser settings.


0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments

Do NOT follow this link or you will be banned from the site!
Would love your thoughts, please comment.x

Spelling error report

The following text will be sent to our editors: