Use REGMON :: Monitor Your Registry in Real-Time
RegMon is a Registry real-time monitoring utility that shows which applications are accessing your Registry, which are the keys accessed, and the Registry data that they are reading and writing. This utility takes you one step beyond what static Registry tools can do, by letting you see and understand how exactly the programs use the Registry. With static tools, you will be able to see what Registry values and keys are changed. But with Regmon, you can see how the values and keys are changed.
The Registry plays a key role in the configuration and control of Windows systems and is the repository for both system wide as well as per-user settings.
A high percentage of system and application crashes are usually a result of unstable registry data. When a system or a service faces issues in accessing various registry settings, it misbehaves by crashing, displaying a vague error message or even executing itself with limited functionality. As you know, it is virtually impossible for one to understand what registry keys or values are mis-configured, without understanding precisely how the crashing application accesses the registry.
A simple answer in this type of situation is REGMON, the tool provided by Sysinternals.
As mentioned previously, Regmon allows live monitoring of the registry activity. For each registry access, the Regmon displays processes that are performed, and the access time along with the type and result of the access.
Before coming up to practical side, let’s have a look at how Regmon operates.
- Here, the Application is executing a registry related system service call.
- In the second step, the System Service Dispatcher looks up for the corresponding system service function address in the System Service Array. By that time, Regmon would have replaced the address with its hook function.
- The Regmon hook function is then invoked.
- The Regmon hook function will then call the original function.
Now, let’s see an example that allows to determine, where in the registry, the system or the application stores particular settings. In this example, we will check the Notepad‘s settings using Regmon.
- Make Notepad save a setting that you can easily search for in a Regmon trace. You can do this by setting the font to Times New Roman.
- Run Regmon. Open the HIGHLIGHTING FILTER dialog box and enter notepad.exe in the INCLUDE FILTER. This will configure Regmon to log activities corresponding to Notepad.
- Now run Notepad again and stop Regmon event capturing process. This can be done by clicking Capture Events on the File menu.
- Scroll to the top line of resultant log and select it.
- Press CTRL+F to open the find dialog box and search for “times new“. Regmon should highlight a line.
- Double click the highlighted line and you can see the referenced registry value.
Now, the question is how this tool can be used to troubleshoot a registry-related issue. Basically there are two troubleshooting techniques.
By verifying the last thing that the application did before it failed, from the Regmon trace. This can help you trace out the problem for its failure.
By comparing Regmon‘s trace of the failing application with a trace from the working system.
In order to use the first approach, run Regmon first and then run the suspected application. When the failure occurs, go back to Regmon and stop logging. You can do this by using the shortcut, CTRL+E. Go to the end of the activity log and find the last operation that was performed by the application before it failed. From the last line you need to examine the registry keys it referenced. Many a time, this helps to resolve the problem.
The second approach can be used when the application fails on one system and works on another. Capture the Regmon trace of the application on the working and failing systems and save the output to a log file. After this, you need to open both the logs in Microsoft Excel. Please take care to delete the first 3 columns, if not the comparison will show all the lines. Now, compare the logs. You can do this by using “WinDiff” (It is included with the free support tools).
The entries in a Regmon trace, that have values of NOTFOUND or ACCESS DENIED in the result column are the ones that needs to be investigated. NOTFOUND is reported when an application attempts to read a registry value that does not exist. Similarly ACCESS DENIED occurs when an application does not have the permission to access the key.
An interesting result string that might appear is BUFEROVERFLOW. This does not indicate a buffer-overflow exploit in the application, instead it is used by the configuration manager to inform an application that the buffer that it has specified to store the registry value is too small to hold the value.
HOW TO LOG REGISTRY ACTIVITY DURING LOG ON / LOG OFF
If you are facing an issue related to account log on and log off, you can use Regmon to capture a trace of the phases of the log on session. You must be aware that the applications that are running in the local system account are not terminated when a user logs off. You can take advantage of this feature to have Regmon run through a log on and a subsequent log off. You can run Regmon in local system account by using PsExec (From Sysinternals).
psexec -i -s -d c:regmon.exe -i switch = It directs Psexec to have Regmon's window appear on the interactive console. -s switch= It allows PsExec to run Regmon in the local system account. -d switch = It allows PsExec to launch Regmon and exit without waiting for it to terminate.
The execution of this command allows Regmon to survive log off and re-appear on the screen when you log back on, by capturing the registry activities of both the actions.
There is another way to monitor registry activity during the log on, log off, boot or shut down processes using Regmon. This is by using Regmon‘s log boot feature. You can enable this by selecting LOG BOOT from the options menu. The next time you boot the system, Regmon logs the registry activities in the boot to \windows\Regmon.log.
We have now gone across the basic techniques that can be used to troubleshoot any issue that an application/service can face due to issues related to registry access.
Overall, this is a nice and easy to use application that helps to monitor the registry. It’s simplicity of use is helpful to the beginners and to the experienced users, Regmon can serve as an advanced application.
In short, RegMon is an ideal solution when it comes to real-time registry monitoring – A fast and affordable way to monitor and fix your registry.
About the Author :
Hari Vishnu, Software Engineer has been working with Bobcares for more than an year now. He has expertise in both Windows and Linux server Administration, and he is considered to be a master when it comes to Windows servers. Apart from the technical side, he has gained a reputation as a gifted stage performer too.