show registry access

Posted on 2006-06-07
Last Modified: 2008-02-01
Hello.  Can someone suggest a program that shows the regisitry entries that are accessed by a specific program?
Like, when i fire up one of my programs, i would like to see the registry entries that are accessed by the program.
does this exist?  wasn't sure if there was a free program that could show this.
Question by:linuxrox
    LVL 59

    Accepted Solution

    Try this free program:

    Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing - all in real-time. This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry. With static tools you might be able to see what Registry values and keys changed. With Regmon you'll see how the values and keys changed..
    Regmon works on NT/2000/XP/2003, Windows 95/98/Me and Windows 64-bit for Itanium and x64.
    Installation and Use  
    Install Regmon by copying the files to your hard drive, and start it by running Regmon.exe. Menu items and tool bar buttons can be used to toggle on and off monitoring, disable event capturing, control the scrolling of the listview, and save the listview contents to an ASCII file.
    Use the Filter dialog, which is accessed with a toolbar button or the Edit|Filter/Highlight menu selection, to select what data will be shown in the list view. The '*' wildcard matches arbitrary strings, and the filters are case-insensitive. Only matches shown in the include filter, but that are not excluded with the exclude filter, are displayed. Use ';' to separate multiple strings in a filter (e.g. "regmon;software").

    For example, if the include filter is HKLM", and the exclude filter is "HKLM\Software", all references to keys and values under HKLM, except to those under HKLM\Software will be monitored.

    Wildcards allow for complex pattern matching, making it possible to match specific Registry accesses by specific applications, for example. The include filter “Winword*Windows” would have Regmon only show accesses by Microsoft Word to keys and values that include the word “Windows”.

    Use the highlight filter specify output that you want to have highlighted in the listview output. Select highlighting colors with Edit|Highlight Colors.

    Regmon can either timestamp events or show the time elapsed from the last time you cleared the output window (or since you started Regmon). The Options menu and the clock toolbar button let you toggle between the two modes. The button on the toolbar shows the current mode with a clock or a stopwatch. When showing duration the Time field in the output shows the number of seconds it took for the underlying file system to service particular requests.

    Regmon v4.1 introduces a powerful new feature. When you see a Registry value or key in Regmon's output that you want to edit, simply double click on the line that includes the reference (or use the Regedit toolbar button) and Regmon will take you directly to the specific value using Regedit.

    Click here to learn about Regmon's boot monitoring capability, which is available on Windows NT.
    How Regmon Works  
    The heart of Regmon on Windows 9x is in the virtual device driver, Regvxd.vxd. It is dynamically loaded, and in its initialization it uses VxD service hooking (see our May 1996 Dr. Dobb's Journal article on VxD service hooking for more information) to insert itself onto the call chain of 16 registry access functions in the Windows 95 kernel (Virtual Machine Manager). All registry activity, be it from 16-bit programs, Win32 applications, or device drivers, are directed at these routines, so Regmon catches all registry activity taking place on a machine.
    On Windows NT the Regmon loads a device driver that uses a technique we pioneered for NT called system-call hooking. When a user-mode component makes a privileged system call, control is transfered to a software interrupt handler in NTOSKRNL.EXE (the core of the Windows NT operating system). This handler takes a system call number, which is passed in a machine register, and indexes into a system service table to find the address of the NT function that will handle the request. By replacing entries in this table with pointers to hooking functions, it is possible to intercept and replace, augment, or monitor NT system services. Regmon, which obviously hooks just the Registry-related services, is merely one example of this capability in action.

    When Regmon sees an open, create or close call, it updates an internal hash table that serves as the mapping between key handles and registry path names. Whenever it sees calls that are handle based, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a key opened before Regmon started, Regmon will fail to find the mapping in it hash table and will simply present the key's value instead.

    Information on accesses is dumped into an ASCII buffer that is periodically copied up to the GUI for it to print in its listbox.


    Author Comment

    that is pretty nice except what i'm looking for is something to filter just one specific program and not show all access attempts at the registry.  regmon is showing me every programs attempt but i just want it to show attempts from a single program.
    LVL 32

    Assisted Solution

    You can easily use the "Filter" icon from the Regmon toolbar to do that.

    Move your mouse over the icons and find the Filter icon and click on it.

    Then, in the "Include" filed, enter the name of your program (or a partial name) and click K

    Regmon will then monitor only accessed by that program.

    Author Comment

    ahh killer!!
    LVL 32

    Expert Comment

    Thanks. That is a great program.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    We have adopted the strategy to use Computers in Student Labs as the bulletin boards. The same target can be achieved by using a Login Notice feature in Group policy but it’s not as attractive as graphical wallpapers with message which grabs the att…
    For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
    Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    734 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    24 Experts available now in Live!

    Get 1:1 Help Now