Using process monitor to track registry changes

I'd like to learn how to effectively use Process Monitor to track changes to the registry as they're happening. Specifically, I need to find the registry values that change when the "Override Automatic Cookie Handling" and "Always Allow Session Cookies" settings are changed. Thanks to an expert on this site I now know which values are changed, but I'd like to know how he arrived at this.

I poked around in Process Monitor a little today and was able to get so far but I need a little further explanation. I configured two filters to filter by process name and the other to filter by operation. The process name I'm filtering is iexplore.exe and the operation is RegSetValue. With these two filters, I'm able to narrow down the results down to a manageable level, but there still seems to be some extra output.

The required registry values are all under "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" and are the following:

1A10
"{AEBA21FA-782A-4A90-978D-B72164C80120}"
"{A8A88C49-5EB2-4990-A1A2-0876022C854F}"

However, if you view the attached file you'll see the extra registry values (some are even listed twice, which I don't understand). My question is how to eliminate the extraneous results and narrow it down to what's needed?
ProcMon.JPG
mcpp661Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

RaqueroCommented:
Try filtering on just the path value for the desired registry key. You may see multiple entries if the same key is queried or written to more than once during the monitoring window.
0
RobSampsonCommented:
Hi, here are the steps I took to figure this out.

1.  Looking at this article:
http://support.microsoft.com/?kbid=182569
you can see that the per session cookies settings are applied under the following key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

2. Fire up Process Monitor, and apply the following filters:
 ProcMon Filter
3. Open Internet Explorer, and click Tools --> Internet Options, and click the Privacy tab.  Then click the Advanced button.  If your settings are *not* shown as below, set them as shown, and click OK, then OK again, to apply the changes:
Cookie settings unchecked
If you needed to change the settings, follow the above steps to click back into the Advanced screen.

4. In Process Monitor, if it not currently capturing events, click the Capture button:
ProcMon Capture Button
If it is currently capturing events, click the Clear Display button:
ProcMon Clear Display Button
5. Now in the IE Advanced Privacy Settings box, select the options as below, and click OK, then OK again.
Privacy Settings Checked
6. Switch back to Process Monitor, and you see the following:
ProcMon Output
So now you can see which values are being modified, and set up a .reg file accordingly to import those settings automatically.

Regards,

Rob.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows XP

From novice to tech pro — start learning today.