Question to only who is expert in Process Monitor tool?

  • Question

  • No matter how hard I tried to see one of the software creating a Registry key, I failed.

    I guess that is going to be a RegCreate pattern? What type of pattern is that going to be?

    Can you please give me an example of how it looks on "Process Monitor" while an application is creating some Registry key.

    And can you give me a hint on how I can filter only Registry calls in Process Monitor, or any other suggestion which will ease my life a bit while hunting.

    Thanks.

    EDIT: DON BURN, is this going to only work with Regedit? Or any other app trying to access the Registry using API?
    Thursday, January 21, 2016 3:15 PM

All replies

  • 1.  Open Process Monitor

    2.  Select the filter box and choose the executable path to be C:\Windows\System32\regedt32.exe; add that with Include to the filtering.

    3.  Now run regedt32; you will only see actions from that program.

    4.  After the initial spew, choose a location, wait for the spew to end, then try creating a key or a value.

    5.  After your experiments, delete the key or value.

    This will show you how to look at this stuff yourself.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Thursday, January 21, 2016 4:20 PM
  • Number #2 is ImagePath from the drop-down menu.
    Thursday, January 21, 2016 6:09 PM
  • Some useful content might help us answer this; what isn't working? Are you seeing spew in Process Monitor after you start running regedt32? Are you confused about something else, or what?


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by Thomas Hopes Thursday, January 21, 2016 6:58 PM
    Thursday, January 21, 2016 6:27 PM
  • Some useful content might help us answer this; what isn't working? Are you seeing spew in Process Monitor after you start running regedt32? Are you confused about something else, or what?


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    So far solved. Now my question is: how can I filter so I can only see Registry key, value and operation?
    Thursday, January 21, 2016 7:00 PM
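    In the GUI, the Show Registry Activity toolbar toggle (with the other activity classes switched off) gives that registry-only view; for post-processing a saved trace (File > Save, CSV format), the following Python script is an added example, not code from this thread or from Sysinternals, and assumes Process Monitor's default CSV columns and a constructed sample export. It also shows that RegCreateKey appears when an application merely opens an existing key, so the Disposition in the Detail column decides whether a key was really created.

```python
import csv
import io
import re

# Constructed sample in the shape of a Process Monitor CSV export with the
# default columns. Not captured from a real system; values are made up.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:15:01.0000000 PM","regedt32.exe","4120","RegOpenKey","HKCU\\Software\\Example","SUCCESS","Desired Access: Read"
"3:15:01.0001000 PM","regedt32.exe","4120","RegCreateKey","HKCU\\Software\\Example\\NewKey","SUCCESS","Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY"
"3:15:01.0002000 PM","regedt32.exe","4120","RegCreateKey","HKCU\\Software\\Example","SUCCESS","Desired Access: Read, Disposition: REG_OPENED_EXISTING_KEY"
"3:15:01.0003000 PM","regedt32.exe","4120","RegSetValue","HKCU\\Software\\Example\\NewKey\\Flag","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"3:15:01.0004000 PM","regedt32.exe","4120","ReadFile","C:\\Windows\\System32\\en-US\\regedit.exe.mui","SUCCESS","Offset: 0, Length: 4,096"
"3:15:01.0005000 PM","explorer.exe","1234","RegCreateKey","HKCU\\Software\\Classes\\Local Settings","SUCCESS","Desired Access: Read, Disposition: REG_OPENED_EXISTING_KEY"
'''

DISPOSITION = re.compile(r"Disposition:\s*(\w+)")


def registry_events(csv_text, process_name=None):
    """Yield rows whose Operation is a registry call (Procmon names them Reg*),
    optionally restricted to one process name, as the ImagePath filter does."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["Operation"].startswith("Reg"):
            continue
        if process_name and row["Process Name"].lower() != process_name.lower():
            continue
        yield row


def created_keys(csv_text, process_name=None):
    """Return paths of keys that were actually created. RegCreateKey is also
    logged when an existing key is opened, so only REG_CREATED_NEW_KEY counts."""
    created = []
    for row in registry_events(csv_text, process_name):
        if row["Operation"] != "RegCreateKey" or row["Result"] != "SUCCESS":
            continue
        match = DISPOSITION.search(row["Detail"])
        if match and match.group(1) == "REG_CREATED_NEW_KEY":
            created.append(row["Path"])
    return created


def operation_counts(csv_text, process_name=None):
    """Count registry operations per Operation name, e.g. to see how much of
    the 'spew' is RegOpenKey/RegQueryValue noise versus real modifications."""
    counts = {}
    for row in registry_events(csv_text, process_name):
        counts[row["Operation"]] = counts.get(row["Operation"], 0) + 1
    return counts


if __name__ == "__main__":
    print(created_keys(SAMPLE_CSV, "regedt32.exe"))
    print(operation_counts(SAMPLE_CSV, "regedt32.exe"))
```

    The same Disposition check applies when reading the Detail column in the GUI: a RegCreateKey line ending in REG_OPENED_EXISTING_KEY did not create anything.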
  • 1.  Open Process Monitor

    2.  Select the filter box and choose the executable path to be C:\Windows\System32\regedt32.exe; add that with Include to the filtering.

    3.  Now run regedt32; you will only see actions from that program.

    4.  After the initial spew, choose a location, wait for the spew to end, then try creating a key or a value.

    5.  After your experiments, delete the key or value.

    This will show you how to look at this stuff yourself.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Is this only going to work with Regedit.exe or any application which handles the Registry?
    Friday, January 22, 2016 3:56 AM
  • If I am not wrong, this tactic is going to work on any valid Windows application.
    Friday, January 22, 2016 4:24 AM
  • This works for any application you set the imagepath to. Note: it doesn't show all the registry operations for all applications just because you choose regedt32.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Friday, January 22, 2016 2:33 PM
  • This works for any application you set the imagepath to. Note: it doesn't show all the registry operations for all applications just because you choose regedt32.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    What's the solution?
    Friday, January 22, 2016 2:36 PM