Which tool should I use to see modification of Reg?

  • Question

  • Which software / tool should I use to see the change of Reg or change of file in raw disk after installing certain software?

    I am interested to see the modification. 

    Thanks. 

    Wednesday, January 20, 2016 11:07 AM

All replies

  • Process Monitor from Sysinternals shows you the actions as they occur; there is no tool that will show you the changes after that.

    If you think you are going to miss them, create a system restore point, run Process Monitor creating a log, do the software install, then restore the system if need be to do it again.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Wednesday, January 20, 2016 12:39 PM
  • Can you give me an example of how that would look when something modifies? 

    I see lots of Registry Key queries and so on.

    Can you help me understand a little bit, so I get rid of this problem? 

    Wednesday, January 20, 2016 12:48 PM
  • And it also creates lots of major IRP requests. Who is creating those requests? 

    And for that, to access a file from raw disk? 

    Wednesday, January 20, 2016 12:52 PM
  • IRP requests are I/O. IRP CREATE is the equivalent of an OpenFile or a CreateFile; if you search the IRP type you can easily translate this back to an operation. Remember that most Windows file operations require a HANDLE to the file, so an OpenFile is executed; because of the nature of things like Windows Explorer you will see a lot of IRP CREATE, IRP XXX, IRP CLEANUP, IRP CLOSE sequences, and this is really just an operation to do XXX.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by Thomas Hopes Wednesday, January 20, 2016 3:51 PM
    Wednesday, January 20, 2016 1:39 PM
  • The registry operations are reflecting the calls described at https://msdn.microsoft.com/en-us/library/windows/hardware/ff560903(v=vs.85).aspx. The items you are looking for are Create Key and Set Value, since Create Key creates a new key, and Set Value creates or changes a value.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Wednesday, January 20, 2016 1:42 PM
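The two answers above (IRP CREATE/CLEANUP/CLOSE sequences are mostly handle opens; only Create Key and Set Value actually change the registry) translate directly into a filter over a Process Monitor log. The script below is an added example, not code from the thread or from Sysinternals: it reads a Procmon CSV export and keeps only the events that changed something, treating CreateFile/IRP_MJ_CREATE as a modification only when the Detail column says a file was created or replaced, and RegCreateKey only when the key was actually new. The installer name `setup.exe`, the PIDs and the sample rows are constructed; the column names and Detail formats follow Procmon's default CSV export and should be checked against your own version.

```python
"""Reduce a Process Monitor CSV export to the events that actually changed
the registry or the file system, dropping the query/open/close noise.

Added example, not from the thread. Capture the log first (elevated prompt):
    procmon.exe /AcceptEula /Quiet /Minimized /BackingFile install.pml
    ... run the installer ...
    procmon.exe /Terminate
    procmon.exe /OpenLog install.pml /SaveAs install.csv
"""
import csv
import io
from collections import defaultdict

# Registry operations that always change state when they succeed.
# RegOpenKey/RegQueryKey/RegQueryValue/RegEnum*/RegCloseKey only read.
REG_MODIFY_OPS = {"RegSetValue", "RegDeleteKey", "RegDeleteValue",
                  "RegSetInfoKey", "RegSetKeySecurity"}
# File operations that change data or metadata. IRP_MJ_* names appear when
# Procmon's "Show advanced output" is enabled; the others are the defaults.
FILE_MODIFY_OPS = {"WriteFile", "IRP_MJ_WRITE", "SetRenameInformationFile",
                   "SetDispositionInformationFile", "SetEndOfFileInformationFile",
                   "SetAllocationInformationFile", "SetBasicInformationFile",
                   "SetSecurityFile"}
# CreateFile / IRP_MJ_CREATE is just a handle open; it only modified
# something if the open created or replaced a file.
CREATE_OPS = {"CreateFile", "IRP_MJ_CREATE"}
CREATED_RESULTS = {"Created", "Overwritten", "Superseded"}


def detail_field(detail, name):
    """Return the value of 'name: value' inside Procmon's Detail column."""
    for part in detail.split(","):
        key, _, value = part.partition(":")
        if key.strip() == name:
            return value.strip()
    return ""


def is_modification(row):
    """True if this event changed the registry or the file system."""
    if row["Result"] != "SUCCESS":
        return False                      # a denied write changed nothing
    op = row["Operation"]
    if op in REG_MODIFY_OPS or op in FILE_MODIFY_OPS:
        return True
    if op == "RegCreateKey":
        # Installers call RegCreateKey on existing keys all the time; only
        # REG_CREATED_NEW_KEY means a key was actually added.
        return detail_field(row["Detail"], "Disposition") == "REG_CREATED_NEW_KEY"
    if op in CREATE_OPS:
        return detail_field(row["Detail"], "OpenResult") in CREATED_RESULTS
    return False


def modifications(csv_text):
    """Return (process, pid, operation, path) for each modifying event."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(r["Process Name"], int(r["PID"]), r["Operation"], r["Path"])
            for r in reader if is_modification(r)]


def by_process(mods):
    """Group modifications by (process name, PID): 'who is creating these?'"""
    grouped = defaultdict(list)
    for proc, pid, op, path in mods:
        grouped[(proc, pid)].append((op, path))
    return dict(grouped)


# Constructed sample export: a hypothetical installer 'setup.exe' (PID 4120)
# plus one Explorer event; the Detail strings mimic Procmon's formatting.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:07:01.0000000","setup.exe","4120","RegOpenKey","HKLM\SOFTWARE\Example","NAME NOT FOUND","Desired Access: Read"
"11:07:01.0010000","setup.exe","4120","RegCreateKey","HKLM\SOFTWARE\Example","SUCCESS","Desired Access: Read/Write, Disposition: REG_CREATED_NEW_KEY"
"11:07:01.0020000","setup.exe","4120","RegSetValue","HKLM\SOFTWARE\Example\InstallDir","SUCCESS","Type: REG_SZ, Length: 50, Data: C:\Program Files\Example"
"11:07:01.0030000","setup.exe","4120","RegQueryValue","HKLM\SOFTWARE\Example\InstallDir","SUCCESS","Type: REG_SZ, Length: 50, Data: C:\Program Files\Example"
"11:07:01.0040000","setup.exe","4120","RegCreateKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Read/Write, Disposition: REG_OPENED_EXISTING_KEY"
"11:07:01.0050000","setup.exe","4120","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example","SUCCESS","Type: REG_SZ, Length: 74, Data: C:\Program Files\Example\example.exe"
"11:07:01.0060000","setup.exe","4120","CreateFile","C:\Program Files\Example\example.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Created"
"11:07:01.0070000","setup.exe","4120","WriteFile","C:\Program Files\Example\example.exe","SUCCESS","Offset: 0, Length: 65,536"
"11:07:01.0080000","setup.exe","4120","CloseFile","C:\Program Files\Example\example.exe","SUCCESS",""
"11:07:01.0090000","explorer.exe","1388","CreateFile","C:\Program Files\Example","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"11:07:01.0100000","setup.exe","4120","RegSetValue","HKLM\SOFTWARE\Example\Denied","ACCESS DENIED","Type: REG_SZ, Length: 4, Data: x"
'''

if __name__ == "__main__":
    for (proc, pid), events in by_process(modifications(SAMPLE_CSV)).items():
        print(f"{proc} (PID {pid})")
        for op, path in events:
            print(f"  {op:<14} {path}")
```

On the sample, eleven events collapse to five real changes, all from `setup.exe`: the new `HKLM\SOFTWARE\Example` key, two `RegSetValue` writes (one of them a Run-key autostart entry), and the create plus write of `example.exe`. The `RegOpenKey`, `RegQueryValue`, `CloseFile`, the `RegCreateKey` that merely opened the existing Run key, Explorer's read-only open, and the denied write are all dropped. Run the same filter over a real export, then feed the PID column into Process Explorer if the process name alone is ambiguous.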
  • Yes, your answer does make sense!

    When a user opens a file from user space, it ends up being an IRP to the disk driver that some of the content wants to read or write. That's what it is. There are lots of IRP requests because it's constantly retrieving files from disk, so there are lots of IRP requests. 

    Thanks a lot. 

    Wednesday, January 20, 2016 3:51 PM
  • I am not sure what you are talking about. Can you be a little bit more specific? 
    Wednesday, January 20, 2016 3:56 PM
  • Just like file system calls there are registry calls; in particular RegCreateKey and RegSetValueKey are actual modifications to the registry. 


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Wednesday, January 20, 2016 4:16 PM
  • What is it querying, and why is it querying?
    Wednesday, January 20, 2016 4:27 PM
  • RegQueryKey is like getting information on a file, see https://msdn.microsoft.com/en-us/library/windows/desktop/ms724902(v=vs.85).aspx


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Wednesday, January 20, 2016 4:35 PM
  • Is this like it is based on one? 

    You're querying a Reg key value and then setting a value? 

    Wednesday, January 20, 2016 4:42 PM
  • Is that right, Mr. Don Burn? 
    Wednesday, January 20, 2016 5:16 PM
  • What is initiating these registry calls? 
    • Edited by Thomas Hopes Wednesday, January 20, 2016 5:16 PM
    Wednesday, January 20, 2016 5:16 PM
  • The PID of the process is in the display; you should be able to find the process. Worst case, use Process Explorer: https://technet.microsoft.com/en-us/library/processexplorer.aspx


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by Thomas Hopes Thursday, January 21, 2016 12:47 AM
    • Unmarked as answer by Thomas Hopes Thursday, January 21, 2016 2:55 AM
    Wednesday, January 20, 2016 5:21 PM