Last updated November 7, 2000, v4.32
Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing, all in real time. This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry. With static tools you might be able to see what Registry values and keys changed. With Regmon you'll see how the values and keys changed.
Regmon works on NT 4.0, Win2K, Windows 95, Windows 98, and Windows ME.
Install Regmon
by copying the files to your hard drive, and start
it by running Regmon.exe. Menu items and tool bar
buttons can be used to toggle on and off monitoring,
disable event capturing, control the scrolling of
the listview, and save the listview contents to
an ASCII file.
Use the Filter dialog, which is accessed with a toolbar button or the Edit|Filter/Highlight menu selection, to select what data will be shown in the list view. The '*' wildcard matches arbitrary strings, and the filters are case-insensitive. Only entries that match the include filter and are not excluded by the exclude filter are displayed. Use ';' to separate multiple strings in a filter (e.g. "regmon;software").
For example, if the include filter is "HKLM" and the exclude filter is "HKLM\Software", all references to keys and values under HKLM, except those under HKLM\Software, will be monitored. Wildcards allow for complex pattern matching, making it possible, for example, to match specific Registry accesses by specific applications. The include filter "Winword*Windows" would have Regmon show only accesses by Microsoft Word to keys and values that include the word Windows.
Use the highlight filter to specify output that you want highlighted in the listview output. Select highlighting colors with Edit|Highlight Colors.
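To show how the include, exclude and highlight filters described above combine, here is an added Python model of Regmon's filter syntax (';'-separated terms, '*' wildcard, case-insensitive). This is example code, not Regmon's own implementation; it assumes the filter is matched against the text of each output line (process, request and path), and the sample lines are constructed.

```python
import re
from typing import List, Optional, Tuple


def compile_filter(text: str) -> Optional[re.Pattern]:
    """Compile a Regmon-style filter string into a regex.

    ';' separates alternative terms, '*' matches any string, matching is
    case-insensitive, and a term may match anywhere in the output line."""
    terms = [t.strip() for t in text.split(";") if t.strip()]
    if not terms:
        return None  # an empty filter matches nothing
    alternatives = []
    for term in terms:
        # Escape the literal pieces; every '*' becomes '.*'
        alternatives.append(".*".join(re.escape(piece) for piece in term.split("*")))
    return re.compile("|".join(alternatives), re.IGNORECASE)


def apply_filters(lines: List[str], include: str = "*", exclude: str = "",
                  highlight: str = "") -> List[Tuple[str, bool]]:
    """Return the (line, highlighted) pairs that Regmon would display."""
    inc, exc, hl = compile_filter(include), compile_filter(exclude), compile_filter(highlight)
    shown = []
    for line in lines:
        if inc is None or not inc.search(line):
            continue  # not selected by the include filter
        if exc is not None and exc.search(line):
            continue  # selected, but removed by the exclude filter
        shown.append((line, hl is not None and bool(hl.search(line))))
    return shown


# Constructed sample output lines (Process, Request, Path, Result), tab-separated.
SAMPLE_LINES = [
    "Winword.exe\tOpenKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\tSUCCESS",
    "Winword.exe\tQueryValue\tHKCU\\Software\\Microsoft\\Office\\9.0\\Word\tSUCCESS",
    "Explorer.exe\tQueryValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS",
    "Explorer.exe\tOpenKey\tHKLM\\System\\CurrentControlSet\\Services\tSUCCESS",
    "Regmon.exe\tOpenKey\tHKLM\\Software\\Sysinternals\\Regmon\tNOTFOUND",
]

if __name__ == "__main__":
    # The page's own example: everything under HKLM except HKLM\Software
    for line, _ in apply_filters(SAMPLE_LINES, include="HKLM", exclude="HKLM\\Software"):
        print(line)
```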
Regmon can either timestamp events or
show the time elapsed from the last time you cleared
the output window (or since you started Regmon).
The Options menu and the clock toolbar button
let you toggle between the two modes. The button
on the toolbar shows the current mode with a clock
or a stopwatch. When showing duration the Time
field in the output shows the number of seconds
it took for the underlying file system to service
particular requests.
Regmon v4.1 introduces a powerful new
feature. When you see a Registry value or key
in Regmon's output that you want to edit,
simply double click on the line that includes
the reference (or use the Regedit toolbar button)
and Regmon will take you directly to the
specific value using Regedit.
Regmon also has a boot monitoring capability, available on Windows NT, which is described on a separate page.
The heart of Regmon on Windows 9x is in the virtual device driver, Regvxd.vxd. It is dynamically loaded, and in its initialization it uses VxD service hooking (see our May 1996 Dr. Dobb's Journal article on VxD service hooking for more information) to insert itself onto the call chain of 16 registry access functions in the Windows 95 kernel (Virtual Machine Manager). All registry activity, whether from 16-bit programs, Win32 applications, or device drivers, is directed at these routines, so Regmon catches all registry activity taking place on a machine.
On Windows NT, Regmon loads a device driver that uses a technique we pioneered for NT called system-call hooking. When a user-mode component makes a privileged system call, control is transferred to a software interrupt handler in NTOSKRNL.EXE (the core of the Windows NT operating system). This handler takes a system call number, which is passed in a machine register, and indexes into a system service table to find the address of the NT function that will handle the request. By replacing entries in this table with pointers to hooking functions, it is possible to intercept and replace, augment, or monitor NT system services. Regmon, which obviously hooks just the Registry-related services, is merely one example of this capability in action.
When Regmon sees an open, create or close call, it updates an internal hash table that serves as the mapping between key handles and registry path names. Whenever it sees calls that are handle based, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a key opened before Regmon started, Regmon will fail to find the mapping in its hash table and will simply present the key's handle value instead.
Information on accesses is dumped into an ASCII buffer that is periodically copied up to the GUI for it to print in its listbox.
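To make the handle-to-path mapping concrete, here is an added Python model of the hash table described above, fed by a constructed event stream standing in for the hooked open, query and close services. It is example code, not Regmon's driver (which is C running in kernel mode); the handle values, paths and the event tuple layout are assumptions made for the example.

```python
from typing import Dict, List, Optional, Tuple


class KeyHandleTable:
    """Model of Regmon's key handle -> full path hash table (assumed layout)."""

    def __init__(self) -> None:
        self.paths: Dict[int, str] = {}

    def name_for(self, handle: int) -> str:
        # A handle opened before monitoring started has no entry, so the raw
        # handle value is shown instead of a path, as the page describes.
        return self.paths.get(handle, f"0x{handle:X}")

    def opened(self, new_handle: int, parent: Optional[int], name: str) -> str:
        # An open/create names the key either absolutely or relative to an
        # already-open parent key handle; record the resulting full path.
        path = name if parent is None else f"{self.name_for(parent)}\\{name}"
        self.paths[new_handle] = path
        return path

    def closed(self, handle: int) -> str:
        path = self.name_for(handle)
        self.paths.pop(handle, None)  # handle values are reused after close
        return path


def render(events: List[tuple]) -> List[Tuple[str, str]]:
    """Turn a stream of hooked calls into (Request, Path) output lines."""
    table = KeyHandleTable()
    out: List[Tuple[str, str]] = []
    for ev in events:
        if ev[0] == "open":
            _, handle, parent, name = ev
            out.append(("OpenKey", table.opened(handle, parent, name)))
        elif ev[0] == "query":
            _, handle, value = ev
            out.append(("QueryValue", f"{table.name_for(handle)}\\{value}"))
        elif ev[0] == "close":
            out.append(("CloseKey", table.closed(ev[1])))
    return out


# Constructed event stream: handle numbers and paths are made up.
SAMPLE_EVENTS = [
    ("open", 0x40, None, "HKLM\\Software"),
    ("open", 0x44, 0x40, "Microsoft\\Windows"),
    ("query", 0x44, "CurrentVersion"),
    ("close", 0x44),
    ("query", 0x8C, "Path"),  # 0x8C was opened before monitoring started
    ("close", 0x8C),
]
```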
For more detailed information on how Regmon
works on Windows NT, see:
- "Windows NT System Call Hooking,"
by Mark Russinovich and Bryce Cogswell, Dr.
Dobb's Journal, January 1997
- "Inside NT Utilities", Windows NT Magazine, February
1999.
Here are some other monitoring tools available at Sysinternals:
- Filemon - a file system activity monitor
- Tdimon - a TCP/IP monitor
- Portmon - a serial and parallel port monitor
- PMon - a process and thread monitor (NT/Win2K)
- Diskmon - a hard disk monitor (NT/Win2K)
- DebugView/EE - a debug output monitor
The following serve as additional sources of information on the Windows NT and 9x registries:
- Inside Windows 2000, 3rd Edition, by David Solomon and Mark Russinovich, 2000
- "Examining the Windows 95 Registry," by Mark Russinovich and Bryce Cogswell, Windows Developer's Journal, October 1996
- "Inside the Windows NT Registry," by Mark Russinovich, Windows NT Magazine, April 1997
- "Inside the Windows 95 Registry," by Ron Petrusha, O'Reilly and Associates, 1996
- "Managing the Windows NT Registry," by Paul Robichaux, O'Reilly and Associates, 1998
- "Windows 98 Registry For Dummies," by Glenn Weadock, IDG Press, 1998
- "Using the Windows 98 Registry," by Jerry Honeycutt, Que, 1998
Regmon Enterprise Edition, the commercial version of Regmon available from Winternals Software, extends the functionality of Regmon with several powerful features, including the ability to monitor remote systems and save output to a log file as the output generates.
In order to help us track its use, please download through the link that represents the operating system on which you will use or mostly use Regmon. Note that the zip files are identical, and Regmon runs on either platform.
- Download Regmon (x86 - 63KB) if you plan on using Regmon on Win9x
- Download Regmon (x86 - 63KB) if you plan on using Regmon on WinNT
- Download Regmon (Alpha - 81KB)
- Download Regmon plus source (284KB)