Using Winternals Regmon in .NET framework

Creating Data Matrix ECC200 in .NET framework Using Winternals Regmon

Figure 8 5 shows the freeware version of Regmon. Every time Windows XP or programs access the registry, Regmon adds a row to the window. The first two columns are a line number and time. 189

The next column displays the name of the process that accessed the registry, which is usually the program's file name. Next you see the type of access, followed by the path and result. The last column gives you additional information, such as the contents of a value. The most interesting information here is the type of access, the path of the key, and the Other column. Any time a column is too narrow to display the entire contents of a row, you can point to the data, and Regmon displays its full contents in a balloon. Nifty.

Figure 8 5: Regmon's window quickly fills up with uninteresting information. This is Regmon's window seconds after starting it. Two columns, Request and Other, need more attention. Request tells you what Windows XP or a program was trying to do. The requests you see in the Request column are different registry application programming interface (API) functions and are shown in Table 8 1. The most interesting type of request is SetValue, of course. The Other column contains a variety of information, depending on the type of request. Again, see Table 8 1. For example, if the request is QueryValue, the Other column contains the data in the value. If the request is OpenKey, the Other column contains the key's handle. Table 8 1: Regmon Request Types and Data Request type CloseKey CreateKey CreateKeyEx DeleteKey DeleteValue DeleteValueKey EnumerateKey EnumKeyEx Data in the Other column Handle of closed key Handle of new key Handle of new key None None None Name of next subkey Name of next subkey 190

None None Handle of open key Handle of open key Name of key Value's data Value's data Data stored in value Data stored in value

If you start Regmon and change some settings in the Windows XP user interface, you won't have a lot of luck sifting through Regmon's output to find the setting. For example, opening Windows Explorer accesses the registry about 5,000 times. Clicking Options on Windows Explorer's Tools menu accesses the registry a few hundred times. Sorting through all that output isn't practical. Your experience improves dramatically if you learn how to use filtering. The first thing you can do, particularly if you're interested in finding the value in which Windows XP stores a setting, is filter out everything but write requests. On Regmon's Edit menu, click Filter/Highlight. Then clear all the check boxes except Log Successes and Log Writes. Regmon will report only successful writes to the registry. This alone significantly reduces the amount of output you see. Get more specific, though, and Regmon will all but hand you the setting for which you're looking. The asterisk (*) in the Include box is a wildcard that matches everything; this is the default filter. To get more specific, limit Regmon to certain processes. For example, if you're searching for a setting in Windows Explorer, look only for registry access by the process explorer.exe. If you're searching for settings in Tweak UI, look only for registry access by the process Tweakui.exe. On Regmon's Edit menu, click Filter/Highlight. In the Include box, type the name of the process you want Regmon to display in the window. Include multiple processes separated by a semicolon. The easiest way to figure out the name of a process is to look in Windows Task Manager. Press Ctrl+Shift+Esc, and then look on the Processes tab. If in doubt, you can also look in Regmon's output for the process name, which is how I usually find it. You might see the process Rundll32.exe. This is a special program that executes APIs in Dynamic Link Libraries (DLL). Because you might have many different instances of this process running at any time, filtering this process is more difficult. My last tip for how you can limit the output of Regmon is to filter for specific keys. If you have general knowledge of where Windows XP stores a setting in the registry, filter the output to display only lines that contain that key. For example, if you know that a setting is somewhere in HKLM\SOFTWARE\Microsoft, filter Regmon's output so it shows only SetValue requests on that key. You'll see very little output in Regmon's window when you change that value in the user interface, and one of the lines is likely to be the value for which you're searching. Tip You can combine subkeys and process names in your filter. Separate each with a semicolon. Regmon compares your criteria to all the columns you see in the window, so you can filter multiple columns at one time. You can filter results by process, request type, and key at the same time, for instance.