RegistryChangesView v1.07
Copyright (c) 2017 - 2018 Nir Sofer
Web site: http://www.nirsoft.net
Description
===========
RegistryChangesView is a tool for Windows that allows you to take a
snapshot of the Windows Registry and later compare it with another Registry
snapshot, with the current Registry or with Registry files stored in a
shadow copy created by Windows. When comparing 2 Registry snapshots, you
can see the exact changes made in the Registry between the 2 snapshots,
and optionally export the Registry changes into a standard .reg file of
RegEdit.
System Requirements
===================
This utility works on any version of Windows, starting from Windows XP
and up to Windows 10. Both 32-bit and 64-bit systems are supported.
Versions History
================
* Version 1.07:
o Fixed bug: RegistryChangesView exported REG_EXPAND_SZ values
incorrectly.
* Version 1.06:
o Fixed bug: The browse button on the 'Create Registry Snapshot'
window didn't work.
* Version 1.05:
o Added /CreateSnapshot command-line option for creating Registry
snapshot from command-line.
* Version 1.01:
o Fixed bug: Under certain conditions, RegistryChangesView skipped
half of subkeys or crashed while reading Registry key that had many
subkeys.
* Version 1.00 - First release.
Examples for useful things you can do with this tool
====================================================
* You can create a Registry snapshot before installing new software
and then after the installation is completed, compare this Registry
snapshot with the current Registry and see all Registry changes made by
the installer (Be aware that you'll also see some changes made by
Windows or other programs at the same time). If there are Registry
changes that you don't like, you can generate a .reg file to revert
the changes.
* If you make a change in Windows configuration from the GUI of Windows
and you want to see how to make this change in the Registry, simply
create a Registry snapshot before making the config change and then
after the configuration change, compare this Registry snapshot with the
current Registry and optionally generate a .reg file that makes this
configuration change.
* If there is an unwanted change in the Registry of your system but you
don't have any previous snapshot, you can compare the current Registry
with a shadow copy created by Windows and try to locate the unwanted
Registry changes.
* You can also use this tool as a simple way to back up the Registry.
The snapshot created by RegistryChangesView simply contains Registry
hive files with the same name as the original one (ntuser.dat, SYSTEM,
SOFTWARE, and so on...)
Start Using RegistryChangesView
===============================
RegistryChangesView doesn't require any installation process or
additional DLL files. In order to start using it, simply run the
executable file - RegistryChangesView.exe
After running RegistryChangesView, the main options window is displayed,
which allows you to choose 2 Registry snapshots to compare. For every
snapshot, you can choose one of the following data sources: 'Current
Registry', 'Saved Registry Snapshot', and 'Shadow Copy'. You can choose
any combination you want, as long as 'Data Source 1' is not identical to
'Data Source 2'. For example: you can choose to compare the Registry of 2
different shadow copies, compare a shadow copy with current Registry,
compare a saved Registry snapshot with current Registry, compare a saved
Registry snapshot with another saved Registry snapshot, and so on...
If you want to generate a new Registry snapshot, simply choose 'Saved
Registry Snapshot' in the data source combo-box and then click the
'Create Registry Snapshot' button. In the 'Create Registry Snapshot'
window choose the folder to save the Registry Snapshot, click the 'Create
Snapshot' button, and wait a few seconds to create the snapshot. You can
also create a new Registry snapshot from the main window by pressing F8
(File -> Create Registry Snapshot).
After choosing the 2 Registry data sources to compare, you should also
set the following options:
* Direction: This field determines how the 2 Registry snapshots are
compared. For example: if the direction you choose is 'Registry Data
Source 1 => Registry Data Source 2', every Registry key or value that
exists on the second snapshot but doesn't exist on the first snapshot
will be displayed as 'Added Key' or 'Added Value'. But if you choose
the opposite direction ('Registry Data Source 2 => Registry Data Source
1'), every Registry key or value that exists on the second snapshot but
doesn't exist on the first snapshot will be displayed as 'Removed Key'
or 'Removed Value'.
The direction field also affects the way that the .reg file is generated
('Export Selected Items To .Reg File' and 'Copy As .Reg File Format'
options). If the direction you choose is 'Registry Data Source 1 =>
Registry Data Source 2', the generated .reg file will make the changes
from snapshot 1 to snapshot 2. If the direction you choose is 'Registry
Data Source 2 => Registry Data Source 1', the generated .reg file will
make the changes from snapshot 2 to snapshot 1.
* Hives to compare: Allows you to choose which Registry hives to
compare. For example, if you only want to see the Registry changes on
HKEY_CURRENT_USER, you should select the 'HKEY_CURRENT_USER' and
'HKEY_CURRENT_USER\Software\Classes' hives and deselect all others.
After choosing all options, click the 'Ok' button. RegistryChangesView
will compare the 2 Registry data sources you chose and the result will be
displayed on the main window.
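How the 'Direction' setting changes both the reported change types and the
generated .reg file, as an added Python example (not RegistryChangesView
code and not from the author). The dictionary snapshot model, the sample
keys and the choice to list an added key's values as 'Added Value' rows are
assumptions; only REG_SZ and REG_DWORD are rendered.

```python
# Added example, not RegistryChangesView code. Snapshot model (assumption):
# {key_path: {value_name: (value_type, data)}}; real snapshots are hive files.
def compare(src, dst):
    """Rows describing the changes that turn snapshot src into snapshot dst."""
    rows = []
    for key in sorted(set(src) | set(dst)):
        if key not in dst:
            rows.append((key, "Removed Key", None, None, None))
            continue  # deleting a key removes its values with it
        if key not in src:
            rows.append((key, "Added Key", None, None, None))
        old, new = src.get(key, {}), dst[key]
        for name in sorted(set(old) | set(new)):
            if name not in old:
                rows.append((key, "Added Value", name, new[name], None))
            elif name not in new:
                rows.append((key, "Removed Value", name, old[name], None))
            elif old[name] != new[name]:
                rows.append((key, "Modified Value", name, old[name], new[name]))
    return rows

def _quote(text):
    return '"%s"' % text.replace("\\", "\\\\").replace('"', '\\"')

def _data(value):
    vtype, data = value
    if vtype == "REG_DWORD":
        return "dword:%08x" % data
    if vtype == "REG_SZ":
        return _quote(data)
    raise ValueError("this sketch handles REG_SZ and REG_DWORD only")

def to_reg(rows):
    # Render rows as .reg text that applies the src => dst changes.
    out, current = ["Windows Registry Editor Version 5.00"], None
    for key, change, name, data, changed_to in rows:
        if key != current:
            out += ["", ("[-%s]" if change == "Removed Key" else "[%s]") % key]
            current = key
        if change == "Removed Value":
            out.append(_quote(name) + "=-")
        elif change in ("Added Value", "Modified Value"):
            out.append(_quote(name) + "=" + _data(changed_to or data))
    return "\n".join(out) + "\n"

# Constructed sample snapshots (not real data).
KEY = r"HKEY_CURRENT_USER\Software\Demo"
SNAP1 = {KEY: {"Mode": ("REG_SZ", "old"), "Level": ("REG_DWORD", 1)}}
SNAP2 = {KEY: {"Mode": ("REG_SZ", "new")}, KEY + r"\Run": {"Path": ("REG_SZ", r"C:\Demo\a.exe")}}
FORWARD = compare(SNAP1, SNAP2)  # 'Registry Data Source 1 => Registry Data Source 2'
REVERSE = compare(SNAP2, SNAP1)  # opposite direction: the .reg that reverts the change
```

Calling to_reg(FORWARD) yields the file that reproduces the change, and
to_reg(REVERSE) yields the file that undoes it.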
Some Important Remarks
======================
* By default, the SAM and SECURITY Registry hives are not selected for
comparison and for generating new Registry snapshots. You can choose
these 2 Registry hives if you need to compare them, but you should be
aware that there is a security risk: These Registry hives contain
encryption keys and password hashes of your system and if you leave a
Registry snapshot with SAM/SECURITY hives that can be accessed by a
non-admin user, a hacker who finds these files on your system might be
able to use them for penetrating your system.
* When you choose 'Current Registry' as one of the data sources,
RegistryChangesView generates a temporary Registry snapshot in the
%temp%\TempRegSnapshotX folder (X = numeric value) and deletes it after
the Registry comparison process is finished.
* The Registry snapshot created by RegistryChangesView is just a folder
that contains the Registry files with their original name. If you have
a copy of Registry hives and you want to use them as a snapshot, simply
copy them into a separate folder with their original filenames
(Software, System, ntuser.dat, UsrClass.dat) and choose this folder as
a Registry snapshot.
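A check for the SAM/SECURITY risk described in the first remark, as an
added Python example (not part of RegistryChangesView): it flags every
allow entry that icacls reports for a principal other than SYSTEM or
Administrators on a SAM or SECURITY copy in a snapshot folder. The sample
path and icacls output are constructed, and English principal names are
assumed.

```python
# Added example, not part of RegistryChangesView. Assumes English principal
# names and the usual `icacls <file>` layout: "<path> PRINCIPAL:(flags)(rights)".
import os
import re
import subprocess

SENSITIVE = {"sam", "security"}  # hive file names named in the remark
TRUSTED = {"nt authority\\system", "builtin\\administrators"}
ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")

def risky_aces(path, icacls_text):
    """Return (principal, flags) for each allow ACE held by a non-admin principal."""
    found = []
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # the first line carries the path
        m = ACE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        flags = re.findall(r"\(([^)]*)\)", m["flags"])
        if "DENY" in flags or "N" in flags:
            continue  # deny and no-access entries do not expose the file
        if m["who"].lower() not in TRUSTED:
            found.append((m["who"], m["flags"]))
    return found

def audit_snapshot(folder):
    """On Windows, run icacls on SAM/SECURITY copies found in a snapshot folder."""
    report = {}
    for name in os.listdir(folder):
        if name.lower() in SENSITIVE:
            path = os.path.join(folder, name)
            text = subprocess.run(["icacls", path], capture_output=True, text=True).stdout
            report[path] = risky_aces(path, text)
    return report

# Constructed sample of icacls output for a snapshot left in a shared folder.
SAMPLE_PATH = r"C:\Snapshots\Before\SAM"
SAMPLE = SAMPLE_PATH + r""" BUILTIN\Administrators:(I)(F)
                        NT AUTHORITY\SYSTEM:(I)(F)
                        BUILTIN\Users:(I)(RX)
                        NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""
```

A non-empty list for any file in the audit_snapshot() report means the
snapshot folder should be moved or its permissions tightened.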
Columns Description
===================
* Registry Key: Full path of the Registry key.
* Change Type: Type of Registry change: Added Key, Removed Key, Added
Value, Removed Value, Modified Value.
* Value Name: Name of the Registry value (Relevant only when the
'Change Type' is 'Added Value', 'Removed Value', or 'Modified Value')
* Value Data: The content of Registry value (Relevant only when the
'Change Type' is 'Added Value', 'Removed Value', or 'Modified Value').
If the 'Change Type' is 'Modified Value' - this column shows the
original value (before the change) and the 'Value Data Changed To'
column shows the value after the change.
* Value Type: Type of Registry value (REG_SZ, REG_DWORD, REG_BINARY,
and so on...). If the 'Change Type' is 'Modified Value' - this column
shows the original value type (before the change) and the 'Value Type
Changed To' column shows the