How to Use Regshot To Monitor Your Registry

Regshot is a great utility that you can use to compare the number of registry entries that have been changed during an installation or a change in your system settings. While most PC users will never really need to do this, it is a great tool for troubleshooting and monitoring your registry.

The Regshot Project

Regshot is an open-source (LGPL) project hosted on SourceForge. It was designed and registered in January of 2001 by M. Buecher, XhmikosR, and TiANWEi. Since its inception, it has been modified and updated countless times to improve its functionality.

The purpose of this software is to compare your registry at two separate points in time. You take one snapshot of the registry before any system changes are made or programs are added, removed, or modified, take a second snapshot after the modifications, and then compare the two.

Downloading and Using Regshot

There are several mirrors for downloading Regshot, but for the purposes of this article, we will download Regshot from its original SourceForge project page.

Once you've downloaded the archive and unzipped it, open the folder and find the files inside. Because it is a standalone program, you don't need to go through any install process. Depending on whether you are using an x86 (32-bit) or 64-bit version of Windows, you will open the corresponding Unicode application.

It is best to open it as an administrator by right-clicking on the appropriate file and then selecting the "Run as administrator" option.

Using Regshot to Track System Changes

Now that you have Regshot set up, you are ready to put it to the test. Once you have opened Regshot, you will need to take your first snapshot, which will serve as the "before" snapshot. Do this by clicking on the "1st shot" button and then clicking on "Shot." Note that the file is going to be saved as a TXT file in the "C:\Users\YOUR NAME\AppData\Local\Temp\" directory, but you can change this to any folder you want.

Now that you have taken your first shot, let's start making a change by opening Control Panel. In the "Appearance and Personalization" section, click on the "Change desktop background" option.

Now we will just choose any background image and apply the changes by clicking "Save changes" on the bottom right of the screen.

Now that you have made a system change, it is time to take a second snapshot of your registry to see whether any changes have been made. Do this by going back to the Regshot application and clicking on "2nd shot" and then clicking on "Shot."

After you have done this, you may notice that the numbers shown on the bottom of the application screen have changed. In this case, both the "Keys" and "Values" have changed. Now we will click on the "Compare" button to compare the before and after shots.

This will bring up a "Notepad" file with a summary of the changes.

If you continue to scroll down the document, you will see that it lists several categories of change, including the following. Remember that the numbers will vary based on your computer.

  • Keys added: 8
  • Values added: 36
  • Values modified: 25
  • Total changes: 69 (this appears at the bottom of the document)

In addition to listing the changes, it provides in-depth details about which keys were altered by changing your desktop background. This can be useful in case you want to manipulate those keys manually.
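
The categories in that summary can be reproduced by diffing two snapshots directly. The Python below is an added example, not Regshot's own code: `snapshot` and `compare` are hypothetical helpers, the two sample snapshots are constructed, and it assumes that values under an added or deleted key count as added or deleted values.

```python
# Added example: Regshot-style comparison of two registry snapshots.
try:
    import winreg  # Windows only; the comparison itself runs anywhere
except ImportError:
    winreg = None

def snapshot(root, path):
    """Walk a subtree into {key_path: {value_name: (type, data)}} (Windows only)."""
    snap = {}
    def walk(sub):
        try:
            with winreg.OpenKey(root, sub) as key:
                n_keys, n_vals, _ = winreg.QueryInfoKey(key)
                vals = [winreg.EnumValue(key, i) for i in range(n_vals)]
                kids = [winreg.EnumKey(key, i) for i in range(n_keys)]
        except OSError:  # access denied, or key removed while walking
            return
        snap[sub] = {name: (typ, data) for name, data, typ in vals}
        for kid in kids:
            walk(sub + "\\" + kid)
    walk(path)
    return snap

def compare(before, after):
    """Return the five change lists from the summary, plus their total."""
    rep = {"keys_added": sorted(after.keys() - before.keys()),
           "keys_deleted": sorted(before.keys() - after.keys()),
           "values_added": [], "values_deleted": [], "values_modified": []}
    for key in sorted(before.keys() | after.keys()):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(old.keys() | new.keys()):
            full = key + "\\" + name
            if name not in old:
                rep["values_added"].append(full)
            elif name not in new:
                rep["values_deleted"].append(full)
            elif old[name] != new[name]:  # type or data differs
                rep["values_modified"].append(full)
    rep["total"] = sum(len(v) for v in rep.values())
    return rep

# Constructed sample snapshots (type 1 = REG_SZ); not real Regshot output.
BEFORE = {r"HKCU\Control Panel\Desktop": {"Wallpaper": (1, "old.jpg"), "WallpaperStyle": (1, "10")},
          r"HKCU\Software\OldTool": {"Path": (1, r"C:\OldTool")}}
AFTER = {r"HKCU\Control Panel\Desktop": {"Wallpaper": (1, "new.jpg"), "WallpaperStyle": (1, "10"),
                                         "TileWallpaper": (1, "0")},
         r"HKCU\Software\NewTool": {"Version": (1, "1.0")}}
```

On Windows, calling `snapshot(winreg.HKEY_CURRENT_USER, r"Control Panel\Desktop")` before and after a change gives `compare` real data; the total is the sum of the five categories, as in the figures above (8 + 36 + 25 = 69).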

Monitoring Installation Changes

As a second example, we can install a program, so we will download Google Drive. Take your first snapshot before installing the program. If you haven't closed Regshot, you will need to Clear All snapshots to start over again.

Now that you have done that, take your first snapshot and then install Google Drive.

After you have successfully installed the program, go ahead and take your second snapshot.

Now you can compare the before and after snapshots. Our results show that the following changes were made during the installation of Google Drive:

  • Keys deleted: 8
  • Keys added: 255
  • Values deleted: 1060
  • Values added: 399
  • Values modified: 93
  • Total changes: 1815

Of course, the resulting text file would also contain a list of every single change so you can examine them more closely.

Monitoring Uninstall Changes

In order to see how the registry is affected when a program is uninstalled, we can clear our snapshot from Regshot. Take a first snapshot and then go to the Control Panel and uninstall Google Drive. After you have uninstalled Google Drive, take your second snapshot to see what changes were made.

  • Keys deleted: 141
  • Keys added: 9
  • Values deleted: 477
  • Values added: 25
  • Values modified: 422
  • Total changes: 1074

You will notice that the installation modified 1815 keys and values while the uninstallation only changed 1074. This is because not every registry key touched during installation is edited or deleted when the program is uninstalled.
