How to know which program has modified the registry on Windows?

1

On Windows Server 2016 Technical Preview 4, multiple entries are getting created for cost estimation of MSI.

Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ProductCode}, the EstimatedSize entry is getting created during MSI execution, but after some time another entry "sEstimatedSize2" is getting automatically created. The issue is, during uninstall the {ProductCode} hive remains with that sEstimatedSize2 registry.

Is there a way to find out who modified the registry? I am able to find out when that key got created using regscanner.

vikram

Posted 2016-01-08T05:15:45.193

Reputation: 41

There exist 'uninstaller' tools that watch every modification to the registry and disk, so that they can revert these... – Jan Doggen – 2016-01-08T11:09:13.340

Answers

1

I'd recommend using ProcMon - this will show you what processes are creating, reading and modifying files, folders and registry entries. You can filter it down to registry entries matching a specific mask (you'll have to do this, as it very quickly spams with all of the things going on on your machine).

Hopefully this will help you work out where your problem lies.

Jonno

Posted 2016-01-08T05:15:45.193

Reputation: 18 756

Is there a way to use ProcMon to display results in particular date range because I am unable to replicate the above mentioned issue now? – vikram – 2016-01-08T06:14:26.903

Sorry, your question made it sound like you could recreate the issue. I am not aware of this information being logged anywhere. – Jonno – 2016-01-08T06:23:29.323

It may be reproduced because I don't know when it will be created. First time it got created after 4 days from when I installed my product and it is getting created for all products installed on the machine. For my product, I have removed that left over registry entry and then installed my product again but till now that key has not been created. – vikram – 2016-01-08T06:40:19.660

If you know what process might be creating the key then you can include it in the filter and keep ProcMon running. – spherical_dog – 2016-01-08T06:47:03.623

Or add a filter for the key name you want to look for (sEstimatedSize2) whilst it's running. – Jonno – 2016-01-08T06:48:49.890

Yes, that would be much better since ProcMon uses too much virtual memory if you have too many entries logged. – spherical_dog – 2016-01-08T06:55:37.417

Will do that and let you know if I find any information. – vikram – 2016-01-08T07:19:11.563

According to this link, the stack trace in Process Monitor shows that the "sEstimatedSize2" Registry value was created by StorSvc.dll during an incoming RPC. I don't think it is related to Windows Installer. StorSvc.dll implements the "Storage Service" service but I have not tested whether disabling this service would prevent the value from being created. Windows Installer doesn't delete the Registry value when uninstalling. – vikram – 2016-01-11T04:50:02.387
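The sticking point in the thread is that the value shows up days after the install, so ProcMon would have to run (and hold its log in memory) the whole time. An added example, not from the thread: PowerShell that puts an audit entry (SACL) on the product's Uninstall key so Windows records Security event 4657, which names the writing process, and then lists those events for sEstimatedSize2. It assumes an elevated session with the Security log available; {ProductCode} is a placeholder for the real product GUID.

```powershell
# Added example, not from the original thread. {ProductCode} is a placeholder.
# Requires an elevated PowerShell session (SeSecurityPrivilege is needed to write a SACL).
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ProductCode}'

function Enable-RegistryValueAudit {
    param([string]$Path)
    # Turn on the Object Access > Registry audit subcategory (success events only).
    auditpol /set /subcategory:"Registry" /success:enable | Out-Null

    # Add a SACL entry: any account that sets a value, creates a subkey or deletes
    # under this key produces a Security event that carries the process name.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AuditFlags]'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-RegistryValueWriters {
    param([string]$ValueName, [datetime]$Since)
    # Event 4657 = "A registry value was modified" (creation of a value counts as SetValue).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $Since } |
        ForEach-Object {
            # Flatten the EventData fields into a hashtable keyed by field name.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Key       = $d['ObjectName']
                Value     = $d['ObjectValueName']
                Operation = $d['OperationType']
                ProcessId = $d['ProcessId']
                Process   = $d['ProcessName']
                User      = $d['SubjectUserName']
            }
        } |
        Where-Object { $_.Value -eq $ValueName }
}

Enable-RegistryValueAudit -Path $KeyPath
# Leave the machine running; when the value reappears (the thread saw a delay of days), ask:
Get-RegistryValueWriters -ValueName 'sEstimatedSize2' -Since (Get-Date).AddDays(-7) |
    Format-Table -AutoSize
```

Unlike a ProcMon capture, the audit events live in the Security log and survive reboots, so the process name can be read back whenever the value turns up.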