Track changes made to the registry key

0

Some application constantly overrides a specific registry key I am interested in keeping unchanged. Is there a way to track which application it is?

The best answer from here https://stackoverflow.com/questions/144468/tracking-changes-in-windows-registry covers the case when the application is known. My problem is that I do know the changes but I don't know the application (the opposite problem).

SwietNoiko

Posted 2017-02-06T09:37:10.460

Reputation: 21

Question was closed 2017-02-06T11:10:33.653

Did you try one of the not accepted solutions? They're not all targeted at a single, known application. Especially the Process Monitor solution works on a system scope. – Seth – 2017-02-06T09:40:54.757

I don't know when the change happens. Will PM be useful in that case? Of course I will give it a try. Thanks. – SwietNoiko – 2017-02-06T09:41:57.420

Answers

0

In the answer to which you linked, there are several solutions that let you monitor changes made by a certain app. Download and run one of those solutions. Then, run each and every one of your apps one by one and see what Registry entries each app changes. You will find the culprit very soon.

user477799

Posted 2017-02-06T09:37:10.460

Reputation:

I don't think this is going to be that easy. I don't know what application it is (it might be a background process etc...) and when the change happens. – SwietNoiko – 2017-02-06T10:01:23.717

@SwietNoiko Yes. But when you run one app at a time, it is obvious which app did it. (That one app.) – None – 2017-02-06T10:02:53.520

I suspect it is not an application that I do run manually. – SwietNoiko – 2017-02-06T10:04:06.957

@SwietNoiko Why do you think so? – None – 2017-02-06T10:05:49.587

Because the change happens without me running any application. It is some background process. I need to identify it. – SwietNoiko – 2017-02-06T10:06:21.040

Then use Process Monitor. Download and run it. Define a filter that lets you only see events corresponding to your Registry key. (Test the filter by deliberately changing that key.) Let it run for a while. Then come back and see which process has changed the key. – None – 2017-02-06T10:12:33.133

0

Process Monitor highly recommended.

  1. Remove all clauses from filter.
  2. Add "Event Class" "is" "Registry".
  3. Add "Path" "contains" your_registry_path.

KonstantinL

Posted 2017-02-06T09:37:10.460

Reputation: 111
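
When a filtered Process Monitor capture like the one described in the answers above has run for a while and been exported to CSV, the writers of the key can be tallied offline. The following is an added example, not part of the original answers; it assumes Process Monitor's default column set, and the key path, process names and log rows are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Operations that always modify a key or one of its values.
WRITE_OPS = {"RegSetValue", "RegDeleteValue", "RegDeleteKey", "RegRenameKey"}

def is_write(row):
    op = row["Operation"]
    if op in WRITE_OPS:
        return True
    # RegCreateKey is also logged when an existing key is merely opened;
    # count it only when the key was really created.
    return op == "RegCreateKey" and "REG_CREATED_NEW_KEY" in row["Detail"]

def find_writers(csv_file, key_fragment):
    """Count write events per (process, PID, operation, result) whose
    path contains key_fragment (case-insensitive, like the registry)."""
    needle = key_fragment.lower()
    hits = Counter()
    for row in csv.DictReader(csv_file):
        if needle in row["Path"].lower() and is_write(row):
            hits[(row["Process Name"], row["PID"],
                  row["Operation"], row["Result"])] += 1
    return hits

# Constructed sample rows in the shape of a Process Monitor CSV export.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:05:01.1234567","regedit.exe","4120","RegQueryValue","HKCU\Software\Example\Settings\Mode","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:06:21.0400000","updater_svc.exe","1888","RegSetValue","HKCU\Software\Example\Settings\Mode","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:06:21.0500000","updater_svc.exe","1888","RegCreateKey","HKCU\Software\Example\Settings","SUCCESS","Desired Access: All Access, Disposition: REG_OPENED_EXISTING_KEY"
"10:07:00.0000000","explorer.exe","2300","RegSetValue","HKCU\Software\Other\Value","SUCCESS","Type: REG_SZ, Length: 2"
"10:16:21.0400000","updater_svc.exe","1888","RegSetValue","HKCU\SOFTWARE\Example\Settings\Mode","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
'''

if __name__ == "__main__":
    # For a real export use: open(path, newline="", encoding="utf-8-sig")
    found = find_writers(io.StringIO(SAMPLE), r"Software\Example\Settings")
    for (proc, pid, op, result), n in found.most_common():
        print(f"{n:4d}  {proc} (PID {pid})  {op}  {result}")
```

A write that shows a result other than SUCCESS is still listed, since a process that repeatedly tries to change the key is as relevant as one that succeeds.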