Scripting Solutions with WSH and COM: Use Regmon to Monitor Registry Activity


A tool that you should have in your scripting toolbox is Regmon. This tool lets you monitor registry activity when you test or run scripts or perform other tasks. Regmon displays in realtime the registry keys and subkeys being accessed and the data being written to and read from those keys and subkeys.

Regmon runs on Windows 2000, Windows NT, Windows Me, and Windows 9x. You can download this freeware from The best way to explain how to use Regmon and its helpful features is through a real-world example.

Using Regmon
To start Regmon, you double-click its icon in Windows Explorer. At that point, the tool immediately starts monitoring calls to the registry and logs them in the Registry Monitor window, which Figure 1 shows. Every second, the OS makes many registry calls; if you start opening applications or performing other tasks, even more calls are made to the registry. Thus, Regmon ends up capturing huge amounts of information. To limit the amount of data that Regmon collects, you can press Ctrl+E to tell Regmon to stop capturing data. To restart the data collection, you again press Ctrl+E. You can delete captured data by pressing Ctrl+X.

When you use Regmon to monitor the registry calls associated with a specific task, you should press Ctrl+E followed by Ctrl+X right after you start Regmon. That way, the Registry Monitor window is empty. Then, when you're about to perform the task, press Ctrl+E to start capturing data. When the task finishes, press Ctrl+E to stop the data collection.

For example, I wanted to monitor calls to the registry when I ran the script ListRegisteredApps.vbs, which Listing 1 shows. I was trying to debug this Windows Script Host (WSH) script, which I wrote to display information about applications installed with Windows Installer. First, I launched Regmon, pressed Ctrl+E to stop the data collection, then pressed Ctrl+X to clear all captured data. I wanted to be able to launch ListRegisteredApps.vbs quickly, so I created a shortcut for the script and placed it on my desktop. Next, I pressed Ctrl+E to start collecting the data and launched ListRegisteredApps.vbs from the desktop icon. After the script executed and I received the dialog box that Figure 2, page 12, shows, I closed the dialog box. I quickly switched back to Regmon and pressed Ctrl+E to stop the data collection.

In the short time I collected data, Regmon captured 3376 entries, which gives you an idea of the power of this tool. Of those 3376 entries, 906 occurred before I even launched the script.

Figure 1 includes a few of the entries that Regmon captured during the script's execution. For each entry, Regmon documents

  • an entry number
  • a timestamp that specifies when the call occurred
  • the process that generated the call
  • the call's request (e.g., calls to open, query, or close a registry key or subkey)
  • the registry key or subkey that's being accessed
  • whether the request was successful
  • the value of the registry key or subkey, if applicable

When I was reviewing the captured entries, I noticed a peculiarity in the subkeys listed in the Path column for entries 3275 and 3279. In entry 3275, WScript (the WSH interpreter engine that ran ListRegisteredApps.vbs) used one globally unique ID (GUID) to query the ProductName subkey in the HKEY_CURRENT_USER subtree. In entry 3279, WScript used another GUID to query the InstallSource subkey in the HKEY_LOCAL_MACHINE subtree.

Entries 3275 and 3279 revealed that WScript had to access different parts of the registry to obtain the data for each application. So, I used Regmon again to monitor the results of several tests in which I read from and wrote to the relevant registry subkeys. I quickly discovered that when I wrote an InstallSource value to a registry subkey, the system updated a different subkey than the subkey from which the system read the InstallSource value. Reading and writing to different registry subkeys can lead to problems if you use scripts to change or read Windows Installer source paths.

If you regularly read my column, this example might sound familiar—and for good reason. I've just described the process I used to discover the Windows Installer problem I discussed in "Scripting Solutions with WSH and COM: Customizing Windows Installer Applications," April 2001. Although Microsoft has yet to release a solution for this problem, this example demonstrates how you can use Regmon to quickly and easily identify problems.

Helpful Features
Because Regmon captures so many registry calls, it provides several helpful features that you can use to search for entries in which you're interested. Using the Regmon Filter dialog box, which Figure 3 shows, you can filter or highlight entries. You access this dialog box by pressing Ctrl+L or by selecting Filter/Highlight from the Edit menu.

The Regmon Filter dialog box provides Include and Exclude options to filter entries. You specify the string you want Regmon to search for. (The searches are case-sensitive.) When Regmon finds an entry that contains the specified string, it either includes or excludes that entry in the Registry Monitor window, depending on the option you chose. In my case, I wanted Regmon to display every entry, so I specified the default Include string, which is the asterisk (*) wildcard character.

You can search for multiple strings by placing a semicolon (;) between them. For example, if you want to capture all calls made to the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_CURRENT_USER\Software keys, you might opt to specify HKLM\SOFTWARE;HKCU\Software as the Include option's search string. Note that you don't include any spaces before or after the semicolon.

As I mentioned earlier, the asterisk is a wildcard character. You can use this wildcard character for complex pattern matching. For example, you can specify HKLM*F:\ to find all keys and subkeys from the HKEY_LOCAL_MACHINE subtree that have a value of F:\.

The series of check boxes at the bottom of the Regmon Filter dialog box provides an additional way to filter entries. These check boxes let you target specific call types. You use these check boxes to specify whether you want to include calls in which

  • keys, subkeys, or data were successfully accessed (Log Successes)
  • keys, subkeys, or data were unsuccessfully accessed (Log Errors)
  • data was read (Log Reads)
  • data was written (Log Writes)
  • other events occurred, such as a key not being found (Log Other)

Selecting a check box signals that you want to include the specified call type.
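The entry fields listed above and the Filter dialog's rules (case-sensitive substring matching, several strings separated by `;` with no surrounding spaces, `*` as the only wildcard, Highlight as a separate pass, and the five Log check boxes) are easy to misread from a description alone. The following Python script is an added example, not code from the article or from Regmon; it re-implements those rules over a handful of constructed capture lines so you can see which entries each filter keeps. The column order follows Regmon's window (#, Time, Process, Request, Path, Result, Other), and the grouping of request names under Log Reads/Log Writes/Log Other is an assumption, since the article does not spell it out.

```python
"""Toy re-implementation of Regmon's Filter/Highlight rules over captured entries."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample capture in Regmon's column order: #, Time, Process, Request,
# Path, Result, Other (tab-separated). Entry numbers, process IDs, GUIDs and
# paths are invented for this example; they are not the article's captures.
SAMPLE_LOG = "\n".join([
    "1\t12.40321340\tWSCRIPT.EXE:1234\tOpenKey\tHKCU\\Software\\Example\\Products\tSUCCESS\tKey: 0xE1A2B3C4",
    "2\t12.40322010\tWSCRIPT.EXE:1234\tQueryValue\tHKCU\\Software\\Example\\Products\\{AAAA-0001}\\ProductName\tSUCCESS\t\"Example Editor\"",
    "3\t12.40322980\tWSCRIPT.EXE:1234\tQueryValue\tHKLM\\SOFTWARE\\Example\\Products\\{BBBB-0002}\\InstallSource\tSUCCESS\tF:\\",
    "4\t12.40323550\tEXPLORER.EXE:812\tOpenKey\tHKLM\\SOFTWARE\\Example\\Missing\tNOTFOUND\t",
    "5\t12.40324120\tWSCRIPT.EXE:1234\tSetValue\tHKLM\\SOFTWARE\\Example\\Products\\{BBBB-0002}\\InstallSource\tSUCCESS\t\"D:\\Setup\"",
    "6\t12.40324700\tSVCHOST.EXE:400\tCloseKey\tHKLM\\SYSTEM\\Example\tSUCCESS\tKey: 0xE1000000",
])

# Assumed grouping of request names under the Log Reads / Log Writes boxes;
# anything else (OpenKey, CloseKey, ...) falls under Log Other.
READ_REQUESTS = {"QueryValue", "QueryKey", "EnumerateKey", "EnumerateValue"}
WRITE_REQUESTS = {"SetValue", "CreateKey", "DeleteKey", "DeleteValue"}


@dataclass
class Entry:
    number: int      # entry number
    time: str        # timestamp of the call
    process: str     # process that generated the call
    request: str     # OpenKey, QueryValue, SetValue, CloseKey, ...
    path: str        # key or subkey being accessed
    result: str      # SUCCESS or an error such as NOTFOUND
    other: str       # value read or written, if applicable

    def searchable_text(self) -> str:
        # String filters match anywhere in the row, so a pattern such as
        # HKLM*F:\ can span the Path and Other columns.
        return "\t".join([self.process, self.request, self.path, self.result, self.other])


def parse_regmon(text: str) -> List[Entry]:
    """Parse tab-separated capture lines into Entry records (Other may be empty)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        while len(cols) < 7:
            cols.append("")
        entries.append(Entry(int(cols[0]), cols[1], cols[2], cols[3], cols[4], cols[5], cols[6]))
    return entries


def _pattern_to_regex(pattern: str):
    # Only * is a wildcard; every other character is literal and matching is case-sensitive.
    return re.compile(".*".join(re.escape(piece) for piece in pattern.split("*")))


def _any_match(entry: Entry, spec: str) -> bool:
    """True if any ;-separated pattern in spec occurs in the entry (no spaces around ;)."""
    patterns = [p for p in spec.split(";") if p]
    text = entry.searchable_text()
    return any(_pattern_to_regex(p).search(text) for p in patterns)


@dataclass
class RegmonFilter:
    include: str = "*"        # the default Include string is the * wildcard
    exclude: str = ""
    highlight: str = ""
    log_successes: bool = True
    log_errors: bool = True
    log_reads: bool = True
    log_writes: bool = True
    log_other: bool = True

    def passes_checkboxes(self, e: Entry) -> bool:
        outcome_ok = self.log_successes if e.result == "SUCCESS" else self.log_errors
        if e.request in READ_REQUESTS:
            kind_ok = self.log_reads
        elif e.request in WRITE_REQUESTS:
            kind_ok = self.log_writes
        else:
            kind_ok = self.log_other
        return outcome_ok and kind_ok


def apply_filter(entries: List[Entry], flt: RegmonFilter) -> List[Tuple[Entry, bool]]:
    """Return (entry, highlighted) pairs that survive the check-box and Include/Exclude rules."""
    shown = []
    for e in entries:
        if not flt.passes_checkboxes(e):
            continue
        if not _any_match(e, flt.include):
            continue
        if flt.exclude and _any_match(e, flt.exclude):
            continue
        shown.append((e, bool(flt.highlight) and _any_match(e, flt.highlight)))
    return shown


if __name__ == "__main__":
    captured = parse_regmon(SAMPLE_LOG)
    for entry, hit in apply_filter(captured, RegmonFilter(include="HKLM\\SOFTWARE;HKCU\\Software",
                                                          highlight="InstallSource")):
        print(("* " if hit else "  ") + f"{entry.number} {entry.request} {entry.path} {entry.result}")
```

Running the script shows the `HKLM\SOFTWARE;HKCU\Software` Include string keeping every entry except the `HKLM\SYSTEM` one, with the two `InstallSource` rows marked as highlighted; changing the filter to `HKLM*F:\` leaves only the row whose value is `F:\`, and `hklm` in lower case matches nothing, which is the case-sensitivity caveat the article notes.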

Another helpful feature in the Regmon Filter dialog box is the Highlight option. You specify the string you want Regmon to search for; when Regmon finds an entry that contains the specified string, it highlights that entry. You can set the foreground and background colors of the highlighted text by selecting Highlight Colors from the Edit menu. As Figure 3 shows, I chose to highlight any entry that contains the string InstallSource. As a result, entries 3279 and 3288 in Figure 2 are highlighted. (Entry 3275 isn't highlighted; it's just selected.)

The highlighting and filtering options let you home in on the entries you want to view. Because Regmon captures thousands of entries in just a short time, any search feature that simplifies finding data is helpful.

In addition to the search features, Regmon has a feature that lets you quickly access any registry key, subkey, or value logged in the Registry Monitor window. You just double-click the entry in which you're interested. Regmon then opens regedit and has regedit display that key or subkey and its value so that you can investigate or change the key, subkey, or value.

Download Regmon Today
Regmon is a valuable tool. It lets you closely monitor registry activities and, in times of trouble, helps you identify problems. If the solution to a problem involves changing a registry value, you can even use Regmon to change that value.
