Using Process Monitor to track registry changes

It seems many people like using Process Monitor to see what changes are being made to the registry during a process. So I downloaded it.

I want to see what changes are made in the registry by some config changes I'm making on my computer so I can write them into a vbs script to do them easily. Can someone tell me how to drive Process Monitor to capture the info? In the Help I don't see how to do it.

I'm using Windows 7 Home Premium 64-bit.


In the directory where procmon.exe resides, there should also be a file called procmon.chm (if you extracted them to the same place). Right-click on procmon.chm and choose Properties, then click "Unblock".

You are experiencing the issue described here.

Edit:

Now to address the actual question.

  1. Open up process monitor.

  2. The filters will probably show up. Press reset to reset the filters and click OK. Otherwise you can open them with ctrl-L and press reset.

  3. There is an icon on the top toolbar that looks like crosshairs with circles (8th from the left). Drag that to the (config) window whose activity you want to watch (if you want to filter on that process). You might otherwise clutter up your readings with activities from other processes.

  4. Clear the activity log (ctrl-x).

  5. Now make your config changes and watch the registry keys fly by.


CHM files (compiled HTML) are "blocked" by default as a security measure in Windows 7. Find the help file that belongs to Process Monitor, view its properties, and click the Unblock button.

As for Process Monitor itself, it collects a lot of data, so you'll want to try to filter what you're looking for. You can do this a couple of ways. You can just capture all of the data to a capture file, then open it to filter the data viewed - this still preserves all of your data. You can also configure your filters to capture only the data you want to see, and save that - less resource hungry, but you lose data that you may want to see later.

If you only downloaded Process Monitor, I suggest taking a look at the rest of the tools available in the Sysinternals Suite. They're great for troubleshooting and better understanding how Windows works.