How do I track registry changes? - a tutorial

Discussion in 'Windows Phone' started by Menneisyys, Jun 28, 2005.

Thread Status:
Not open for further replies.
  1. Menneisyys

    It's always asked how registry change tracking can be done and what is the easiest way of finding changes.

    First, there are no automated, always-running tools that just sit in the memory and report any registry change. However, as registry change times can be very well predicted - for example, a given program can only change the registry when it's run; a given system-wise setting (for example, the current font size or some system color) can only be written to the registry when actually setting it etc. - you can safely rely on offline tools that make the comparison for you.

    There're several ways of doing this. The preferred way I myself do this is using the following combination: Tascal / PHM / Resco Registry Editor / Total Commander 2.0 and a desktop-based, free tool like WinDiff in Microsoft Platform SDK. These are all free, except for Resco Registry Editor; you won't really need the latter for this purpose. You can download, for example, the Tascal Reg. Editor from http://www2r.biglobe.ne.jp/~tascal/download/pocketpc/tre_e.htm , the PHM Registry Editor from http://www.phm.lu/Products/PocketPC/RegEdit/ and Total Commander 2.0 from http://www.ghisler.com/ce.htm and WinDiff from http://www.microsoft.com/downloads/...EA3-A93E-40C0EC4F68E5&displaylang=en#filelist (click the PSDK-x86.exe link at the bottom). Please also read http://pocketpcmag.com/forum/topic.asp?TOPIC_ID=16508 on alternative, registry export-capable registry editors. Please note that, much as PHM Registry Editor can't import, it can export registry files; therefore, it's also sufficient for this purpose.
    There're a lot of other tools to do this, but IMHO they are not as usable/pretty as the above-mentioned two, especially if there're a lot of changed registry entries. For example, SK Software ( http://www.geocities.com/s_k_s_k_s_kru/util.html ) has several tools that do the same, even on the Pocket PC. If you're not afraid of evaluating registry differences on your Pocket PC (and don't need the much prettier and easier-to-use GUI of WinDiff), iDiffCE is a perfect program for this. (Incidentally, the S_K people have another application worth mentioning: ssnap, also available for free on their homepage. It's also able to export the registry in a format readable by iDiffCE.) And, you can use the 'traditional' Diff programs on your desktop computer too; see for example http://gnuwin32.sourceforge.net/packages/diffutils.htm on them. I've used them extensively; they're the exact replica of their Unix originals.
    You (like me) may find the combined use of a traditional registry editor and WinDiff easier, though; this is why I'm discussing just them in here.

    1, install the registry editor of your choice. Start it.

    2, tap-and-hold 'My Device' (in PHM) / 'My Registry' (in Resco) and choose 'Export...'. In Tascal, just highlight the uppermost '\' and choose File/Export Registry. Do this, for example, before and after running a program or setting a system property you want to track down.

    [​IMG]

    3, start the program / do something that (may) result(s) in a registry change. For example, let's assume you want to find out where the global font size of your system is stored in the Registry. Do a snapshot of the registry in the way I've described above and change the font size at Settings/System/Screen/Text Size (this will only work on WM2003SE devices). Here, we just move the slider to a different position from its default center position:

    [​IMG]

    4, do another registry snapshot as described in step 2.

    5, transfer the two registry snapshots to your desktop computer by using, say, Total Commander with the WinCE FS plug-in (see http://pocketpcmag.com/forum/topic.asp?TOPIC_ID=15577 on setting it up and using) and issue the following command:

    "c:\Program Files\Microsoft Platform SDK\Bin\WinDiff.Exe" 1.reg 2.reg

    (I assume in this example that 1.reg is the "before" and 2.reg is the "after" snapshot).

    You'll be presented with something like the following screen, if you did this all over an ActiveSync connection (with, say, Pocket Controller):

    [​IMG]

    As you can see, you'll be taken straight to the first difference between the two registry files.

    This is a perfect example of how removed, not-existing-anymore (red) and newly included, wasn't-present-in-the-first-snapshot (yellow) values are shown. If you know the standard Diff format, you may also recognize the standard > and < marks at the beginning of each affected row too - based on this, you will always know what red and yellow mean.

    In the example, the key LastActiveSyncTime had the value 1B013980 in the old snapshot and 6831DB00 in the new.

    If you then press F8 to be taken straight to the next change (you can move backwards with F7 and, of course, traditionally with the mouse), you'll see something like this:

    [​IMG]

    This is what we wanted to find (the previous change was because of ActiveSync). The all-yellow color shows that this registry key wasn't at all present in the previous snapshot and was introduced to the system when we altered the font size.

    That's all - pretty easy, isn't it?

    If you're interested in hardcore Windows Mobile hacking (I've written tons of articles on the Pocket PC Registry), you may want to check out my article collection at http://www.winmobiletech.com/ .

    Please don't hesitate to ask questions.
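
The before/after comparison from the tutorial above can also be done per key and value rather than per text line. This is an added example, not part of the original post: it assumes the exports use the REGEDIT4 text layout (`[key]` headers followed by `"name"=data` lines), the key paths and the `Size` value are constructed placeholders, and the `ignore` list for keys that change on their own goes slightly beyond what the post describes.

```python
import re

VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse REGEDIT4-style export text into {key: {value_name: raw_data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # long hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1).strip('"')] = m.group(2)
    return keys

def diff_snapshots(before, after, ignore=()):
    """Return (change, key, name, old, new) tuples, skipping keys under `ignore` prefixes."""
    changes = []
    for key in sorted(set(before) | set(after)):
        if any(key.lower().startswith(p.lower()) for p in ignore):
            continue
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                kind = "added" if name not in old else "removed" if name not in new else "changed"
                changes.append((kind, key, name, old.get(name), new.get(name)))
    return changes

# Constructed sample exports: the key paths and the "Size" value are placeholders,
# only the LastActiveSyncTime figures are taken from the post.
BEFORE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Example\Sync]
"LastActiveSyncTime"=dword:1B013980
"Blob"=hex:01,02,\
  03,04
'''
AFTER = BEFORE.replace("1B013980", "6831DB00") + r'''
[HKEY_LOCAL_MACHINE\Example\FontSetting]
"Size"=dword:00000BB8
'''

if __name__ == "__main__":
    noisy = (r"HKEY_LOCAL_MACHINE\Example\Sync",)   # keys known to change on their own
    for change in diff_snapshots(parse_reg(BEFORE), parse_reg(AFTER), ignore=noisy):
        print(change)
```

Keys that are added or removed without any values under them are not reported by this sketch.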
     
  2. imported_gmerin

    or you can use just one tool:

    SKTracker will audit your PPC, save the results in a snapshot file and diff between saved snapshots indicating what has changed. Results can be exported to a textfile.
     
  3. ctitanic

    Sounds easy :D and I like the article ... but... I really don't think that the average user will know what they are looking for knowing that from a copy of your registry before a soft reset compared with another copy created just after the soft reset you can find not a few changes. If you have todays addins you will get even more changes. But of course, this is the way that an expert will use to find out what was changed in the registry because the guy knows the registry and what every key does. ;)


    Again, bravo! A very good article.
     
  4. ctitanic

    Menneisyys, I have found some broken links in your site (mainly in the articles that I would like to read :(
     
  5. Menneisyys

    Yes, I'm very busy and haven't even had the time to upload my old(er) articles to my new homepage/site. They (the local articles, not those posted to PPC boards) are still available at my old homepage at http://menneisyys.freeweb.hu
     
  6. ctitanic

    keep going! that's all that matters ;)
     
  7. ctitanic

    BTW, I'm having problems installing the SDK (I wanted to test the Windiff). It aborts the installation saying that some kind of amd cab file is not present.
     
  8. Menneisyys

    I've tested with another, clean Win XP. It works. Are you sure you've downloaded the right PSDK-x86.exe? It's 1.324.256 bytes.
     
  9. ctitanic

    yeah, but my guess, looking at the name of the file, is that the problem is because I'm trying to install it on an AMD machine.
     
  10. Menneisyys

    On an Athlon 64? Maybe that's the problem. I've tested this on Intel devices, under plain Win XP.
     