For managing applications and user environments it is very useful to know the way the application and the user behaves. And for application provisioning and user environment management it is necessary to know where the application and system stores the settings and personalizations options. We will need some form of application to use for capturing or monitoring the system for changes that the application or it’s settings are doing. For UEM for example we have the Application Profiler to use and create application configuration or predefined settings. But if you like to see where our Windows friend stores its changes, application profiler is not enough. We need other tools for the job. We can use Process monitor (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx) or SpyStudio (http://www.nektra.com/products/spystudio-api-monitor/) to name a few. Or regshot.
The main difference of regshot to, for example the mentioned Process monitor or SpyStudio, is that this tool does not require admin permissions like Process monitor or installation on the system like SpyStudio. You can just download and run in the user context. This is what is the strong point is of Regshot, low footprint and no changes to the system that could influence your capturing. As long as the changes you want to monitor are within the user context, but wasn’t this the point in the first place….
What does regshot do?
In short regshot takes a first and a second shot of the registry, and shows you the differences between these. Next to this regshot also allows you to scan dirs. For example save the registry and APPDATA after you have changed that minor customization. Isn’t that what you would want to see?
In short take a first shot before your change. Change the system and take a second shot. Press compare and see what has been changed. And use that output in for example UEM configurations.
First up the application is available in 32-bit and 64-bit, and in ANSI and Unicode encoding.
The difference here is the program architecture and how the character encoding is handled. If for example your language settings include non-latin characters, you may want to use the Unicode version of Regshot. Else it will not matter which one you take as long as the processor architecture is right.
Secondly with the shots you can do your shot, or do and save your shot. When saved you can later use this with the load option.
Third, want your output in HTML or text. HTML is friendlier on the eyes, however it will take some more time to output. Sometimes the external program connection to HTML is screwed.
Fourth is including a scandir. Default regshot will do registry, but a lot of application do save something in for example the AppData Local, ProgramData or other locations. I would recommend to include the scandirs where possible. To only downside is that you would need to know where an application stores its values, or put in the most likely suspects. Just going for all out C:\users is getting you a lot of background noises from other applications using the same space.
Fifth is setting an output path. Currently it is set to the administrators AppData profile path. If I am scanning dirs in that location it might be a better idea to redirect the output to another location not to mess up the output.
Do keep in mind not to let in a lot of cycles between the first and second shot. The system will continue to run and add up in changes between the shots. Do your required change and shoot again.
Where can I get Regshot?
RegShot is available on its Sourceforge project page at https://sourceforge.net/projects/regshot/. You can download Regshot as a compressed .7z file. You can open this with 7Zip or WinZip. Downpart of the 7z is that if you haven’t brought an additional zip application, native Windows can’t handle this. There goes my no changes to the system with using Regshot…..or just unzip it on another system 😉
Don’t mind if I do. First we are going to take our first shot. Just let the program count the keys and values, and the dirs and files, until the second shot button appears.
I don’t mind the time it takes, my testlab is a bit on the slow hand. And including the scandir takes an even longer time than just browsing the registry. But I’m there for the results not the speed.
Next up do a change to the system. For this example I changed Chrome browser settings to show the home and always show the bookmark bar. Done with the change? Take the 2nd shot. And wait until the compare button is available. Than press that one. In the output is for example:
Now it is up to you to analyse what is needed..
We see that Chrome wrote to the \Software\Google\Chrome\PreferenceMACs in the USER SID key. However SIDs we cannot capture with for example UEM. We do know that this is the same as HKCU and can be captured from the HKCU\Software\Google\Chrome\PreferenceMACs. Just add the HKCU\Software\Google\Chrome\PreferenceMACs or HKCU\Software\Google\Chrome to be included in the UEM Configuration.
Now it is up to you to analyse what is needed.
– Happy shooting at your users…ermmm user environment I mean!