RegMon

     I just downloaded RegMon, newest version, 4.0, from:
     http://www.sysinternals.com/Regmon.htm

     Following is a short essay on USING our tool RegMon.
     notes by jeff
     3-1-99

This is a very basic essay covering how to:

1. Identify the name of the program you are loading

2. Set up a 'filter' to block out all other programs from loading into the Regmon window and to load only the one you wish to view.
Wow! Has anyone downloaded the newest version of RegMon...I just did...perhaps the other versions had this feature and I did not notice; but this version has a feature in it in the "OPTIONS" drop-down menu called..."Jump to Regedit"...it works COOL!

....snipped from RegMon help file.......... Jumping to a Key or Value in Regedit

If you come across a key or value name in the output that you want to modify or view in Regedit, you can do so simply by double-clicking on the line containing the name or pressing the Regedit toolbar button. Regmon will launch Regedit (if it hasn’t been launched already) and navigate directly to the value or key. Note that if you select a non-existent value or key Regmon will take Regedit to a position as close as possible to where the value or key would be located.


Referenced from: http://www.sysinternals.com/Regmon.htm

Introduction

Regmon is a Registry spying utility that watches and displays information on system-wide registry accesses as they are occurring. This makes it a uniquely powerful tool for learning how Windows works or tracking down problems due to misconfigured Registry settings.

Version 4.0 unifies previous NT and Win9x-specific versions of Regmon into a common interface. Enhancements to the device drivers, and the addition of UI features (always-on-top, listview tool-tips) also mark this major version update.

Regmon works on NT 3.51, 4.0, 5.0 (Win2K), Windows 95 and Windows 98.

ADDITIONAL info on this tool can be read at RegMon's URL listed above....

     Okay, on to the USE guide:

We can pretty much use and set this tool up much as we would set up Regmon...

(Notice how I am writing up some of the easier tools to explain>>>? HEY! YOU SNOOZE...YOU
     LOSE!...Now you get to write up some of the tougher ones...hehehe:) :)

I usually set up some of my more important 'used' tools as a shortcut down in my Symantec Navigator toolbar for quick access:

When we first OPEN RegMon, it immediately begins logging all the registry activity that is taking place on our system...

The nice thing about this tool vs. Filemon is that there seems to be much less activity, which makes it easier to 'view' any changes...

Now let's take the same 'target' program, MS Calculator, as we used in the FileMon essay, and open it up... now look at the column named "Process"... Scroll until you see what NAME VALUE has been assigned to this calculator program... Once again, in this case, it is named...Calc...(DOH!)
  So, now, click on the OPTIONS menu and in the drop-down box click on "Filter"

Here you will see four input boxes (in this newest 4.0 version) named:

     Process includes: ..........
     Process excludes:.........
     Path include:......
     Path exclude:......

I do not know how to use the "Path include, exclude" boxes; (Perhaps this would be a good place for someone who does know their use and value to explain and insert it into this essay here...)

In the Process box, however, we can type in the name of the program we noted in the "Process" column; in this case it is the name value "Calc". Having typed this into the "Process" input box, it will now create a filter... a filter will act to screen out all other running programs and load only our target program.

 Hmmmm; I accidentally typed it in as "Calc"....note the upper case "C", and it DOES work in this version... Good! We don't have to watch for case sensitivity on this one...have not tried it on earlier versions...so watch it...earlier versions perhaps need to be all typed in lower case; I don't remember...

Okay; to clarify...

type in the word "calc", or "Calc" (no quotes)
click the Apply button

Make sure in the Options drop-down box that the option "Capture Events" is also checked
  Now, in the Options menu drop-down box, click on "Clear Display"

This will clear your window, and now you can open Calculator again. The only program that will be listed and running in the RegMon window when you run MS Calculator will be....Calculator...and its various activities....
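The filter set up above can be modelled in a few lines, and the same logic shows what the "Path include/exclude" boxes add on top of the process filter. The following is an added example, not code from this essay or from Sysinternals. It assumes that a filter box holds semicolon-separated, case-insensitive patterns that may use '*' and '?' wildcards, which is an assumption about RegMon's behaviour rather than something the essay states, and it runs over constructed sample lines laid out like RegMon's columns (sequence, process, request, path, result), not real captured output.

```python
"""Model of RegMon's Options > Filter dialog applied to RegMon-style log lines.

Added example, not the essay's or Sysinternals' code.  Pattern semantics
(';'-separated, case-insensitive, '*'/'?' wildcards) are an ASSUMPTION.
"""
import fnmatch
from dataclasses import dataclass


@dataclass
class RegEvent:
    seq: int
    process: str
    request: str
    path: str
    result: str


# CONSTRUCTED sample lines in the shape of RegMon's columns, tab-separated.
# Not real RegMon output.
SAMPLE_LOG = """\
1\tExplorer\tQueryValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState\tSUCCESS
2\tCalc\tOpenKey\tHKCU\\Software\\Microsoft\\Calc\tSUCCESS
3\tCalc\tQueryValue\tHKCU\\Software\\Microsoft\\Calc\\layout\tNOTFOUND
4\tCalc\tOpenKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS
5\tSystray\tQueryValue\tHKLM\\System\\CurrentControlSet\\Services\\Class\tSUCCESS
6\tcalc\tCreateKey\tHKCU\\Software\\Microsoft\\Calc\tSUCCESS
"""


def parse_log(text):
    """Turn tab-separated RegMon-style lines into RegEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, proc, req, path, result = line.split("\t")
        events.append(RegEvent(int(seq), proc, req, path, result))
    return events


def _matches(value, patterns):
    """True if value matches any ';'-separated pattern (assumed semantics:
    case-insensitive; substring match unless the pattern carries wildcards)."""
    value = value.lower()
    for pat in patterns.split(";"):
        pat = pat.strip().lower()
        if not pat:
            continue
        if "*" in pat or "?" in pat:
            if fnmatch.fnmatchcase(value, pat):
                return True
        elif pat in value:
            return True
    return False


def apply_filter(events, process_include="", process_exclude="",
                 path_include="", path_exclude=""):
    """Keep only events passing all four boxes; an empty box imposes nothing.
    Process boxes test the Process column, Path boxes test the registry path."""
    kept = []
    for ev in events:
        if process_include and not _matches(ev.process, process_include):
            continue
        if process_exclude and _matches(ev.process, process_exclude):
            continue
        if path_include and not _matches(ev.path, path_include):
            continue
        if path_exclude and _matches(ev.path, path_exclude):
            continue
        kept.append(ev)
    return kept


def keys_touched(events):
    """Sorted, de-duplicated list of registry paths in the (filtered) events:
    the quick answer to 'which keys did this program look at?'."""
    return sorted({ev.path for ev in events})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    # Same as typing "Calc" into the Process box: "calc" (lower case) passes too.
    for ev in apply_filter(events, process_include="Calc"):
        print(ev.seq, ev.process, ev.request, ev.path, ev.result)
    # Path include narrows the same view to one key of interest.
    for ev in apply_filter(events, process_include="Calc",
                           path_include="CurrentVersion\\Run"):
        print("Run key access:", ev.seq, ev.process, ev.request, ev.result)
    print(keys_touched(apply_filter(events, process_include="Calc")))
```

With the process box alone the view shrinks to the four Calc lines, which is the state the essay reaches; adding a path pattern on top narrows it further to the one key you care about, so the two path boxes are just the same test applied to the Path column instead of the Process column.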

    Set-Up is Done

If you see mistakes, inconsistencies, know an easier approach, etc., etc., feel free to work on it and improve it.... Would anyone care to explain any other options, tricks, knowledge...?

Write it up and we'll change this one or add & credit your comments to it...etc.

This essay was more on HOW TO SET UP RegMon; the next essay on RegMon could be:
Why Do We Use RegMon & Where Do We Look FOR these Answers...

          Why do we use this tool at all?; etc.....
     ********************************************************

 Hope this essay spurs on others to write essays for our other valuable tools and How and Why to use them....
Many thanks to The Sandman for providing such great teachings and a home for reversers.....

greetz and thanks to Eternal Bliss and Gracefully Savage for help & contributions.....

     Thanks
     Regards
     Jeff