[Tool] RegmonToRegfile - Record and playback registry changes
I just released a new utility: RegmonToRegfile.
It's easier to explain what you can do with RegmonToRegfile than to explain what it is. RegmonToRegfile works with Regmon (a free tool from SysInternals) to record and playback the registry changes that another program or installation makes. For example, I used it to create the registry files for the IE7 Standalone launcher I've been distributing. I recorded the registry entries when I installed, ran, and uninstalled IE7 and saved the logs, then ran RegmonToRegfile to convert then to regfiles.
Regmon is an excellent tool that monitors what other programs do with the Windows registry. It saves everything that happens to a log file, but doesn't include the option to export to a registry (.reg) file. RegmonToRegfile reads Regmon logs and translates them into .reg files.
STANDARD REGISTRY WARNING: Registry flies can do great damage to your computer. You should always review registry files before you merge them, but that is even more important in this case since the registry files are being generated by a new and unsupported application. I also recommend testing your registry changes on a Virtual PC or VMWare Windows image. This application and the registry files you produce with it are unsupported; use at your own risk.
USAGE: regmontoregfile -input [-output] [-path] [-process] [-keys] [-maxRecords] [-lookup]
Input: Filename of the RegMon log.
Output: Filename of the output registry file. Default: input filename with extension changed to .reg.
Path: Path to input and output file.
Process: Comma delimited list of processes to include. Default:all processes.
Keys: Regular expression of key(s) to include. Default:all keys.
MaxRecords: Maximum number of records (log entries) to process. Default:all records.
Lookup: If true, looks up truncated binary values in the registry. Default:false (do not lookup values, ommit them).
All parameters can be set via config files settings as well. If you specify the path parameter, input and output should not be qualified with a full path.
There are a few limitations:
- Regmon only logs the first few bytes of binary values (REG_Binary) written to the registry, so RegmonToRegfile just skips writing these values. In most cases, that's not an issue since I haven't seen any binary values written by a program that would make sense to script anyways - they're usually things like crypto keys or keyboard scan codes. Version 1.0.2 adds the option of looking up truncated binary values in the local registry.
- RegmonToRegfile has limited support for registry value types. It handles STRING and DWORD values and can try to lookup BINARY values in your local registry. It does not handle other types, such as EXPAND_SZ, and MULTI_SZ types. This hasn't been a problem in practical use, since most registry entries are either STRING or DWORD type.
Source is included under BSD license.
Update: I forgot to mention that I used the FileHelpers library to do the grunt work of parsing the log files, which freed me up to concentrate on mapping the fields to regfile syntax. FileHelpers is very easy to use, and works really well. If you're parsing any kind of delimited text file without using FileHelpers, you're working too hard. Thanks for pointing that out, Greg!