[Tool] RegmonToRegfile - Record and playback registry changes

Monday, October 9, 2006

I just released a new utility: RegmonToRegfile.

It's easier to explain what you can do with RegmonToRegfile than to explain what it is. RegmonToRegfile works with Regmon (a free tool from SysInternals) to record and playback the registry changes that another program or installation makes. For example, I used it to create the registry files for the IE7 Standalone launcher I've been distributing. I recorded the registry entries when I installed, ran, and uninstalled IE7 and saved the logs, then ran RegmonToRegfile to convert then to regfiles.

Regmon is an excellent tool that monitors what other programs do with the Windows registry. It saves everything that happens to a log file, but doesn't include the option to export to a registry (.reg) file. RegmonToRegfile reads Regmon logs and translates them into .reg files.

STANDARD REGISTRY WARNING: Registry flies can do great damage to your computer. You should always review registry files before you merge them, but that is even more important in this case since the registry files are being generated by a new and unsupported application. I also recommend testing your registry changes on a Virtual PC or VMWare Windows image. This application and the registry files you produce with it are unsupported; use at your own risk.

USAGE: regmontoregfile -input [-output] [-path] [-process] [-keys] [-maxRecords] [-lookup]
Input: Filename of the RegMon log.
Output: Filename of the output registry file. Default: input filename with extension changed to .reg.
Path: Path to input and output file.
Process: Comma delimited list of processes to include. Default:all processes.
Keys: Regular expression of key(s) to include. Default:all keys.
MaxRecords: Maximum number of records (log entries) to process. Default:all records.
Lookup: If true, looks up truncated binary values in the registry. Default:false (do not lookup values, ommit them).

All parameters can be set via config files settings as well. If you specify the path parameter, input and output should not be qualified with a full path.

There are a few limitations:

Regmon only logs the first few bytes of binary values (REG_Binary) written to the registry, so RegmonToRegfile just skips writing these values. In most cases, that's not an issue since I haven't seen any binary values written by a program that would make sense to script anyways - they're usually things like crypto keys or keyboard scan codes. Version 1.0.2 adds the option of looking up truncated binary values in the local registry.
RegmonToRegfile has limited support for registry value types. It handles STRING and DWORD values and can try to lookup BINARY values in your local registry. It does not handle other types, such as EXPAND_SZ, and MULTI_SZ types. This hasn't been a problem in practical use, since most registry entries are either STRING or DWORD type.

Source is included under BSD license.

Update: I forgot to mention that I used the FileHelpers library to do the grunt work of parsing the log files, which freed me up to concentrate on mapping the fields to regfile syntax. FileHelpers is very easy to use, and works really well. If you're parsing any kind of delimited text file without using FileHelpers, you're working too hard. Thanks for pointing that out, Greg!

"Tivo for your Registry" LOL... Damn, I wish I thought of that description, cause it SO fits. ;)

Anyway, very cool tool Jon...

Greg - Monday, October 9, 2006 12:20:18 PM

brilliant stuff. very groovy.

and i argee with everything Kurbli said too.

lb - Tuesday, October 10, 2006 2:26:19 AM

The comments
and the download
on tools.veloc-it.com

is for "OpenPlsInWmp2Setup.exe" ?????

Where can i download "RegmonToRegfile" please?

Oh, i try with FireFox, now i try with iE.

Stefan - Thursday, February 22, 2007 4:18:55 AM

@Stefan - I fixed the link. Thanks for letting me know!

Jon Galloway - Thursday, February 22, 2007 8:57:38 AM

Will this work with procmon log files? (.pml files). I've dumped regmon and filemon and just use procmon now.

Richard - Wednesday, March 28, 2007 1:56:14 AM

Could you help me plz? I have an error (0x0000135)
Thanks

tom - Monday, April 16, 2007 11:05:14 AM

Can this tool be used to record files and logs of employees in the company? Is this capable of monitoring logs of working agents in a certain company so as to determine their online activities during working hours?

oil painting portraits - Tuesday, December 4, 2007 11:15:58 PM

Hi, I think the link is broken again :(

Nigel! - Wednesday, July 2, 2008 12:43:27 PM

Indeed, link seems to be broken, or at least in my PC what I get is a page with the error: "Index was outside the bounds of the array."

Nestor - Tuesday, July 15, 2008 4:29:34 PM

I also would love to see this utility, but the whole site it's hosted on seems to be down.

Gomer - Friday, August 22, 2008 11:42:32 AM

The link to download RegmontoRegfile is giving an error of Bad Request (invalid hostname). The whole site appears to be down. Is there another download site?

Mike - Friday, September 5, 2008 9:14:02 AM

I am unable to download the utility. I am prompted for a username and password. Does anyone know how I can register for the site?

TIA

spadge007 - Monday, November 10, 2008 6:13:47 AM

I loved this tool in the past unfortunately RegMon won't run in Windows 7 (vista as well I think). It's been replaced by procmon. Any chance of an updated version or alternative?

I took a look at procmon logs thinking I could make the source modifications easily enough and they don't seem to output the value the registry key is actually changed to unfortunately so probably can' be done.

Pete - Friday, March 26, 2010 7:47:34 AM

13 Comments