Microsoft PowerShell lets you monitor Windows Registry changes

A useful tip was shared online this week showing how you can use PowerShell to track changes to the Windows Registry over time.

Because Windows updates, application installations, settings changes, and malware are constantly making changes to the Windows Registry, this approach lets you quickly detect what has been modified, diagnose problems, remove malicious entries, and see which settings have been changed.

Popular security and technology Twitter account SwiftOnSecurity tweeted this week how much they would like to see a Windows Registry Editor mode that displays all registry entries that aren’t created by default.

In response to Swift’s tweet, Lee Holmes, Chief Security Architect for Microsoft’s Azure Security, tweeted an example of how to do something similar in PowerShell.

Holmes’ example shows how you can use PowerShell to list all accessible Windows Registry keys and store them in a $snapshot variable. Then, at a later time, you create a snapshot of the current Registry keys and store them in the $current variable.

The example then compares the contents of these variables to determine which Registry keys have been added since you took the first snapshot.

While this isn’t exactly what Swift is looking for, it does point us in the right direction on how to monitor Registry changes starting from a fresh Windows installation, or at least from a point in time in your current Windows installation.

Also, since Holmes’ example uses variables that are lost when the device is rebooted, it is better to keep your Registry snapshots in files for later comparison; below we explain how to do it.

Comparing Registry snapshots using PowerShell

Using Holmes’ example, BleepingComputer experimented with other ways to save Windows Registry snapshots and found that modifying Holmes’ example to save snapshots to a file offers the most versatility.

Using files, you can create snapshots at various points in time for comparison with later snapshots. With files, you can also compare them with Registry snapshots created on other devices.

To get started, you need to create a base snapshot of the existing HKLM and HKCU Registry keys, which you can compare with future snapshots. Ideally, though not required, you would create these base snapshots right after you install Windows.

To create base Windows Registry snapshots, execute the following PowerShell commands at a Windows PowerShell (Admin) prompt to ensure you have access to all registry keys:

dir -rec -erroraction ignore HKLM: | % name > Base-HKLM.txt
dir -rec -erroraction ignore HKCU: | % name > Base-HKCU.txt

These commands will create the Base-HKLM.txt and Base-HKCU.txt snapshot files in the current folder.

In BleepingComputer’s tests on newly installed versions of Windows 11 and Windows 10, the sizes of these snapshots are as follows:

Windows 11 Registry snapshots:
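The file-based workflow above, written out as two reusable functions. This is an added example, not code from the article or from Holmes’ tweet: the function names, parameters and the one-key-per-line file layout are this example’s own choices, and it uses hash sets instead of Compare-Object so that diffing two snapshots of a few hundred thousand keys stays fast.

```powershell
# Added example (not from the article or Lee Holmes' tweet). Function names and
# the snapshot file layout are assumptions made here for illustration.
function Save-RegistrySnapshot {
    param(
        [Parameter(Mandatory)] [string] $Hive,   # e.g. 'HKLM:' or 'HKCU:'
        [Parameter(Mandatory)] [string] $Path    # output file, e.g. Base-HKLM.txt
    )
    # Same idea as the article's one-liner: walk the hive and keep key names only.
    # -ErrorAction Ignore skips keys the current token is not allowed to read,
    # which is why the article recommends an elevated prompt for a full baseline.
    Get-ChildItem -Path $Hive -Recurse -ErrorAction Ignore |
        ForEach-Object { $_.Name } |
        Sort-Object -Unique |
        Set-Content -Path $Path -Encoding UTF8
}

function Compare-RegistrySnapshot {
    param(
        [Parameter(Mandatory)] [string] $BasePath,     # older snapshot file
        [Parameter(Mandatory)] [string] $CurrentPath   # newer snapshot file
    )
    # @() keeps an empty file from becoming $null and breaking the HashSet ctor.
    $base    = [System.Collections.Generic.HashSet[string]]::new([string[]]@(Get-Content -Path $BasePath))
    $current = [System.Collections.Generic.HashSet[string]]::new([string[]]@(Get-Content -Path $CurrentPath))

    # Keys in the current snapshot but not the base were added since the baseline.
    $added = [System.Collections.Generic.HashSet[string]]::new($current)
    $added.ExceptWith($base)
    # Keys in the base but not the current snapshot were removed.
    $removed = [System.Collections.Generic.HashSet[string]]::new($base)
    $removed.ExceptWith($current)

    foreach ($key in ($added | Sort-Object))   { [pscustomobject]@{ Change = 'Added';   Key = $key } }
    foreach ($key in ($removed | Sort-Object)) { [pscustomobject]@{ Change = 'Removed'; Key = $key } }
}

# Usage: take the baseline once, then compare later snapshots against it.
# Save-RegistrySnapshot -Hive 'HKLM:' -Path 'Base-HKLM.txt'
# ...later, after updates or software installs...
# Save-RegistrySnapshot -Hive 'HKLM:' -Path 'Current-HKLM.txt'
# Compare-RegistrySnapshot -BasePath 'Base-HKLM.txt' -CurrentPath 'Current-HKLM.txt' |
#     Format-Table -AutoSize
```

Like the article’s one-liner, this records key paths only, so a change to a value under an existing key (a modified Run entry, for example) will not show up; extend the snapshot with Get-ItemProperty output if you need value-level diffs.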
