There are times when you need to find out what has changed in a user's registry hive, either during their session or, more often, after they have logged out. This may be to try to understand why an application isn't behaving the way it should, or because you are trying to find the specific settings to extract and put into a mandatory profile or an environment provisioning mechanism such as that provided by AppSense Environment Manager. Here we show how to do this even if you weren't actively monitoring the registry during the session.
The SysInternals, now Microsoft, Process Monitor tool is very good at this sort of analysis, but only for activity that happens while it is capturing; it cannot reconstruct registry changes that have already occurred before it was started. Check it out here anyway:
With traditional local and roaming profiles, you can load the ntuser.dat hive file containing the changes into regedit (File, Load Hive), but unfortunately regedit does not show the last-write timestamp that is present on every registry key. This is where the free regrecent tool comes in, as it allows you to search a registry key for changes made in a given time (and date) range. Note though that only registry keys have timestamps, not values. A key's timestamp is updated whenever one of its values is added, changed or deleted, or a direct subkey is created or removed, so a recently written key tells you where to look, but a registry analysis performed this way won't tell you on its own which values were modified, added or deleted. The information can still be incredibly useful, and if you have a copy of the hive file from before the user logged in, either from a backup, from the base mandatory profile, or from the roaming profile location if the user is still logged on (HINT: the copy on the roaming profile share is not overwritten until the user logs off, so take a copy of that ntuser.dat now and work with it), then you can compare the values of the changed registry keys in the two hives. regrecent also does not require administrator privileges, so it can be used by the (test) user before they log off.
Download it here:
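The two steps described above, finding keys by last-write time and then comparing their values against a "before" copy of the hive, can also be scripted. The following PowerShell is an added example written for this page, not code from the original post or from regrecent. It assumes the two hive copies have been loaded under HKEY_USERS as Before and After with reg.exe (which, unlike regrecent, needs administrator rights); for a user who is still logged on, the live HKEY_CURRENT_USER can be used as the "after" side without elevation. The hive names, paths and time window are assumptions for the example.

```powershell
# Added example (not code from the original post or from regrecent): list keys in a
# user hive whose LastWriteTime falls inside a window, then diff the values of those
# keys against a "before" copy of the hive.
# Assumed setup (reg load needs admin; unload with reg unload when finished):
#   reg load HKU\Before C:\Temp\ntuser_before.dat
#   reg load HKU\After  C:\Temp\ntuser_after.dat

# Neither regedit nor the .NET RegistryKey class exposes a key's timestamp; RegQueryInfoKey does.
Add-Type -Namespace Win32 -Name RegNative -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcbClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RegistryKeyLastWriteTime {
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Key)
    $subKeys = $maxSub = $maxClass = $values = $maxName = $maxData = $sdLen = [uint32]0
    $fileTime = [long]0
    $rc = [Win32.RegNative]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(),
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        [ref]$subKeys, [ref]$maxSub, [ref]$maxClass, [ref]$values,
        [ref]$maxName, [ref]$maxData, [ref]$sdLen, [ref]$fileTime)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed for '$($Key.Name)' (Win32 error $rc)" }
    [DateTime]::FromFileTimeUtc($fileTime).ToLocalTime()
}

# Walk the whole tree below $Root and emit every key written inside [$Start, $End].
function Get-RecentRegistryKey {
    param(
        [Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Root,
        [Parameter(Mandatory)][DateTime]$Start,
        [DateTime]$End = (Get-Date)
    )
    $stack = New-Object 'System.Collections.Generic.Stack[Microsoft.Win32.RegistryKey]'
    $stack.Push($Root)
    while ($stack.Count -gt 0) {
        $key = $stack.Pop()
        try {
            $lastWrite = Get-RegistryKeyLastWriteTime -Key $key
            if ($lastWrite -ge $Start -and $lastWrite -le $End) {
                [pscustomobject]@{ Key = $key.Name; LastWriteTime = $lastWrite; ValueCount = $key.ValueCount }
            }
            foreach ($name in $key.GetSubKeyNames()) {
                $sub = $key.OpenSubKey($name, $false)      # read-only handle
                if ($sub) { $stack.Push($sub) }
            }
        } catch [System.Security.SecurityException] {
            Write-Verbose "Skipping $($key.Name): access denied"   # keys the caller cannot read
        } finally {
            if ($key -ne $Root) { $key.Dispose() }
        }
    }
}

# Compare the values of one key (path relative to each root) between the two hives.
function Compare-RegistryKeyValues {
    param(
        [Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$BeforeRoot,
        [Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$AfterRoot,
        [Parameter(Mandatory)][AllowEmptyString()][string]$RelativePath
    )
    $before = $BeforeRoot.OpenSubKey($RelativePath, $false)   # $null if the key did not exist before
    $after  = $AfterRoot.OpenSubKey($RelativePath, $false)    # $null if the key has been deleted
    $names = @()
    if ($before) { $names += $before.GetValueNames() }
    if ($after)  { $names += $after.GetValueNames() }
    foreach ($name in ($names | Sort-Object -Unique)) {
        $inBefore = [bool]($before -and ($before.GetValueNames() -contains $name))
        $inAfter  = [bool]($after  -and ($after.GetValueNames()  -contains $name))
        $bVal = if ($inBefore) { $before.GetValue($name, $null, 'DoNotExpandEnvironmentNames') }
        $aVal = if ($inAfter)  { $after.GetValue($name,  $null, 'DoNotExpandEnvironmentNames') }
        $change = if (-not $inBefore) { 'Added' }
                  elseif (-not $inAfter) { 'Deleted' }
                  elseif (($bVal -join ',') -ne ($aVal -join ',')) { 'Modified' }   # -join also covers MULTI_SZ and binary data
        if ($change) {
            [pscustomobject]@{ Key = $RelativePath; Value = $name; Change = $change; Before = $bVal; After = $aVal }
        }
    }
    if ($before) { $before.Dispose() }
    if ($after)  { $after.Dispose() }
}

# Usage (hive names and the time window are assumptions for this example):
$afterRoot  = [Microsoft.Win32.Registry]::Users.OpenSubKey('After')
$beforeRoot = [Microsoft.Win32.Registry]::Users.OpenSubKey('Before')
$changedKeys = Get-RecentRegistryKey -Root $afterRoot -Start (Get-Date '09:00') -End (Get-Date '17:30')
$changedKeys | ForEach-Object {
    $relative = $_.Key.Substring($afterRoot.Name.Length).TrimStart('\')
    Compare-RegistryKeyValues -BeforeRoot $beforeRoot -AfterRoot $afterRoot -RelativePath $relative
} | Format-Table -AutoSize
```

Expect some noise in the output: Windows itself writes to keys such as Volatile Environment and various Explorer MRU lists at every logon, so those will show up inside any window that spans a logon even though nothing of interest changed. Walking a full hive with one RegQueryInfoKey call per key takes a few seconds on a typical profile, and the Before hive only has to be the user's own earlier copy, not a pristine profile, for the value diff to be meaningful.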
As an aside, when doing on-site troubleshooting in my consultancy days, I used to use regrecent to show me what had changed between five minutes after I left site and five minutes before I arrived back, even though the customer would usually swear blind that they had not changed anything at all!