
How do I track registry changes? - a tutorial


Menneisyys
06-28-2005, 05:53 PM
It's always asked how registry change tracking can be done and what is the easiest way of finding changes.

First, there are no automated, always-running tools that just sit in memory and report any registry change. However, as registry change times can be predicted very well - for example, a given program can only change the registry when it's run; a given system-wide setting (for example, the current font size or some system color) can only be written to the registry when you actually set it, etc. - you can safely rely on offline tools that make the comparison for you.

There're several ways of doing this. The way I prefer is the following combination: Tascal / PHM / Resco Registry Editor, Total Commander 2.0 and a desktop-based, free tool like WinDiff in the Microsoft Platform SDK. These are all free, except for Resco Registry Editor; you won't really need the latter for this purpose. You can download, for example, the Tascal Reg. Editor from http://www2r.biglobe.ne.jp/~tascal/download/pocketpc/tre_e.htm , the PHM Registry Editor from http://www.phm.lu/Products/PocketPC/RegEdit/ , Total Commander 2.0 from http://www.ghisler.com/ce.htm and WinDiff from http://www.microsoft.com/downloads/details.aspx?FamilyId=A55B6B43-E24F-4EA3-A93E-40C0EC4F68E5&displaylang=en#filelist (click the PSDK-x86.exe link at the bottom). Please also read http://pocketpcmag.com/forum/topic.asp?TOPIC_ID=16508 on alternative, export-capable registry editors. Please note that, although PHM Registry Editor can't import, it can export registry files; therefore, it's also sufficient for this purpose.
There're a lot of other tools to do this, but IMHO they are not as usable/pretty as the two mentioned above, especially if there're a lot of changed registry entries. For example, SK Software ( http://www.geocities.com/s_k_s_k_s_kru/util.html ) has several tools that do the same, even on the Pocket PC. If you're not afraid of evaluating registry differences on your Pocket PC (and don't need the much prettier and easier-to-use GUI of WinDiff), iDiffCE is a perfect program for this. (Incidentally, the S_K people have another application worth mentioning: ssnap, also available for free on their homepage. It's also able to export the registry in a format readable by iDiffCE.) And you can use the 'traditional' diff programs on your desktop computer too; see for example http://gnuwin32.sourceforge.net/packages/diffutils.htm on them. I've used them extensively; they're exact replicas of their Unix originals.
You (like me) may find the combined use of a traditional registry editor and WinDiff easier, though; this is why I'm discussing just them here.

1, install the registry editor of your choice. Start it.

2, tap-and-hold 'My Device' (in PHM) / 'My Registry' (in Resco) and choose 'Export...'. In Tascal, just highlight the uppermost '\' and choose File/Export Registry. Do this, for example, before and after running a program or setting a system property you want to track down.

http://www.winmobiletech.com/062005RegDiff/ExportRegistryInPHM.gif

3, start the program / do the thing that may result in a registry change. For example, let's assume you want to find out where the global font size of your system is stored in the Registry. Take a snapshot of the registry in the way I've described above and change the font size at Settings/System/Screen/Text Size (this will only work on WM2003SE devices). Here, we just move the slider to a different position from its default center position:

http://www.winmobiletech.com/062005RegDiff/SettingFontSize.gif

4, take another registry snapshot as described in step 2.

5, transfer the two registry snapshots to your desktop computer by using, say, Total Commander with the WinCE FS plug-in (see http://pocketpcmag.com/forum/topic.asp?TOPIC_ID=15577 on setting it up and using it) and issue the following command:

"c:\Program Files\Microsoft Platform SDK\Bin\WinDiff.Exe" 1.reg 2.reg

(I assume in this example that 1.reg is the "before" and 2.reg is the "after" snapshot).

You'll be presented with something like the following screen, if you did all this over an ActiveSync connection (with, say, Pocket Controller):

http://www.winmobiletech.com/062005RegDiff/WinDiff1.png

As you can see, you'll be taken straight to the first difference between the two registry files.

This is a perfect example of how removed, no-longer-existing (red) and newly included, not-present-in-the-first-snapshot (yellow) values are shown. If you know the standard diff format, you may also recognize the standard > and < marks at the beginning of each affected row - based on these, you will always know what red and yellow mean.

In the example, the key LastActiveSyncTime had the value 1B013980 in the old snapshot and 6831DB00 in the new.

If you then press F8 to be taken straight to the next change (you can move backwards with F7 and, of course, traditionally with the mouse), you'll see something like this:

http://www.winmobiletech.com/062005RegDiff/WinDiff2.png

This is what we wanted to find (the previous change was because of ActiveSync). The all-yellow color shows that this registry key wasn't at all present in the previous snapshot and was introduced to the system when we altered the font size.
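The same before/after comparison that steps 1-5 describe with WinDiff, and the added (yellow, >) / removed (red, <) / changed classification explained above, can be scripted for the case where you want a plain-text report instead of a GUI. The following is an added example (not code from the original post or from any of the tools it mentions): a small Python parser for the REGEDIT4-style .reg exports produced by registry editors, plus a comparison that reports added, removed and changed values. The two snapshots are constructed inline; the partner key name `Pxxxx` and the `FontSize` key path are placeholders, not real registry paths.

```python
import re

# Constructed "before" and "after" snapshots in REGEDIT4 export format.
# Key paths under Partners\Pxxxx and ControlPanel\Example\FontSize are
# illustrative placeholders, not real Windows Mobile registry locations.
BEFORE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\Partners\Pxxxx]
"PName"="MYDESKTOP"
"LastActiveSyncTime"=dword:1b013980

[HKEY_LOCAL_MACHINE\Software\Example\Obsolete]
"Stale"=dword:00000001
"""

AFTER = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\Partners\Pxxxx]
"PName"="MYDESKTOP"
"LastActiveSyncTime"=dword:6831db00

[HKEY_CURRENT_USER\ControlPanel\Example\FontSize]
"Size"=dword:00000002
"Data"=hex:01,02,\
  03,04
"""

# A value line is either "name"=data (quotes may contain escaped chars) or @=data.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}.

    hex: values are split over several lines with a trailing backslash;
    those continuation lines are joined before parsing. Key casing is kept
    as exported, which is consistent when both snapshots come from the same
    editor."""
    joined = re.sub(r"\\\r?\n\s*", "", text)
    reg = {}
    current = None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value line outside of any key: {line!r}")
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError(f"malformed value line: {line!r}")
        name = m.group(1) if m.group(1) is not None else "@"
        reg[current][name] = m.group(3).strip()
    return reg


def diff_reg(before, after):
    """Return (added, removed, changed), keyed by (key_path, value_name).

    added   = only in the after snapshot  (WinDiff: yellow, '>')
    removed = only in the before snapshot (WinDiff: red,    '<')
    changed = same value name, different data (a red/yellow pair)
    A key that appears or disappears without any values is recorded with
    value_name None so that empty keys are not silently ignored."""
    added, removed, changed = {}, {}, {}
    for key in set(before) | set(after):
        b = before.get(key)
        a = after.get(key)
        if b is None and not a:
            added[(key, None)] = None
            continue
        if a is None and not b:
            removed[(key, None)] = None
            continue
        b, a = b or {}, a or {}
        for name in set(b) | set(a):
            if name not in b:
                added[(key, name)] = a[name]
            elif name not in a:
                removed[(key, name)] = b[name]
            elif a[name] != b[name]:
                changed[(key, name)] = (b[name], a[name])
    return added, removed, changed


def format_report(added, removed, changed):
    """Render the differences with diff-style '<' (old) and '>' (new) marks."""
    order = lambda item: (item[0][0], item[0][1] or "")
    lines = []
    for (key, name), data in sorted(removed.items(), key=order):
        lines.append(f"< [{key}]" if name is None else f"< [{key}] \"{name}\"={data}")
    for (key, name), data in sorted(added.items(), key=order):
        lines.append(f"> [{key}]" if name is None else f"> [{key}] \"{name}\"={data}")
    for (key, name), (old, new) in sorted(changed.items(), key=order):
        lines.append(f"< [{key}] \"{name}\"={old}")
        lines.append(f"> [{key}] \"{name}\"={new}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(*diff_reg(parse_reg(BEFORE), parse_reg(AFTER))))
```

Run against two real exports (`parse_reg(open("1.reg").read())` and the same for `2.reg`), the report lists the ActiveSync timestamp as a changed value and the font-size key as entirely new, which is exactly the red and all-yellow picture WinDiff gives in the screenshots; the text form is easier to keep alongside notes when many keys change at once.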

That's all - pretty easy, isn't it?

If you're interested in hardcore Windows Mobile hacking (I've written tons of articles on the Pocket PC Registry), you may want to check out my article collection at http://www.winmobiletech.com/ .

Please don't hesitate to ask questions.