Hey guys :)

Have been watching these forums for quiet a long time and finally I think I might contribute with a little Script:

It's monitoring what happens in the Registry!

$wmiSink = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($wmiSink , "SINK_")
$strQuery = 'Select * FROM RegistryTreeChangeEvent WHERE Hive="' & $regPath & '" AND RootPath=""'

Dim $Obj_WMIService = ObjGet('winmgmts:\\' & @ComputerName & '\root\default')

    If Not @error Then
        $obj_WMIService.ExecNotificationQueryAsync($wmiSink, $strQuery, Default, Default, Default)
        ConsoleWrite("Ready and waiting for changes")

While 1

Func SINK_OnObjectReady($objLatestEvent, $objAsyncContext)
EndFunc   ;==>SINK_OnObjectReady

I hope this will be usefull for some of you :)

(Could be used to prevent Viruses to write into the Registry or even to communicate between 2 scripts)


Cool script, is there a way to block it from making registry changes, and then ask your permision, if so, then allow it to write, if not, don't?


Nice script XxXFanta... I've been trying to do something like this b4 but don't know where to start !:)

Not sure, but you could actually remove the change, ask if the user will really make the change and then either create the same registryentry or not :)

How do you know what the registry was changed from so that you can remove the change?
You might want to take a different approach for this.

Something along the lines of doing a registry snapshot before an installation and then again after. Compare the two to get the changed values.


I did come across an AutoIt app that has the option to monitor registry changes and revert it, if any changes occur(there's an option of whether to revert the changes or not to, it doesn't revert automatically).

Sounds good. Where is it?
i get this error using v3.2.10.0

>Running:(\Program Files\AutoIt3\autoit3.exe "H:\scripts\registry change monitor.au3"

H:\scripts\registry change monitor.au3 (9) : ==> The requested action with this object has failed.:

$obj_WMIService.ExecNotificationQueryAsync($wmiSink, $strQuery, Default, Default, Default)

$obj_WMIService.ExecNotificationQueryAsync($wmiSink, $strQuery, Default, Default, Default)^ ERROR

->03:37:16 AutoIT3.exe ended.rc:1

+>03:37:17 AutoIt3Wrapper Finished

>Exit code: 1 Time: 5.216


Sry..I thought it was just a bug, but after searching at msdn I found out that it will never display the rootpath and what has been changed :)

Sry :(

That's a crying shame! I was just digging through msdn at 12:22 pm at night trying to find a way to see what was being changed. muttley

Sorry for resurrecting a dead thread, but I was interested in how to do this in AutoIt3 and got the following so far. It kind of seems to work and performance isn't horrible.

#cs ----------------------------------------------------------------------------
    AutoIt Version:
    Author:         Michael Sunwoo
    Script Function:
    Registry monitoring script.
#ce ----------------------------------------------------------------------------
; Script Start
#include <Array.au3>
HotKeySet("^!+{Esc}", "ExitScript")
Local $wmiSink = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($wmiSink, "SINK_")
Local $regPath = "HKEY_USERS", $regRoot = "HKCU\Software"
Local $strQuery = 'Select * FROM RegistryTreeChangeEvent WHERE (Hive="' & $regPath & '" AND RootPath="")'
Local $lastValue = 0
Local $saveLoc = @AppDataDir & "\StudiosQA\" & StringTrimRight(@ScriptName, 4) & "\"

RegQuery($regRoot, "RegValues.txt")

Dim $obj_WMIService = ObjGet('winmgmts:\\' & @ComputerName & '\root\default')

If Not @error Then
    $obj_WMIService.ExecNotificationQueryAsync($wmiSink, $strQuery, Default, Default, Default)
    ConsoleWrite("Ready and waiting for changes." & @CRLF)

;Idle loop
While 1

Func RegQuery($regPath, $fileWrite)
    ;Blah("$regPath: " & $regPath)
    If $regPath = "HKCU\Software\Microsoft" Or _
        $regPath = "HKCU\Software\Adobe" Or _
        $regPath = "HKCU\Software\RealWorld" Or _
        $regPath = "HKCU\Software\Google" Then 
        Return 1
    Local $i = 1
    While 1
        Local $regQueryResult = RegEnumKey($regPath, $i)
        If @error Then
            ;If $lastValue >= UBound($arrayReg) Then
            ;   ExitLoop
                ;$arrayReg[$lastValue][0] = $regPath & "\" & $regQueryResult
                FileWriteLine($saveLoc & $fileWrite, $regPath & "\" & $regQueryResult)
                $lastValue += 1
                ;Get all values inside $regPath
                RegQueryValues($regPath, $fileWrite)
                If Mod($lastValue, 1000) = 0 Then
                    Blah("Mod($lastValue, 1000) = 0, $lastValue = " & $lastValue)
                If RegQuery($regPath & "\" & $regQueryResult, $fileWrite) Then
                    $i += 1
                    Return 0
    Return 1
EndFunc ;==>RegQuery
Func RegQueryValues($regPath, $fileWrite)
    Local $j = 1
    While 1
        ;Blah("$regPath: " & $regPath)
        Local $regQueryValueResult = RegEnumVal($regPath, $j)
        If @error Then
            $regQueryValueResultExtended = @extended
            $regResult = RegRead($regPath, $regQueryValueResult)
            Switch @error
                Case 0
                Case 1
                    Blah("Error RegRead 1 [" & @ScriptLineNumber & "]: Unable to open requested key.")
                Case 2
                    Blah("Error RegRead 2 [" & @ScriptLineNumber & "]: Unable to open requested main key.")
                Case 3
                    Blah("Error RegRead 3 [" & @ScriptLineNumber & "]: Unable to remote connect to the registry.")
                Case -1
                    Blah("Error RegRead -1 [" & @ScriptLineNumber & "]: Unable to retrieve requested value name (value instance out of range).")
            FileWriteLine($saveLoc & $fileWrite, _
                $regPath & "\" & $regQueryValueResult & @TAB & _
                $regQueryValueResultExtended & @TAB & _
            $lastValue += 1
            If Mod($lastValue, 1000) = 0 Then
                Blah("Mod($lastValue, 1000) = 0, $lastValue = " & $lastValue)
            $j += 1
EndFunc ;==>RegQueryValues
Func SINK_OnObjectReady($objLatestEvent, $objAsyncContext)
    ConsoleWrite(@CRLF & @MON & "/" & @MDAY & "/" & @YEAR & " " & @HOUR & ":" & @MIN & ":" & @SEC & ": Change detected.")
    ;Local $arrayOld = $arrayReg
    If FileExists($saveLoc & "RegValues.txt") Then
        If Not FileMove($saveLoc & "RegValues.txt", $saveLoc & "RegValues_Old.txt", 9) Then
            Blah("Error with FileCopy at line " & @ScriptLineNumber & ".")
        Blah("Error line " & @ScriptLineNumber & ": " & "FileMove haz problems with: " & $saveLoc & "RegValues.txt")

    $lastValue = 0
    RegQuery($regRoot, "RegValues.txt")
    Local $exists
    If FileExists($saveLoc & "RegValues.txt") Then
        If FileExists($saveLoc & "RegValues_Old.txt") Then
            Blah('FileGetSize($saveLoc & "RegValues.txt"): ' & FileGetSize($saveLoc & "RegValues.txt") & '  FileGetSize($saveLoc & "RegValues_Old.txt"): ' & FileGetSize($saveLoc & "RegValues_Old.txt"))
            If FileGetSize($saveLoc & "RegValues.txt") > FileGetSize($saveLoc & "RegValues_Old.txt") * .8 And _
                FileGetSize($saveLoc & "RegValues.txt") < FileGetSize($saveLoc & "RegValues_Old.txt") * 1.2 Then
                Blah("Notice [" & @ScriptLineNumber & "]: Filesize within limits.")
                ;FileWriteLine($saveLoc & "RegChanges.txt", @YEAR & "/" & @MON & "/" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC & ": SINK_OnObjectReady launching file compare...")
                $return = RunWait(@ComSpec & ' /c fc /L /N RegValues.txt RegValues_Old.txt', $saveLoc, @SW_HIDE)
                Switch $return
                    Case 0
                        Blah("Notice FC [" & @ScriptLineNumber & "]: No differences encountered.")
                    Case 1
                        Blah("Notice FC [" & @ScriptLineNumber & "]: Difference found between files.")
                        FileWriteLine($saveLoc & 'RegChanges.txt', @YEAR & "/" & @MON & "/" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC & ": Change detected.")
                        RunWait(@ComSpec & ' /c fc /L /N RegValues.txt RegValues_Old.txt >> "' & $saveLoc & 'RegChanges.txt"', $saveLoc, @SW_HIDE)
                    Case 2
                        Blah("Error FC [" & @ScriptLineNumber & "]: File not found.")
                If StringInStr(FileRead($saveLoc & "RegValues.txt"), "FC: no differences encountered") Then
                    Blah("File compare [" & @ScriptLineNumber & "]: no differences encountered.")
                Blah("Notice [" & @ScriptLineNumber & "]: Filesize not within limits.")
            Blah("Error line " & @ScriptLineNumber & ": SINK_OnObjectReady called but RegValues_Old.txt not found.")
        Blah("Error line " & @ScriptLineNumber & ": SINK_OnObjectReady called but RegValues.txt not found.")
    Blah(@CRLF & "End of SINK_OnObjectReady")
EndFunc ;==>SINK_OnObjectReady
Func Blah($text)
    ConsoleWrite($text & @CRLF)
EndFunc ;==>Blah
Func ExitScript()
EndFunc ;==>ExitScript

Exit hotkey: Ctrl+Alt+Shift+Esc

It will create logs in: %appdata%\StudiosQA\RegMonitor

I am working on this because my group needs a program to track if any programs we're creating from third party developers write to the registry (possibly in incorrect locations, etc).

There is a bunch of debug text in the console as I've just been working on this for a day so far. It only tracks things in HKCU\Software with the exception of things in HKCU\Software --> Microsoft, Google, Adobe and RealWorld (they take up a lot of registry keys and slow down performance).

There are a lot of false positives because the function in the initial thread seems to track any write to the registry while I'm only monitoring a small portion of it.


I want set permisson for a key eg :


help me

thank very much

i also want to know on how to set permission on a reg key. anyone knows?

