Registry Watch
by Easy Desk Software
http://www.easydesksoftware.com

Contents:
Getting Started
Backup
Error Messages
How to Restore the Registry
More help for Registry Watch
Notes
Selecting a different browser


Getting Started

To monitor changes in the Registry you need to make two snapshots, one snapshot before any changes are made and the second one at the point you want to see what changed. To create a snapshot, make a selection on the main interface. Choose either the "Complete Registry", or one of the two main Hives displayed. These two Hives make up the complete Registry. All the other Hives such as HKEY_CURRENT_USER are part of these two main Hives. Then click on "Start Log".

Registry Watch (hereafter to be called RW) will create a snapshot of the current Registry. DO NOT ALTER the file Lsreg.dat. After the snapshot is complete, RW will store the snapshot so you can compare against the original snapshot many times until you select "New Log". When you are ready to see what changes have been made, click on the Compare button.

The Compare button will check the current Registry against the first snapshot. Once the comparison is complete you will be shown what Keys have been changed, added or deleted since the snapshot was taken. You may also elect at this time to save the report. RW will create an undo file and a report file. DO NOT ALTER either of these two files. If you do alter either of these files, RW will incorrectly alter the Registry when undoing the changes.

The New Log button will delete the current snapshot without creating a report, allowing you to create a new snapshot.

You may make additional comparisons using the same snapshot. Example: Take a snapshot at 12:00 PM, make a comparison at 1:00 PM and save the report as "1report". Make a comparison at 2:00 PM and save the report as "2report" and so on. The 12:00 PM snapshot will not be replaced until you select New Log. Each of the saved reports will undo only the changes displayed in the report when you select the undo feature.
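The snapshot-and-compare idea described above, as an added example that is not Registry Watch's own code: it parses two exported Registry texts and lists deleted, added and changed values per Key. It assumes REGEDIT4-style text with one value per line; the function names, the "Added"/"Changed"/"Key was added" labels and the ExampleVendor key are assumptions.

```python
import re

# One value per line: @=data or "name"=data (multi-line hex data is not handled).
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s

def parse_export(text):
    """Return {key_path: {value_name: data}} from exported Registry text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            current[unquote(m.group(1))] = unquote(m.group(2))
    return keys

def compare(before, after):
    """Report lines per differing key; labels other than 'deleted' are assumed."""
    report = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        lines = ["Key was deleted"] if new is None else ["Key was added"] if old is None else []
        old, new = old or {}, new or {}
        for name in sorted(set(old) | set(new)):
            if name not in new:
                lines.append(f"Deleted: {name}={old[name]}")
            elif name not in old:
                lines.append(f"Added: {name}={new[name]}")
            elif old[name] != new[name]:
                lines.append(f"Changed: {name}={old[name]} -> {new[name]}")
        if lines:
            report.append((key, lines))
    return report

# Constructed snapshots; the TypeLib key is the one shown in the page's report.
BEFORE = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\CLASSES\Interface\{1812E42B-97BA-11D5-96C4-0080C8786673}\TypeLib]
@="{1812E424-97BA-11D5-96C4-0080C8786673}"
"Version"="2.0"
[HKEY_LOCAL_MACHINE\Software\ExampleVendor\App]
"Build"="100"
"""
AFTER = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\ExampleVendor\App]
"Build"="101"
"Channel"="beta"
"""
REPORT = compare(parse_export(BEFORE), parse_export(AFTER))
```

REPORT holds one (key, lines) entry per changed Key, in the same shape as the report excerpt shown further down the page.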

Before saving a report, which is the undo information, you may wish to remove any changes that are displayed in the report by highlighting the Key. All the values within the Key selected will be removed from the report. As in the example below, you cannot just remove the "Version=2" line only, you must select the HKEY_LOCAL_MACHINE line and all the values to that key will be removed from the report.

HKEY_LOCAL_MACHINE\Software\CLASSES\Interface\{1812E42B-97BA-11D5-96C4-0080C8786673}\TypeLib
Key was deleted
Deleted: @={1812E424-97BA-11D5-96C4-0080C8786673}
Deleted: Version=2.0

If you remove a Key from the report, then RW will not be able to undo that Key's changes.

The Go To Key feature will allow you to view the Key in RegEdit to help you determine if you want to remove it from the undo list. For best results close RegEdit after each Go To Key function.

The File System snapshot works the same way as the Registry snapshot, but you cannot make more than one comparison with each snapshot. When using the Undo button on the Report window, Registry Watch will delete only the added files. It cannot replace deleted files or modified files. You may remove any added file from the report before uninstalling the files.

If you get a message about a file being a shared file, look at the location that the file is in. If it is in the same folder as the program you are uninstalling, it is safe to delete the shared file; it is really not a shared file, but the program vendor did not want it deleted.

A truly shared file will be in the System folder or the Common Files folder.


Backup

RW can make backups of your Registry. You should review the section How to Restore the Registry.

You may have RW make backups automatically or manually. To make backups automatically, check the box labeled Make Backups Automatically and enter the number of days you want between backups, i.e. 1, 2, or 3. Then enter the backup file name you want to use; the limit is 8 characters. RW will make backups saved to the Windows folder with the extension ".reg". The default file name is Backup.reg.

If you wish to make manual backups, it is recommended that you make them every 2 or 3 days.

When you select Restore Registry from Last Backup, the current Snapshot of the Registry will be overwritten with the Registry Backup file. RW will move the Backup.reg file (or whatever file name you use) to its own folder and rename it Lsreg.dat (overwriting the current snapshot) in order to enable you to Compare the current Registry with the Backup.reg file. RW will automatically Import the Backup.reg file and then you will need to select Compare so that RW can delete any new Keys or values that have been added.

When restoring the Registry be sure you are logged on as the same user that made the backup! Only one user should be making backups.


Error Messages

If you receive the error message "Unable to retrieve Registry Data" during the "Start Log" process, then the Registry cannot be Exported. Either the Registry is damaged or the folder that Registry Watch is in is buried too deeply: C:\Folder\Folder\Folder\Folder\Regwatch.exe

If RW seems to hang during the Compare process, close RW and start it up from the Start\Run box adding the switch ShowMe. Example: C:\Easy Desk Utilities\Registry Watch\Regwatch.exe ShowMe. ShowMe must be typed exactly as shown. This switch will display a check box titled "Enter Display Mode". Entering the display mode will enable you to see the report screen as soon as a change has been detected. If RW gets hung up you will see it reporting the same key (at the bottom) over and over.

Over Runs - If the list of changes becomes too large, a stack overflow may cause Registry Watch to shut down. Before a stack overflow occurs, RW will create a log file with the changes, then clear the report and continue the report where it left off. In most cases the Overrun file is caused by either an invalid character in a Key name or a corrupt Lsreg.dat file. Please use caution when saving the report if you get a message about over runs, as the Report will not only be incomplete but it will probably be inaccurate.

The following Key HKEY_LOCAL_MACHINE\SOFTWARE\Inverse\AccessRamp\IBM\Profile\AT&T Global Network\internet.vNZ.Š will cause an over run. It contains invalid characters causing the line to be read many times.

If RW needs to create an overrun.log file, review the report very carefully for inaccurate reporting before attempting to save the report. The Overrun file will not be added to the saved report because of possible inaccurate reporting. It is recommended that you repair the problem in the Registry and create a new report. It is also recommended that you do not attempt to undo changes with Registry Watch if an Overrun.log file is created. The Overrun.log file will be deleted when a new log is created.

Keys with encrypted information sometimes contain characters that are read as paragraph marks, end of file or other characters that are not printable. These characters may not even be read by RegEdit if you attempted to import these keys. Below is an example of a Key that is not a standard Windows Key; it was added to someone's Registry after he visited Microsoft's site for an update (so he believes). Removing this Key did not affect his machine at all.

This is what you see in RegEdit before Exporting the Key:
HKEY_LOCAL_MACHINE\Hardware\Data
g>VPD1#
= T?y
drPM)::
= Kz-Y
<Se8O
= S&127;)
VfKkO
= +g|ݢ
)Ok.F
= S&127;)
%b[
= e ™
%sI
= @f?O
)ln#C
= @f?O""

After Exporting, the Reg file will look like this:
[HKEY_LOCAL_MACHINE\Hardware\Data]
"g>VPD1#"="T?y"
"drPM)::"="Kz-Y"
"<Se8O
"="S&127;)"
"VfKkO"="+g|ݢ"
")Ok.F "="S&127;)"
"%b["=",e ™"
"%sI"="
@f?O"
")ln#C"="
@f?O"
"\"

This is what would be returned to the Registry if you do not delete the Key and then Import it back in, using the Import function of RegEdit:
HKEY_LOCAL_MACHINE\Hardware\Data
g>VPD1#
= T?y
drPM)::
= Kz-Y
The character (located in the third entry) will cause RegEdit to stop reading the file. Using Findline should correct this problem for you without deleting the Key.
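A pre-import check for the problem described above, as an added example that is not part of Registry Watch or RegEdit: it scans exported Registry text for control characters and for value lines split by an embedded line break. It assumes an ANSI REGEDIT4 export; the set of bytes treated as invalid, the name audit_export and the sample key are assumptions.

```python
import re

# Assumption: every C0 control byte except tab, plus DEL, counts as invalid.
# LF never appears here because the text is split on it first.
CONTROL = re.compile(rb'[\x00-\x08\x0b-\x1f\x7f]')
# A well-formed value line: @ or "name", then =, then "string" or typed data.
VALUE = re.compile(rb'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*"|[^"].*)$')

def audit_export(data):
    """Return [(line_no, key, reason)] for lines a line-based importer may misread."""
    findings, key, cont = [], None, False
    for no, raw in enumerate(data.split(b"\n"), 1):
        line = raw.rstrip(b"\r")
        # A trailing backslash means the next line continues a hex value.
        was_cont, cont = cont, line.endswith(b"\\")
        if was_cont or not line.strip():
            continue
        is_key = line.startswith(b"[") and line.endswith(b"]")
        if is_key:
            key = line[1:-1].decode("latin-1")
        if CONTROL.search(line):
            findings.append((no, key, "control character"))
        elif key is not None and not is_key and not VALUE.match(line):
            findings.append((no, key, "broken value line"))
    return findings

# Constructed export: one clean value, one name split by a line break,
# one value containing byte 0x1A, and one multi-line hex value.
SAMPLE = (
    b'REGEDIT4\r\n\r\n'
    b'[HKEY_LOCAL_MACHINE\\Software\\ExampleVendor\\Blob]\r\n'
    b'"ok"="plain"\r\n'
    b'"split\r\n"="value"\r\n'
    b'"eof"="a\x1ab"\r\n'
    b'"bin"=hex:01,02,\\\r\n  03\r\n'
)
FINDINGS = audit_export(SAMPLE)

if __name__ == "__main__":
    for no, key, reason in FINDINGS:
        print(f"line {no}: {reason} under [{key}]")
```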


How to Restore the Registry

The Backup feature of RW was created primarily for the Windows NT Platform (NT, 2000, 2003); however, this feature can be used on the Windows 9x, ME Platform after you have restored the Registry. We recommend that you use WinSafe 2001 on the Win 9x, ME Platform and WinSafe XP for XP for backing up and restoring the Registry. The procedure discussed in this section is written for the Windows NT Platform.

In order to be able to restore your Windows Registry you need a backup of it. The Windows NT Platform does not allow you to copy a Registry file when in Windows. RW will automatically create an Export (plain text) version of the Registry for backup use every day, every other day, or every third day. This will ensure that a current backup is available.

If you have Windows 2000 or XP it is highly recommended that you read our past newsletters which cover the subject of backing up and restoring the registry in greater detail. You can read these newsletters at http://www.easydesksoftware.com/news/news4.htm and news5.htm. These newsletters will also explain the installation of the Repair Console, how to use the System State backup in Win 2000, and the System Restore feature in Win XP.

If you need to Restore the Registry while in Windows and you do not have a regular backup of the Registry, you can use RW and select "Restore Registry from last Backup". If you cannot get into Windows you can use the Repair Console. If you do not have a current Registry to restore with, you can install the ".sav" files located in the System32\Config folder. These files are copies of the Registry that were created when you last installed Windows, so you will be installing a stripped down Registry to get back into Windows. The Registry files you will be replacing are the following files, which do not have file extensions: Default, Sam, Software, System, and Security, but do not replace the Security file yet. The Security file is the Security Key and it cannot be Exported, so RW cannot restore this Key. You should only replace the Security file if restoring the Registry without this file does not fix the problem you are having. The Security file contains the names and such of the machine users, not their settings. Before copying these files you should make a backup of them, possibly naming them ".old".

Once you have replaced the files, reboot to Windows. Once inside of Windows, start RW; you may need to re-enter your registration number as the new Registry may not contain the registration number any longer. Now click on the Backup button, select Restore Registry from last backup and click OK. RW will install its backup Registry and give you further instructions to create a report of any changes that need to be done to finish the restoration. Save the report and then select Undo. The Restoration is now complete.


Notes

I have noticed that on one of my machines, when the CPU gets too hot the Lsreg.dat file becomes corrupted when using the "Start Log", resulting in an invalid report. Misprints as such can also be caused by a bad CPU or RAM chip. Example of what you would see:
HKEY_LOCAL_MACHINE\Software\CLASS
GS\Interface instead of HKEY_LOCAL_MACHINE\Software\CLASSES\Interface
RegEdit is creating a corrupt exported file.

It has also been found that programs running in the background that use a lot of CPU will slow Registry Watch down to a crawl. Example: Virus Scanners.


More help for Registry Watch

Please visit http://www.easydesksoftware.com/rwhelp.htm for additional help for Registry Watch. Any new comments will be posted at this site. If you still do not find what you are looking for, visit our FAQ page or do a search on our site.


Selecting a different browser

If you wish to use a different browser for viewing this help file, add the string value name "Help" without the quotes to the Registry Key HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Registry Watch\Content. Set the Data value to the path and file name of the new browser. Example: C:\Netscape\Netscape.exe