Paraglider BartPE Plugins

Utility to monitor registry changes

This utility monitors all registry changes made by the process it starts. If that process spawns further processes, they are monitored as well. Monitoring stops when all of the spawned processes have exited. The utility uses the ideas pioneered in the RegSpy utility; however, instead of creating a remote thread in the spawned process, it injects the RegMonitorDLL into the process and into any child processes.

One way to use this utility is to spawn a command shell. Any DLL registration can then be done by calling regsvr32, and any services can be installed by running the service executable with its install parameter, which is usually "-service". When all registration is finished, leave the command shell with the exit command. RegMonitor then writes all registry changes to the .reg file whose path is specified on the RegMonitor command line.

The program is invoked with the following command line:

RegMonitor <PathToOutputRegFile> <ProgramToInvoke> {<OptionalProgramParameters>}

The example command line from the plugin file is:

RegMonitor %ramdrv%\RegMonitor.reg cmd.exe /k
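As an added example (not part of the RegMonitor plugin or its documentation), the following Python script parses the .reg file that RegMonitor writes and lists any service keys the captured registration created with a boot, system or automatic start type, so the plugin author can review what a regsvr32 or "-service" run actually changed before shipping it. The sample .reg content, its CLSID, paths and service name are constructed, not captured from a real run.

```python
import re
# Constructed sample in the Regedit-5 .reg format RegMonitor writes; the paths,
# CLSID and service below are made up, not captured from a real run.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\BartPE\\Example\\example.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Start"=dword:00000002
"ImagePath"="C:\\BartPE\\Example\\example.exe -service"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Example\Temp]
"""
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _decode(raw):
    """Right-hand side of a value line -> Python value (None = value deleted)."""
    if raw == "-":
        return None
    if raw.startswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) and other binary types are kept verbatim

def parse_reg(text):
    """Return [(key, deleted, {value_name: value}), ...] in file order."""
    changes, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:  # a "[-HKEY...]" header records deletion of the whole key
            current = (m.group(2), m.group(1) == "-", {})
            changes.append(current)
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]  # "" = (Default)
            current[2][name] = _decode(m.group(2))
    return changes

def autostart_services(changes):
    """Service keys with Start 0-2 (boot/system/automatic): review before shipping."""
    prefix = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
    found = {}
    for key, deleted, values in changes:
        if not deleted and key.startswith(prefix) and "\\" not in key[len(prefix):]:
            start = values.get("Start")
            if isinstance(start, int) and start <= 2:
                found[key[len(prefix):]] = values.get("ImagePath")
    return found
```

Point the script at a real RegMonitor output by reading the file instead of SAMPLE_REG; .reg exports are often UTF-16, so open them with the matching encoding.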