
Microsoft PowerShell lets you track Windows registry changes

A helpful tip was shared online this week, explaining how you can use PowerShell to monitor changes in the Windows registry over time.

Since Windows updates, application installations, settings changes, and malware constantly modify the Windows registry, this method lets you quickly detect what has changed, which helps you diagnose problems, remove malicious entries, and see which settings were altered.

This week, the popular security and technology Twitter account SwiftOnSecurity tweeted that they would like to see a Windows Registry Editor mode that displays all registry entries not created by default.

In response to Swift’s tweet, Lee Holmes, Microsoft’s chief security engineer at Azure Security, tweeted an example of how something similar could be done in PowerShell.

Holmes’ example shows how you can use PowerShell to list all current Windows registry keys and store them in a $snapshot variable. Then, at a later time, you can take another snapshot of the current registry keys and store it in the $current variable.

The example then compares the contents of these variables to determine which registry keys have been added since you took the first snapshot.

While this isn’t exactly what Swift was looking for, it does point us in the right direction on how to monitor registry changes starting at a new installation of Windows, or at least a point in time in an existing Windows installation.

Moreover, since Holmes’ example keeps the snapshots in variables that are lost when the PowerShell session ends or the machine restarts, it is best to store the snapshots in files for later comparison, which we explain how to do below.

Comparing registry snapshots using PowerShell

Starting from Holmes’ example, BleepingComputer experimented with other ways to save Windows registry snapshots and found that modifying his example to write the snapshots to a file provided the most flexibility.

With files, you can create snapshots at different points in time and compare them with later snapshots. You can also compare them against registry snapshots created on other devices.

To get started, you need to create a base snapshot of your current HKLM and HKCU registry keys, which you will compare against future snapshots. Ideally, though it is not required, you would create these base snapshots right after installing Windows.

To create the base Windows registry snapshots, run the following commands at an elevated Windows PowerShell (Administrator) prompt so that all registry keys can be read:

dir -rec -erroraction ignore HKLM:\ | % name > Base-HKLM.txt
dir -rec -erroraction ignore HKCU:\ | % name > Base-HKCU.txt

These commands will create the Base-HKLM.txt and Base-HKCU.txt snapshot files in the current folder.

In BleepingComputer’s tests on freshly installed copies of Windows 11 and Windows 10, these snapshot files had the following sizes:

Windows 11 registry snapshots:

HKEY_LOCAL_MACHINE (HKLM): 82 MB
HKEY_CURRENT_USER (HKCU): 2.4 MB

Windows 10 registry snapshots:

HKEY_LOCAL_MACHINE (HKLM): 81 MB
HKEY_CURRENT_USER (HKCU): 1.45 MB

Once you’ve created your base snapshots, you can now install software or use your computer as usual.

Later, when you want to compare the current Windows registry against your base snapshots, create new snapshots with these commands at the PowerShell admin prompt:

dir -rec -erroraction ignore HKLM:\ | % name > Current-HKLM-$(get-date -f yyyy-MM-dd).txt
dir -rec -erroraction ignore HKCU:\ | % name > Current-HKCU-$(get-date -f yyyy-MM-dd).txt

Note: The above commands insert the date into the current snapshot file names so you can tell when each snapshot was created.

Now that you have both base and current snapshots created, you can compare them using the following PowerShell command:

Compare-Object (Get-Content -Path .\Base-HKCU.txt) (Get-Content -Path .\[current_snapshot_file_name])

The Compare-Object command compares the base snapshot with the current snapshot and displays what has changed, as shown below. The SideIndicator column indicates which file contains each differing entry.

[Figure: Comparison of base and current registry snapshots. Source: BleepingComputer]

It should be noted that this method only compares Windows registry keys and does not compare their values, which are commonly changed by Windows settings and by malware.

Exporting the values would also significantly increase the size of the snapshots and require a more complex script to compare them properly. For example, the base HKCU snapshot with registry values on a new Windows 10 installation grows from 1.45 MB to 11.6 MB, roughly an 8-fold increase.
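The following is an added example, not the article’s own commands or Lee Holmes’ code, of what that “more complex script” can look like: it writes one line per registry value (key, value name, data) so that value changes show up in the diff, then compares two such snapshot files. The function names and the file names in the usage comments are assumptions.

```powershell
# Added example (not from the article): snapshot registry keys AND their values,
# then diff two snapshot files. Run from an elevated prompt so all keys are readable.
function Export-RegistrySnapshot {
    param(
        [Parameter(Mandatory)] [string[]] $Hive,   # e.g. 'HKLM:\', 'HKCU:\'
        [Parameter(Mandatory)] [string]   $Path    # output snapshot file
    )
    # One line per value: "<key>|<valueName>|<data>". Keys with no values get
    # "<key>||" so key additions/removals are still visible in the diff.
    $lines = foreach ($h in $Hive) {
        Get-ChildItem -Path $h -Recurse -ErrorAction Ignore | ForEach-Object {
            $key   = $_                                   # Microsoft.Win32.RegistryKey
            $names = $key.GetValueNames()                 # '' is the (Default) value
            if ($names.Count -eq 0) { "$($key.Name)||" }
            foreach ($n in $names) {
                $data = $key.GetValue($n, $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                if ($data -is [byte[]]) { $data = [BitConverter]::ToString($data) }
                elseif ($data -is [array]) { $data = $data -join ';' }   # REG_MULTI_SZ
                "$($key.Name)|$n|$data"
            }
        }
    }
    # Sorting makes the file order stable between runs, so diffs reflect real changes.
    $lines | Sort-Object -Unique | Set-Content -Path $Path -Encoding UTF8
}

function Compare-RegistrySnapshot {
    param(
        [Parameter(Mandatory)] [string] $Base,
        [Parameter(Mandatory)] [string] $Current
    )
    $diff = Compare-Object -ReferenceObject (Get-Content -Path $Base) `
                           -DifferenceObject (Get-Content -Path $Current)
    foreach ($d in $diff) {
        # '=>' = only in the current snapshot (added); '<=' = only in the base (removed).
        $state = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        $key, $name, $data = $d.InputObject -split '\|', 3   # data may itself contain '|'
        [pscustomobject]@{ State = $state; Key = $key; Value = $name; Data = $data }
    }
}

# Usage (constructed file names):
#   Export-RegistrySnapshot -Hive 'HKCU:\' -Path .\Base-HKCU-values.txt
#   ...later...
#   Export-RegistrySnapshot -Hive 'HKCU:\' -Path .\Current-HKCU-values.txt
#   Compare-RegistrySnapshot -Base .\Base-HKCU-values.txt -Current .\Current-HKCU-values.txt |
#       Format-Table -AutoSize
```

A value whose data changed shows up as one REMOVED line (old data) paired with one ADDED line (new data) for the same key and value name; a brand-new key appears only as ADDED lines.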

However, comparing registry keys is still a useful technique that administrators can use to automate troubleshooting on the devices they manage.
