A handy tip was shared online this week, showing how you can use PowerShell to monitor changes to the Windows Registry over time.
As Windows updates, application installs, setting changes, and malware constantly makes changes to the Windows registry, this mode would allow you to quickly spot what was changed, allowing you to diagnose issues, remove malicious entries, and see what settings have been changed.
This week, popular security and technology Twitter account SwiftOnSecurity, tweeted how they would love to see a Windows Registry Editor mode that would display all registry entries that were not created by default.
In response to Swift's tweet, Microsoft's Principal Security Architect in Azure Security, Lee Holmes, tweeted an example of how you could do something similar in PowerShell.
Holmes' example shows how you can use PowerShell to list all existing Windows Registry keys and store them in a $snapshot variable. Then, at a later point in time, you create a snapshot of the current Registry keys and store them in the $current variable.
The example then compares the contents of these variables to determine what Registry keys were added since you took the first snapshot.
While this is not precisely what Swift was looking for, it points us in the right direction on how you can monitor Registry changes starting with a new install of Windows, or at least a point of time in your existing Windows installation.
Furthermore, as Holmes' example uses variables that will be removed when a device reboots, it is better to store your Registry snapshots in files to compare them later, which we describe how to do below.
Comparing Registry snapshots using PowerShell
Using Holmes' example, BleepingComputer played around with other ways of saving Windows Registry snapshots and found that modifying Holmes' example to save snapshots to a file provides the greatest versatility.
By using files, you can create snapshots at various points in time to be compared with later snapshots. With files, you can also compare them to Registry snapshots created on other devices.
To start, you need to create a base snapshot of the current HKLM and HKCU Registry keys that you will compare to future snapshots. Ideally, but not necessary, you would generate these base snapshots right after you install Windows.
To create the base Windows Registry snapshots, you would execute the following PowerShell commands in a Windows PowerShell (Admin) prompt to make sure you can access all of the registry keys:
dir -rec -erroraction ignore HKLM:\ | % name > Base-HKLM.txt
dir -rec -erroraction ignore HKCU:\ | % name > Base-HKCU.txt
These commands will make the Base-HKLM.txt and Base-HKCU.txt snapshot files in the current folder.
In BleepingComputer's tests on freshly installed versions of Windows 11 and Windows 10, these snapshots have the following sizes:
Windows 11 Registry snapshots:
HKEY_LOCAL_MACHINE (HKLM): | 82 MB |
HKEY_CURRENT_USER (HKCU): | 2.4 MB |
Windows 10 Registry snapshots:
HKEY_LOCAL_MACHINE (HKLM): | 81 MB |
HKEY_CURRENT_USER (HKCU): | 1.45 MB |
Once you have created your base snapshots, you can now install programs or use your computer as usual.
After some time, if you wish to compare the current Windows registry with your base snapshots, you can create new snapshots using these commands in an admin PowerShell prompt:
dir -rec -erroraction ignore HKLM:\ | % name > Current-HKLM-$(get-date -f yyyy-MM-dd).txt
dir -rec -erroraction ignore HKCU:\ | % name > Current-HKCU-$(get-date -f yyyy-MM-dd).txt
Note: the above commands will insert the date into the Current snapshot filenames so you can determine when the snapshot was created.
Now that you have both base snapshots and current snapshots created, you can compare them using the following PowerShell command:
Compare-Object (Get-Content -Path .\Base-HKCU.txt) (Get-Content -Path .\[current_snapshot_file_name])
The Compare-Object command will compare the base snapshot with the current snapshot, and display what has been changed, as can be seen below. The SideIndicator column indicates which file contains the change.
It should be noted that this method only compares Windows Registry keys and does not compare its values, which are commonly changed by Windows settings and malware.
Exporting values would also dramatically increase the size of your snapshots and require a more complicated script to compare them properly. For example, the base HKCU snapshot with Registry values on a new Windows 10 install increases from 1.45 MB to 11.6 MB, an 8x times change.
However, comparing the Registry keys is still a helpful tool that admins can automate to better troubleshoot problems on devices they manage.
Comments
lonegull - 1 year ago
Blocked/Restricted PowerShell as much as possible, it is a giant security hole that allows covert access. Elevated command prompt and registry editor (scripts and remote functions) and the various remote access commands and functions hidden in Windows. The "Living off the Land" techniques hackers use now days is scary and exceedingly hard to protect against.
At the same time there is a rush to finding and trying to defend these security issues. Keep the "little grey cells" busy, to quote Poirot.
Peter Blaise - 1 year ago
This still only compares results, not actual writing to the registry, such that temporary writes that are removed get lost, and writing by other than the program we are studying gets mixed in, we still have to sift through Windows itself writing to the registry in the background, and other programs writing to the registry in the background.
Does anyone have any examples to share here of using this comparison technique to identify what a specific program does during install or when a specific program is running?
After almost 40 years of computing, we still have no way of watching and recording what one specific program does?
I understand using a sandbox, but that does not make a record of program activity, it only isolates the main computer in case the program under study is a firestarter..
Anybody?
Anybody?
Thanks for letting us explore this and share.
.
TsVk! - 1 year ago
They do deep behavioral analysis on installers with sandbox VM's at joesandbox. If you'd like to know more about installers before you run them, other than being good/bad, it's worth having a free account over there. Produces different tiers of reports, very illuminating.
Ice19 - 1 year ago
You may find this free Microsoft utility useful. Supposedly it can monitor and log registry changes.
Process Monitor v3.89
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
From the utility's introduction paragraph:
"Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit."
TsVk! - 1 year ago
And there's Sysmon as well from Sysinternals for a pile more local data... if you're willing to do the analysis yourself.