Tracing Registry and File Access in Windows

February 26th, 2012

Processes open, read, write, and close many files and registry entries during their lifetime. How do you find out which registry entries and files a process has used if it doesn’t keep them open the entire time it is active? In this article I cover how to get this information on Windows. You can also get this information on OS X and Linux.

You may have already read the page describing how to find open files on your system. You can use the same technique to find open registry keys by searching for them using any part of their path or name. However, processes usually open, read, and close registry keys and configuration files very quickly. Unless you catch the process in the act, these resources are hard to track down. Here we introduce a tool called Process Monitor, which does this tracking for you by logging every registry and file access a process makes during its lifetime. It tracks much more than file and registry activity, but for our purposes here we’ll focus on those abilities. Reading raw log output from Process Monitor is much like drinking from a fire hose. Luckily the utility includes powerful filtering tools that help you quickly drill down to the information pertinent to your problem. Let’s jump right in with an example.

  1. If you have not already, download and run Process Monitor.
  2. When first started, Process Monitor will present the filter page. In this example we will ask Process Monitor to filter by process name.
  3. Click the top left drop down and choose “Process Name”.
  4. Enter the process name (notepad.exe for our example) in the text box.
  5. Ensure that “is” is the filter and “include” is the action.
  6. Click the “Add” button, then click “Ok”.
  7. Start notepad.exe.

As notepad.exe starts it reads a series of registry keys and configuration files. All of this activity is logged and displayed in the Process Monitor log view. Even a fairly simple program like notepad.exe creates a flurry of activity. Let’s drill down further and find all failed registry access attempts. We can do this by first filtering for RegOpenKey events and then filtering for any result that is not “SUCCESS”.

  1. In the log view find any row that has “RegOpenKey” in the Operation column.
  2. Right click on RegOpenKey and choose “Include ‘RegOpenKey’”.
  3. Including RegOpenKey filters the view down to that operation only, but we still have both success and failure results. Next we’ll filter for only non-success results.
  4. Click the filter icon (highlighted here by a yellow box) or simply press “Ctrl-L” on your keyboard.
  5. In the Filter dialog select “Result” from the top left drop down.
  6. Select “Is Not” in the next drop down.
  7. Enter “SUCCESS” in the text box.
  8. Finally, set the action to “Include” in the last drop down.
  9. Click “Add”, then “Ok”.

Below is an example of what the filter box should look like just before you click “Ok”. Note that Process Monitor puts some filters in place automatically so that you don’t see its own events since you usually don’t care about Process Monitor itself. You can leave these filters in place.

Now that all of your filters are set up (Process Name is notepad.exe, Operation is RegOpenKey, Result is not SUCCESS) you should see the failed registry access attempts from the run of notepad.exe we started earlier. If you want to capture more data, ensure that Process Monitor is in capture mode by checking that the magnifying glass icon (highlighted here in the yellow box) does not have a red strike mark across it.

You should also see an increasing tally of all events at the bottom left of the window. Start notepad.exe (if it is not already running) and watch for a rolling log of RegOpenKey rows with non-success statuses. If you don’t see these events, don’t worry: Process Monitor still captured them. All you need to do is fix your filtering to make them visible. This is a great feature of Process Monitor: non-destructive filtering. You can add, remove, and edit your filters as much as you like without changing the underlying data.

Capturing events uses up disk space quickly and can slow your system down somewhat. When you have what you need click the magnifying glass icon noted above. This will change the icon to have a red strike mark across it and event captures will stop. You can start and stop as many times as you like on the same log. This is useful if you only want to capture events that occur during certain points of your application’s lifecycle.

You can also save your log so that it can be opened later by you or someone else on any PC that has Process Monitor installed. This is very useful for capturing events and sending them to support engineers or for comparison later after changes have been made in your application.

Tracing file activity is done in the same manner. One item of note is that in Windows files are opened with a call to CreateFile. If you are looking to trace file open success and failure, set your operation to CreateFile instead of OpenFile. The reason for this goes all the way back to 16-bit Windows. We don’t have time for a history lesson here, but I highly recommend the very entertaining read The Old New Thing: Practical Development Throughout the Evolution of Windows, which covers this among many other fascinating tidbits about Windows and the reasons it is the way it is today.

All of this powerful filtering is great, but what if you just want to quickly see all registry or all file activity without any more specific filtering? Here’s how you do that:

  1. Remove all previous filtering except for the Process Name filter. Remember to use the filter icon noted above to get to the filter dialog.
  2. Deselect all of the activity icons except for the activity type you want. These icons are in the top right of the Process Monitor window.
  3. If not already in capture mode, click the magnifying glass icon to enter capture mode (only if you need to capture new data; otherwise you can leave Process Monitor in non-capture mode).
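As an added example (not code from the original article or from Sysinternals), the script below applies the same filters the article builds in the GUI to a log that has been saved from Process Monitor as CSV (File > Save..., CSV format): Process Name is notepad.exe, Operation is RegOpenKey or CreateFile, Result is not SUCCESS, and the per-activity-class view (registry-only or file-only) from the steps above. This is useful when a saved log has been sent to you for analysis. The column names are assumed to match Process Monitor's default column set, the sample rows are constructed for illustration, and the classification of operations into activity classes by name prefix is my own heuristic, not Process Monitor's.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout of a Process Monitor CSV export
# (File > Save..., CSV). Column names are assumed to be Procmon's default
# column set; every row below is made up for illustration.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.0000001 AM","notepad.exe","4120","RegOpenKey","HKCU\\Software\\Microsoft\\Notepad","SUCCESS","Desired Access: Read"
"10:15:01.0000002 AM","notepad.exe","4120","RegQueryValue","HKCU\\Software\\Microsoft\\Notepad\\lfFaceName","SUCCESS","Type: REG_SZ, Length: 22, Data: Consolas"
"10:15:01.0000003 AM","notepad.exe","4120","RegOpenKey","HKLM\\Software\\Example\\MissingKey","NAME NOT FOUND","Desired Access: Read"
"10:15:01.0000004 AM","notepad.exe","4120","CreateFile","C:\\Users\\demo\\Desktop\\notes.txt","SUCCESS","Desired Access: Generic Read"
"10:15:01.0000005 AM","notepad.exe","4120","CreateFile","C:\\Users\\demo\\AppData\\Local\\missing.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:15:01.0000006 AM","notepad.exe","4120","CreateFile","C:\\Windows\\System32\\example.cfg","ACCESS DENIED","Desired Access: Generic Write"
"10:15:01.0000007 AM","explorer.exe","1234","RegOpenKey","HKCU\\Software\\Example","NAME NOT FOUND","Desired Access: Read"
"10:15:01.0000008 AM","notepad.exe","4120","Process Start","","SUCCESS","Parent PID: 1234"
"""


def activity_class(operation):
    """Map an operation name onto the activity classes toggled by the toolbar
    icons (registry, file, process/thread, network). Heuristic by name prefix,
    an assumption of this example, not Procmon's own classification."""
    if operation.startswith("Reg"):
        return "registry"
    if "File" in operation or "Directory" in operation:
        return "file"
    if operation.startswith(("Process", "Thread", "Load Image")):
        return "process"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    return "other"


def parse_events(csv_text):
    """Read an exported log into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def filter_events(events, process_name=None, operation=None,
                  result_is_not=None, activity=None):
    """Non-destructive filtering: the input list is left untouched, so
    filters can be added and removed freely, just as in the Procmon UI."""
    kept = []
    for ev in events:
        if process_name and ev["Process Name"].lower() != process_name.lower():
            continue
        if operation and ev["Operation"] != operation:
            continue
        if result_is_not and ev["Result"] == result_is_not:
            continue
        if activity and activity_class(ev["Operation"]) != activity:
            continue
        kept.append(ev)
    return kept


def failed_accesses(events, process_name, operation):
    """The article's drill-down: Process Name is X, Operation is Y,
    Result is not SUCCESS."""
    return filter_events(events, process_name=process_name,
                         operation=operation, result_is_not="SUCCESS")


def result_summary(events):
    """Count events by Result so that NAME NOT FOUND (a lookup that simply
    failed) and ACCESS DENIED (a permission problem) can be told apart."""
    return Counter(ev["Result"] for ev in events)


if __name__ == "__main__":
    events = parse_events(SAMPLE_CSV)
    for op in ("RegOpenKey", "CreateFile"):
        failed = failed_accesses(events, "notepad.exe", op)
        print(f"{op}: {len(failed)} failed, by result {dict(result_summary(failed))}")
        for ev in failed:
            print(f"  {ev['Result']:15} {ev['Path']}")
    for cls in ("registry", "file"):
        count = len(filter_events(events, process_name="notepad.exe", activity=cls))
        print(f"{cls} events for notepad.exe: {count}")
```

Note that the article's filter treats every non-SUCCESS result alike; the `result_summary` breakdown keeps NAME NOT FOUND separate from ACCESS DENIED, since a missing configuration key usually means a default is being used, while a denied access is the kind of result worth following up on when troubleshooting a permissions problem.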

Process Monitor is a powerful tool and should definitely be in your troubleshooting triage kit. It can do much more than what we covered here today. To learn more about it, be sure to read the Process Monitor chapter in the Windows Sysinternals Administrator’s Reference.

  1. Jere Kristoff
    March 22nd, 2012 at 21:20 | #1

    Just a smiling visitor here to share the love (:, btw great pattern.

  2. Mika Dalmau
    April 19th, 2012 at 01:04 | #2

    I’m impressed, I need to say. Really not often do I encounter a weblog that’s both educative and entertaining, and let me inform you, you’ve gotten hit the nail on the head. Your concept is excellent; the problem is something that not enough individuals are speaking intelligently about. I’m very completely satisfied that I stumbled across this in my seek for one thing regarding this.
