Copyright © 1998-1999 Mark Russinovich and Bryce Cogswell
Last Updated February 20, 1999 v4.13
Introduction

Regmon is a Registry spying utility that watches and displays information on system-wide registry accesses as they are occurring. This makes it a uniquely powerful tool for learning how Windows works or tracking down problems due to misconfigured Registry settings.

Version 4.0 unifies previous NT and Win9x-specific versions of Regmon into a common interface. Enhancements to the device drivers, and the addition of UI features (always-on-top, listview tool-tips), also mark this major version update.

Regmon works on NT 3.51, 4.0, 5.0 (Win2K), Windows 95 and Windows 98.

Sample Screen Shot

This is a screenshot of Regmon watching registry activity.

Installation and Use

Install Regmon by copying the files to your hard drive, and start it by running Regmon.exe from the directory in which you placed them. The GUI dynamically loads the virtual device driver, which starts filtering all registry accesses. The menus and tool bar buttons can be used to toggle monitoring on and off, disable event capturing, control the scrolling of the listview, and save the listview contents to an ASCII file.

Both process and path filters take expressions similar to what the command prompt takes: you can specify names with '*' representing wild cards. The "Path Include" filter represents path names that will be monitored and the "Path Exclude" filter represents path names that will not be monitored. Where there is overlap, Path Exclude overrides. Note that the filters are interpreted in a case-*in*sensitive manner, and that you can specify multiple filter strings by separating them with the ';' character. By default, the filters are set up to watch all Registry activity.

For example, if you do not want to see activity to Software subkeys you could specify "*Software*" as the "Path Exclude" filter. If you only want to see activity to the HKLM and HKCU keys, set "HKLM*;HKCU*" as the Path Include filter. If you set both of these filters, all activity to HKLM would be logged except to subkeys with the name "Software" in them, such as HKLM\Software. Each time you exit Regmon it remembers the filters you've configured, the position of the window and the widths of the output columns.
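As an added illustration, not code from Regmon or this page, here is a small user-mode C model of the filter rules just described: '*' wildcards, ';'-separated filter strings, case-insensitive matching, and Path Exclude overriding Path Include where both match. The function names and the 256-character limit on a single filter string are assumptions of this example.

```c
#include <ctype.h>
#include <string.h>

/* Case-insensitive glob match: '*' matches any run of characters,
 * everything else must match literally (ignoring case). */
static int glob_match(const char *pat, const char *s)
{
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*') pat++;         /* collapse runs of '*' */
            if (!*pat) return 1;               /* trailing '*' eats the rest */
            for (; *s; s++)
                if (glob_match(pat, s)) return 1;
            return 0;
        }
        if (!*s || tolower((unsigned char)*pat) != tolower((unsigned char)*s))
            return 0;
        pat++;
        s++;
    }
    return *s == '\0';
}

/* True if any ';'-separated pattern in 'filter' matches 'path'.
 * An empty filter string matches nothing. */
static int filter_matches(const char *filter, const char *path)
{
    char tok[256];                             /* assumed per-pattern limit */
    while (*filter) {
        size_t n = strcspn(filter, ";");
        size_t copy = n < sizeof tok ? n : sizeof tok - 1;
        memcpy(tok, filter, copy);
        tok[copy] = '\0';
        if (copy && glob_match(tok, path)) return 1;
        filter += n;
        if (*filter == ';') filter++;
    }
    return 0;
}

/* Regmon's rule as the page states it: log a path only if Path Include
 * matches it and Path Exclude does not; where both match, Exclude overrides. */
int regmon_should_log(const char *include, const char *exclude, const char *path)
{
    return filter_matches(include, path) && !filter_matches(exclude, path);
}
```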

Regmon v4.1 introduces a powerful new feature. When you see a Registry value or key in Regmon's output that you want to edit, simply double click on the line that includes the reference (or use the Regedit toolbar button) and Regmon will take you directly to the specific value using Regedit.

See the separate page on Regmon's boot monitoring capability, which is available on Windows NT.

How Regmon Works

The heart of Regmon on Windows 9x is in the virtual device driver, Regvxd.vxd. It is dynamically loaded, and in its initialization it uses VxD service hooking (see our May 1996 Dr. Dobb's Journal article on VxD service hooking for more information) to insert itself onto the call chain of 16 registry access functions in the Windows 95 kernel (Virtual Machine Manager). All registry activity, be it from 16-bit programs, Win32 applications, or device drivers, is directed at these routines, so Regmon catches all registry activity taking place on a machine.

On Windows NT, Regmon loads a device driver that uses a technique we developed for NT called system-call hooking. When a user-mode component makes a privileged system call, control is transferred to a software interrupt handler in NTOSKRNL.EXE (the core of the Windows NT operating system). This handler takes a system call number, which is passed in a machine register, and indexes into a system service table to find the address of the NT function that will handle the request. By replacing entries in this table with pointers to hooking functions, it is possible to intercept and replace, augment, or monitor NT system services. Regmon, which obviously hooks just the Registry-related services, is merely one example of this capability in action.

When Regmon sees an open, create or close call, it updates an internal hash table that serves as the mapping between key handles and registry path names. Whenever it sees calls that are handle based, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a key opened before Regmon started, Regmon will fail to find the mapping in its hash table and will simply present the key's value instead.
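An added example, not Regmon's own code, modelling the handle-to-path table described above in user-mode C: open/create calls insert a mapping, close removes it, and handle-based calls resolve the handle to a full name, falling back to the bare handle value when the key was opened before monitoring began. It goes one step beyond the text by composing the full path of a relative open from the parent handle's recorded path; the function names, the 64-bucket table and the 512-byte path limit are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUCKETS 64                                   /* assumed table size */
/* Hash-table entry: an open key handle and the full path it refers to. */
struct entry { unsigned long handle; char *path; struct entry *next; };
static struct entry *table[BUCKETS];

static unsigned bucket(unsigned long h) { return (unsigned)((h >> 2) % BUCKETS); }

static struct entry *find(unsigned long handle)
{
    struct entry *e = table[bucket(handle)];
    while (e && e->handle != handle) e = e->next;
    return e;
}

/* Open/create: record handle -> full path. A relative open names its parent
 * by handle; a parent opened before monitoring started has no entry, so only
 * its handle value can be shown for that part of the path. */
void keymap_open(unsigned long parent, const char *name, unsigned long handle)
{
    char full[512];                                  /* assumed path limit */
    struct entry *p = parent ? find(parent) : NULL, *e = malloc(sizeof *e);
    if (p)           snprintf(full, sizeof full, "%s\\%s", p->path, name);
    else if (parent) snprintf(full, sizeof full, "0x%lX\\%s", parent, name);
    else             snprintf(full, sizeof full, "%s", name);
    e->handle = handle;
    e->path = strcpy(malloc(strlen(full) + 1), full);
    e->next = table[bucket(handle)]; table[bucket(handle)] = e;
}

/* Close: drop the mapping so a reused handle value cannot show a stale path. */
void keymap_close(unsigned long handle)
{
    struct entry **pp = &table[bucket(handle)];
    while (*pp && (*pp)->handle != handle) pp = &(*pp)->next;
    if (*pp) { struct entry *e = *pp; *pp = e->next; free(e->path); free(e); }
}

/* Handle-based call (query, set, enumerate, ...): resolve the handle to the
 * name to display, or fall back to the raw handle value if it is unknown. */
const char *keymap_display(unsigned long handle, char *out, size_t n)
{
    struct entry *e = find(handle);
    if (e) snprintf(out, n, "%s", e->path);
    else   snprintf(out, n, "0x%lX", handle);
    return out;
}
```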

Information on accesses is dumped into an ASCII buffer that is periodically copied up to the GUI for it to print in its listbox.

For more detailed information on how Regmon works on Windows NT, see:

  • "Windows NT System Call Hooking," by Mark Russinovich and Bryce Cogswell, Dr. Dobb's Journal, January 1997
  • "Inside NT Utilities", Windows NT Magazine, February 1999.

Related Utilities

Here are some other monitoring tools available at Systems Internals:
  • Filemon - a file system activity monitor
  • Portmon - a serial and parallel port monitor
  • PMon - a process and thread monitor (NT/Win2K)
  • Diskmon - a hard disk monitor (NT/Win2K)
  • DebugView/EE - a debug output monitor

More Information

The following serve as additional sources of information on the Windows NT and 9x registries:

In order to help us track its use, please download through the link that represents the operating system on which you will use or mostly use Regmon. Note that the zip files are identical, and Regmon runs on either platform.

Download Regmon (x86 - 51KB) - if you plan on using Regmon on Win9x

Download Regmon (x86 - 51KB) - if you plan on using Regmon on WinNT

Download Regmon (Alpha - 81KB)

Download Regmon plus Source (255KB)