This is how you monitor files


You install or use an application and want to know which registry keys or files it creates or changes, because you don’t fully trust it, for example. Or you adjust a Windows or program setting and want to find out where in the registry that change is stored, so that you can easily apply it elsewhere. This is how you monitor files.

Not only Windows itself but also many background processes and applications constantly, and unnoticed, create or modify all kinds of files and countless registry keys. In this article we discuss some tools you can use to monitor such changes, as that information can be quite useful. The more advanced user in particular will find something of interest here. We limit ourselves to techniques that also work in Windows 10 Home, and so leave aside the powerful auditing features built into Windows 10 Pro and above. We focus on the Windows Registry first and then look at the file system.

Registry in focus

The Windows registry is a series of files that together form a hierarchically structured database containing numerous configuration settings for Windows, hardware components and applications. You can browse this database by pressing Windows key + R and typing regedit.

Suppose you are installing an application and want to know which registry changes are made during that installation. Then try the free, portable tool RegistryChangesView, for which a Dutch language file is also available. Start the tool, choose Take Registry Snapshot, choose a location, optionally limit the snapshot to specific registry hives (such as HKEY_CURRENT_USER) and confirm with Snapshot. Then install the application. Back in RegistryChangesView, choose File, RegistryChangesView Options. For the first data source, point to the snapshot file you just saved; set the second to Current Registry. Click OK to see an overview of all differences in the main window.

All differences between the snapshot and the current registry (or between two snapshots) are clearly visible.

Specific keys

Tools like RegistryChangesView are of course less useful if you want to keep an eye on specific registry keys. Then the free, portable BgInfo is more suitable. With it you can select one or more registry keys whose values are shown on your desktop. Every time BgInfo (or Windows) restarts, you can see whether those values have changed.

Extract the archive file and start Bginfo.exe or Bginfo64.exe. By default a lot of system information appears, such as Boot Time, DHCP Server and Free Space, but we are only interested in specific registry keys, so you can delete all items in the blue-green text pane. Then press Custom, New and select Registry value. At Path, enter the path to the intended registry key. You can also do this as follows: start Regedit, navigate to the key and choose Edit, Copy Key Name. Paste it into the Path field with Ctrl+V and append the name of the value. For instance: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization\NoLockScreen. Confirm with OK, select the item just added, press Add and then Preview to see the result. Press Preview again, then Apply or OK to save the configuration.

In addition to all kinds of system information, you can also place specific registry values on your desktop.

Filter conditions

Windows Pro and above contain a number of configuration options that are not available in Windows Home, or at least not from the graphical interface. But often you can set those options in Home too, by creating or changing the corresponding registry key(s). The question then is: which registry key(s) are involved? The powerful free tool Process Monitor can tell you.

Extract the archive file and start Procmon.exe or Procmon64.exe. Click the magnifying glass icon to stop the automatic logging and clear the current log with the eraser icon. On the toolbar, click the four rightmost icons to disable them, but leave the Show Registry Activity icon enabled.

Now click the Filter icon so that the Process Monitor Filter dialog appears. Press Reset, then under Display entries matching these conditions use the drop-down menus to build the condition Category is Write then Include. Add it to the default list with the Add button and press OK. Now open the Filter menu and put a check next to Drop Filtered Events, so that Process Monitor neither displays nor stores filtered events.

The (standard) logs are so extensive that you have to filter very specifically in Process Monitor.

Zoom in further

You are now almost ready to log registry changes. Leave Process Monitor open and go to the settings window containing the option whose registry key you want to find. Don’t change the option yet, but first drag the Process Monitor crosshair icon onto the settings window, so that a filter is added that only logs registry changes coming from that window’s process. You can recognize it by the added PID (process ID) line in the Process Monitor Filter window.

Now start logging in Process Monitor by clicking the magnifying glass icon or pressing Ctrl+E, then switch the relevant option on or off. Immediately afterwards, stop logging again. If all goes well, one or more registry keys will appear in the log panel shortly afterwards, so you know which key(s) enabling or disabling the option affects.

With the right filters you can zoom in quite well on the intended (registry) items.

Reg files

With some skill you can now create a file (on your desktop, for instance) that lets you quickly adjust that value, so you no longer have to go to that settings window. Right-click the appropriate key in the Process Monitor log window and select Jump To. The Registry Editor (Regedit) opens and automatically navigates to that key. With the key selected, open the File menu in Regedit and choose Export. Make sure the Selected branch option is checked and enter a suitable file name, with, for example, your desktop as the location. Confirm with Save. You will now see a reg file on the desktop. Right-click it and choose Edit so that its contents open in Notepad.

Such a reg file always starts with Windows Registry Editor Version 5.00, followed by a blank line, then the key path in square brackets, with the actual statement below it in the form "<name>"=<type>:<value>, for instance: "UseDefaultTile"=dword:00000000. If you want to delete a value this way, a "=-" suffix is enough, for example "UseDefaultTile"=-.

You can now also create two complementary reg files: one that enables the option and one that disables it. Switching is then only a matter of a few mouse clicks: double click on the desired reg file and confirm with Yes (2x) and OK. Depending on the key, you may need to log in to Windows again or even restart Windows for the change to take place.

Export a value to a reg file so that you can set it with a few mouse clicks.
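As an added example (not code from the article or from any of the tools it mentions), a small Python parser and writer for the .reg format described above, plus a helper that produces the complementary enable/disable pair; the key paths and value names used in it are constructed.

```python
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=<rhs>

def parse_reg(text):
    """Parse a minimal .reg export into {key_path: {name: entry}}; entry is ("dword", "00000001"),
    ("string", "text") or None for a deletion. Decode real exports with encoding="utf-16" first."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        raise ValueError("not a Version 5.00 .reg file")
    keys, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):             # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):  # key path in square brackets
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name, rhs = m.group(1), m.group(2)
        if rhs == "-":                                   # "name"=- deletes the value
            keys[current][name] = None
        elif rhs.startswith('"') and rhs.endswith('"'):  # quoted string (REG_SZ)
            keys[current][name] = ("string", rhs[1:-1])
        else:                                            # typed value such as dword:00000001
            typ, _, val = rhs.partition(":")
            keys[current][name] = (typ, val)
    return keys

def render_reg(keys):
    """Serialise back to .reg text with the CRLF line endings Regedit writes."""
    out = [REG_HEADER, ""]
    for path, values in keys.items():
        out.append(f"[{path}]")
        for name, entry in values.items():
            if entry is None:
                out.append(f'"{name}"=-')
            elif entry[0] == "string":
                out.append(f'"{name}"="{entry[1]}"')
            else:
                out.append(f'"{name}"={entry[0]}:{entry[1]}')
        out.append("")
    return "\r\n".join(out)

def make_toggle_pair(key_path, name, on=1, off=0):
    """The article's two complementary files: one writes DWORD `on`, the other `off` (None = delete)."""
    return tuple(render_reg({key_path: {name: None if v is None else ("dword", f"{v:08x}")}})
                 for v in (on, off))
```

Write each returned string to a file with encoding="utf-16" to get a Regedit-compatible export; only the `[-HKEY…]` key-deletion syntax is left out here.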

File filtering

Sometimes not only registry keys but also files are created or modified. It can be interesting to know which files are being accessed, for example by an application you don’t entirely trust. This is also possible with Process Monitor, and we used it, for example, to find out how Secret Disk works. This tool creates a hidden drive that only becomes visible after entering a password.

If you want to carry out this investigation yourself, install Secret Disk and start the tool. Enter a PIN (twice) and an email address and confirm with Save. Enter your PIN again and press Login. Then start Process Monitor, temporarily disable logging and reset the filter window. This time make sure that only the Show File System Activity button is enabled. In the Filter menu, put a checkmark next to Drop Filtered Events. Drag the crosshair icon onto the program window of the now running Secret Disk and enable logging in Process Monitor.

Now go through the procedure in Secret Disk to create a ‘secret’ drive, via Choose a disc letter, Connect and Open in File Explorer. Optionally, you can also drag the crosshair icon onto the Explorer window while you are working with your ‘secret’ drive. In the logs you will notice that both SecretDisk.exe and explorer.exe frequently access the path C:UsersLocal<…>. And indeed: when you boot your PC from a live (Linux) medium and navigate to that location, you will find all the hidden files from your secret drive there. Secret Disk therefore offers little in the way of security.

Process Monitor quickly makes it clear that Secret Disk is constantly accessing a particular folder for its secrets.

Folder monitor

Process Monitor is therefore the ideal tool for discovering which files (as well as registry keys and network activity) an application accesses. But there are also tools that watch folders you choose yourself and keep track of which files are created, modified or deleted there. That can be useful too, for example if you want to know when another user changes something in a network share.

This is possible with tools such as FolderChangesView, for which a Dutch language file is available, and Folder Monitor. We look at the latter.

Extract the zip archive and launch the tool. Right-click its icon in the Windows system tray and choose Open. Right-click in the still empty window and choose Add folder (for a local folder) or Add Path (for a UNC network path, which starts with \\). Right-click the added item and uncheck Recursive if you do not want to monitor changes in subfolders. Choose Options to determine which events the tool should notify you of: Created, Changed, Renamed or Deleted. On the Execute command tab you can also have a command or program run in that case. On the Filter tab you can include or exclude specific files (using RegEx). By default you get both a visual and an audible notification; you can adjust this via Options in the context menu of the program icon.

File created, modified or deleted in a network share? Folder Monitor immediately rings the bell!
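As an added example that is not part of the article or of Folder Monitor itself, a Python snapshot-and-compare monitor that reports the same four events (created, changed, renamed, deleted), honours a recursive switch and regex include/exclude filters; the rename heuristic and the temporary-folder walk-through in demo() are constructed for illustration.

```python
import os
import re
import tempfile
def snapshot(root, recursive=True, include=None, exclude=None):
    """Map each file below root (relative path) to (size, mtime_ns); include/exclude are regexes."""
    inc, exc = (re.compile(p) if p else None for p in (include, exclude))
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = dirnames if recursive else []      # the tool's "recursive" switch
        for fn in filenames:
            rel = os.path.relpath(full := os.path.join(dirpath, fn), root)
            if (inc and not inc.search(rel)) or (exc and exc.search(rel)):
                continue                                  # Filter tab: include/exclude by RegEx
            st = os.stat(full)
            snap[rel] = (st.st_size, st.st_mtime_ns)
    return snap

def diff_snapshots(old, new):
    """Sorted (event, path) pairs: created, changed, renamed or deleted (rename is a heuristic)."""
    gone = set(old) - set(new)
    by_sig = {}
    for p in sorted(gone):
        by_sig.setdefault(old[p], []).append(p)
    events = []
    for p in sorted(set(new) - set(old)):
        src = by_sig.get(new[p])
        if src:                                           # same size+mtime as a vanished file
            gone.discard(src[0])
            events.append(("renamed", f"{src.pop(0)} -> {p}"))
        else:
            events.append(("created", p))
    events += [("deleted", p) for p in sorted(gone)]
    events += [("changed", p) for p in sorted(set(old) & set(new)) if old[p] != new[p]]
    return events

def demo():
    """Constructed walk-through in a temporary folder; returns (all_events, filtered_events)."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            with open(os.path.join(root, rel), "w") as f:
                f.write(data)
        for rel, data in (("report.txt", "v1"), ("old.log", "log"), ("gone.txt", "x")):
            write(rel, data)
        full0, top0 = snapshot(root), snapshot(root, exclude=r"\.log$")
        write("report.txt", "version two")                                        # changed
        os.rename(os.path.join(root, "old.log"), os.path.join(root, "new.log"))    # renamed
        os.remove(os.path.join(root, "gone.txt"))                                  # deleted
        write("fresh.txt", "new file")                                             # created
        return (diff_snapshots(full0, snapshot(root)),
                diff_snapshots(top0, snapshot(root, exclude=r"\.log$")))
```

A real watcher would take snapshots on a timer (or use the OS change-notification API) and act on the events, which is where Folder Monitor's Execute command tab comes in.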