Registry Tracer


  1. Auto Setup.
    RegRun automatically adds important security traces.
  2. Fully Customizable.
    You can easily add any number of new traces.
  3. Low CPU consumption.
    Tracer monitors in the background with user specified interval.
Registry Tracer monitors selected registry keys, and advises of changes. It allows you to reverse any modifications, additions, or deletions.
You will see the "Registry Compare Results" window when the changes found.
  • If a new key was added - it will show a ′+′
  • If a new key was deleted - it will show a ′-′
  • If an existing key was modified it will show a ′?′
    All you do is click the key and you will see the added, deleted or modified values in the right panel.
Click on the "What′s this" button to get information about monitored registry key or send a request to support team.

How to set traces?

Open RegRun Control Center, choose Registry page.
Click on the "Registry Tracer" button.

You can browse the registry using registry viewer in the bottom of the window.
Click on the "Add to Trace List" button.

How to check traces?

  1. You can click on the "Check All" button in the Registry Tracer window.
  2. Or right lick on the WatchDog icon and choose "Check System Now!".
  3. Or launch RegRun Start Control.

List of the registry keys monitored by default.

  1. HKEY_CURRENT_USER\Control Panel\Desktop
    Type: REG_SZ
    Description: Screen saver program. If the screen saver is not specified, the value may not exist.
  2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units
    Description: Internet software distribution units are packages consisting of a cabinet file (.cab) that contains an INF file and/or an Open Software Description (OSD) file, with or without a software component. One or more distribution units may be needed to distribute a single software component.
    The software provider or Web master, can create distribution units that, when placed on your Web server, enable the Microsoft Internet Explorer Internet Component Download services to pull down and install software on users′ computers.
  3. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Value: Start Page
    Type: REG_SZ
    Description: Internet Explorer start page.
  4. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles
    Description: A user can set his/her own style sheet file for Internet Explorer.
    Value: User Stylesheet
    Type: REG_SZ
    Default: Empty. It contains the full path to user style file.
    Value: Use My Stylesheet
    Type: REG_DWORD
    Default: 1 - use. 0 - do not use user stylesheet.
  5. HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini
    Description: System.ini is not used in Windows NT4/2000/XP.
    This key is used to map file sections to the registry keys.
  6. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini
    Description: Win.ini is not used in Windows NT4/2000/XP.
    This key is used to map file sections to the registry keys.
  7. HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    Description: Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.
  8. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Value: AppInit_DLLs
    Type: REG_SZ
    Description: All of the DLLs specified in the AppInit_DLLs value are loaded by each Windows-based application running within the current logon session. Only the first 32 characters of the AppInit_DLLs value are picked up by the system.
  9. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: System
    Type: REG_SZ
    Description: The programs listed in this value launch in the protected system context.
    Looks like this value is not used by Winlogon at this moment.
  10. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: TaskMan
    Type: REG_SZ
    Description: Specifies the task manager that the system uses during logon. It does not exist by default.
  11. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: UserInit
    Type: REG_SZ
  12. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: VMApplet
    Type: REG_SZ
    Description: Specifies programs that Winlogon runs for the user so that the user can adjust the configuration of virtual memory when there is no paging file on the system volume. These programs run only when the system volume does not include a paging file.
  13. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    Description: Winlogon loads any notification packages listed in this key. Each package uses own subkey under Notify key. The DllName value(REG_EXPAND_SZ) contains the DLL file name.
  14. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
    Description: Browser Helper Objects are the COM components-that Internet Explorer will load each time it starts up. For example, a BHO could spy all browser events, access the browser′s menu and toolbar and make changes, create windows to display additional information, etc. There are no default objects.
  15. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    Description: The key contains the list of the GUIDs automatically loaded by Explorer
    Type of values: REG_SZ
    Value Name: GUID of COM object.
    Value: description.
    Default for Windows XP:
    {438755C2-A8BA-11D1-B96B-00A0C90312E1} (Browseui)
    {8C7461EF-2B13-11d2-BE35-3078302C2030} (Cache daemon).
  16. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Value: Startup
    Type: REG_SZ
    Location of the user startup folder.
  17. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
    Description: The ShellExecuteHooks registry key contains the list of COM objects that trap execute commands.
    Each object has the GUID.
    By default you must have the "shell32.dll".
    If you don′t see sheel32.dll GUID "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" it is not fatal. Your computer will work.
  18. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    Description: Location of the user folders.
    It has priority to "Shell Folders" keys.
  19. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Description: The System subkey stores the entries created when you configure a Group Policy that affects a basic component of Windows. Group Policy creates and maintains the entries in this subkey, and the component program reads and interprets them.
  20. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Description: The System subkey stores the entries created when you configure a Group Policy that affects a basic component of Windows. Group Policy creates and maintains the entries in this subkey, and the component program reads and interprets them.
    This subkey stores policy-related entries that are configured separately for each user. There is also a Software\Microsoft\Windows\CurrentVersion\Policies\System subkey in HKEY_LOCAL_MACHINE that stores entries applying to all users of this computer.
  21. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    Description: The ShellServiceObject DelayLoad key is used to automatically load DLL, required for Explorer.
    This key is used by the new generation of viruses.
    Usually, this key contains: CDBurn, PostBootReminder, SysTray, WebCheck items. But these items are not required for normal processing.
  22. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    Value: BootExecute
    Type: REG_MULTI_SZ
    Description: BootExecute is configured to execute programs on the Kernel phase boot. Usually it is used to check disks. Default: autocheck autochk *.
  23. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    Description: WinSock2 LSP stack.


RegRun WatchDog automatically checks changes in prefedined registry keys.

  1. HKLM\Software\Microsoft\Windows\CurrentVersion\RunEx
  2. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  3. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  4. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  5. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  6. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  7. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Values: Shell, Run, Load
  8. HKLM\Software\Microsoft\Active Setup\Installed Components
There is no reason to trace these keys using Registry Tracer again.
Add or See Comments (>10)