
Did you know that you can use PowerShell to track registry changes? Well, you can.

There’s a function that creates a snapshot of the current HKLM and HKCU registry keys, which you can then compare with future snapshots. To create Windows Registry snapshots, use the following PowerShell commands in a Windows PowerShell (Admin) prompt to make sure you can access all of the registry keys:


dir -rec -erroraction ignore HKLM:\ | % name > Base-HKLM.txt

dir -rec -erroraction ignore HKCU:\ | % name > Base-HKCU.txt


This will generate a Base-HKLM.txt and a Base-HKCU.txt file.

On freshly installed versions of Windows 11 and Windows 10, these snapshots’ sizes are about:

HKEY_LOCAL_MACHINE (HKLM): 82 MB
HKEY_CURRENT_USER (HKCU): 3 MB


After some time, if you need to compare the Windows registry with your base snapshots, you can create new snapshots using the following commands in an admin PowerShell prompt:

dir -rec -erroraction ignore HKLM:\ | % name > Current-HKLM-$(get-date -f dd-MM-yyyy).txt

dir -rec -erroraction ignore HKCU:\ | % name > Current-HKCU-$(get-date -f dd-MM-yyyy).txt


Now that you have both the base snapshots and the current snapshots, you can compare them using another PowerShell command:

Compare-Object (Get-Content -Path .\Base-HKCU.txt) (Get-Content -Path .\last_updated_snapshot.txt)


And you get which registry keys were added or changed, but only the names, not the values.


Another way is to use this command:

Get-ItemProperty -Path HKLM:\* | select pschildname


More info: https://docs.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.2
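The post notes that the name-only snapshots miss value changes. The script below is an added example (not code from the original post or from Microsoft's documentation) that extends the same snapshot-and-diff idea to capture value data as well as key names, so a changed Run entry or service ImagePath shows up in the comparison. The function names, output file names and the "key|value|data" line format are this example's own choices; it needs an elevated PowerShell prompt to read every key, and keys it cannot read are skipped silently.

```powershell
# Added example, not the original post's code. Assumed names: New-RegistrySnapshot,
# Compare-RegistrySnapshot, and the "key|valuename|data" line layout used in the files.

function New-RegistrySnapshot {
    param(
        [Parameter(Mandatory)] [string] $Hive,     # e.g. 'HKLM:\' or 'HKCU:\SOFTWARE'
        [Parameter(Mandatory)] [string] $OutFile
    )
    # Get-ChildItem on a registry drive returns RegistryKey objects; SilentlyContinue
    # skips keys the current token cannot open (SAM, SECURITY, ...) instead of aborting.
    Get-ChildItem -Path $Hive -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            # One line per key so empty keys are still tracked (matches the name-only snapshot)
            '{0}||' -f $key.Name
            # One line per value: key|valuename|data, so the diff shows changed data, not just names
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                if ($data -is [byte[]])        { $data = [BitConverter]::ToString($data) }   # REG_BINARY
                elseif ($data -is [string[]])  { $data = $data -join ';' }                   # REG_MULTI_SZ
                '{0}|{1}|{2}' -f $key.Name, $name, $data
            }
        } | Sort-Object -Unique | Set-Content -Path $OutFile -Encoding UTF8
}

function Compare-RegistrySnapshot {
    param(
        [Parameter(Mandatory)] [string] $BaseFile,
        [Parameter(Mandatory)] [string] $CurrentFile
    )
    $base    = Get-Content -Path $BaseFile
    $current = Get-Content -Path $CurrentFile
    # Compare-Object lists lines present on only one side: '=>' only in current, '<=' only in base.
    # A modified value therefore appears twice: its old line as '<=' and its new line as '=>'.
    Compare-Object -ReferenceObject $base -DifferenceObject $current |
        ForEach-Object {
            $parts = $_.InputObject -split '\|', 3
            [pscustomobject]@{
                Change = if ($_.SideIndicator -eq '=>') { 'AddedOrNew' } else { 'RemovedOrOld' }
                Key    = $parts[0]
                Value  = $parts[1]
                Data   = $parts[2]
            }
        }
}

# Usage (run elevated). Take the baseline once, then a dated snapshot later and diff them.
# Scope the hive path to a smaller subtree (e.g. 'HKLM:\SYSTEM\CurrentControlSet\Services')
# when a full HKLM dump is too slow or too large to review.
New-RegistrySnapshot -Hive 'HKCU:\' -OutFile .\Base-HKCU-values.txt
New-RegistrySnapshot -Hive 'HKCU:\' -OutFile ".\Current-HKCU-values-$(Get-Date -Format dd-MM-yyyy).txt"
Compare-RegistrySnapshot -BaseFile .\Base-HKCU-values.txt `
                         -CurrentFile ".\Current-HKCU-values-$(Get-Date -Format dd-MM-yyyy).txt" |
    Sort-Object Key | Format-Table -AutoSize
```

Because the baseline file is what every later comparison trusts, store it somewhere the audited machine cannot rewrite (the Git idea mentioned in this thread works well) and record its Get-FileHash output at creation time; a baseline that can be silently replaced is no better than no baseline at all.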


Very cool and interesting. Always looking at ways to audit and improve security.  Will definitely test this out. 👍


Great stuff @marcofabbri I will explore this and test it. Thank you for sharing.


hi thx @marcofabbri 

I link 10 powershell commands for security analyst 😊

10 PowerShell Security Scripts for Analyst and Administrators (filecloud.com)



These are very cool too.  Thanks for sharing.


Additionally, the snapshots could be saved in Git for each workstation and could be easily diff’ed at a future time. 


GitHub - Seabreg/Regshot: Regshot is a small, free and open-source registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product



This is really interesting @marcofabbri  thanks for highlighting.


Interesting, I will check this tool out. Thank you very much for sharing.


Cool finding! Key is the compare-object cmdlet, I didn’t know up to now.


Interesting topic, we have an NRPE check that checks a baseline from hardening the Windows OS. We track changes in the registry and secpol… I will share this with my Windows team 😁

