Use PowerShell to track Windows Registry changes


Userlevel 7
Badge +13

Did you know that you can use PowerShell to track registry changes? Well, you can.

There’s a function that creates a snapshot of the current HKLM and HKCU registry keys, which you can later compare with future snapshots. To create Windows Registry snapshots, use the following PowerShell commands in a Windows PowerShell (Admin) prompt, so that you can access all of the registry keys:


dir -rec -erroraction ignore HKLM:\ | % name > Base-HKLM.txt

dir -rec -erroraction ignore HKCU:\ | % name > Base-HKCU.txt


This will generate a Base-HKLM.txt and a Base-HKCU.txt.

On freshly installed versions of Windows 11 and Windows 10, these snapshots’ sizes are about:

HKEY_LOCAL_MACHINE (HKLM): 82 MB
HKEY_CURRENT_USER (HKCU): 3 MB


After some time, if you need to compare the Windows registry with your base snapshots, you can create new snapshots using the following commands in an admin PowerShell prompt:

dir -rec -erroraction ignore HKLM:\ | % name > Current-HKLM-$(get-date -f dd-MM-yyyy).txt

dir -rec -erroraction ignore HKCU:\ | % name > Current-HKCU-$(get-date -f dd-MM-yyyy).txt


Now that you have both the base snapshots and the current snapshots, you can compare them using another PowerShell command:

Compare-Object (Get-Content -Path .\Base-HKCU.txt) (Get-Content -Path .\[last_updated_snapshot.txt])


And you get which registry keys were added or changed, but only the names, not the values.


Another way is to use this command:

Get-ItemProperty -Path HKLM:\* | select pschildname


More info: https://docs.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.2
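Here is an added example, written for this thread and not the original poster's script, that turns the two-step procedure above (snapshot, then Compare-Object) into a pair of functions. It goes one step beyond the post: besides the key names it also records each value's name and data, so a changed value shows up in the diff and not only an added or removed key. The function names, the one-line-per-value file format and the file names are my own choices; it must be run from an elevated PowerShell prompt, exactly like the commands in the post.

```powershell
# Added example (not from the original post). Snapshot HKLM/HKCU key names
# AND value data, then diff two snapshots with Compare-Object.
# Function names and file layout are assumptions, not anything the post defines.

function Export-RegistrySnapshot {
    param(
        [Parameter(Mandatory)] [string] $Hive,      # 'HKLM' or 'HKCU'
        [Parameter(Mandatory)] [string] $OutFile
    )
    # One line per key (same text as the post's "| % name"), plus one line per
    # value in the form "key\valuename=data", so that Compare-Object can later
    # report changed data as well as added or removed keys.
    Get-ChildItem -Path "$($Hive):\" -Recurse -ErrorAction Ignore |
        ForEach-Object {
            $key = $_
            $key.Name
            foreach ($valueName in $key.GetValueNames()) {
                # Do not expand %VARS% in REG_EXPAND_SZ, so the stored text is compared
                $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
                if ($data -is [byte[]])      { $data = [Convert]::ToBase64String($data) }  # REG_BINARY
                elseif ($data -is [string[]]) { $data = $data -join ';' }                   # REG_MULTI_SZ
                # The unnamed default value is shown as '(Default)', as regedit does
                $display = if ($valueName -eq '') { '(Default)' } else { $valueName }
                "$($key.Name)\$display=$data"
            }
        } |
        Sort-Object -Unique |
        Set-Content -Path $OutFile -Encoding UTF8
}

function Compare-RegistrySnapshot {
    param(
        [Parameter(Mandatory)] [string] $BaseFile,
        [Parameter(Mandatory)] [string] $CurrentFile
    )
    # SideIndicator '=>' : line exists only in the current snapshot
    #                      (new key, new value, or the new data of a changed value)
    # SideIndicator '<=' : line exists only in the base snapshot
    #                      (deleted key/value, or the old data of a changed value)
    # A modified value therefore appears twice: once with '<=' and once with '=>'.
    Compare-Object -ReferenceObject  (Get-Content -Path $BaseFile) `
                   -DifferenceObject (Get-Content -Path $CurrentFile) |
        ForEach-Object {
            [pscustomobject]@{
                Change = if ($_.SideIndicator -eq '=>') { 'OnlyInCurrent' } else { 'OnlyInBase' }
                Entry  = $_.InputObject
            }
        }
}

# Usage (file names are hypothetical; the date suffix mirrors the post's convention):
#   Export-RegistrySnapshot -Hive HKLM -OutFile .\Base-HKLM.txt
#   Export-RegistrySnapshot -Hive HKCU -OutFile .\Base-HKCU.txt
#   ... later ...
#   $today = Get-Date -Format dd-MM-yyyy
#   Export-RegistrySnapshot -Hive HKLM -OutFile ".\Current-HKLM-$today.txt"
#   Compare-RegistrySnapshot -BaseFile .\Base-HKLM.txt -CurrentFile ".\Current-HKLM-$today.txt" |
#       Format-Table -AutoSize
```

Because the value data is included, an HKLM snapshot is larger than the ~82 MB the post mentions for key names alone, and Compare-Object over a few million lines takes a while; running it per hive, as the post does, keeps that manageable. Expect a steady stream of noise from keys Windows rewrites on its own (for example the scheduled-task cache and various timestamps), so a short exclusion list applied with Where-Object to the Entry column is usually needed before the remaining differences are worth reading.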



10 comments

Userlevel 7
Badge +20

Very cool and interesting. Always looking at ways to audit and improve security. Will definitely test this out. 👍

Userlevel 7
Badge +9

Great stuff @marcofabbri I will explore this and test it. Thank you for sharing.

Userlevel 7
Badge +7

Hi, thanks @marcofabbri

I link 10 PowerShell commands for security analysts 😊

10 PowerShell Security Scripts for Analyst and Administrators (filecloud.com)

Userlevel 7
Badge +20

Hi, thanks @marcofabbri

I link 10 PowerShell commands for security analysts 😊

10 PowerShell Security Scripts for Analyst and Administrators (filecloud.com)

These are very cool too. Thanks for sharing.

Userlevel 7
Badge +7

Additionally, the snapshots could be saved in Git for each workstation and could be easily diff’ed at a future time.
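As an added example of the idea in this comment (my script, not the commenter's), the following keeps one snapshot file per hive and per workstation inside a Git repository, so every run becomes a commit and Git's own history and diff replace the dated file names. The repository path and directory layout are assumptions; it assumes git.exe is on PATH and, like the commands in the post, an elevated prompt.

```powershell
# Added example (not from the thread's author). Store the post's key-name
# snapshots in Git, one directory per workstation, and diff against the
# previous commit. Repo path and layout are assumptions.

$Repo    = 'C:\RegistrySnapshots'     # assumed: local clone of a private repo
$Machine = $env:COMPUTERNAME          # one directory per workstation

if (-not (Test-Path "$Repo\.git")) { git init $Repo | Out-Null }
Push-Location $Repo
try {
    New-Item -ItemType Directory -Path $Machine -Force | Out-Null

    # Same one-line-per-key output as the original post, but with a fixed file
    # name per hive: the commit history, not the file name, carries the date.
    Get-ChildItem -Path HKLM:\ -Recurse -ErrorAction Ignore | ForEach-Object Name |
        Set-Content -Path "$Machine\HKLM.txt" -Encoding UTF8
    Get-ChildItem -Path HKCU:\ -Recurse -ErrorAction Ignore | ForEach-Object Name |
        Set-Content -Path "$Machine\HKCU.txt" -Encoding UTF8

    git add -- $Machine
    # 'git status --porcelain' prints nothing when the staged files are unchanged
    if (git status --porcelain -- $Machine) {
        git commit -q -m "Registry snapshot $Machine $(Get-Date -Format yyyy-MM-dd)" | Out-Null
        # Only diff when a previous commit exists for this repository
        if ([int](git rev-list --count HEAD) -ge 2) {
            # Lines starting with '+' are keys added since the previous snapshot,
            # lines starting with '-' are keys that disappeared.
            git diff HEAD~1 HEAD -- "$Machine/HKLM.txt" "$Machine/HKCU.txt"
        } else {
            "First snapshot for $Machine committed; nothing to diff yet."
        }
    } else {
        "No registry key changes on $Machine since the last snapshot."
    }
}
finally {
    Pop-Location
}
```

Run on a schedule, this gives each workstation a tamper-evident timeline of registry key changes that a reviewer can walk with git log and git diff; pushing the repository to a central remote also keeps the baseline off the machine being monitored.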

Userlevel 7
Badge +7

GitHub - Seabreg/Regshot: Regshot is a small, free and open-source registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product


Userlevel 7
Badge +10

This is really interesting @marcofabbri, thanks for highlighting.

Userlevel 7
Badge +9

Interesting, I will check this tool out. Thank you very much for sharing.

Userlevel 7
Badge +13

Cool finding! The key is the Compare-Object cmdlet, which I didn’t know about until now.

Userlevel 7
Badge +8

Interesting topic. We have an NRPE check that checks a baseline from hardening the Windows OS. We tracked changes in the registry and secpol… I will share this with my Windows team 😁
