Is Regshot compatible with undoREG (1.46)?
Yes, versions 1.6x and >=1.8.1 are compatible with undoREG. In 1.8.1 you must set "UseLongRegHead=1"; see "readme.txt" and "history.txt" for details.
Versions 1.7x and 1.8.0 are not compatible with undoREG.
It looks like Regshot is not working on Vista RTM. It freezes 3 seconds after the first shot.
This question was posted by "DJ" on my message board (23 Feb 07, 18:39) and was solved by DJ himself :)
The solution is "13 Jan 07, 00:52 DJ: Regarding my previous post: I finally managed to
run Regshot on Vista RTM. Setting property - compatibility to WinXP and
running as administrator won't help, UAC has to be disabled"! Thanks to "DJ"!
Regshot can monitor "most" of the Windows registry changes. Why "most", not "all"?
There are several possible reasons:
(1) Privilege
Regshot can monitor almost "all" of the changes a user application makes to
the registry, but on the Windows NT platform (2000, XP, 2003) user apps do
not have enough privileges to "see" what the system OS has done.
For example: if you are using XP and change the xDSL dial-up password in
"Network Connections" while monitoring the action with Regshot, then after
comparing the 2 shots you would find that nothing happened
:(( . Does Windows save it elsewhere?
The answer is no. Windows does save the password (encrypted) in the registry, but a user just cannot see it. :(
The solution is to run Regshot at a higher privilege level; here is how:
1. Open your Services control panel and make sure that the "Task Scheduler"
service is running and is using the "Local System" account.
2. Schedule a task with the "at" command in a cmd shell:
at 18:22 /interactive "d:\tools\regshot.exe"
The time "18:22" is the current clock time (e.g. 18:20) plus 1 or 2
minutes, so you can wait for the task scheduler to run your Regshot at 18:22.
3. Wait 1 or 2 minutes; after Regshot runs, do the normal job. Remember, it is running with "Local System" privileges
and can "see" the changes made by the system OS. Guess where Windows stores the xDSL dial-up password :)))
For more info, try searching Microsoft's help for "windows
privileges", "task scheduler", "regedt32". There may be more tricks......
There are even utilities that help you run apps under a special account......
(2) Hooks, rootkits
In Windows NT, normal applications can be fooled if some APIs are hooked by a rootkit to hide registry keys and disk files, so you must use an anti-rootkit tool to check for this situation. Try searching for "rootkit revealer" or "Icesword" in your search engine.
(3) Some apps may change a file's content while keeping its size and timestamp "untouched"
In the current version, the fileshot part of Regshot only checks a file's date/time, size and attributes to determine whether it has been altered; this is fast but not 100% reliable. I left a "cksum" field in the fileshot hive, but found it too slow. You can use "md5file" on my page to do that kind of job.
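The following is an added example (not Regshot's or md5file's own code) that shows why a metadata-only fileshot is not 100% reliable: it takes two shots of a constructed temporary directory, one recording only size and modification time as fileshot does, the other adding an MD5 of the content, after a same-length edit whose timestamp is put back. The directory layout and the "config.ini" file are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def metadata_shot(path):
    """Record what a fileshot-style check records: size and mtime, never the content."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns)


def hashed_shot(path):
    """Same fields plus an MD5 of the content, the md5file-style check the page suggests."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return metadata_shot(path) + (h.hexdigest(),)


def take_shot(root, shot_fn):
    """Walk root and map each relative path to whatever shot_fn records for it."""
    shot = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            shot[os.path.relpath(full, root)] = shot_fn(full)
    return shot


def compare(shot1, shot2):
    """Return the sorted list of files whose recorded fields differ between two shots."""
    return sorted(k for k in shot1.keys() | shot2.keys() if shot1.get(k) != shot2.get(k))


def demo():
    """Constructed scenario: same-size content change with the old timestamps restored."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "config.ini")
        with open(target, "wb") as f:
            f.write(b"port=8080\n")
        before_meta = take_shot(root, metadata_shot)
        before_hash = take_shot(root, hashed_shot)
        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"port=9090\n")  # same byte length as before
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the old timestamps back
        # metadata-only compare misses the change; the hashed compare reports it
        return (compare(before_meta, take_shot(root, metadata_shot)),
                compare(before_hash, take_shot(root, hashed_shot)))
```

Running demo() returns an empty list for the metadata-only comparison and ["config.ini"] for the hashed one.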