duckling78

Registry save checkpoint, compare to checkpoint

5 posts in this topic

#1 ·  Posted (edited)

This is a function to create a registry checkpoint and to compare the checkpoint to the current registry.

*** New AutoIt3 code using "reg export ..." and Windiff instead of "reg copy ..." and "reg compare ...":

Note: I got Windiff from the Microsoft Support Tools for Windows XP.

You will need a copy of the following to compile this script. These are all part of the Microsoft Support Tools for Windows XP. "gutils.dll" is a dependency of Windiff.

(script directory)\Windiff\Windiff.exe

(script directory)\Windiff\gutils.dll

(script directory)\Windiff\Windiff.hlp <-- This is optional

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.13.11 (beta)
 Author:         Michael Sunwoo

 Script Function:
    Registry saving and comparing function

#ce ----------------------------------------------------------------------------

; Script Start

#include <ButtonConstants.au3>
#include <GUIConstantsEx.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
#include <Constants.au3>

Opt("GUIOnEventMode", 1)
#Region ### START Koda GUI section ### Form=
; Top-level variables are Global: the OnEvent handlers below read them.
Global $formRegCompare = GUICreate("RegCompare", 381, 104)
GUISetOnEvent($GUI_EVENT_CLOSE, "formRegCompareClose")
Global $inputRegKey = GUICtrlCreateInput("HKCU\Software", 8, 8, 363, 21)
Global $btnCreate = GUICtrlCreateButton("Create Registry Checkpoint", 8, 33, 177, 25, 0)
GUICtrlSetOnEvent(-1, "btnCreateClick")
Global $btnCompare = GUICtrlCreateButton("Compare Current to Checkpoint", 189, 33, 177, 25, 0)
GUICtrlSetOnEvent(-1, "btnCompareClick")
Global $lblLastDateTime = GUICtrlCreateLabel("Initialized.", 10, 62, 354, 38)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

; Checkpoint files and the unpacked Windiff live under My Documents\<script name>\
Global $locSave = @MyDocumentsDir & "\" & StringTrimRight(@ScriptName, 4) & "\"
Global $locWindiffDir = $locSave & "Windiff\"
Global $locWindiff = $locWindiffDir & "Windiff.exe"
; Full path to reg.exe so the PATH is never searched for it
Global $locReg = @SystemDir & "\reg.exe"

DirCreate($locWindiffDir)

; Unpack the Windiff files compiled into the script; overwrite any existing copy
FileInstall("Windiff\Windiff.exe", $locWindiffDir, 1)
FileInstall("Windiff\Windiff.hlp", $locWindiffDir, 1)
FileInstall("Windiff\gutils.dll", $locWindiffDir, 1)

; RegOLD.txt is the checkpoint, RegNEW.txt the fresh export it is compared against
Global $regOld = $locSave & "RegOLD.txt"
Global $regNew = $locSave & "RegNEW.txt"

While 1
    Sleep(10000)
WEnd

Func TimeStamp()
    Return @HOUR & ":" & @MIN & ":" & @SEC
EndFunc

Func DateStamp()
    Return @MON & "/" & @MDAY & "/" & @YEAR
EndFunc

Func btnCreateClick()
    Blah("Clicked: Create Registry Checkpoint")
    RegCreateCheckpoint()
EndFunc

Func RegCreateCheckpoint()
    Blah(TimeStamp() & ": Starting registry backup . . .")

    If FileExists($regOld) Then
        FileDelete($regOld)
    EndIf

    ; The key path is quoted so a key containing spaces survives the command line.
    ; ShellExecuteWait returns reg.exe's exit code (non-zero when the export fails,
    ; e.g. the key does not exist or access is denied).
    Local $rc = ShellExecuteWait($locReg, 'export "' & GUICtrlRead($inputRegKey) & '" "' & $regOld & '"', "", "open", @SW_HIDE)

    If $rc <> 0 Or Not FileExists($regOld) Then
        Blah(TimeStamp() & ": Registry backup FAILED (reg.exe exit code " & $rc & ")")
    Else
        Blah(TimeStamp() & ": Finished registry backup!")
    EndIf
EndFunc

Func btnCompareClick()
    Blah("Clicked: Compare Current to Checkpoint")
    RegCompareToCheckpoint()
EndFunc

Func RegCompareToCheckpoint()
    If FileExists($regOld) Then
        Blah("Starting registry export for comparison . . .")

        If FileExists($regNew) Then
            FileDelete($regNew)
        EndIf

        ; Same quoting and exit-code check as in RegCreateCheckpoint()
        Local $rc = ShellExecuteWait($locReg, 'export "' & GUICtrlRead($inputRegKey) & '" "' & $regNew & '"', "", "open", @SW_HIDE)

        If $rc <> 0 Or Not FileExists($regNew) Then
            Blah(TimeStamp() & ": Registry export FAILED (reg.exe exit code " & $rc & ")")
            Return
        EndIf

        Blah(TimeStamp() & ': Finished registry export.  Starting Windiff.' & @CRLF & 'F7/F8 = "View Prev/Next Change"')

        ShellExecute($locWindiff, '"' & $regOld & '" "' & $regNew & '"')
    Else
        MsgBox(16, StringTrimRight(@ScriptName, 4) & " error on line " & @ScriptLineNumber, "$regOld not found." & @CRLF & "$regOld = " & $regOld)
    EndIf
EndFunc

Func formRegCompareClose()
    Exit
EndFunc

Func Blah($text)
    ConsoleWrite($text & @CRLF)
    GUICtrlSetData($lblLastDateTime, $text)
EndFunc

Here are the batch-file versions I originally created and on which the AutoIt3 version above is based.

RegSave.cmd:

@echo off

reg>nul query "hkcu\_BackUp_" 2>nul && (
    echo Found old backup.  Deleting it . . .
    reg>nul delete "hkcu\_BackUp_" /f
)

echo.
echo Starting registry backup . . .

for /f "tokens=3 delims=\" %%a in ('reg.exe query hkcu\software') do (
    if /i not "%%a"=="Microsoft" (
        echo.
        echo Saving %%a . . .
        reg copy "hkcu\software\%%a" "hkcu\_Backup_\%%a" /s /f
    )
)

echo.
echo Completed registry backup.

RegCompare.cmd:

@echo off

rem tokens=1* keeps everything after the first colon in %%c, so REG_SZ data
rem containing ":" (drive paths, URLs) is not cut off at the second colon
for /f "tokens=3 delims=\" %%a in ('reg.exe query hkcu\software') do (
    for /f "tokens=1* delims=:" %%b in ('reg compare "hkcu\_Backup_\%%a" "hkcu\software\%%a" /s 2^>nul') do (
        if not "%%c"=="  Identical" (
            if not "%%b"=="The operation completed successfully" (
                if not "%%b"=="Result Compared" (
                    if /i not "%%a"=="Microsoft" (
                        if "%%b"=="< Value" (
                            echo.
                            echo     OLD: %%c
                        )
                        if "%%b"=="> Value" (
                            echo     NEW: %%c
                        )
                        if "%%b"=="< Key" (
                            echo.
                            echo REMOVED: %%c
                        )
                        if "%%b"=="> Key" (
                            echo.
                            echo   ADDED: %%c
                        )
                        if not "%%b"=="> Value" if not "%%b"=="< Value" if not "%%b"=="< Key" if not "%%b"=="> Key" (
                            echo.
                            echo %%a: %%b --^> %%c
                        )
                    )
                )
            )
        )
    )
)

These skip the "Microsoft" key because there seems to be some type of Access Denied error on WinXP with one of the keys in there.

Here is some example output from RegCompare.cmd:

Z:\>RegCompare.cmd

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  preferred_language  REG_SZ
    NEW:   HKEY_CURRENT_USER\software\Google  preferred_language  REG_SZ  en

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  blt_count_slp  REG_DWORD  0xeab38
    NEW:   HKEY_CURRENT_USER\software\Google  blt_count_slp  REG_DWORD  0xeabc8

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  blt_msec_slp  REG_DWORD  0x17c64a
    NEW:   HKEY_CURRENT_USER\software\Google  blt_msec_slp  REG_DWORD  0x17c69c

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  dib_count_slp  REG_DWORD  0x57aa6e
    NEW:   HKEY_CURRENT_USER\software\Google  dib_count_slp  REG_DWORD  0x57aafe

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  dib_msec_slp  REG_DWORD  0x20e57
    NEW:   HKEY_CURRENT_USER\software\Google  dib_msec_slp  REG_DWORD  0x20e5b

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  searches_integrated  REG_DWORD  0x4f1
    NEW:   HKEY_CURRENT_USER\software\Google  searches_integrated  REG_DWORD  0x4f2

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  google_search  REG_DWORD  0x505
    NEW:   HKEY_CURRENT_USER\software\Google  google_search  REG_DWORD  0x506

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  google_search_slp  REG_DWORD  0x505
    NEW:   HKEY_CURRENT_USER\software\Google  google_search_slp  REG_DWORD  0x506

    OLD:   HKEY_CURRENT_USER\_Backup_\Panda Software  InstallCLSID  REG_SZ  {F6B1ED50-1F91-46A6-A104-64B99145C1BC}
    NEW:   HKEY_CURRENT_USER\software\Panda Software  InstallCLSID  REG_SZ  {F6B1ED50-1F91-46A6-A104-64B99145C1BC}

REMOVED:   HKEY_CURRENT_USER\_Backup_\StudiosQA\Testing Key 1

  ADDED:   HKEY_CURRENT_USER\software\StudiosQA\Testing Key 2

Hope this helps someone :)

Edited by duckling78
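An added example, not part of the original post, the AutoIt script or the batch files above: instead of eyeballing the two `reg export` files in Windiff, or scraping `reg compare` output with nested `if`s as RegCompare.cmd does, parse both snapshots and report added keys, removed keys and changed values in the same REMOVED/ADDED/OLD/NEW layout the post's sample output uses. The two snapshots embedded below are constructed to mimic that output (they are not real exports); `load_reg` assumes the files were written by `reg export`, which emits UTF-16LE with a byte-order mark. One caveat carries over from the post: an export only contains what the exporting user can read, so a subkey the user is denied on is simply absent from both files and never shows up as a change.

```python
"""Structured diff of two `reg export` snapshots (.reg text files).

Parses the "Windows Registry Editor Version 5.00" format that reg.exe writes
and reports which keys and values differ between a checkpoint and a fresh
export, so the comparison can run unattended instead of in Windiff.
"""
import re

# A value line is  "name"=data  or  @=data  (the key's default value).
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed sample snapshots modelled on the post's example output.
# The hex value spans two lines to exercise the backslash continuation rule.
SAMPLE_OLD = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Google]
"preferred_language"=""
"searches_integrated"=dword:000004f1
"blob"=hex:01,02,\
  03,04

[HKEY_CURRENT_USER\Software\StudiosQA\Testing Key 1]
@="old default"
"""

SAMPLE_NEW = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Google]
"preferred_language"="en"
"searches_integrated"=dword:000004f2
"blob"=hex:01,02,\
  03,04

[HKEY_CURRENT_USER\Software\StudiosQA\Testing Key 2]
@="new default"
"""


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}}; the default value is named '@'."""
    keys = {}
    current = None
    pending = None  # (name, data so far) while a value continues on the next line
    for line in text.splitlines():
        chunk = line.strip()
        if pending is not None:
            name, data = pending
            if chunk.endswith("\\"):
                pending = (name, data + chunk[:-1])
            else:
                keys[current][name] = data + chunk
                pending = None
            continue
        if not chunk or chunk.startswith(";") or chunk.startswith("Windows Registry Editor") or chunk == "REGEDIT4":
            continue
        if chunk.startswith("[") and chunk.endswith("]"):
            current = chunk[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("value line before any key: %r" % line)
        m = _VALUE_RE.match(chunk)
        if not m:
            raise ValueError("unparsable line: %r" % line)
        # Unescape \" and \\ in the value name; data is kept verbatim for comparison.
        name = "@" if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1))
        data = m.group(2)
        if data.endswith("\\"):
            pending = (name, data[:-1])
        else:
            keys[current][name] = data
    if pending is not None:
        raise ValueError("file ends inside a continued value")
    return keys


def load_reg(path):
    """Read a file written by `reg export` (UTF-16LE with BOM; the codec strips the BOM)."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def diff_reg(old, new):
    """Return removed/added key paths and (key, name, old_data, new_data) tuples;
    None on one side means the value exists only on the other side."""
    values = []
    for key in sorted(set(old) & set(new)):
        o, n = old[key], new[key]
        values += [(key, v, o[v], None) for v in sorted(set(o) - set(n))]
        values += [(key, v, None, n[v]) for v in sorted(set(n) - set(o))]
        values += [(key, v, o[v], n[v]) for v in sorted(set(o) & set(n)) if o[v] != n[v]]
    return {"removed_keys": sorted(set(old) - set(new)),
            "added_keys": sorted(set(new) - set(old)),
            "values": values}


def format_report(d):
    """Render the diff in the REMOVED/ADDED/OLD/NEW layout RegCompare.cmd prints."""
    lines = ["REMOVED: " + k for k in d["removed_keys"]]
    lines += ["  ADDED: " + k for k in d["added_keys"]]
    for key, name, o, n in d["values"]:
        lines.append("    OLD: %s  %s  %s" % (key, name, "<absent>" if o is None else o))
        lines.append("    NEW: %s  %s  %s" % (key, name, "<absent>" if n is None else n))
    return lines


if __name__ == "__main__":
    # With real exports: diff_reg(load_reg("RegOLD.txt"), load_reg("RegNEW.txt"))
    print("\n".join(format_report(diff_reg(parse_reg(SAMPLE_OLD), parse_reg(SAMPLE_NEW)))))
```

Because the parser keeps each value's data verbatim (`dword:...`, `hex:...`, quoted strings), a change is reported exactly as `reg export` wrote it, and the report can be written to a file or fed to a log collector rather than read off a Windiff window.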

#2 ·  Posted


Sounds good.

Perhaps an addition from yourself to load a checkpoint, possibly only specifying which ones you would like to load?

Could be useful for rolling back from some pesky viruses.. then again we have system restore.

#3 ·  Posted


Thank you, it's useful to me.

#4 ·  Posted


Thank you, it's useful to me.

I have been looking for a program like this, but could you upload a compiled version?

#5 ·  Posted


Fixed the script to work on Vista. The "reg" executable has some different parameters on XP vs Vista.

I believe I'm done with this. The updated script is in the original post.
