Registry save checkpoint, compare to checkpoint

[duckling78]

This is a function to create a registry checkpoint and to compare the checkpoint to the current registry.

*** New AutoIt3 code using "reg export ..." and Windiff instead of "reg copy ..." and "reg compare ...":

Note: I got Windiff from the Microsoft Support Tools for Windows XP.

You will need a copy of the following to compile this script. These are all part of the Microsoft Support Tools for Windows XP. "gutils.dll" is a dependancy of Windiff.

(script directory)\Windiff\Windiff.exe

(script directory)\Windiff\gutils.dll

(script directory)\Windiff\Windiff.hlp <-- This is optional

expandcollapse popup

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.13.11 (beta)
 Author:         Michael Sunwoo

 Script Function:
    Registry saving and comparing function

#ce ----------------------------------------------------------------------------

; Script Start

#include <ButtonConstants.au3>
#include <GUIConstantsEx.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
#include <Constants.au3>

Opt("GUIOnEventMode", 1)
#Region ### START Koda GUI section ### Form=
Local $formRegCompare = GUICreate("RegCompare", 381, 104)
GUISetOnEvent($GUI_EVENT_CLOSE, "formRegCompareClose")
Local $inputRegKey = GUICtrlCreateInput("HKCU\Software", 8, 8, 363, 21)
Local $btnCreate = GUICtrlCreateButton("Create Registry Checkpoint", 8, 33, 177, 25, 0)
GUICtrlSetOnEvent(-1, "btnCreateClick")
Local $btnCompare = GUICtrlCreateButton("Compare Current to Checkpoint", 189, 33, 177, 25, 0)
GUICtrlSetOnEvent(-1, "btnCompareClick")
Local $lblLastDateTime = GUICtrlCreateLabel("Initialized.", 10, 62, 354, 38)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

Local $locSave = @MyDocumentsDir & "\" & StringTrimRight(@ScriptName, 4) & "\"
Local $locWindiffDir = $locSave & "Windiff\"
Local $locWindiff = $locWindiffDir & "Windiff.exe"

DirCreate($locWindiffDir)

FileInstall("Windiff\Windiff.exe", $locWindiffDir, 1)
FileInstall("Windiff\Windiff.hlp", $locWindiffDir, 1)
FileInstall("Windiff\gutils.dll", $locWindiffDir, 1)

Local $regOld = $locSave & "RegOLD.txt"
Local $regNew = $locSave & "RegNEW.txt"

While 1
    Sleep(10000)
WEnd

Func TimeStamp()
    Return @HOUR & ":" & @MIN & ":" & @SEC
EndFunc

Func DateStamp()
    Return @MON & "/" & @MDAY & "/" & @YEAR
EndFunc

Func btnCreateClick()
    Blah("Clicked: Compare Current to Checkpoint")
    RegCreateCheckpoint()
EndFunc

Func RegCreateCheckpoint()
    Blah(TimeStamp() & ": Starting registry backup . . .")
    
    If FileExists($regOld) Then
        FileDelete($regOld)
    EndIf
    
    ShellExecuteWait("reg.exe", 'export ' & GUICtrlRead($inputRegKey) & ' "' & $regOld & '"', "", "open", @SW_HIDE)
    
    Blah(TimeStamp() & ": Finished registry backup!")
EndFunc

Func btnCompareClick()
    Blah("Clicked: Button Compare to Current Checkpoint")
    RegCompareToCheckpoint()
EndFunc

Func RegCompareToCheckpoint()
    Local $i = 1

    If FileExists($regOld) Then
        Blah("Starting registry export for comparison . . .")
        
        If FileExists($regNew) Then
            FileDelete($regNew)
        EndIf
        
        ShellExecuteWait("reg.exe", 'export ' & GUICtrlRead($inputRegKey) & ' "' & $regNew & '"', "", "open", @SW_HIDE)
        
        Blah(TimeStamp() & ': Finished registry export.  Starting Windiff.' & @CRLF & 'F7/F8 = "View Prev/Next Change"')
        
        ShellExecute($locWindiff, '"' & $regOld & '" "' & $regNew & '"')
    Else
        MsgBox(16, StringTrimRight(@ScriptName, 4) &  " error on line " & @ScriptLineNumber, "$regOld not found." & @CRLF & "$regOld = " & $regOld)
    EndIf
EndFunc

Func formRegCompareClose()
    Exit
EndFunc

Func Blah($text)
    ConsoleWrite($text & @CRLF)
    GUICtrlSetData($lblLastDateTime, $text)
EndFunc

Here are the batch file versions I originally created and based the above AutoIt3 version off of.

RegSave.cmd:

@echo off

reg>nul query "hkcu\_BackUp_" 2>nul && (
    echo Found old backup.  Deleting it . . .
    reg>nul delete "hkcu\_BackUp_" /f
)

echo.
echo Starting registry backup . . .

for /f "tokens=3 delims=\" %%a in ('reg.exe query hkcu\software') do (
    if /i not "%%a"=="Microsoft" (
        echo.
        echo Saving %%a . . .
        reg copy "hkcu\software\%%a" "hkcu\_Backup_\%%a" /s /f
    )
)

echo.
echo Completed registry backup.

RegCompare.cmd:

@echo off

for /f "tokens=3 delims=\" %%a in ('reg.exe query hkcu\software') do (
    for /f "tokens=1,2* delims=:" %%b in ('reg compare "hkcu\_Backup_\%%a" "hkcu\software\%%a" /s 2^>nul') do (
        if not "%%c"=="  Identical" (
            if not "%%b"=="The operation completed successfully" (
                if not "%%b"=="Result Compared" (
                    if /i not "%%a"=="Microsoft" (
                        if "%%b"=="< Value" (
                            echo.
                            echo     OLD: %%c
                        )
                        if "%%b"=="> Value" (
                            echo     NEW: %%c
                        )
                        if "%%b"=="< Key" (
                            echo.
                            echo REMOVED: %%c
                        )
                        if "%%b"=="> Key" (
                            echo.
                            echo   ADDED: %%c
                        )
                        if not "%%b"=="> Value" if not "%%b"=="< Value" if not "%%b"=="< Key" if not "%%b"=="> Key" (
                            echo.
                            echo %%a: %%b --^> %%c
                        )
                    )
                )
            )
        )
    )
)

These skip the "Microsoft" key because there seems to be some type of Access Denied error on WinXP with one of the keys in there.

Here some example output from RegCompare.cmd:

Z:\>RegCompare.cmd

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  preferred_language  REG_SZ
    NEW:   HKEY_CURRENT_USER\software\Google  preferred_language  REG_SZ  en

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  blt_count_slp  REG_DWORD  0xeab38
    NEW:   HKEY_CURRENT_USER\software\Google  blt_count_slp  REG_DWORD  0xeabc8

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  blt_msec_slp  REG_DWORD  0x17c64a
    NEW:   HKEY_CURRENT_USER\software\Google  blt_msec_slp  REG_DWORD  0x17c69c

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  dib_count_slp  REG_DWORD  0x57aa6e
    NEW:   HKEY_CURRENT_USER\software\Google  dib_count_slp  REG_DWORD  0x57aafe

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  dib_msec_slp  REG_DWORD  0x20e57
    NEW:   HKEY_CURRENT_USER\software\Google  dib_msec_slp  REG_DWORD  0x20e5b

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  searches_integrated  REG_DWORD  0x4f1
    NEW:   HKEY_CURRENT_USER\software\Google  searches_integrated  REG_DWORD  0x4f2

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  google_search  REG_DWORD  0x505
    NEW:   HKEY_CURRENT_USER\software\Google  google_search  REG_DWORD  0x506

    OLD:   HKEY_CURRENT_USER\_Backup_\Google  google_search_slp  REG_DWORD  0x505
    NEW:   HKEY_CURRENT_USER\software\Google  google_search_slp  REG_DWORD  0x506

    OLD:   HKEY_CURRENT_USER\_Backup_\Panda Software  InstallCLSID  REG_SZ  {F6B1ED50-1F91-46A6-A104-64B99145C1BC}
    NEW:   HKEY_CURRENT_USER\software\Panda Software  InstallCLSID  REG_SZ  {F6B1ED50-1F91-46A6-A104-64B99145C1BC}

REMOVED:   HKEY_CURRENT_USER\_Backup_\StudiosQA\Testing Key 1

  ADDED:   HKEY_CURRENT_USER\software\StudiosQA\Testing Key 2

Hope this helps someone

Edited December 10, 2008 by duckling78

[Demonic]

Sounds good.

Perhaps an addition from yourself to load a checkpoint, possibly only specifying which ones you would like to load?

Could be usefull for rolling back from some pesky virus's.. then again we have system restore.

[Jango]

Thank you it's usefull to me.

[corgano]

Thank you it's usefull to me.

i have looking for a program like this, but could you upload compiled version?

[duckling78]

Fixed the script to work on Vista. The "reg" executable has some different parameters on XP vs Vista.

I believe I'm done with this. The updated script is in the original post.