Introduction to RegAlyzer

RegAlyzer is one of our oldest tools. If I check our version history, it goes back at least two decades.

The Windows Registry is an essential part of Microsoft Windows; most of the system's configuration is stored in it. Malware that wants to survive a reboot almost always has to use it as well, so that it is loaded again when the system restarts (the few exceptions are things like MBR / EFI bootkits). So even early on in our fight against spyware, we regularly had to browse, search and compare registry entries. Microsoft's included regedit.exe had enough downsides that we soon wrote our own, better tool.

Features are, among others:

  • Multiple browsers (tabs)
  • Background search
  • Regular expressions search
  • Live Bookmarks
  • Disassembler
  • Value Interpretation
  • Value Documentation
  • Hive Snapshots
 
Over time, I'll show some of its features in more detail.

A few years ago, we added constants and documentation.

This basically means that for well-known registry entries, the window tells you what they are used for and, if they take numeric values, what those numbers mean. This screenshot shows a system service. System services have a value named Start that determines how they are started. With regedit.exe, you would only see the value 3. RegAlyzer shows you that this means SERVICE_DEMAND_START (the service is started manually or on demand; 2 would be SERVICE_AUTO_START and 4 SERVICE_DISABLED), and includes further documentation of what that implies.

Another feature can be seen for the value DisplayName. Some registry entries refer to localized texts. Here, the name shown in the System Services overview is not stored in the registry but in a file, so the entry simply refers to that file. In regedit.exe, you would only see the @acpidev.inf reference; RegAlyzer shows you the name read from the external file, here ACPI Devices driver, so that you get a better idea of what you are looking at.

regalyzer2-interpretations.png
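To make the two interpretations above concrete, here is an added example (my own illustration, not RegAlyzer's code) that parses a regedit export of a service key and annotates it the way the screenshot does: the numeric Start and Type values are mapped to their SERVICE_* constants from the Windows SDK, and an indirect DisplayName of the form @file.inf,%Token%;fallback is resolved. The INF file lookup, the file name acpidev.inf, the token name and the sample export are all constructed for the example so it runs offline; RegAlyzer reads the real INF from disk.

```python
"""Interpreting raw service values the way RegAlyzer's documentation view does.
Added example, not RegAlyzer's own code."""
import re

# Start types and Type flags for Services\<name> keys, as defined in the
# Windows SDK (winnt.h); the documentation strings are paraphrased.
SERVICE_START = {
    0: ("SERVICE_BOOT_START", "loaded by the boot loader before the kernel runs (drivers only)"),
    1: ("SERVICE_SYSTEM_START", "started during kernel initialization (drivers only)"),
    2: ("SERVICE_AUTO_START", "started automatically by the Service Control Manager at boot"),
    3: ("SERVICE_DEMAND_START", "started on demand ('Manual'), e.g. by StartService or a dependent service"),
    4: ("SERVICE_DISABLED", "cannot be started"),
}
SERVICE_TYPE_FLAGS = {
    0x001: "SERVICE_KERNEL_DRIVER", 0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS", 0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Constructed stand-in for the [Strings] section of an INF file. RegAlyzer reads
# the real file from disk; the table is embedded here so the example runs
# offline. File and token names are hypothetical.
INF_STRINGS = {"acpidev.inf": {"ACPIDEV.SvcDesc": "ACPI Devices driver"}}

_LINE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<raw>.*)$')
_INDIRECT = re.compile(r'^@(?P<file>[^,]+),%(?P<token>[^%]+)%(?:;(?P<fallback>.*))?$')

def _unquote(s):
    """Strip the quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r'\\(.)', r'\1', s[1:-1])

def _decode(raw):
    """Decode the right-hand side of a .reg value line into (type_name, data)."""
    if raw.startswith('"'):
        return ("REG_SZ", _unquote(raw))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r'^hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<data>.*)$', raw)
    if not m:
        raise ValueError(f"unsupported value syntax: {raw!r}")
    rtype = int(m.group("t") or "3", 16)            # plain "hex:" is REG_BINARY
    data = bytes.fromhex(m.group("data").replace(",", ""))
    if rtype in (2, 7):                              # UTF-16LE, NUL terminated
        text = data.decode("utf-16-le").rstrip("\0")
        data = text.split("\0") if rtype == 7 else text
    return (REG_TYPES.get(rtype, f"REG_TYPE_{rtype}"), data)

def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: (type_name, data)}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)        # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = keys.setdefault(line[1:-1], {})
            continue
        m = _LINE.match(line)
        if not m or current is None:
            raise ValueError(f"malformed line: {line!r}")
        name = "(Default)" if m.group("name") == "@" else _unquote(m.group("name"))
        current[name] = _decode(m.group("raw"))
    return keys

def resolve_indirect(s, inf_strings=INF_STRINGS):
    """Resolve '@file.inf,%Token%;fallback': Token from the INF's [Strings]
    section if available, else the fallback text, else the raw string."""
    m = _INDIRECT.match(s)
    if not m:
        return s
    hit = inf_strings.get(m.group("file").lower(), {}).get(m.group("token"))
    return hit or m.group("fallback") or s

def interpret_service(values):
    """Annotate the raw Start, Type and DisplayName values of a service key."""
    notes = {}
    if values.get("Start", (None,))[0] == "REG_DWORD":
        start = values["Start"][1]
        const, doc = SERVICE_START.get(start, ("<undocumented>", "not a valid start type"))
        notes["Start"] = f"{start} = {const}: {doc}"
    if values.get("Type", (None,))[0] == "REG_DWORD":
        t = values["Type"][1]
        flags = [n for bit, n in SERVICE_TYPE_FLAGS.items() if t & bit] or ["<undocumented>"]
        notes["Type"] = f"0x{t:x} = " + " | ".join(flags)
    if values.get("DisplayName", (None,))[0] in ("REG_SZ", "REG_EXPAND_SZ"):
        notes["DisplayName"] = resolve_indirect(values["DisplayName"][1])
    return notes

# Constructed sample export of one driver service key (not real system data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpidev]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,63,00,70,00,69,00,64,00,65,00,\
  76,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="@acpidev.inf,%ACPIDEV.SvcDesc%;ACPI Devices driver"
'''

if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print(key)
        for name, note in interpret_service(values).items():
            print(f"  {name}: {note}")
```

The parser handles the value syntaxes a service key normally contains (quoted strings, dword:, and hex(N): data with continuation lines); REG_EXPAND_SZ and REG_MULTI_SZ are exported as UTF-16LE bytes and are decoded accordingly. The fallback text after the semicolon is what Windows itself shows when the INF cannot be read, so keeping it is the safe default.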
 
Registry hives are the files in which the parts of the registry are stored. RegAlyzer is able to detect secondary Windows installations attached to the computer (e.g. if you're booting from a CD/DVD, or if you have the hard disk of another computer attached) and can open their hives so that you can edit these inactive registries as well.

And even better, it allows you to take snapshots of registry hives, which allows you to list differences between different moments in time.

RegAlyzer2-Hives.png

This screenshot shows the differences between the current registry entries and the entries in a snapshot made earlier. This is useful if you want to quickly see what e.g. a software installation has changed (for monitoring changes made by malware while it runs, there are more specialized tools available).

RegAlyzer2-CompareSnapshots.png
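An added example (my own code, not RegAlyzer's) of what a snapshot comparison like the one in the screenshot has to do: given two snapshots of the same hive, list added and removed keys and added, removed and changed values, and pull out the changes in well-known autostart locations first. Key and value names are compared case-insensitively, because the registry itself is, so a snapshot written with a differently-cased path does not produce phantom changes. The two snapshots are constructed for the example; the software name, service name and paths are hypothetical.

```python
"""Diffing two registry hive snapshots. Added example, not RegAlyzer's own code."""

# Well-known autostart locations (lower-cased key path prefixes).
AUTOSTART_PREFIXES = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\system\currentcontrolset\services" + "\\",
)

def _index(snapshot):
    """lower-cased key -> (original key, {lower-cased value name: (original name, (type, data))}).
    Key and value names are case-insensitive in the registry, so comparison
    must be too; the original spelling is kept for reporting."""
    return {k.lower(): (k, {n.lower(): (n, v) for n, v in vals.items()})
            for k, vals in snapshot.items()}

def diff_snapshots(before, after):
    """Return a sorted list of (change, key, value_name, old, new) tuples.
    Snapshots are {key_path: {value_name: (type_name, data)}}, as a hive
    exporter would produce them."""
    b, a = _index(before), _index(after)
    changes = []
    for lk in sorted(set(b) | set(a)):
        if lk not in b:
            key, vals = a[lk]
            changes.append(("key added", key, None, None, None))
            changes += [("value added", key, n, None, v) for _, (n, v) in sorted(vals.items())]
        elif lk not in a:
            changes.append(("key removed", b[lk][0], None, None, None))
        else:
            key, bv = b[lk]
            av = a[lk][1]
            for ln in sorted(set(bv) | set(av)):
                if ln not in bv:
                    changes.append(("value added", key, av[ln][0], None, av[ln][1]))
                elif ln not in av:
                    changes.append(("value removed", key, bv[ln][0], bv[ln][1], None))
                elif bv[ln][1] != av[ln][1]:
                    changes.append(("value changed", key, bv[ln][0], bv[ln][1], av[ln][1]))
    return changes

def autostart_changes(changes):
    """The subset of changes touching autostart locations: read these first."""
    return [c for c in changes if c[1].lower().startswith(AUTOSTART_PREFIXES)]

# Constructed snapshots "before" and "after" a hypothetical installation.
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
APP = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp"
BEFORE = {
    RUN: {"SecurityHealth": ("REG_EXPAND_SZ", r"%windir%\system32\SecurityHealthSystray.exe")},
    SVC + r"\acpidev": {"Start": ("REG_DWORD", 3), "Type": ("REG_DWORD", 1)},
    APP: {"Version": ("REG_SZ", "1.0")},
}
AFTER = {
    RUN.replace("Run", "run"): {  # same key, different case: must not show as a change
        "SecurityHealth": ("REG_EXPAND_SZ", r"%windir%\system32\SecurityHealthSystray.exe"),
        "ExampleUpdater": ("REG_SZ", r"C:\Program Files\ExampleApp\updater.exe /background"),
    },
    SVC + r"\acpidev": {"Start": ("REG_DWORD", 4), "Type": ("REG_DWORD", 1)},
    SVC + r"\examplesvc": {"Start": ("REG_DWORD", 2),
                           "ImagePath": ("REG_EXPAND_SZ", r"C:\Program Files\ExampleApp\svc.exe")},
    APP: {"Version": ("REG_SZ", "1.1"), "InstallDir": ("REG_SZ", r"C:\Program Files\ExampleApp")},
}

if __name__ == "__main__":
    for change, key, name, old, new in autostart_changes(diff_snapshots(BEFORE, AFTER)):
        print(f"{change:14} {key}" + (f"  [{name}] {old} -> {new}" if name else ""))
```

On the constructed data the autostart filter surfaces exactly the three things a practitioner wants to see after an install: a new Run entry, a new auto-start service, and an existing driver service switched from SERVICE_DEMAND_START (3) to SERVICE_DISABLED (4); the application's own version bump stays in the full list but out of the short one.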