SEARCH

How-To Geek

Lesson 5: Using Process Monitor to Troubleshoot and Find Registry Hacks

SysInternals 5

In today’s edition of Geek School we’re going to teach you how to use Process Monitor to actually accomplish troubleshooting and figuring out registry hacks that you would not know about otherwise.

Process Monitor is one of the most impressive tools that you can have in your toolkit, as there is almost no other way to see what an application is actually doing under the hood. It is the only way to know what files are being written to by which process, and where things are stored in the registry, and which files are accessing them.

We’ll start off with today’s lesson by looking at how to find registry keys using Windows setting dialogs and Process Monitor, and then we’ll go through an actual troubleshooting scenario that we encountered on one of our computers in the lab, and easily solved using Process Monitor.

Using Process Explorer to Find Registry Keys for Common Settings

Everybody has clicked a checkbox or changed the value of a drop-down box at some point, but have you ever wondered where those values are actually stored? Many applications, and virtually everything in Windows, is stored in the Registry… somewhere.

For today’s example we’re going to use the first option on the first pane of Taskbar and Navigation Properties, which is a dialog that should exist in all versions of Windows. So now our mission is to figure out where that setting is actually stored in the registry. You can follow along with this particular setting, or you can try one of the other settings on the same dialog — or anywhere else you’d like to find the hidden setting location for.

The first thing you’ll want to do whenever trying to capture a set of data is to launch Process Monitor, and then change the setting. At that point you can stop Process Monitor from continuing to capture events, so the list doesn’t get out of control. (Hint: the File menu has the option, or it’s the third icon from the left).

Now that we’ve got a ton of data in the list, it’s time to filter the list to reduce the number of rows that we’re going to have to look through. Since we’re looking at a registry value that is being changed, we’ll need to filter by “RegSetValue”, which is what Windows uses to actually set a registry key to a new setting. Use the “Include” option to show only those events.

Your list should now be limited to just registry keys that were changed, so it’s time to take a look at the events and try to figure out which registry key it might be. Since we’re checking the “Lock the Taskbar” setting, and one of the registry keys being set includes the word “Taskbar” in the name, that’s a good place to start. Right-click on the path and choose to Jump To the location.

Process Monitor will open up the Registry Editor and highlight the key in the list. Now we need to make sure that this is actually the right key, which is pretty easy to figure out. Take a look at the setting, and then take a look at the key. Right now the setting is on, and the key is set to 0.

So change the setting, hit Apply on the dialog, and then use the F5 key to refresh the Registry Editor window. In our case we definitely picked the right setting, so now you can see that the TaskbarSizeMove value is set to 1.

If you didn’t pick the right value, you won’t see a change when you do the setting test again. So go and find the next logical one, and start over.

Troubleshooting Problems with Process Monitor

It’s not really possible to illustrate in a single article how to troubleshoot any problem with Process Monitor, or any other tool for that matter. There are just way too many combinations of issues that could possibly go wrong.

What we can do, however, is show how we actually used Process Monitor to troubleshoot a real problem that actually happened to one of our test computers. We had been installing some crapware, and then decided to try and clean the computer up. The problem was an entry in the Uninstall Programs panel that just wouldn’t go away.

    Continue Reading »
  • 1
  • 2
  • Next

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis. You can follow him on if you'd like.

  • Published 03/28/14

Enter Your Email Here to Get Access for Free:

Go check your email!