Using Procmon to find registry keys

I am ashamed to say I have always found the Procmon tool by Sysinternals intimidating to use.  This is because I have never taken the time to use and understand the tool.  At Ignite 2017 I attended the Sysinternals sessions and thought that is great, these tools could help me.  I even purchased the book “Troubleshooting with the Windows Sysinternals Tools”.  However, it was not until this week I opened the book and used the Promon tool.

I was working on a new Windows 10 deployment where specific settings needed to be disabled.  We did not want to use GPO settings because the users needed the ability to change the values.  To configure the task sequence, I needed to know the registry keys values that were set were when disabling options in Windows 10 Settings.  So, the adventure began.  First, I downloaded the newest version of the utility from http://live.sysinternals.com.  Then because I had downloaded from the Internet, I opened the file properties and unblocked the file so I could run it.

Unblock

I opened the application running it as Administrator with elevated privileges.  Given that I was only interested in finding registry values, I filtered the view to the registry by de-selecting the icons for file activity, network activity, process and thread activity, and finally profiling events.

Procmon filter

To start my capture with a clean slate, I stopped the current capture, Ctrl+E, then cleared the display, Ctrl+X.  To minimize the amount of data returned, I opened Settings and proceeded to the page with the setting I needed to capture.  I then switched back and forth between settings and Promon.  First, I turned on the capture, Ctrl+E, switched to settings and made my change, the back over to Promon to stop the capture, Ctrl +E.  Those few minutes of capturing data logged 21,323 registry events.  I needed to filter this down to the events that wrote to the registry.

I opened the Filter dialog box.  I was only interested in the entries that wrote to the registry, so I added a filter for “operations is RegSetValue”.  I clicked the Add button to add the new condition to the filter.  Do not worry if you forget to click Add, the program will ask if you wanted to add the condition prior to closing the dialog box.

Procmon add filter

The privacy settings were the first group that needed to be disabled.  I started with turning off:

  • Settings / Privacy / Location “When locations services for this account are on, apps and services you allow can request location and location history.
  • Settings / Privacy / Camera “Let apps use my camera”
  • Settings / Privacy / Microphone “Let apps use my microphone”

Once I completed my capture of information, Promon showed the following information:

Procmon filter results

Reviewing the information, I noticed that the “Process Name” of SystemSettings.exe had made changes to the HKCU registry key.  Since I was in Settings application when I made my changes, this looked like the place to start looking for the registry keys I needed.  I immediately disregarded any settings with the word “Cache” in them.  This left 3 values pointing to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess registry keys.  I was configuring access to devices, so this looked like the right place to be.

The next part I found the coolest.  Instead of having to open RegEdit and drill down to the registry key listed above, I just selected the entry I was interested in, right-clicked and selected Jump To.  This opened RegEdit to the exact key I needed.  As shown in the screen print below, I also could have just pressed Ctrl+J.

Procmon Jump to

Once the registry was open to the correct key, it was just a matter of exporting the registry key.  I exported the 3 keys I was interested in.  Then to verify I had the correct entries, I performed the following steps:

  • Went back into Settings and re-enabled the options
  • Imported the registry keys by double-clicking on them
  • Restarted the computer to be sure I was looking at fresh information
  • Went back into Settings to verify the options were once again disabled

To my amazement, it really was this easy to find the registry keys I needed to make modifications.  Then it was just a matter of including these changes into the Microsoft Deployment Toolkit task sequence, but that is a different story.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s