
Track registry changes - Digital Forensics and Incident Response

Track registry changes (useful for remote collection and analysis as part of the IR process)

In this example, we are tracking changes in “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion”

  1. Run PowerShell as admin and take the 1st snapshot (the key names under the path are written to a text file):

    dir -rec -erroraction ignore HKLM:\Software\Microsoft\Windows\CurrentVersion | % name > C:\HKLM_Snap_Before.txt

  2. Take the 2nd snapshot (the file name carries the date of collection):

    dir -rec -erroraction ignore HKLM:\Software\Microsoft\Windows\CurrentVersion | % name > C:\HKLM_Snap_of_Date-$(get-date -f dd-MM-yyyy).txt

  3. Compare the 1st and 2nd snapshots; keys that appear only in one file are listed with a side indicator (=> added since the baseline, <= removed):

    Compare-Object (Get-Content -Path C:\HKLM_Snap_Before.txt) (Get-Content -Path [path and file name of the 2nd snapshot, without the square brackets])


Although tools are available, this simple PS script is useful during remote collection and analysis.
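The same snapshot-and-compare idea, written as two reusable functions. This is an added example, not the post's own commands: it goes beyond the key-name listing above by also recording each value's kind and data, and it hashes each snapshot file so it can later be verified as evidence. The registry path matches the post; the CSV file names are assumptions.

```powershell
# Added example, not the original post's commands: snapshot a key recursively,
# recording each value's data (not just key names), then diff two snapshots.
# File names below are assumptions; adjust them to your collection.
function Get-RegistrySnapshot {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutFile
    )
    # Include the root key itself; Get-ChildItem alone omits its values
    & { Get-Item -Path $Path; Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue } |
        ForEach-Object {
            $key = $_
            # Emit one row for the key itself so empty keys are still tracked
            [PSCustomObject]@{ Key = $key.Name; Value = ''; Kind = 'Key'; Data = '' }
            foreach ($name in $key.GetValueNames()) {
                # Keep REG_EXPAND_SZ unexpanded so the stored string is compared, not the resolved one
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                [PSCustomObject]@{
                    Key   = $key.Name
                    Value = $name
                    Kind  = $key.GetValueKind($name).ToString()
                    Data  = ($data -join ',')   # flattens REG_BINARY and REG_MULTI_SZ
                }
            }
        } | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    Get-FileHash -Path $OutFile -Algorithm SHA256   # record this with the evidence
}

function Compare-RegistrySnapshot {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $ref  = Import-Csv -Path $Before
    $diff = Import-Csv -Path $After
    # A changed value appears as a REMOVED row (old data) plus an ADDED row (new data)
    Compare-Object -ReferenceObject $ref -DifferenceObject $diff -Property Key, Value, Kind, Data |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            [PSCustomObject]@{ Change = $change; Key = $_.Key; Value = $_.Value; Kind = $_.Kind; Data = $_.Data }
        }
}

# Usage with assumed file names: baseline, later snapshot, compare
$hive = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'
Get-RegistrySnapshot -Path $hive -OutFile 'C:\HKLM_Snap_Before.csv'
$after = "C:\HKLM_Snap_of_Date-$(Get-Date -Format dd-MM-yyyy).csv"
Get-RegistrySnapshot -Path $hive -OutFile $after
Compare-RegistrySnapshot -Before 'C:\HKLM_Snap_Before.csv' -After $after | Format-Table -AutoSize
```

Run from an elevated PowerShell session, as in step 1; keys the session cannot open are skipped silently, so note any access-denied gaps when documenting the collection.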
