You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.

18: How to use ProcMon to track changes over time to specific registry keys

More info:

For this example, we will be monitoring the following Registry Key and values.

  1. Download and install ProcMon from:
  2. Run ProcMon elevated.
  3. Run Regedit (does not need to be run elevated).
  4. Next, in the Regedit window go to the path you wish to monitor, highlight the desired path in the address bar and copy the text.


  5. Back in ProcMon click on the filter icon, select the values “Path” and “is” as shown in the screenshot below, then paste in the registry path you saved to your clipboard earlier in step 4 above. Edit the path to correct for HKCU or HKLM (see note directly below), then click “Add”, and then “Ok” to save and apply the filter.

    NOTE: Edit the reg path and replace the text “Computer\HKEY_CURRENT_USER” with “HKCU”, or “Computer\HKEY_LOCAL_MACHINE” with “HKLM” as needed. See screenshots below for examples.

  6. Test that the filter is working by click clear results in ProcMon, then selecting the reg key in regedit window, you should see read events in the ProcMon capture window.

    Note for this example I used the following path:

    Alternatively, you can test that the filter is working by making a change using the Windows System Preferences.

    Default Browser Selection via System Preferences
  7. Next, and most importantly enable the “Drop Filtered Events” option on the Filter menu.

  8. Now all that is left, is to wait until the issue reoccurs.
  9. Once it does, whether it’s 6 hours, 24 hours, or days later you will need to collect the resulting ProcMon trace from the steps above along with the PolicyPak logs (pplogs) by following the steps below, and then upload everything to Netwrix PolicyPak Support.

GATHER PPLOGS: You’re going to run PPLOGS from CMD TWICE, once as USER and once as ADMIN, give the files a descriptive name,, etc. Example screenshot: 


PLACE LOGS (and anything else gathered, procmon trace, etc.) into a SINGLE ZIP upload as SFxxxxx.ZIP to the SUPPORT INBOX on SHAREFILE:
And remember to click the UPLOAD button!!

Video KB:

  • 1198
  • 05-Jun-2024