
Regshot Cheat Sheet

Overview

Regshot is a lightweight, open-source utility that takes snapshots of the Windows registry and filesystem, then compares them to identify all changes that occurred between the two snapshots. This makes it invaluable for malware analysis (understanding what a sample modifies during execution), software installation auditing (tracking what an installer adds to the system), troubleshooting (identifying unexpected system modifications), and compliance verification. Regshot can detect added, deleted, and modified registry keys/values as well as filesystem changes.

The tool operates on a simple two-phase approach: take a baseline “1st shot” of the system state, perform the action you want to analyze (run malware, install software, apply a configuration), then take a “2nd shot” and compare. Regshot generates detailed comparison reports in plain text or HTML format showing every registry key, registry value, file, and folder that was added, deleted, or modified. While simple in concept, Regshot remains one of the most effective tools in a malware analyst’s toolkit for behavioral analysis, especially when combined with Process Monitor, API monitoring, and network capture tools.

Installation

Download and Run

# Download from GitHub
# https://github.com/Seabreg/Regshot

# Or from SourceForge
# https://sourceforge.net/projects/regshot/

# Regshot is portable — no installation required
# Extract and run regshot.exe (32-bit) or regshot-x64.exe (64-bit)

Chocolatey

choco install regshot

File Structure

regshot/
├── regshot.exe          # 32-bit version
├── regshot-x64.exe      # 64-bit version
├── regshot.ini          # Configuration file
└── language/            # Language files

Core Usage

Basic Workflow

Step 1: Launch Regshot (run as Administrator for full access)
Step 2: Configure scan scope (registry paths, filesystem paths)
Step 3: Click "1st Shot" to capture baseline
Step 4: Perform the action to analyze (run malware, install software)
Step 5: Click "2nd Shot" to capture new state
Step 6: Click "Compare" to generate diff report

GUI Options

| Option | Description |
|---|---|
| Scan Dir1 | First directory to monitor for filesystem changes |
| Scan Dir2 | Additional directory to monitor |
| Output Path | Where to save snapshot and report files |
| Plain TXT | Generate report in plain text format |
| HTML Document | Generate report in HTML format |
| Shot (registry + file system) | Capture both registry and filesystem |
| Shot (registry only) | Capture registry only (faster) |
| 1st Shot | Take baseline snapshot |
| 2nd Shot | Take comparison snapshot |
| Compare | Generate comparison report |

Command-Line Usage

# Regshot can be automated via its INI file settings
# Configure regshot.ini before running

# Take first shot (via GUI or script interaction)
Start-Process regshot-x64.exe

# Automated workflow using AutoHotkey or similar
# (Regshot doesn't have native CLI for snapshots)

Configuration

regshot.ini Settings

; regshot.ini
[Regshot]
; Output directory for snapshots and reports
OutputPath=C:\Analysis\Regshot\

; File scan directories (semicolon-separated)
ScanDir1=C:\Windows\
ScanDir2=C:\Users\

; Registry paths to scan (default: full registry)
; Leave empty for full scan

; Report format
; 1 = Plain text, 2 = HTML
OutputFormat=2

; Save snapshots to file (for later comparison)
; 0 = No, 1 = Yes
SaveShot=1

; Use short path names
UseShortPath=0

; Expand strings in registry values
ExpandStrings=1

Optimized Configuration for Malware Analysis

[Regshot]
; Focus on areas malware typically modifies
ScanDir1=C:\Windows\System32\
ScanDir2=C:\Users\analyst\

; Output in HTML for easier review
OutputFormat=2
OutputPath=C:\Analysis\Reports\

; Save shots for archival
SaveShot=1

Targeted Registry Monitoring

; Key areas to focus on for malware analysis:
;
; Persistence:
; HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
; HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
; HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
; HKLM\SYSTEM\CurrentControlSet\Services
;
; Security settings:
; HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
; HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
; HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
;
; Network:
; HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
; HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
;
; COM/CLSID:
; HKLM\SOFTWARE\Classes\CLSID
; HKCU\SOFTWARE\Classes\CLSID

Interpreting Results

Report Format

; Example plain text report output:
----------------------------------
Keys added: 5
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareKey
HKLM\SYSTEM\CurrentControlSet\Services\MalService
HKLM\SYSTEM\CurrentControlSet\Services\MalService\Parameters
HKLM\SOFTWARE\MalwareVendor
HKLM\SOFTWARE\MalwareVendor\Config

----------------------------------
Values added: 8
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareKey: "C:\Users\Public\malware.exe"
HKLM\SYSTEM\CurrentControlSet\Services\MalService\ImagePath: "C:\Windows\Temp\svc.exe"
HKLM\SYSTEM\CurrentControlSet\Services\MalService\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\MalService\Type: 0x00000010

----------------------------------
Values modified: 3
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA:
  Old: 0x00000001
  New: 0x00000000

----------------------------------
Files added: 4
----------------------------------
C:\Users\Public\malware.exe
C:\Windows\Temp\svc.exe
C:\Windows\System32\drivers\mal.sys
C:\Users\analyst\AppData\Local\Temp\payload.dll

----------------------------------
Files deleted: 1
----------------------------------
C:\Users\analyst\AppData\Local\Temp\dropper.tmp

Key Indicators to Look For

| Category | Suspicious Changes |
|---|---|
| Run keys | New entries in Run, RunOnce, RunServices |
| Services | New service registrations with auto-start |
| Policies | Disabled UAC, Windows Update, Defender |
| Firewall | New firewall rule exceptions |
| Hosts file | Modified C:\Windows\System32\drivers\etc\hosts |
| DLLs | New DLLs in System32 or SysWOW64 |
| Scheduled Tasks | New XML files in C:\Windows\System32\Tasks\ |
| Temp files | Executables dropped in Temp directories |
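The following is an added example (not code from the Regshot project) that parses the plain-text report layout shown above into its sections and then checks every entry against one regex per row of the indicator table; the sample report embedded in it is constructed, and the key names, paths and values in it are made up.

```python
import re
# Constructed sample in the report layout shown above (key names, paths and values are made up).
SAMPLE_REPORT = """\
----------------------------------
Keys added: 2
----------------------------------
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MalwareKey
HKLM\\SYSTEM\\CurrentControlSet\\Services\\MalService
----------------------------------
Values modified: 1
----------------------------------
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA:
  Old: 0x00000001
  New: 0x00000000
----------------------------------
Files added: 2
----------------------------------
C:\\Users\\analyst\\AppData\\Local\\Temp\\payload.exe
C:\\Windows\\System32\\Tasks\\Updater
"""
HEADER = re.compile(r"^(Keys|Values|Files|Folders) (added|deleted|modified): \d+$")
# One regex per row of the indicator table above (matched case-insensitively).
INDICATORS = {
    "Run keys": r"\\CurrentVersion\\(Run|RunOnce|RunServices)(\\|:|$)",
    "Services": r"\\CurrentControlSet\\Services\\",
    "Policies": r"\\Policies\\|EnableLUA|DisableAntiSpyware",
    "Hosts file": r"\\drivers\\etc\\hosts$",
    "DLLs": r"\\(System32|SysWOW64)\\[^\\]+\.dll$",
    "Scheduled Tasks": r"\\System32\\Tasks\\",
    "Temp files": r"\\Temp\\[^\\]+\.(exe|dll|sys|bat|ps1)$",
}
def parse_report(text):
    # Returns {"Keys added": [...], "Values modified": [...], ...}
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("----"):
            continue                                   # blank or separator rule
        if HEADER.match(line):
            current = line.split(":")[0]
            sections[current] = []
        elif current and line[0].isspace():            # indented Old:/New: line
            sections[current][-1] += " " + line.strip()   # keep with its value
        elif current:
            sections[current].append(line)
    return sections

def flag_indicators(sections):
    # Every category from the table, each with the (section, entry) pairs that match it
    entries = [(sec, e) for sec, items in sections.items() for e in items]
    return {cat: [p for p in entries if re.search(rx, p[1], re.IGNORECASE)]
            for cat, rx in INDICATORS.items()}
```

Running `flag_indicators(parse_report(SAMPLE_REPORT))` on the sample reports the Run key, the service, the EnableLUA change (with its Old/New values kept on one entry), the Temp executable and the new task, and returns empty lists for the categories that did not fire.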

Advanced Usage

Malware Analysis Sandbox Workflow

# Prepare clean VM snapshot
# 1. Revert VM to clean snapshot
# 2. Launch Regshot as Administrator
# 3. Take 1st Shot (registry + filesystem)
# 4. Execute malware sample
# 5. Wait for malware to complete initialization (30-120 seconds)
# 6. Take 2nd Shot
# 7. Compare and save report
# 8. Revert VM to clean snapshot

# Post-analysis: parse report for IOCs
$report = Get-Content "C:\Analysis\Reports\comparison.txt"
$report | Select-String -Pattern "(Run\\|Services\\|\.exe|\.dll|\.sys)" | 
    ForEach-Object { $_.Line }

Comparing Saved Snapshots

# Regshot saves snapshots as .hiv files
# You can compare snapshots taken at different times:
# 1. Load previously saved 1st shot
# 2. Load previously saved 2nd shot  
# 3. Click Compare

# Snapshot files are stored in the OutputPath directory
# File naming: computerName_date_time.hiv

Combining with Other Tools

# Comprehensive analysis workflow:
# 1. Start Process Monitor (capture API calls)
# 2. Start Wireshark (capture network traffic)
# 3. Take Regshot 1st shot
# 4. Execute sample
# 5. Take Regshot 2nd shot
# 6. Stop Process Monitor and Wireshark
# 7. Compare results across all tools

# Parse Regshot HTML report for specific patterns
$html = Get-Content "comparison.html" -Raw
if ($html -match "CurrentVersion\\Run") {
    Write-Host "Persistence mechanism detected in Run key"
}
if ($html -match "Services\\") {
    Write-Host "Service installation detected"
}

Scripted Report Analysis

#!/usr/bin/env python3
"""Parse Regshot text report for IOCs."""
import re
import sys

def parse_regshot_report(filepath):
    # Regshot reports are not always clean UTF-8; replace undecodable bytes instead of aborting
    with open(filepath, 'r', errors='replace') as f:
        content = f.read()

    iocs = {
        'persistence_keys': [],
        'files_added': [],
        'services': [],
        'security_changes': []
    }

    # Find persistence mechanisms (Run / RunOnce entries)
    for match in re.finditer(r'CurrentVersion\\(Run|RunOnce)\\.*', content):
        iocs['persistence_keys'].append(match.group())

    # Find service registrations
    for match in re.finditer(r'CurrentControlSet\\Services\\.*', content):
        iocs['services'].append(match.group())

    # Find added executables and scripts (any path with a suspicious extension)
    for match in re.finditer(r'(C:\\[^\n]+\.(exe|dll|sys|bat|ps1))', content):
        iocs['files_added'].append(match.group(1))

    # Find security policy changes (e.g. UAC or Defender settings)
    for match in re.finditer(r'(EnableLUA|DisableAntiSpyware|Policies).*', content):
        iocs['security_changes'].append(match.group())

    return iocs

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <regshot_report.txt>")
    iocs = parse_regshot_report(sys.argv[1])
    for category, items in iocs.items():
        if items:
            print(f"\n[{category}]")
            for item in items:
                print(f"  {item}")

Troubleshooting

| Issue | Solution |
|---|---|
| Incomplete registry capture | Run as Administrator for full HKLM/HKU access |
| Snapshot takes too long | Reduce scan scope — monitor specific directories instead of entire drives |
| Large report file | Focus on specific registry hives and directories relevant to analysis |
| Missing filesystem changes | Ensure Scan Dir paths are configured and “registry + file system” is selected |
| Access denied errors | Some registry keys require SYSTEM privileges; use PsExec to run as SYSTEM |
| 32-bit vs 64-bit differences | Use regshot-x64.exe on 64-bit systems to access native registry view |
| Report formatting issues | Switch between TXT and HTML formats; HTML provides better readability |
| Comparison shows too many changes | Take snapshots close together in time; disable Windows Update and background services |