I have heard about the RegFromApp tool for quite some time but never really tested it because I am a very happy SysTracer user. SysTracer is able to take snapshots and then compare them to show the differences in files, registry and applications. As for RegFromApp, the name itself suggests that it only monitors the registry, which I think is not complete since I also need to monitor for file changes. Nevertheless, I am always a big fan of tools created by Nir Sofer, so here is my review of RegFromApp.
After testing RegFromApp, the methodology is actually quite different from SysTracer's, because RegFromApp injects itself into a process and then monitors the registry changes in real time. With SysTracer, by contrast, I had to take a first snapshot, make the changes and then take another snapshot to compare the differences.
There are two ways to monitor with RegFromApp. The first is to inject it into a process that is already running; the second is to select the file that you want to monitor and then run it from RegFromApp. One important note: if you have UAC enabled, you should run RegFromApp as administrator so that you are able to trace processes that are run under administrator. The registry changes are output instantly on the RegFromApp interface. You can then save the entire set of registry changes into a .reg file by using the ‘Save As’ option.
One possible problem that I’ve discovered when testing RegFromApp is that you may not be able to directly monitor registry changes made by installation setup files. The reason is that when you run a setup file, it actually extracts a couple of real installation files to the temporary folder and then uses them for the installation. Here is an example scenario where I ran gbooks.exe from the desktop to install Google Books Downloader. After clicking the Next button once, the gbooks.exe process is no longer active and is being replaced by 11659nua.exe and 11659nua.tmp in the temp folder. So in order to monitor the installation registry changes of gbooks.exe, I would have to inject RegFromApp into both the 11659nua.exe and 11659nua.tmp processes from two different instances.
The same goes for malware with melting capability. When you run the malware, it creates a copy of itself in a deeper location where it is not easily seen, and then the newly created copy starts to make changes to your registry by automatically adding itself to startup. RegFromApp is useful, but only for certain situations. It is free and works from Windows 2000 to Windows 7.
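Once the changes captured from the right process (the extracted installer executable, or the melted copy of a sample) have been saved with ‘Save As’, the .reg export can be triaged offline. The following is an added example, not RegFromApp's own code, that parses such a file and flags every value written under the Run and RunOnce autostart keys; the file layout and the sample export are assumptions, not real tool output.

```python
import re
# Added example, not RegFromApp's own code: parse a .reg file saved with its
# 'Save As' option and flag writes under common autostart keys. Assumes the
# standard "Windows Registry Editor Version 5.00" layout: [KEY] headers with
# "name"=value lines beneath, and a leading '-' marking a deletion.
AUTOSTART_SUFFIXES = (r"\software\microsoft\windows\currentversion\run",
                      r"\software\microsoft\windows\currentversion\runonce")
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# Constructed sample export (not real tool output) used by the demo below.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Users\\Public\\Libraries\\updater.exe"
"OldEntry"=-
'''

def _decode(raw):  # unescape quoted REG_SZ literals (\\ -> \); others stay raw
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw

def parse_reg(text):
    """Return {key: {name: value}}; a deleted key or value maps to None."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):          # [-KEY] removes the whole key
                entries[body[1:]], current = None, None
            else:
                current = body
                entries.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1)
            entries[current][name] = None if m.group(2) == "-" else _decode(m.group(2))
    return entries

def flag_autostart(entries):
    """List (key, name, value) for every value written under an autostart key."""
    return [(key, name, value) for key, values in entries.items() if values is not None
            and key.lower().endswith(AUTOSTART_SUFFIXES)
            for name, value in values.items() if value is not None]
```

Running `flag_autostart(parse_reg(SAMPLE_REG))` on the constructed sample reports only the ExampleUpdater entry; the deleted OldEntry value and the ordinary InstallDir write are not flagged.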