Registry from scratch

Hi there guys. I've been tweaking and modifying the Windows registry for years now. Usually I use google to search for what I want, I also use programs like regshot to monitor changes to the registry as I change settings.

One thing I wish to learn though is how do people come up with registry hacks from scratch?

From time to time you'll fine a reg file which makes changes and I wander how did they even go about finding this. An example of this would be the kill none responding tasks. You can read about it here: Kill All Not Responding Tasks in Windows 10
My question is, how do you go about creating one of these to begin with and sharing it on the internet.

Not sure what you're asking...

• How did they figure out the command?
• How did they know how to create a context menu entry?
• Something else?

RegShot is good, albeit slow. I use TechNet/Sysinternals' Process Monitor to monitor registry changes in realtime. Create a shortcut to run it as Administrator and change the target by adding /NoConnect (so it doesn't automatically start monitoring).



Deselect all monitors in the toolbar except for Registry.



Add a filter for RegSetValue then start monitoring and making changes to the system.



The RegSetValue filter will show you when a registry change is made.

Have a look at this article for more detailed info.

Hope this helps...

KeithM said:

Not sure what you're asking...

• How did they figure out the command?
• How did they know how to create a context menu entry?
• Something else?

All of the above.

- - - Updated - - -

RickC said:

RegShot is good, albeit slow. I use TechNet/Sysinternals' Process Monitor to monitor registry changes in realtime. Create a shortcut to run it as Administrator and change the target by adding /NoConnect (so it doesn't automatically start monitoring).



Deselect all monitors in the toolbar except for Registry.



Add a filter for RegSetValue then start monitoring and making changes to the system.



The RegSetValue filter will show you when a registry change is made.

Have a look at this article for more detailed info.

Hope this helps...

Yes I know how to monitor changes made to the registry. I talking about creating values from scratch without sniffing changes. Because these changes can only be made directly

Mintmag said:

All of the above.
... Because these changes can only be made directly

In the case of your example, the taskkill command is documented by both built-in help:

as well as online.

The same for adding a context menu entry. Numerous tutorials online, much of it most likely learned by studying existing entries and subsequent trial & error.I
You seem to gloss over the importance of programs like ProcMon. I don't think you realize how important the Value Not Foun resullt can be. That can clue you in to values that don't exist by default, but if created, can alter behavior. That's how I discovered JumpListItems_Maximum when Start_JumpLIstItems ​ stopped working as it had before.

RickC said:

RegShot is good, albeit slow.

Consider: Regshot2 Unicode - The Portable Freeware Collection

KeithM said:

In the case of your example, the taskkill command is documented by both built-in help:

as well as online.

The same for adding a context menu entry. Numerous tutorials online, much of it most likely learned by studying existing entries and subsequent trial & error.I
You seem to gloss over the importance of programs like ProcMon. I don't think you realize how important the Value Not Foun resullt can be. That can clue you in to values that don't exist by default, but if created, can alter behavior. That's how I discovered JumpListItems_Maximum when Start_JumpLIstItems ​ stopped working as it had before.

I'm not glossing over programs like ProcMon it's that monitoring the registry if you don't know what you're looking for. That being said I found ProcMon to be difficult to use compared to regshot.


the PowerShell example you have provided is kind of what I was after. Itr seems that kill all none responding tasks was feature of powerShell so maybe he then used tools like ProcMon to observe how things are added to the context menu and added the PowerShell feature in the same manner. Is that what you mean?


You mentioned Value Not Found can be used as a clue for these type of things. I’d very much like to learn more about this. This is less about "how do I do this" and more of a "How do I learn to do this."

There's nothing specific to PowerShell going on there. Taskkill is a command line program that can be invoked from cmd.exe or PowerShell. There's no magic bullet to learning, it just takes time.

KeithM said:

There's nothing specific to PowerShell going on there. Taskkill is a command line program that can be invoked from cmd.exe or PowerShell. There's no magic bullet to learning, it just takes time.

Say you find a command line program that you like such as diskpart for example and you wanted to open a drive partition within diskpart using the right click menu . How would you do it?