


Page history last edited by AlephX 15 years, 11 months ago

Regshot, a tutorial


How to determine the portability of an application



0. Introduction

1. Step 1: let Regshot run!

2. Step 2: Read the log!

2.1 DirectX related entries

3. Conclusion









Many TPFC users post submissions of portable applications but, in the end, these programs are not really portable. Despite the disappointment, the users try to submit a new program because an author's webpage claims that his/her "program can be used even on a USB key or a floppy!"... and they get frustrated once again... and then it seems that Andrew, Fluffy and Darkbee are the nasty ones!


Well, there is a simple solution: testing a program before submitting it. Many users ask: "How can I test it?" The answer is: "By using Regshot!" The second very frequently asked question is: "OK! But how can I read the results of the log produced by Regshot?"


...the answer is this short tutorial!





Step 1: Let Regshot run!



Regshot is an easy portable application itself! Run it and a little window will appear:



First set "compare logs save as" to Text file: it's better if you want to post the results. These are the steps to follow:


0) If not already set, you have to set the "Scan Dir" options...


Normally it's a good idea to also check the "Scan dir" option (below the HTML/Text output option) and enter the following three folders:


- the application folder (i.e. where the EXE you are testing resides)

- the user profile folder (normally C:\Documents and Settings\UserName)

- the Windows folder (C:\WINNT on Win2K, C:\WINDOWS on WinXP).



1) BEFORE running the application to be tested, click on the "1st shot" button. A little white panel will prompt you to choose among three options:

a) shot, b) shot and save, c) load


Choose "shot" by clicking on it!


You will have to wait a few seconds, depending on your processor and on how bloated your registry is...


Important: leave the program alive and don´t terminate it!



2) When you hear a "ding" (it means that the shot is complete), run your application. The application must be ready to run: if you unpack, pack, or use many other applications in between, Regshot will collect all of those (not directly related) registry modifications too, making it harder to understand what happened.


3) Play with the application to be tested! It's important to determine whether the program saves its settings: last used folder, window position and so on... Then terminate the program normally.


4) Finally go back to Regshot and click on "2nd shot". As with "1st shot", you will be prompted with the same options... Click again on "Shot" and wait for the "Ding!". Now you are ready to... (suspense)


5) Click on "cOmpare"... Magically a Notepad Window will appear informing you about the modifications in the registry!


with this structure:



Regshot 1.7
Comments: (usually nothing)
Datetime: (no comment)
Computer: (The name of your machine under Windows, before and after)
Username: (The User name under Windows, before and after)

Keys added: (number)
added key string 1
added key string 2

Keys deleted: (number)
deleted key string 1
deleted key string 2
deleted key string 3
deleted key string 4

Values deleted: (number)
deleted value 1

Values modified: (number)
original key string 1
modified key string 1
original key string 2
modified key string 2
original key string 3
modified key string 3
Total changes: (number)


The strings you read are the values you can find in the registry. To check that, simply run regedit.exe and search for them. If you want to show this log in the forum to ask for advice, simply copy and paste it... Pay attention, though: registry keys can often contain private information such as your real name, so read the log carefully before posting it.



2. Step 2: Read the Log!


Normally, if Total Changes is 0 (zero), it's easy to determine that the application is really portable. More often you will find that some values have been modified. There is no fixed rule, but if "Total Changes" is more than 20, you can be pretty sure that this application is not portable.


In many cases, if the application is a very interesting tool for IT support, or a quite rare utility, the application can be considered portable.


But sometimes there are many modified keys which are made by the system itself, and don´t influence the behavior of the application. They are not real settings...


This is an example of a non relevant key:


HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 6A 8F D0 A9 4A 88 93 20 1C 24 4D B8 9F 76 36 43 AC E4 43 1D 3E 47 15 04 6F DB 66 21 74 E9 40 EC 3D 4D 4F 51 89 BB 64 BF 3F 64 E3 07 10 5D 32 75 8A A8 69 E8 E9 BA 49 15 DC DD 82 A7 7F F0 A6 0D 6F 2C 45 92 7A CE CA 25 23 98 5B C5 AC 48 53 18
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 87 EB 6F 67 70 87 F6 07 C1 25 79 06 42 25 C5 ED 67 B4 29 11 63 52 96 2A 63 67 77 A3 8F 0A 1D CC 96 CE 6D 21 DA 0D A9 17 43 41 92 00 1A 20 94 AE F1 6D 2D 23 7B 5A 2A ED 3A 26 EA 6B 82 02 F7 76 DC 63 2B 43 C2 1E 61 37 AC 56 92 5A 19 C7 73 78


It's related to the cryptographic service, and you will find these modifications on almost every machine...



Using the Scan Dir option


Now let´s go back to Regshot´s screen...




This helps to check whether an application uses either the user profile folder or the Windows folder instead of the registry.


For example Regshot can report this:


Files [attributes?] modified:1


It´s clear that the app writes something in the system folder. It means that the application is not portable.


It is common for some apps to create file associations by default:


HKLM\SOFTWARE\Classes\KMPlayer.kpl\DefaultIcon: "C:\Temp\kmp\KMPlayer.exe,0"
HKLM\SOFTWARE\Classes\KMPlayer.kpl\DefaultIcon: "C:\Temp\kmplayer\KMPlayer.exe,0"
HKLM\SOFTWARE\Classes\KMPlayer.kpl\shell\Enqueue\command: ""C:\Temp\kmp\KMPlayer.exe" /ADD "%1""
HKLM\SOFTWARE\Classes\KMPlayer.kpl\shell\Enqueue\command: ""C:\Temp\kmplayer\KMPlayer.exe"


Many expert users don't have any issues with that, but it would be nice if the app didn't do that by default, or provided an option to remove file associations. However, some people will get really angry if the registry is "tainted" by an app.


By the way, remember what you already read in Step 1, part 2: if there is a sizable interval between the 1st and 2nd shot (e.g. you are just messing around with the app and didn't terminate it soon enough), you will often get registry changes made by Windows itself, e.g.:


HKU\S-1-5-21-329068152-343818398-725345543-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 9F 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 20 4D 78 F6 5F 51 C6 01 01 00 00 00 C0 A8 DC 80 00 00 00 00 00 00 00 00


That is because the various components of Windows will make changes to the registry from time to time. I don't have any "exact" guidelines on how to spot these registry changes. But applying common sense, and doing it often enough, helps.


When you turn "Scan dir" on, certain system files will frequently be updated, e.g.:


Files [attributes?] modified:10
C:\Documents and Settings\Normal\Cookies\index.dat
C:\Documents and Settings\Normal\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Normal\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Normal\NTUSER.DAT
C:\Documents and Settings\Normal\ntuser.dat.LOG


These have nothing to do with the app you are testing. Again, applying common sense and experience will help determine which entries to ignore.




DirectX related entries



When running apps that use DirectX in any way, chances are you will get DirectX related registry changes:


HKU\S-1-5-21-329068152-343818398-725345543-1001\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default WaveOut Device\WaveOutId: 0xFFFFFFFF
HKU\S-1-5-21-329068152-343818398-725345543-1001\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\DirectSound: Creative Sound Blaster PCI\FriendlyName: "DirectSound: Creative Sound Blaster PCI"
HKU\S-1-5-21-329068152-343818398-725345543-1001\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\DirectSound: Creative Sound Blaster PCI\CLSID: "{79376820-07D0-11CF-A24D-0020AFD79767}"


Some people will argue that DirectX apps should not be considered portable, but that's another debate for another day...
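
The triage described in Step 2, sketched as an added example (it is not part of the original tutorial or of Regshot): it reads a Regshot text log, sets aside the entries the tutorial calls system noise, and tags DirectX entries separately so you can decide about them yourself. It assumes the log keeps its backslash separators; the function names and the sample log are constructed for illustration.

```python
import re

# Entries the tutorial names as system noise rather than application settings.
NOISE = [re.compile(p, re.I) for p in (
    r"\\Microsoft\\Cryptography\\RNG\\Seed:",
    r"\\Internet Settings\\Connections\\SavedLegacySettings:",
    r"\\(index\.dat|ntuser\.dat(\.log)?)$")]
# DirectX device enumeration: the tutorial leaves it open, so it is tagged separately.
DIRECTX = re.compile(r"\\Microsoft\\ActiveMovie\\devenum\\", re.I)
HEADER = re.compile(r"^(Keys|Values|Files|Folders)[^:]*?(added|deleted|modified)\s*:\s*\d+", re.I)

def classify(entry):
    if any(p.search(entry) for p in NOISE):
        return "noise"
    return "directx" if DIRECTX.search(entry) else "relevant"

def triage(log_text):
    """Group log entries as (section, entry) under noise / directx / relevant."""
    result = {"noise": [], "directx": [], "relevant": []}
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:
            continue  # blank lines and ---- separators
        if line.lower().startswith("total changes"):
            break
        m = HEADER.match(line)
        if m:
            section = f"{m.group(1)} {m.group(2)}".lower()
        elif section:  # banner and comment lines before the first section are skipped
            result[classify(line)].append((section, line))
    return result

# Constructed sample: key paths follow the tutorial; SID, data and the .ini name are made up.
SAMPLE = r"""Regshot 1.7
Keys added:2
HKLM\SOFTWARE\Classes\KMPlayer.kpl\DefaultIcon
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default WaveOut Device
Values modified:1
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 6A 8F D0 A9
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 87 EB 6F 67
Files [attributes?] modified:2
C:\Documents and Settings\Normal\NTUSER.DAT
C:\WINDOWS\example_app.ini
Total changes:5
"""

if __name__ == "__main__":
    print({kind: len(items) for kind, items in triage(SAMPLE).items()})
```

Only the "relevant" entries need a closer look; the noise patterns cover just the examples named in this tutorial and should be extended as you meet more of them.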






Until now, there is no conclusion! This is still a work in progress...
