Using RegMon to support migrating NT 4.0 to Windows 2003 Servers

Posted on 2015-5-4 09:05:08
1.1 Overview
  Regmon is a registry monitoring utility that shows you which applications are accessing your registry, which keys they are accessing, and the registry data that they are reading and writing, all in real time. This advanced utility allows you to see and understand exactly how programs use the Registry. With Regmon you'll see how values and keys are changed.
  Regmon works on Windows NT/2000/XP/2003, Windows 95/98/Me and Windows 64-bit for Itanium and x64.  
  
http://images.iyunv.com/cnblogs_com/shenr/27445/regmon.jpg
Figure 3-1: RegMon registry monitor
1.2 Installation and Use
  Install Regmon by copying the files to your hard drive, and start it by running Regmon.exe. Menu items and toolbar buttons can be used to toggle monitoring on and off, disable event capturing, control the scrolling of the listview, and save the listview contents to an ASCII file.
  Use the Filter dialog, which is accessed with a toolbar button or the Option|Filter/Highlight menu selection, to select what data will be shown in the listview. The wildcard (*) matches arbitrary strings, and the filters are case-insensitive. Only entries that match the include filter and are not matched by the exclude filter are displayed. Use ';' to separate multiple strings in a filter (e.g. regmon;software).
  For example, if the include filter is HKLM, and the exclude filter is HKLM\Software, all references to keys and values under HKLM, except to those under HKLM\Software will be monitored.  
  Wildcards allow for complex pattern matching, making it possible to match specific Registry accesses by specific applications, for example.  The include filter “Winword*Windows” would have Regmon only show accesses by Microsoft Word to keys and values that include the word “Windows”.  
  Use the highlight filter to specify which output you want highlighted in the listview, and select the colors used for highlighting.
  Regmon can either timestamp events or show the time elapsed from the last time you cleared the output window (or since you started Regmon).  The Options menu and the clock toolbar button let you toggle between the two modes.  The button on the toolbar shows the current mode with a clock or a stopwatch.  When showing duration the Time field in the output shows the number of seconds it took for the underlying file system to service particular requests.  
  When you see a Registry value or key in Regmon's output that you want to edit, simply double click on the line that includes the reference (or use the Regedit toolbar button) and Regmon will take you directly to the specific value using Regedit.  
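The include/exclude/highlight rules above, reproduced over a saved Regmon listing as an added example (this is not Regmon's own code). It assumes, as the "Winword*Windows" example implies, that a pattern is matched as a substring of the whole output line, so process name and key path are both visible to it; the log lines are constructed, not real captures.

```python
"""Regmon-style include/exclude/highlight filtering over captured output.

Semantics from the page: case-insensitive, '*' matches arbitrary text,
';' separates alternative patterns, a line is shown only when it matches
the include filter and does not match the exclude filter.
"""
import re

# Constructed sample lines in the shape of Regmon's saved listview
# (sequence, time, process, request, path, result). Not real captures.
SAMPLE_LOG = """\
1\t09:05:01\tWINWORD.EXE:1200\tOpenKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\tSUCCESS
2\t09:05:01\tWINWORD.EXE:1200\tQueryValue\tHKCU\\Software\\Microsoft\\Office\\10.0\\Word\\Options\\Windows\tNOTFOUND
3\t09:05:02\tregmon.exe:1300\tOpenKey\tHKLM\\Software\\Sysinternals\\Regmon\tSUCCESS
4\t09:05:02\tsvchost.exe:900\tQueryValue\tHKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Domain\tSUCCESS
5\t09:05:03\tWINWORD.EXE:1200\tCloseKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\tSUCCESS
"""


def compile_filter(spec):
    """Turn a filter string such as 'Winword*Windows;HKLM' into a list of
    case-insensitive regexes. Each '*' becomes '.*'; everything else is
    literal. An empty spec yields an empty list (matches nothing)."""
    pats = []
    for raw in spec.split(";"):
        raw = raw.strip()
        if raw:
            body = ".*".join(re.escape(part) for part in raw.split("*"))
            pats.append(re.compile(body, re.IGNORECASE))
    return pats


def matches_any(pats, line):
    """True when any pattern occurs somewhere in the line (substring match)."""
    return any(p.search(line) for p in pats)


def apply_filters(lines, include="*", exclude="", highlight=""):
    """Return [(line, highlighted)] for every line Regmon would display:
    matched by the include filter and not matched by the exclude filter."""
    inc = compile_filter(include)
    exc = compile_filter(exclude)
    hl = compile_filter(highlight)
    shown = []
    for line in lines:
        if not matches_any(inc, line) or matches_any(exc, line):
            continue
        shown.append((line, matches_any(hl, line)))
    return shown
```

The page's own example (include HKLM, exclude HKLM\Software) leaves only the svchost.exe line from the sample above, and include Winword*Windows keeps the three WINWORD.EXE lines.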

Regmon also has a boot monitoring capability, which is available on Windows NT.
1.3 How Regmon Works
  The heart of Regmon on Windows 9x is the virtual device driver, Regvxd.vxd. It is dynamically loaded, and in its initialization it uses VxD service hooking (see our May 1996 Dr. Dobb's Journal article on VxD service hooking for more information) to insert itself onto the call chain of 16 registry access functions in the Windows 95 kernel (Virtual Machine Manager). All registry activity, be it from 16-bit programs, Win32 applications, or device drivers, is directed at these routines, so Regmon catches all registry activity taking place on a machine.

On Windows NT, 2000 and XP Regmon loads a device driver that uses a technique we pioneered for NT called system-call hooking. When a user-mode component makes a privileged system call, control is transferred to a software interrupt handler in NTOSKRNL.EXE (the core of the Windows NT operating system). This handler takes a system call number, which is passed in a machine register, and indexes into a system service table to find the address of the NT function that will handle the request. By replacing entries in this table with pointers to hooking functions, it is possible to intercept and replace, augment, or monitor NT system services. Regmon, which obviously hooks just the Registry-related services, is merely one example of this capability in action.
  On Windows .NET Server Regmon takes advantage of a new operating system Registry callback mechanism to register for and receive information about Registry accesses as they occur. When you run Regmon on .NET Server it loads a version of the Regmon driver utilizing the callbacks.
  When Regmon sees an open, create or close call, it updates an internal hash table that serves as the mapping between key handles and registry path names. Whenever it sees calls that are handle based, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a key opened before Regmon started, Regmon will fail to find the mapping in its hash table and will simply present the key's value instead.
  Information on accesses is dumped into an ASCII buffer that is periodically copied up to the GUI for it to print in its listbox.  
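The handle-to-path bookkeeping described above, as an added simulation that is not Regmon's driver code. Open/Create calls record handle -> full path, Close calls drop the entry, and handle-based calls resolve through the table; the handle values and the event trace are constructed, and the well-known root handle values are given only as labelled assumptions.

```python
"""Simulation of Regmon's handle -> registry path hash table.

The interesting case is a handle opened before monitoring began (or used
after its Close was seen): no mapping exists, so the raw handle value is
displayed in place of a path, which is the failure mode the page describes.
"""

# Assumed root handle values (hypothetical, used only to seed the table).
PREDEFINED_ROOTS = {0x80000001: "HKCU", 0x80000002: "HKLM"}


class HandleTracker:
    def __init__(self):
        self.table = dict(PREDEFINED_ROOTS)  # handle -> full key path

    def resolve(self, handle):
        """Full path for a known handle; otherwise the hex handle value."""
        return self.table.get(handle, "0x%X" % handle)

    def on_event(self, op, handle, parent=None, name=None):
        """Consume one registry call and return the display line.
        OpenKey/CreateKey: handle is the new handle, parent + name form the
        path. CloseKey: forget the handle. Anything else is handle based and
        is resolved through the table, with the value name appended."""
        if op in ("OpenKey", "CreateKey"):
            path = self.resolve(parent) + "\\" + name
            self.table[handle] = path
        elif op == "CloseKey":
            path = self.resolve(handle)
            self.table.pop(handle, None)
        else:
            path = self.resolve(handle)
            if name:
                path += "\\" + name
        return "%s\t%s" % (op, path)


def run_trace(events):
    """Feed a constructed (op, handle, parent, name) trace through a tracker."""
    tracker = HandleTracker()
    return [tracker.on_event(*event) for event in events]


# Constructed trace: 0x40 is opened under monitoring, 0x7C was opened before.
SAMPLE_TRACE = [
    ("OpenKey", 0x40, 0x80000002, "Software\\Microsoft\\Windows"),
    ("QueryValue", 0x40, None, "Version"),
    ("QueryValue", 0x7C, None, "Path"),
    ("CloseKey", 0x40, None, None),
    ("QueryValue", 0x40, None, "Version"),
]
```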
  For more detailed information on how Regmon works on Windows NT, see:
  · "Windows NT System Call Hooking," by Mark Russinovich and Bryce Cogswell, Dr. Dobb's Journal, January 1997
  · Inside NT Utilities, Windows NT Magazine, February 1999.
Related Utilities
  Here are some other monitoring tools available at Sysinternals:
  · Filemon – a file system activity monitor
  · Tdimon – a TCP/IP monitor
  · Portmon – a serial and parallel port monitor
  · PMon – a process and thread monitor (NT/Win2K)
  · Diskmon – a hard disk monitor (NT/Win2K)
  · DebugView – a debug output monitor
More Information
  The following serve as additional sources of information on the Windows NT/2000/XP and Windows 9x/Me registries:
  · Inside Windows 2000, 3rd Edition, by David Solomon and Mark Russinovich, 2000
  · "Examining the Windows 95 Registry," by Mark Russinovich and Bryce Cogswell, Windows Developer's Journal, October 1996
  · "Inside the Windows NT Registry," by Mark Russinovich, Windows NT Magazine, April 1997
  · "Inside the Windows 95 Registry," by Ron Petrusha, O'Reilly and Associates, 1996
  · "Managing the Windows NT Registry," by Paul Robichaux, O'Reilly and Associates, 1998
  · "Windows 98 Registry For Dummies," by Glenn Weadock, IDG Press, 1998
  · "Using the Windows 98 Registry," by Jerry Honeycutt, Que, 1998
Microsoft Regmon KB Articles
  The following Microsoft KB articles reference Regmon for troubleshooting or diagnosing various problems:
  · 296205: ACC: Error Message: ActiveX Component Can't Create Object
  · 830761: Best practices for deploying Visual Basic 6.0 applications
  · 269251: BUG: Automating Windows Installer May Hang When Enumerating Products
  · 323639: HOW TO: Create Custom Administrative Templates in Windows 2000
  · 286198: HOWTO: Track "Permission Denied" Errors on DLL Files
  · 309051: HOW TO: Troubleshoot ASP in IIS 5.0
  · 308940: HOWTO: Troubleshoot Error 1928 "Error Registering COM+ Application"
  · 814774: HOW TO: Troubleshoot Site Deployment Issues in Microsoft Content Management Server 2002
  · 183060: INFO: Troubleshooting Guide for 80004005 and Other Error Messages
  · 198038: INFO: Useful Tools for Package and Deployment Issues
  · 327657: OL2002: How to Create Trusted Outlook COM Add-ins
  · 260513: PRB: An Error Occurs When You Install Visual Studio Products
  · 274038: PRB: ASP Error 8002801d "Library Not Registered"
  · 269383: PRB: 'Error Accessing the System Registry' Message When Displaying VB/VBA References
  · 296108: PRB: Various Issues in Visual Studio Programs on Windows NT-Based Systems
  · 310586: The Exchange MSSearch instance does not come online on a cluster and event IDs 3055 and 10006 are logged
  · 555069: Top 10 Potential Problematic Security Settings for Microsoft Windows XP Professional Edition and Microsoft Windows Server 2003
  · 296136: XADM: Error Message: Error 123: The Filename, Directory Name, or Volume Label Syntax Is Incorrect
  
Regmon Enterprise Edition, the commercial version of Regmon, extends the functionality of Regmon with several powerful features, including the ability to monitor remote systems and save output to a log file as the output is generated. It is available as part of the Winternals Administrator's Pak.
1.4 RegMon download site
  RegMon Download (x86 – 72 KB) – if you plan on using Regmon on WinNT/2K/XP
http://www.sysinternals.com/ntw2k/source/regmon.shtml

Thread: https://www.yunweiku.com/thread-63386-1-1.html