Free file system and registry snapshot comparison programs for 64-bit (x64) Windows

Discussion in 'other software & services' started by MrBrian, Feb 5, 2014.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Continuation of https://www.wilderssecurity.com/showthread.php?t=305704.

    I recently tested Regshot v1.9.0, Regshot Unicode v2.0.1.68, System Explorer v4.5.0, OSForensics v2.2.1000, and SysTracer v2.6.0.59 (not free) on Win 7 x64.

    IMHO, the best choice for x64 file snapshot comparison is SysTracer (not free). Other good choices are System Explorer, Regshot, and OSForensics.

    IMHO, the best choice for x64 registry snapshot comparison is SysTracer (not free). Other good choices are System Explorer, Regshot, and Regshot Unicode.

    For both file and registry snapshot comparison, I plan on using System Explorer first because of its tree view, and Regshot if I want a 2nd opinion.

    Some issues with System Explorer:
    1. It seems to compare just 7 of the 12 types of values possible (although all of the most common ones). (Use Aezay Registry Commander to create types that regedit.exe can't create.)
    2. Just the first line of multi-line values of type REG_MULTI_SZ seems to be shown.
    3. Added keys that have no values are apparently not shown.
    4. Deleted keys that had no values prior to deletion are apparently not shown.
    5. Seems to miss a few changed files that some others find, but those it misses usually aren't ones that are interesting anyway.
    6. How to edit the Global Filter file?

    Any others? :D
     
  2. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    938
    Clicking on 'Global Filter' opens Notepad; after adding folders/registry paths, save the opened file. It is easy and quick to edit.

    I also use the 'exclude' field to exclude items like 'winsxs' from all snapshots, which reduces the snapshot analysis. E.g.:
    Code:
    C:\Windows\winsxs;HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\;HKCU\Software\Classes\Local Settings\MuiCache\;HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\;
    The snapshot feature in 'System Explorer' is quick and good enough for me.

    ;)
     
  3. MrBrian

    MrBrian Registered Member

    Thanks :). I had tried that before, but it doesn't work on x64 apparently. Are you using x64?
     
    Last edited: Feb 8, 2014
  4. majoMo

    majoMo Registered Member

    Yes, using Win 7 x64.

    A tip: if you use 'Global Filter', check/uncheck it to see the differences; but if, e.g., you are viewing text results, you need to toggle to tree view (and back to the text viewer), since it needs to reload results with/without the filter activated.
     
  5. MrBrian

    MrBrian Registered Member

    Using v4.5.0?
     
  6. majoMo

    majoMo Registered Member

    Humm... I forget. :blink:

    I'm using v. 3.8.5 - could be the annoyance perhaps?

    :doubt:

    P.S.: I'll try with the latest version.
     
  7. majoMo

    majoMo Registered Member

    @ MrBrian, it seems to work well in v. 4.5.0

    If I can help, I can try something that you are doing that doesn't work for you, to see the issue better.
     
  8. MrBrian

    MrBrian Registered Member

    @majoMo: Here's what I get when I press Global Filter Edit button:

    se.png

    This is from a new installation of v4.5.0 into a clean Win 7 x64 virtual machine.
     
  9. MrBrian

    MrBrian Registered Member

    @majoMo: I didn't post at the System Explorer forum about any of the possible issues that I've found. I don't have an account there.

    --------

    Here's another problem too: it launches the 32-bit version of Regedit.exe, which is blind to some of a 64-bit system.
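
The gaps listed in the first post (keys without values, less common value types, multi-line REG_MULTI_SZ) and the 32-bit view problem described in the post above can be checked independently with a short script. This is an added PowerShell example, not code from the thread or from any of the tools discussed; the function names `Get-RegSnapshot` and `Compare-RegSnapshot` and the default Run key path are assumptions chosen for illustration.

```powershell
# Added example: snapshot a registry subtree in an explicit registry view.
function Get-RegSnapshot {
    param(
        [Microsoft.Win32.RegistryHive]$Hive = 'LocalMachine',
        [string]$SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',  # assumed sample path
        [Microsoft.Win32.RegistryView]$View = 'Registry64'
    )
    $snap  = @{}                       # case-insensitive keys, like the registry
    $base  = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $View)
    $stack = New-Object System.Collections.Stack
    $stack.Push($SubKey)
    while ($stack.Count -gt 0) {
        $path = $stack.Pop()
        try { $key = $base.OpenSubKey($path) } catch { continue }   # e.g. access denied
        if ($null -eq $key) { continue }
        $snap[$path] = '<key>'         # record the key itself, so empty keys are diffed
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $text = [string]$data
            if ($data -is [byte[]])   { $text = [BitConverter]::ToString($data) }
            if ($data -is [string[]]) { $text = $data -join '|' }   # every line of REG_MULTI_SZ
            if ($null -eq $data)      { $text = '<no data returned>' }
            $snap["$path :: $name"] = "[$kind] $text"   # kind is part of the compared text
        }
        foreach ($sub in $key.GetSubKeyNames()) { $stack.Push("$path\$sub") }
        $key.Close()
    }
    $base.Close()
    return $snap
}

# Report added, deleted and changed keys/values between two snapshots.
function Compare-RegSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($item in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        $old = $Before[$item]; $new = $After[$item]
        if     ($null -eq $old) { $change = 'Added' }
        elseif ($null -eq $new) { $change = 'Deleted' }
        elseif ($old -cne $new) { $change = 'Changed' }
        else                    { continue }
        [pscustomobject]@{ Change = $change; Item = $item; Before = $old; After = $new }
    }
}

# Diffing the two views shows what a 32-bit tool on x64 Windows does not see.
$view64 = Get-RegSnapshot -View Registry64
$view32 = Get-RegSnapshot -View Registry32
Compare-RegSnapshot -Before $view32 -After $view64 | Format-Table -AutoSize
```

For an ordinary before/after comparison, take two snapshots with the same `-View` around the change being examined and pass them to `Compare-RegSnapshot`.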
     
  10. majoMo

    majoMo Registered Member

    I renamed my 'snapshotFilter.txt' to see if such a message comes up; but SE built a new default file. So I can't reproduce your issue. [I didn't do a new installation of v. 4.5.0, however]

    I add here the default file - maybe you can use it for now.

    View attachment snapshotFilter.txt
     
  11. MrBrian

    MrBrian Registered Member

    Thanks, I'll try it and post if it works :).
     
  12. majoMo

    majoMo Registered Member

    You are right about that. I can confirm that here.

    Since SE doesn't have a 64-bit version, such annoyances can happen.
     
  13. MrBrian

    MrBrian Registered Member

    That works, thanks :). v4.5.0 doesn't include that file by default, so it looks to be a bug.
     
  14. majoMo

    majoMo Registered Member

    Nice to know that. ;)
     