Regshot Guide

Overview

Regshot is a tool that takes snapshots of your registry and file system and lets you see the differences between two points in time, for example before and after a malware specimen runs.

Usage

Using Regshot is fairly straightforward. To start Regshot, double-click the Regshot icon on your desktop. It would also be wise to have the malware folder open (but don't run anything just yet).

Step 1: Configure Regshot

By default Regshot examines only the registry for changes, but you can also have it examine the file system. To do this, click the check box next to "Scan dir", and then enter the directories to scan in the box beneath it.

If you have more than one directory, separate them by using a semicolon (;). For this class, use the following directories (at a minimum):

  • C:\users
  • C:\malware
  • C:\Windows

Step 2: Take the 1st Shot

The first thing to do with Regshot is take your 1st shot. To do this, click the 1st shot button on the right, then click "Shot".

Step 3: Take a VM Snapshot

Since it is common to have to repeat this process, take a virtual machine snapshot (VMware snapshot).

Step 4: Run the Malware

At this point you'll need to run whatever malware you'll be analyzing. The specific lab exercises will tell you what specimens to analyze.

Step 5: Take the 2nd Shot

Take the second Regshot snapshot by clicking the 2nd shot button on the right, then clicking "Shot".

Step 6: Compare

Now that you've taken the 2nd Regshot snapshot, click the Compare button on the right to compare the two.

Regshot should then open Notepad automatically, showing you the differences (keys and files added, deleted, or modified between the two shots).
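The snapshot-and-compare workflow of Steps 2, 5 and 6, as an added Python example that is not part of Regshot or this guide: it covers only the "Scan dir" file-system side (not the registry), hashes file contents to detect modifications, and uses a scratch directory in place of the directories listed above.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(roots):
    """Record every file under the given roots as {path: (size, sha256)}."""
    snap = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                p = Path(dirpath) / name
                try:
                    data = p.read_bytes()
                except OSError:
                    continue  # locked, or vanished between listing and read
                snap[str(p)] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def compare(first, second):
    """Bucket the differences the way a Regshot report does: added, deleted, modified."""
    added = sorted(set(second) - set(first))
    deleted = sorted(set(first) - set(second))
    modified = sorted(p for p in first.keys() & second.keys() if first[p] != second[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def demo():
    """Constructed run: a temporary directory stands in for C:\\malware and friends."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("a=1")
        (root / "readme.txt").write_text("hello")
        first = snapshot([root])                      # Step 2: 1st shot
        # Simulated specimen behaviour (Step 4): drop a file, edit one, delete one.
        (root / "dropper.dll").write_bytes(b"\x00" * 16)
        (root / "config.ini").write_text("a=2")       # same size, different content
        (root / "readme.txt").unlink()
        second = snapshot([root])                     # Step 5: 2nd shot
        diff = compare(first, second)                 # Step 6: compare
        return {k: [Path(p).name for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

Note that config.ini keeps its size after the edit, which is why the comparison keys on a content hash rather than size alone.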