@belst-n
Forked from aadityabhatia/registry-diff.ps1
Created December 31, 2024 16:56
Two PowerShell scripts: one records the values found directly under a fixed list of Windows Registry keys (autorun and Explorer shell-folder locations) to a JSON snapshot; the other reads two such snapshots and prints every value that was added, removed or changed between them.
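<#
.SYNOPSIS
    Compares two registry snapshots written by the companion snapshot script
    and prints every value that was added, removed or changed.
.PARAMETER dataFile1
    Base name of the first snapshot; ".json" is appended when the file is read.
.PARAMETER dataFile2
    Base name of the second snapshot; ".json" is appended when the file is read.
.NOTES
    Output is a plain text report on the pipeline, one entry per differing value.
#>
[CmdletBinding()]
Param(
[Parameter(Position=1, Mandatory=$True)]
[string]$dataFile1,
[Parameter(Position=2, Mandatory=$True)]
[string]$dataFile2
)

# Stop at once if a snapshot is missing, unreadable or not valid JSON. With the
# default error action a failed read only warns and the comparison would then
# run against $null and report nonsense.
$dataObj1 = Get-Content -LiteralPath "$dataFile1.json" -Raw -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop
$dataObj2 = Get-Content -LiteralPath "$dataFile2.json" -Raw -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop

# Keys that are compared. This list must stay identical to the one in the
# snapshot script: a location captured there but missing here is never diffed,
# and a location listed here but not captured has nothing to compare against.
$locations = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\Software\Policies\Microsoft\Windows\System\Scripts",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
)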
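# Converts a PSCustomObject (the shape ConvertFrom-Json produces for a snapshot
# location) into a hashtable mapping NoteProperty names to their values.
# A $null input yields an empty table, so a location that exists in only one
# snapshot is reported as "everything added/removed" instead of aborting the run
# with a Get-Member error.
function getHashtable($obj) {
    $hash = @{}
    if ($null -ne $obj) {
        # Walk PSObject.Properties directly instead of Select-Object -ExpandProperty:
        # that parameter may interpret its argument as a wildcard pattern, so a
        # registry value name containing '*', '?' or '[' could be mis-resolved.
        foreach ($prop in $obj.PSObject.Properties) {
            if ($prop.MemberType -eq 'NoteProperty') {
                $hash[$prop.Name] = $prop.Value
            }
        }
    }
    return $hash
}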
# Formats one differing registry value as a report entry: a blank line, the
# dataset name (the snapshot base name, upper-cased so the two sides stand out)
# with the registry location, then an indented "name => data" line.
function printDiff($dataset, $location, $key, $value) {
    $header = "`n" + $dataset.ToUpper() + ": $location"
    $detail = "`t$key => $value"
    "$header`n$detail"
}
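# Reports every value under $location that differs between the two snapshot
# objects: present on one side only, or present on both with different data.
# Entries are emitted via printDiff, the first snapshot's side first.
function diffObjs ($location, $obj1, $obj2) {
    # Compare the JSON form of a value instead of applying -ne to the raw data:
    # when the data is an array (REG_MULTI_SZ, REG_BINARY) PowerShell's -ne acts
    # as an element filter and can report a change even when both sides are
    # identical, and -ne is case-insensitive, which would hide a change that
    # only alters the case of a command line. -InputObject keeps an array intact
    # rather than unrolling it through the pipeline.
    function valueJson($v) { ConvertTo-Json -InputObject $v -Compress }

    $h1 = getHashtable $obj1
    $h2 = getHashtable $obj2

    # Sorted so the report order is stable between runs; hashtable enumeration
    # order is not guaranteed.
    foreach ($key in ($h1.Keys | Sort-Object)) {
        if (-not $h2.Contains($key)) {
            printDiff $dataFile1 $location $key $h1[$key]
        } elseif ((valueJson $h1[$key]) -cne (valueJson $h2[$key])) {
            printDiff $dataFile1 $location $key $h1[$key]
            printDiff $dataFile2 $location $key $h2[$key]
        }
    }
    foreach ($key in ($h2.Keys | Sort-Object)) {
        if (-not $h1.Contains($key)) {
            printDiff $dataFile2 $location $key $h2[$key]
        }
    }
}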
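# Compare every tracked location. A location absent from one snapshot (for
# example a snapshot taken with an older key list) is treated as empty on that
# side and flagged, instead of letting Select-Object raise an error mid-run and
# silently passing $null into the comparison.
foreach ($loc in $locations) {
    # PSObject.Properties[...] returns $null for a missing name; no wildcard
    # interpretation of the registry path is involved.
    $prop1 = $dataObj1.PSObject.Properties[$loc]
    $prop2 = $dataObj2.PSObject.Properties[$loc]
    if ($null -eq $prop1) { Write-Warning "$loc is not present in $dataFile1.json" }
    if ($null -eq $prop2) { Write-Warning "$loc is not present in $dataFile2.json" }
    $obj1 = if ($null -ne $prop1) { $prop1.Value } else { $null }
    $obj2 = if ($null -ne $prop2) { $prop2.Value } else { $null }
    diffObjs $loc $obj1 $obj2
}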
<#
.SYNOPSIS
    Records the values under a fixed set of Windows Registry keys to a JSON
    snapshot that the companion diff script can compare later.
.PARAMETER outputFile
    Base name of the snapshot to write; ".json" is appended.
#>
[CmdletBinding()]
Param(
[Parameter(Position=1, Mandatory=$True)]
[string]$outputFile
)

# Keys to capture. Keep this list identical to the one in the diff script,
# which compares only the locations it knows about.
$locations = @(
    # Machine-wide Run/RunOnce keys, native and Wow6432Node views
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
    # Machine-wide policy scripts key
    "HKLM:\Software\Policies\Microsoft\Windows\System\Scripts",
    # Machine-wide Explorer shell-folder paths
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
    # The same Run/RunOnce and shell-folder keys for the current user
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
)

# location -> (value name -> value data); filled by the capture loop below.
$data = @{}
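"Creating snapshot..."
foreach ($loc in $locations) {
    # Only the values directly under each key are captured (Get-Item's Property
    # list); subkeys are not recursed, so anything registered one level down is
    # outside this snapshot. -LiteralPath takes the path verbatim, never as a
    # wildcard pattern.
    $item = Get-Item -LiteralPath $loc -ErrorAction SilentlyContinue
    $data[$loc] = @{}
    if ($null -eq $item) {
        # A missing key is still recorded as an empty location so the diff script
        # finds it; say so on the verbose stream, because "key absent" and "key
        # present with no values" look identical in the output file.
        Write-Verbose "$loc does not exist or is not readable"
        continue
    }
    foreach ($key in $item.Property) {
        $data[$loc][$key] = Get-ItemPropertyValue -LiteralPath $loc -Name $key
    }
}
"Snapshot created."

# Explicit depth: the structure is location -> name -> data, and array data
# (REG_MULTI_SZ, REG_BINARY) adds one more level. With ConvertTo-Json's default
# depth of 2 those values may be flattened to a type name, and the diff would
# then be blind to changes in them. UTF-8 keeps non-ASCII value data intact
# regardless of the host's ANSI code page.
$json = ConvertTo-Json -InputObject $data -Depth 4
Set-Content -LiteralPath "$outputFile.json" -Value $json -Encoding UTF8
"Saved Object: $outputFile.json"

# NOTE: the snapshot is plain JSON written with the caller's privileges, and it
# is read through the same registry API a local intruder could tamper with.
# Keep the baseline copy somewhere the monitored host cannot modify it, or an
# attacker able to edit these keys can also edit the baseline to match.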