How to find what/who changes the registry value

Boopathi S 3,666 Reputation points
2023-02-07T09:31:36.14+00:00

Hello,

AutoConfigURL changes whenever the user logs off and logs in, under the registry settings

Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Let me know how to find who/what/which is changing the data of the Name AutoConfigURL

I did the below but I cannot find it. Maybe I am not doing it correctly.

  1. Open ProcMon
  2. Navigate to Options > Click Enable Boot Logging
  3. From the resulting Dialog box, Select 'Generate profiling events'  'every 100 milliseconds'
  4. Reboot the PC
  5. Open ProcMon
  6. Click yes on prompt "A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data now?"
  7. Save the file as type 'Procmon Log (*.PML)' with the format of Devicename-bootlog (e.g.: laptop1-bootlog)
  8. Close Procmon once file has been saved
  9. Open the .PML file just saved to ensure it loads properly before sending to Support, then close it again

Kindly help.

Windows 10

  1. Limitless Technology 44,526 Reputation points
    2023-02-08T14:55:35.68+00:00

    Hi. Thank you for your question and for reaching out. I’d be more than happy to help you with your query.

    To find what is changing the value of the AutoConfigURL registry key, you can use the Microsoft Sysinternals Process Monitor tool. The steps you have outlined in your previous message are correct for using this tool to monitor registry changes.

    Start Process Monitor and set a filter for the registry key that you want to monitor. To do this, click the Filter menu and select Filter. In the Filter dialog box, select the Path option and enter the registry key value: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

    Next, click the Add button to add this filter.

    In the Process Monitor window, look for events with the Result column value of "NAME NOT FOUND". These events indicate a change was made to the registry key. The Operation column will show "RegSetValue" if the value was changed or "RegCreateKey" if a new key was created.

    The Process Name column will show the name of the process that made the change, and the Detail column will show the exact value that was changed.

    To stop capturing events, click the File menu and select Capture Events.

    This will give you a detailed view of any changes made to the AutoConfigURL registry key and the process responsible for making the change.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

    1 person found this answer helpful.
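
As an added example (not part of either post above, and not a Process Monitor feature): once a capture has been exported to CSV from Process Monitor, the rows that actually wrote or deleted AutoConfigURL can be pulled out in PowerShell. A completed write shows up as `RegSetValue` or `RegDeleteValue` with Result `SUCCESS`. The function name `Get-AutoConfigUrlWriter`, the process names, PIDs, SID and URL are constructed for illustration, and the default export columns are assumed.

```powershell
# Constructed sample rows in the column layout of a Process Monitor CSV export.
# Process names, PIDs, the SID and the PAC URL are made up for illustration.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:31:02.1000000 AM","explorer.exe","4120","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL","NAME NOT FOUND","Length: 144"
"9:31:05.2000000 AM","example-agent.exe","5288","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL","SUCCESS","Type: REG_SZ, Length: 58, Data: http://pac.example.test/proxy.pac"
"9:31:05.9000000 AM","svchost.exe","1032","RegSetValue","HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL","SUCCESS","Type: REG_SZ, Length: 58, Data: http://pac.example.test/proxy.pac"
"9:31:07.0000000 AM","example-agent.exe","5288","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"9:40:11.3000000 AM","reg.exe","6604","RegDeleteValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL","SUCCESS",""
'@

# Hypothetical helper: returns only the events that modified AutoConfigURL.
function Get-AutoConfigUrlWriter {
    param([Parameter(Mandatory)] [object[]] $Events)

    # Write operations only; reads (RegQueryValue) are dropped.
    $writeOps = 'RegSetValue', 'RegDeleteValue'
    # Match on the path suffix so both HKCU\... and HKU\<SID>\... rows are caught.
    $suffix = '\Internet Settings\AutoConfigURL'

    $Events |
        Where-Object {
            $writeOps -contains $_.Operation -and
            $_.Result -eq 'SUCCESS' -and
            $_.Path.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)
        } |
        Select-Object 'Time of Day', 'Process Name', 'PID', 'Operation', 'Detail'
}

# For a real capture, replace the next line with: $events = Import-Csv <path to export>
$events  = $sampleCsv | ConvertFrom-Csv
$writers = Get-AutoConfigUrlWriter -Events $events

# Every write to the value, in capture order, with the data that was written.
$writers | Format-Table -AutoSize -Wrap

# Summary: which process touched the value, and how many times.
$writers | Group-Object 'Process Name' | Select-Object Name, Count | Format-Table -AutoSize
```

On the sample rows this keeps the two `RegSetValue` events and the `RegDeleteValue` event, and drops the read and the write to `ProxyEnable`.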

