1. 使用 RegShot
三步走:
第一次快照(1st shot)
第二次快照(2nd shot)
比较(Compare)

供参考的配置文件 regshot.ini:
cobol
; regshot.ini
; Control file for Regshot (registry / file-system snapshot and compare tool), kept here as a
; reference configuration. Conventions used throughout: full-line ";" comments only, key=value
; with no spaces around "=", switch-type values are 1 = on / 0 = off. Never append a comment to
; a value line - the reader would most likely take it as part of the value.
[Setup-COMMENT]
;
; Snapshot control file regshot.ini
; @ Patrick (skydive241@gmx.de)
; H A N D L E W I T H C A R E ! ! ! ! ! ! ! !
;
; --------------------------------------------------------------------------------------------------------------
; ---------------------------------------------- general parameters --------------------------------------------
; --------------------------------------------------------------------------------------------------------------
[Setup]
; Title, Language and Flag: their exact meaning is not visible here (Language selects the UI
; language; Flag is a numeric option value whose bits are undocumented) - confirm in the program
; before changing them.
Title=WinMerge
Language=中文GB
Flag=9
; ExtDir is disabled. If it is ever re-enabled, check how the reader treats the ";" inside the
; value, since ";" is also the comment character of this file.
;ExtDir=C:\;D:\
; Behaviour switches (1 = on, 0 = off).
NoFiltersWhenLoading=1
DontDisplayInfoAfterShot=1
DontDisplayInfoAfterComparison=1
StartDefaultActionsByButtons=0
AutoCompare=0
StoreOnQuit=1
StoreOnlyUncompared=1
SaveSettingsOnExit=1
; Machine-specific: working directory for snapshots (the disabled example below points at a
; RegSnapshot... folder). Adjust per machine.
BaseDir=D:\Users\test\Desktop
;BaseDir=Z:\Downloads\Test\bin\VS2010\Regshot\x64\Debug Unicode\RegSnapshot20210108113232
OnlyNewVals=0
; Machine-specific: external editor, presumably launched when [Output] OpenEditor=1 - confirm.
Editor=C:\Temp\cuda\cudatext.exe
ShowSIDFilterRules=1
; Display / result limits. The disabled lines keep values that were tried earlier.
ExpandLevels=4
; ExpandLevels=10
MaxNodes=5000
;MaxNodes=999
MaxLines=5000
[Registry-Scan]
; Root hives included in the registry snapshot (1 = scan). HKCR and HKCC are not listed because,
; as the SkipRegKey-Comment section explains, they are views composed from HKLM and HKCU.
HKEY_LOCAL_MACHINE=1
HKEY_USERS=1
HKEY_CURRENT_USER=1
[Output]
; Which result files to generate (1 = write, 0 = don't) plus post-processing switches.
; OpenEditor presumably opens the comparison result in the [Setup] Editor - confirm.
OpenEditor=1
BATFile=1
UNLFile=0
HTMFile=0
TXTFile=0
; Installer-script outputs: ISS = Inno Setup, NSI = NSIS (see the [ISS] and [NSI] sections).
ISSDeinstallFile=0
ISSInstallFile=0
NSIDeinstallFile=0
NSIInstallFile=0
; .reg install / uninstall scripts - the only installer-style outputs enabled here.
RegDeinstallFile=1
RegInstallFile=1
;
; Presumably apply to generated delete operations; both off here.
DeleteDirNotEmpty=0
DeleteReadOnly=0
LogEnvironmentStrings=0
LogUNLOrder=0
; Encoding of the generated files:
;CP_UTF8 (65001): Unicode UTF-8
;CP_ACP (0): ANSI
;-1: Unicode UTF-16 LE
Codepage=65001
UseLongRegHead=0
OutSeparateObjs=0
; Result-view limit and logging switches.
OutMaxResultLines=100
CheckResult=0
SuppressLogs=1
; AutoIt script output (assumed from the .au3 extension - confirm).
AU3File=1
[REG-COMMENT]
; --------------------------------------------------------------------------------------------------------------
; --------------------------------------------- Flags for reg file ---------------------------------------------
; --------------------------------------------------------------------------------------------------------------
[REG]
; REG5: presumably emit .reg files in the "Windows Registry Editor Version 5.00" format - confirm.
REG5=1
[ISS-COMMENT]
; --------------------------------------------------------------------------------------------------------------
; --------------------------------------------- Flags for iss file ---------------------------------------------
; --------------------------------------------------------------------------------------------------------------
[ISS]
; Inno Setup script output. With UseDifferentISSOutputFolder=0 the folder below is presumably
; ignored; with UseDifferentISSEditor=1 the editor below is used instead of the [Setup] Editor
; (both assumed from the key names - confirm).
UseDifferentISSOutputFolder=0
ISSOutputFolder=C:\Temp\Output
UseDifferentISSEditor=1
; Machine-specific paths; the disabled line keeps an alternative editor.
ISSEditor=C:\Temp\Inno Setup 6\Compil32.exe
;ISSEditor=C:\Program Files (x86)\Inno Script Studio\ISStudio.exe
[NSI-COMMENT]
; --------------------------------------------------------------------------------------------------------------
; --------------------------------------------- Flags for nsi file ---------------------------------------------
; --------------------------------------------------------------------------------------------------------------
[NSI]
; NSIS script output; same switch semantics as the [ISS] section (assumed from the key names -
; confirm).
UseDifferentNSIOutputFolder=0
NSIOutputFolder=C:\Temp\Output
UseDifferentNSIEditor=1
; Machine-specific path.
NSIEditor=C:\Temp\nsis-3.06.1-setup\makensisw.exe
[UNL-COMMENT]
; --------------------------------------------------------------------------------------------------------------
; --------------------------------------------- Flags for unl file ---------------------------------------------
; --------------------------------------------------------------------------------------------------------------
[UNL]
; Content filters for the "unl" output (what "unl" stands for is not stated in this file -
; confirm). The output itself is disabled via [Output] UNLFile=0.
OnlyNewEntries=0
NoVals=1
NoDeletedEntries=0
[UNL-Output]
; Run-time switches of the UNL output. Silent / Simulation / NewFileLog / LogOnlyErrors are
; disabled; Log and DeleteReadOnly are on.
; NOTE(review): the key names (Simulation, DeleteReadOnly) suggest this output can act on the
; file system rather than only report. Confirm what it does before enabling it via [Output]
; UNLFile=1; if it does delete, Simulation=1 is the safer first run.
;Silent=1
;Simulation=1
Log=1
;NewFileLog=1
;LogOnlyErrors=1
DeleteReadOnly=1
[ScanDir]
; Directories covered by the file-system snapshot: 1 = scan, 0 = don't (assumed from the =1/=0
; pattern used throughout this file - confirm). [SkipDir] and [SkipFile] then presumably carve
; exclusions out of this set.
%SystemDrive%\=1
D:\=0
%SystemDrive%\Temp=0
[RegKeyWhitelist-Comment]
; --------------------------------------------------------------------------------------------------------------
; --------------------------------------- included registry subkeys -------------------------------------------
; ---------------------------------------- USE SHORT FORM, e.g. HKLM\... ---------------------------------------
; --------------------------------------------------------------------------------------------------------------
[RegKeyWhitelist]
; Intentionally empty: no whitelist restriction, so every key not excluded by [SkipRegKey] is
; compared (assumed - confirm).
[SkipRegKey-Comment]
; --------------------------------------------------------------------------------------------------------------
; --------------------------------------- excluded registry subkeys -------------------------------------------
; ---------------------------------------- USE SHORT FORM, e.g. HKLM\... ---------------------------------------
; --------------------------------------------------------------------------------------------------------------
; Regshot 2.0 cannot use abbreviated root keys such as HKCR.
; Regshot 3.0 requires the abbreviated form.
; HKCC --> HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current +
; HKCU\System\CurrentControlSet\Hardware Profiles\Current (does not exist)
; HKCR = HKLM\SOFTWARE\Classes + HKCU\Software\Classes
; When HKCU and HKLM both map to the same HKCR location, HKCU takes precedence.
; Results from working on HKCR are erratic, so HKCR is skipped and the HKLM and HKCU entries are taken separately.
; HKCU --> HKU\{SID}
; The SID varies per machine, so HKCU is used instead.
; =1 skips the key and all of its descendants.
; HKEY_LOCAL_MACHINE\System\CurrentControlSet --> HKEY_LOCAL_MACHINE\System\ControlSet00X
; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer=0 ; disputed, not skipped for now
[SkipRegKey]
; NOTE(review): this skip list is tuned to hide noise while tracing a single Settings-app toggle.
; It also hides several well-known persistence and security-configuration locations (e.g.
; HKLM\SYSTEM\CurrentControlSet incl. Services, HKLM\SOFTWARE\Microsoft\Windows NT, Active Setup,
; SystemCertificates, Windows Defender, Authentication, the Explorer keys, Internet
; Settings\Connections, Group Policy). Do not reuse it unchanged to check what an installer or an
; untrusted program changes - such changes would simply not appear in the comparison.
; NOTE(review): several =0 entries sit under a parent set to =1 (e.g. the Explorer subkeys below
; HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer=1). Whether =0 re-includes a subkey of a
; skipped parent is not documented here; by the "=1 skips descendants" rule above they may be inert
; - confirm.
; NOTE(review): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS=1 appears twice in this section
; (in the Microsoft block and again near the end). Harmless while both are 1, but keep one entry.
HKCC=1
HKCR=1
; NOTE(review): this hides HKCU\Control Panel\Desktop, which is exactly where the UserPreferencesMask
; value traced with Process Monitor later on this page lives - with this line active Regshot will
; not report that change.
HKCU\Control Panel\Desktop=1
HKCU\Control Panel\NotifyIconSettings=1
HKCU\Printers=1
HKCU\Software\Classes\Extensions\ContractId=1
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PolicyCache=1
HKCU\Software\Classes\PackagedCom\Package=1
HKCU\Software\Classes\VirtualStore=1
HKCU\Software\DownloadManager=1
HKCU\Software\Microsoft\ActiveMovie=1
HKCU\Software\Microsoft\AuthCookies=1
HKCU\Software\Microsoft\CertSelect=1
HKCU\Software\Microsoft\CTF=1
HKCU\Software\Microsoft\Edge=1
HKCU\Software\Microsoft\EdgeUpdate=1
HKCU\Software\Microsoft\IdentityCRL=1
HKCU\Software\Microsoft\OneDrive=1
HKCU\Software\Microsoft\Poom=1
HKCU\Software\Microsoft\RestartManager=1
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store=1
HKCU\Software\Microsoft\Windows NT\CurrentVersion\HostActivityManager\CommitHistory=1
HKCU\Software\Microsoft\Windows Script\Settings\Telemetry=1
HKCU\Software\Microsoft\Windows\CurrentVersion\AppListBackup=1
HKCU\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store=1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer=1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs=0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU=0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage=0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU=0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams=0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify=0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist=0
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats=1
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\PolicyApplicationState=1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections=1
HKCU\Software\Microsoft\Windows\CurrentVersion\IrisService=1
HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications=1
HKCU\Software\Microsoft\Windows\CurrentVersion\RunNotification=1
HKCU\Software\Microsoft\Windows\CurrentVersion\Search=1
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions=1
HKCU\Software\Microsoft\Windows\CurrentVersion\Start=1
HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC=1
HKCU\Software\Microsoft\Windows\CurrentVersion\UnifiedConsent=1
HKCU\Software\RegisteredApplications=1
HKCU\Software\Woozle\XN Resource Editor\Recent Files=1
HKLM\Components\CanonicalData=1
HKLM\COMPONENTS\CCPInterface=1
HKLM\Components\DerivedData=1
HKLM\Components\DerivedData\Components=1
HKLM\Components\Drivers=1
HKLM\Components\ServicingStackVersions=1
HKLM\Drivers\DriverDatabase=1
HKLM\HARDWARE\RESOURCEMAP=1
HKLM\Schema=1
HKLM\SOFTWARE\Classes\Interface=1
HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment=1
HKLM\SOFTWARE\Classes\TypeLib=1
HKLM\SOFTWARE\Microsoft\Active Setup=1
HKLM\SOFTWARE\Microsoft\EventSystem=1
HKLM\SOFTWARE\Microsoft\IdentityCRL=1
HKLM\SOFTWARE\Microsoft\Internet Explorer=1
HKLM\SOFTWARE\Microsoft\LanguageOverlay=1
HKLM\SOFTWARE\Microsoft\MpSigStub=1
HKLM\SOFTWARE\Microsoft\Multimedia=1
HKLM\SOFTWARE\Microsoft\RemovalTools=1
HKLM\SOFTWARE\Microsoft\Security Center=1
HKLM\SOFTWARE\Microsoft\SecurityManager=0
HKLM\SOFTWARE\Microsoft\SystemCertificates=1
HKLM\SOFTWARE\Microsoft\UPnP Device Host=1
HKLM\SOFTWARE\Microsoft\Wbem=1
HKLM\SOFTWARE\Microsoft\Windows Defender=1
HKLM\SOFTWARE\Microsoft\Windows NT=1
HKLM\SOFTWARE\Microsoft\Windows Search=1
HKLM\SOFTWARE\Microsoft\Windows Security Health=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Fcon=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer=0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18=0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InstallService=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Mrt=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OneSettings=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\VFUProvider=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc=1
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting=1
HKLM\SOFTWARE\Microsoft\WindowsSelfHost=1
HKLM\SOFTWARE\Microsoft\WindowsUpdate=1
HKLM\SOFTWARE\Microsoft\WZCSVC=1
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Perflib=1
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer=1
HKLM\SOFTWARE\WOW6432Node\NemuServer=1
HKLM\SYSTEM\ActivationBroker=1
; The whole control sets are skipped; the disabled lines below are the finer-grained exclusions
; that were used before.
HKLM\SYSTEM\ControlSet001=1
; HKLM\SYSTEM\ControlSet001\Control\Session Manager=1
; HKLM\SYSTEM\ControlSet001\Enum=1
; HKLM\SYSTEM\ControlSet001\Services\VFILT=1
HKLM\SYSTEM\ControlSet002=1
; HKLM\SYSTEM\ControlSet002\Control\Session Manager=1
; HKLM\SYSTEM\ControlSet002\Enum=1
; HKLM\SYSTEM\ControlSet002\Services\VFILT=1
HKLM\SYSTEM\CurrentControlSet=1
; HKLM\SYSTEM\CurrentControlSet\Control\hivelist=1
; HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings=1
; HKLM\SYSTEM\CurrentControlSet\Services\bam=1
; HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum=1
; HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch=1
; HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy=1
HKLM\SYSTEM\DriverDatabase=1
HKLM\SYSTEM\HardwareConfig=1
HKLM\SYSTEM\Input=1
HKLM\SYSTEM\Keyboard Layout=1
HKLM\SYSTEM\Maps=1
HKLM\SYSTEM\MountedDevices=1
HKLM\SYSTEM\ResourceManager=1
HKLM\SYSTEM\ResourcePolicyStore=1
HKLM\SYSTEM\ResourcePolicyStore\ResourceSets=1
HKLM\SYSTEM\ResourcePolicyStore\ResourceSets\Policies=1
HKLM\SYSTEM\RNG=1
HKLM\SYSTEM\Select=1
HKLM\SYSTEM\Setup=1
HKLM\SYSTEM\Software=1
HKLM\SYSTEM\State=1
HKLM\SYSTEM\WaaS=1
HKLM\SYSTEM\WPA=1
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings=1
; ----------------------------------------------------------------------------------------------------------------
; Change the SIDs below to match the actual machine: the S-1-5-21-... entries are from the
; author's machine, and the S-1-5-80-0123456789... entries look like placeholders (both =0).
HKU\S-1-5-20=1
HKU\S-1-5-21-1112048239-3170395655-576480342-1001=1
HKU\S-1-5-21-1112048239-3170395655-576480342-1001_Classes=1
HKU\S-1-5-80-0123456789-0123456789-0123456789-0123456789-0123456789=0
HKU\S-1-5-80-0123456789-0123456789-0123456789-0123456789-0123456789_Classes=0
; ----------------------------------------------------------------------------------------------------------------
; [Bags & BagMRU] - Explorer folder-view state, noisy
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags=1
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU=1
HKCU\Software\Microsoft\Windows\Shell\Bags=1
HKCU\Software\Microsoft\Windows\Shell\BagMRU=1
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags=1
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU=1
; ----------------------------------------------------------------------------------------------------------------
; [Cache]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache=1
HKCU\Software\Classes\Local Settings\MrtCache=1
HKCU\Software\Classes\Local Settings\MuiCache=1
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache=1
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache=1
HKU\.DEFAULT\Software\Classes\Local Settings\MrtCache=1
HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache=1
HKU\S-1-5-18\Software\Classes\Local Settings\MrtCache=1
HKU\S-1-5-18\Software\Classes\Local Settings\MuiCache=1
HKU\S-1-5-19\Software\Classes\Local Settings\MuiCache=1
HKU\S-1-5-20\Software\Classes\Local Settings\MuiCache=1
; ----------------------------------------------------------------------------------------------------------------
; [WOW6432Node]
; HKCR = HKLM\SOFTWARE\Classes + HKCU\Software\Classes
; HKCR=1
; HKCR\WOW6432Node=1
; HKCU\Software\WOW6432Node is not mirrored to HKCU\Software
; HKLM\SOFTWARE\WOW6432Node is not mirrored to HKLM\SOFTWARE
; HKCU\Software\WOW6432Node=0
; HKLM\SOFTWARE\WOW6432Node=0
; HKCU\Software\Classes\WOW6432Node is not mirrored to HKCU\Software\Classes
; HKLM\SOFTWARE\Classes\WOW6432Node is not mirrored to HKLM\SOFTWARE\Classes
; HKCU\Software\Classes\WOW6432Node is mirrored to HKCR\Software\Classes\WOW6432Node
; HKLM\SOFTWARE\Classes\WOW6432Node is mirrored to HKCR\Software\Classes\WOW6432Node
; HKCU\Software\Classes\WOW6432Node=0
; HKLM\SOFTWARE\Classes\WOW6432Node=0
; The 3 keys below under HKLM\SOFTWARE\Classes\Software\WOW6432Node\ are symbolic links --> the 3 real keys under HKLM\SOFTWARE\Classes\Software\
HKLM\SOFTWARE\Classes\WOW6432Node\AppID=1
HKLM\SOFTWARE\Classes\WOW6432Node\PROTOCOLS=1
HKLM\SOFTWARE\Classes\WOW6432Node\TypeLib=1
; The 4 keys below under HKLM\SOFTWARE\WOW6432Node\ are symbolic links --> HKLM\SOFTWARE\<4 real keys>\WOW6432Node
HKLM\SOFTWARE\WOW6432Node\Classes=1
HKLM\SOFTWARE\WOW6432Node\Clients=1
HKLM\SOFTWARE\WOW6432Node\Policies=1
HKLM\SOFTWARE\WOW6432Node\RegisteredApplications=1
; The 4 keys below under HKLM\SOFTWARE\WOW6432Node\ are symbolic links --> HKLM\SOFTWARE\<4 real keys>
HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager=1
HKLM\SOFTWARE\WOW6432Node\Microsoft\SystemCertificates=1
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\KindMap=1
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Group Policy=1
; HKCU\Software\Wow6432Node --> HKU\S-1-5-21-{GUID}-1001\Software\Wow6432Node
; HKU\S-1-5-21-{GUID}-1001 is already skipped above
; HKU\S-1-5-21-{GUID}-1001\Software\Wow6432Node=1
; ----------------------------------------------------------------------------------------------------------------
; Later additions (application-specific and Windows 10/11 system-app state).
HKCU\Software\7-Zip\FM=1
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy=1
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe=1
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.SecHealthUI_8wekyb3d8bbwe=1
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WidgetsPlatformRuntime_8wekyb3d8bbwe=1
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy=1
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy=1
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy=1
HKCU\Software\Microsoft\EdgeWebView=1
HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications=1
HKCU\Software\Microsoft\Windows\CurrentVersion\RulesEngine=1
HKCU\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance=1
HKCU\Software\Microsoft\Windows\CurrentVersion\ThemeManager=1
HKLM\COMPONENTS\Windows Update Clean Tool=1
HKLM\DRIVERS=1
HKLM\SOFTWARE\Classes\CLSID\{F1E752C3-FD72-11D0-AEF6-00C04FB6DD2C}=1
HKLM\SOFTWARE\Intel\Display\igfxcui\3D=1
; Duplicate of the BITS entry in the Microsoft block above (see the NOTE at the top of this section).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS=1
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Search=1
[SkipRegKey.test]
; Alternative / experimental skip list. Presumably not read by the program under this section
; name (it differs from [SkipRegKey]) - confirm. Note the spelling: ".test" here but ".Test" in
; the [SkipFile.Test] / [SkipDir.Test] sections; the Win32 profile API matches section names
; case-insensitively, other readers may not.
HKCU\Software\Classes\VirtualStore=1
HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC=1
HKLM\SOFTWARE\Microsoft\EventSystem=1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib=1
HKLM\SYSTEM\ControlSet001=0
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum=1
; Sandboxie box of the original author - machine-specific.
HKU\Sandbox_Patrick_DefaultBox=1
; ----------------------------------------------------------------------------------------------------------------
HKLM\SOFTWARE\Google=1
[SkipDir]
; Directories excluded from the file-system snapshot (1 = skip). Paths use %VAR% environment
; variables, which the reader presumably expands - confirm. Several entries are machine- or
; user-specific (Firefox profile id ujcmi4bt.default, German "Eigene Dateien" / "Lokale
; Einstellungen" folder names, ASUS, GreenHub, QuarkUpdater) and need adjusting per machine.
; NOTE(review): temp folders, ProgramData\Microsoft, AppData\Local\Packages, Microsoft.NET and
; the event-log folder are all skipped. Fine for tracing a settings toggle, but files an
; installer drops into these locations would not show up in the comparison.
; %ALLUSERSPROFILE% = %SystemDrive%\Users\All Users --> %SystemDrive%\ProgramData
%ALLUSERSPROFILE%=1
; Setting a registry root key to 1 also masks its subkeys, but setting a root directory to 1
; sometimes fails to mask its subdirectories - hence the explicit subdirectory entries below.
%APPDATA%\Microsoft\Windows\Recent=1
%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations=1
%APPDATA%\Mozilla\Firefox\Profiles=1
%LOCALAPPDATA%\Microsoft\TokenBroker=1
%LOCALAPPDATA%\Microsoft\Windows\Caches=1
%LOCALAPPDATA%\Microsoft\Windows\INetCache=1
%LOCALAPPDATA%\Temp=1
%LOCALAPPDATA%\ToastNotificationManagerCompat=1
%ProgramFiles(x86)%\Microsoft=1
%ProgramFiles(x86)%\Microsoft\Edge=1
%SystemDrive%\$Recycle.Bin=1
%SystemDrive%\msdownld.tmp=1
%SystemDrive%\ProgramData\D3DSCache=1
%SystemDrive%\ProgramData\Microsoft=1
%SystemDrive%\ProgramData\Microsoft\Credentials=1
%SystemDrive%\ProgramData\Microsoft\Search=1
%SystemDrive%\ProgramData\Microsoft\Windows Defender\Scans=1
%SystemDrive%\ProgramData\Microsoft\Windows Defender\Scans\History=1
%SystemDrive%\ProgramData\Microsoft\Windows\Explorer=1
%SystemDrive%\ProgramData\Microsoft\Windows\TaskManager=1
%SystemDrive%\ProgramData\Microsoft\Windows\WebCache=1
%SystemDrive%\ProgramData\Package Cache=1
%SystemDrive%\ProgramData\regid.1991-06.com.microsoft=1
%SystemDrive%\ProgramData\USOPrivate=1
%SystemDrive%\ProgramData\USOShared=1
%SystemDrive%\servicing\LCU=1
%SystemDrive%\System Volume Information=1
%SystemDrive%\System=1
%SystemDrive%\temp=1
%SystemRoot%\appcompat=1
%SystemRoot%\AppReadiness=1
%SystemRoot%\Logs\WindowsUpdate=1
%SystemRoot%\Microsoft.NET=1
%SystemRoot%\PCHealth\HelpCtr\DataColl=1
%SystemRoot%\Prefetch=1
%SystemRoot%\Profiles\Administrator\Temporary Internet Files=1
%SystemRoot%\ServiceProfiles\LocalService=1
%SystemRoot%\ServiceProfiles\NetworkService=1
%SystemRoot%\SoftwareDistribution=1
%SystemRoot%\System32\CatRoot=1
%SystemRoot%\System32\config=1
%SystemRoot%\System32\spp=1
%SystemRoot%\System32\wbem\Repository=1
%SystemRoot%\System32\winevt\Logs=1
%SystemRoot%\SystemTemp=1
%SystemRoot%\temp=1
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default=1
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Safe Browsing=1
%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5=1
%USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles=1
%USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\ujcmi4bt.default\cache2=1
%USERPROFILE%\AppData\Local\Packages=1
%USERPROFILE%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy=1
%USERPROFILE%\AppData\LocalLow=1
%USERPROFILE%\Eigene Dateien\Snapshots=1
%USERPROFILE%\Local Settings\Temp=1
%USERPROFILE%\Local Settings\Temporary Internet Files=1
%USERPROFILE%\Lokale Einstellungen\Temporary Internet Files=1
%USERPROFILE%\MicrosoftEdgeBackups=1
%USERPROFILE%\Microsoft\Edge=1
%USERPROFILE%\Recent=1
; ----------------------------------------------------------------------------------------------------------------
; Later additions. %ALLUSERSPROFILE% resolves to ProgramData (see above), so the Windows
; Defender entries overlap the %SystemDrive%\ProgramData\Microsoft ones - kept deliberately
; because of the subdirectory behaviour described above.
%ALLUSERSPROFILE%\Microsoft\Windows Defender=1
;; Already set to 1 above, but the subdirectory below still gets scanned
%ALLUSERSPROFILE%\Microsoft\Windows Defender\Scans=1
%ALLUSERSPROFILE%\ASUS=1
%APPDATA%\GreenHub\Session Storage=1
%ProgramFiles%\QuarkUpdater=1
%USERPROFILE%\Local Settings\Google\Chrome\User Data\Default\IndexedDB=1
%USERPROFILE%\Local Settings\Microsoft\Windows\Caches=1
[SkipFile-Comment]
; --------------------------------------------------------------------------------------------------------------
; ------------------------------------------ excluded files -------------------------------------------------
; ---------------------------- Files can also be listed under SkipDir -----------------------------------------
; ---------------------------- The separate section only serves readability ----------------------------------
; --------------------------------------------------------------------------------------------------------------
[SkipFile]
; Individual files excluded from the file-system snapshot (1 = skip): app-repository databases,
; paging / hibernation files and registry hive logs that change on every boot or logon.
; Extensions are written in mixed case (.SYS / .sys, .log / .LOG1) - the match is presumably
; case-insensitive - confirm.
%ALLUSERSPROFILE%\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd=1
%ALLUSERSPROFILE%\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-wal=1
%ALLUSERSPROFILE%\Microsoft\Windows\AppRepository\StateRepository-Machine.srd=1
%ALLUSERSPROFILE%\Microsoft\Windows\AppRepository\StateRepository-Machine.srd-wal=1
%ALLUSERSPROFILE%\Microsoft\Windows\UsrClass.dat.LOG1=1
%SystemDrive%\hiberfil.SYS=1
%SystemDrive%\pagefile.sys=1
%SystemDrive%\swapfile.SYS=1
%SystemDrive%\Users\Public\Desktop\Microsoft Edge.lnk=1
%SystemRoot%\bootstat.dat=1
; Machine-specific: the SourceHash GUID and the ASUS task id below are from the author's machine.
%SystemRoot%\Installer\SourceHash{7F0C3584-ED21-4282-9931-50D173C2CCE5}=1
%SystemRoot%\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask=1
%USERPROFILE%\ntuser.dat.log=1
%USERPROFILE%\ntuser.dat.LOG1=1
%USERPROFILE%\ntuser.dat.LOG2=1
%USERPROFILE%\UsrClass.dat=1
%USERPROFILE%\UsrClass.dat.LOG1=1
; ----------------------------------------------------------------------------------------------------------------
%ProgramFiles(x86)%\IncrediBuild\CoordService.sbd=1
%SystemRoot%\System32\Tasks\AsusSystemAnalysis_754F3273-0563-4F20-B12F-826510B07474=1
[SkipFile.Test]
; Alternative / experimental file skip list; presumably not read under this section name -
; confirm. Overlaps [SkipFile] for the paging / hibernation files and ntuser.dat.log.
%LOCALAPPDATA%\Launchy\launchy.db=1
%SystemDrive%\hiberfil.SYS=1
%SystemDrive%\pagefile.sys=1
%SystemDrive%\swapfile.SYS=1
%USERPROFILE%\ntuser.dat.log=1
[SkipDir.Test]
; Alternative / experimental directory skip list from the original (German) author's machine;
; presumably not read under this section name - confirm. Kept for reference: many entries are
; personal folders (Brenner, Editoren, Programmierung, Eigene Dateien ...) that do not exist
; elsewhere, and %ProgramFiles% / %SystemDrive%\System are explicitly NOT skipped here (=0),
; unlike in [SkipDir].
%APPDATA%\Microsoft\Windows\Recent=1
%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations=1
%APPDATA%\Mozilla\Firefox\Profiles=1
%LOCALAPPDATA%\Google\Chrome\User Data\Default=1
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5=1
%LOCALAPPDATA%\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy=1
%ProgramFiles%=0
%ProgramFiles(x86)%=0
%SystemDrive%\$Recycle.Bin=1
%SystemDrive%\Brenner=1
%SystemDrive%\Debugger=1
%SystemDrive%\Editoren=1
%SystemDrive%\Internet=1
%SystemDrive%\msdownld.tmp=1
%SystemDrive%\MSOCache=1
%SystemDrive%\MultiMedia=1
%SystemDrive%\Office=1
%SystemDrive%\Programmierung=1
%SystemDrive%\Sandbox=1
%SystemDrive%\Sandbox\%USERNAME%=1
%SystemDrive%\System Volume Information=1
%SystemDrive%\System=0
%SystemDrive%\temp2=1
%SystemDrive%\temp=1
%SystemRoot%\PCHealth\HelpCtr\DataColl=1
%SystemRoot%\Prefetch=1
%SystemRoot%\Profiles\Administrator\Temporary Internet Files=1
%SystemRoot%\SoftwareDistribution=1
%SystemRoot%\System32\config=1
%SystemRoot%\System32\wbem\Repository=1
%SystemRoot%\winsxs=1
%USERPROFILE%\Eigene Dateien\Lieder=1
%USERPROFILE%\Eigene Dateien\Snapshots=1
%USERPROFILE%\Eigene Dateien\Visual Studio Projects=1
%USERPROFILE%\Lokale Einstellungen\Temporary Internet Files=1
%USERPROFILE%\MicrosoftEdgeBackups=1
%USERPROFILE%\Recent=1
; ----------------------------------------------------------------------------------------------------------------
; Second drive of the author's machine; note that [ScanDir] has D:\=0, so these would only
; matter if that drive were scanned.
D:\Temp\Portables=1
D:\Temp\Downloads=1
D:\temp=1
D:\System Volume Information=1
D:\Sandbox\%USERNAME%\DefaultBox\user\current\AppData\Roaming\Mozilla\Firefox=1
D:\Recycler=1
; ----------------------------------------------------------------------------------------------------------------
%LOCALAPPDATA%\Mozilla\Firefox\Profiles=1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ujcmi4bt.default\cache2=1
; "Eigene Dateien" is German for "My Documents"
D:\Eigene Dateien\Dropbox\.dropbox.cache=1
D:\Eigene Dateien\Dropbox\Cloudfogger=0
D:\Eigene Dateien\Dropbox\Scripts\AutoHotkey\ac'tivAid_New\Settings\Clipboards=1
D:\Eigene Dateien\Eigene Musik=1
D:\Eigene Dateien\ERDNT=1
D:\Eigene Dateien\Scripts\AutoHotkey\ac'tivAid\settings\Clipboards=1
D:\Eigene Dateien\Snapshots=1
D:\Eigene Dateien\Visual Studio Projects=1
;%SystemDrive%\j2sdk1.4.1_06=1
2. 使用 RegFromApp.exe
此软件不能挂系统钩子,一般只能监测第三方应用程序的注册表行为,因此不适合监测系统进程(如下面的 SystemSettings.exe)。
3. 使用 Process Monitor
过滤器设置:
包含(Include)操作 Operation is RegSetValue;若还要看到新建或删除键值的操作,再包含 RegCreateKey、RegDeleteValue、RegDeleteKey。

排除(Exclude)产生噪声的服务进程名称,如 BuildService.exe。
其它项使用「重置过滤器(Reset Filter)」即可,它会自动添加默认的排除项。
然后操作系统上的设置,如:
设置 - 时间和语言 - 输入 - 高级键盘设置 - 切换输入法 - 使用桌面语言栏(如果可用) - 勾选

该操作的作用是:
安装搜狗输入法后,删除默认的输入法键盘,系统托盘会出现两个搜狗图标。
如何删除没用的灰色那个?

操作后,Process Monitor 会捕获到设置程序(SystemSettings.exe)的 RegSetValue 事件。

最后,从该事件得到具体的注册表位置和值的变化。
cobol
Windows Registry Editor Version 5.00
; Captured on one machine. UserPreferencesMask is a single 8-byte value, so importing this
; line as-is overwrites all 8 bytes with the values from the capture. To change only the
; language-bar setting, take the current value from your own snapshot and change the 6th
; byte (01 = checked, 00 = unchecked).
[HKEY_CURRENT_USER\Control Panel\Desktop]
"UserPreferencesMask"=hex:9e,1e,07,80,12,01,00,00
修改第 6 个字节(从 1 数起,即上面的 01),它对应 "使用桌面语言栏(如果可用)":
01: 勾选
00: 不勾选
4. RegCool
监控一般,但可以脱机比较两个注册表文件。