Check Open Registry Keys in Memory


To view the registry keys in use by Windows at the time of a snapshot, go to Memory View → Summary of System Activity → Open Registry Keys in the left panel. Open registry keys can also be viewed per process under Memory View → Processes → Open Registry Keys.


In the example snapshot, the Open Registry Keys view shows two columns, ‘Key Name’ and ‘Process’. The registry has two fundamental parts: keys and values. Keys act like folders for the values, and keys can be nested inside other keys. Values are what actually store the configuration data. In this case, the key \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES, used by the process services.exe, was selected.

Note that each Key Name begins with REGISTRY, which simply indicates that the object is found in the registry. After that comes MACHINE or USER, shorthand for the predefined registry keys HKEY_LOCAL_MACHINE and HKEY_USERS respectively. To confirm that WindowsSCOPE finds the registry keys in use, open the Windows Registry Editor and pick a random key. To open the Windows Registry Editor (regedit), go to Start → Run in Windows and type ‘regedit’. It is highly advised to only look at, and not edit, the registry files found.



In the example screenshot, a random key used by Adobe Acrobat Reader was selected, and then a snapshot was taken in WindowsSCOPE. In the Open Registry Keys view, the key being viewed in the Windows Registry Editor can easily be found using the Find tool.
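To cross-check a listing against regedit in bulk, the following added example (not part of WindowsSCOPE or the original page) translates Key Name values to the paths regedit displays, groups them per process, and searches them the way the Find tool does. It assumes the Key Name and Process columns are available as backslash-separated text rows; the function names, the second and third sample rows, and the SID are constructed for illustration.

```python
from collections import defaultdict

# Root mapping described above: REGISTRY, then MACHINE or USER.
ROOTS = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_USERS"}

def to_regedit_path(key_name):
    """Translate a snapshot key name to the path regedit shows, or None."""
    parts = [p for p in key_name.strip().split("\\") if p]
    if len(parts) < 2 or parts[0].upper() != "REGISTRY":
        return None
    root = ROOTS.get(parts[1].upper())
    if root is None:
        return None  # a root this page does not cover; report, do not guess
    return "\\".join([root] + parts[2:])

def keys_by_process(rows):
    """Group translated keys per process and collect names that did not map."""
    grouped, unmapped = defaultdict(set), []
    for key_name, process in rows:
        path = to_regedit_path(key_name)
        if path is None:
            unmapped.append((key_name, process))
        else:
            grouped[process.lower()].add(path)
    return {proc: sorted(keys) for proc, keys in grouped.items()}, unmapped

def find_key(rows, needle):
    """Case-insensitive search, since registry key names ignore case."""
    hits = []
    for key_name, process in rows:
        path = to_regedit_path(key_name)
        if path and needle.lower() in path.lower():
            hits.append((path, process))
    return hits

# Constructed sample rows; only the first key and process come from the page.
SAMPLE_ROWS = [
    (r"\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES", "services.exe"),
    (r"\REGISTRY\USER\S-1-5-21-0-0-0-1000\SOFTWARE\EXAMPLEVENDOR\READER", "reader.exe"),
    (r"\REGISTRY\OTHERROOT\EXAMPLE", "example.exe"),
]

if __name__ == "__main__":
    grouped, unmapped = keys_by_process(SAMPLE_ROWS)
    for proc, keys in grouped.items():
        print(proc, keys)
    print("unmapped:", unmapped)
    print(find_key(SAMPLE_ROWS, "examplevendor"))
```

Rows returned as unmapped are key names whose root is neither MACHINE nor USER; they are kept for manual review instead of being forced onto a predefined key.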