Comparing Registry Copies

The Compare button and menu item are enabled only when two main nodes are active, so by that point the current file must already contain at least two Registry scans (see Registry Scan).

You can select any node for comparison. When you click the Compare button, the comparison is performed if the corresponding node exists in the other active tree; otherwise the message "Appropriate node does not exist: ..." is displayed.

To exclude certain nodes from the comparison, use the "Exclude from compare (check)" command in the context menu. The selected node is marked with a red "x".

Marking a node in one tree also excludes all nodes with the same path in the other trees. You can view and edit the list of all excluded nodes in the "Exclude List"; changes to a tree and to the list are applied simultaneously. A node of a higher level can be included or excluded so that it covers nodes of a lower level already on the list, and vice versa.

Depending on the "Jump to < > opened tree" option on the General tab, double-clicking a line in the Exclude List opens the corresponding node in the first or in the second active tree; if no node with that path exists, nothing is opened. To check whether a node contains any excluded subnodes, use the "Expand Excluded Nodes" button. To remove all excluded subnodes of a node from the Exclude List, use the "UnExclude All Subnodes" button.

One copy is always newer than the other: it is marked as New, and the older one as Old. When the comparison finishes, a window with three (or fewer) trees appears:

1) "Deleted - xx": a tree of deleted Keys and Value Names, i.e. those that existed in the old copy of the Registry but were not found in the newer one;

2) "Added - xx": a tree of added Keys and Value Names;

3) "Distinct in data - xx": a tree of changed Value Data.

In the first tree, "Deleted - xx" (where xx is the number of keys and value names missing from the new copy compared with the old one), deleted Keys are marked with a yellow bulb and all their subkeys with a grey bulb. Keys with deleted Value Names are marked with a green bulb; only the Value Names not found in the new copy are listed under them. Subkeys that remained the same are not shown.

Compare screenshot

The second tree ("Added - xx") uses the same notation; the only difference is that it shows Keys and Value Names present in the new copy and not found in the old one. Analysing this tree after installing new software helps you judge whether it is a Trojan, or whether it makes unwanted changes in critical registry areas: in particular, look for new values under the Run and RunOnce keys below HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion and the same path under HKEY_CURRENT_USER, and for new subkeys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, since these are the places where software arranges to be started automatically.

In the third tree ("Distinct in data - xx"), only differences in Value Data are shown; here xx is the total number of pairs whose Value Data differ. Keys where such differences were found are marked with a green bulb. The data for the same Value Name are shown in columns marked 1 and 2, for the old and the new copy respectively. The data type icons are like those in the Registry Editor, except that the numeric type is divided into three subtypes: 1 - Double word; 2 - Binary; 3 - Multi size.
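The exclude list and the three result trees described above, worked through in code as an added example that is not this tool's own code. It parses two constructed snapshots in .reg export syntax into key/value maps, drops everything on an exclude list (a listed path covers its subkeys, as the Exclude List does), and produces the Deleted, Added and Distinct in data sets together with their xx counts. The closing autostart_additions check illustrates the analysis suggested for the Added tree. The sample data, the AUTOSTART_PATHS list and all function names are assumptions of the example; multi-line hex continuations of the .reg format are not handled.

```python
"""Added example, not the tool's own code: diff two .reg-format registry
snapshots into Deleted / Added / Distinct-in-data, honour an exclude
list, and flag additions under well-known autostart keys."""
import re

# Constructed sample snapshots (.reg syntax); not data from a real machine.
OLD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp]
"Version"="1.0"
"Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp\Legacy]
"Enabled"=dword:00000000

[HKEY_CURRENT_USER\Volatile]
"Session"=dword:00000007
"""
NEW_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp]
"Version"="1.1"
"Flags"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp\Plugins]
"Loaded"=hex:01,00

[HKEY_CURRENT_USER\Volatile]
"Session"=dword:00000009
"""
AUTOSTART_PATHS = (  # well-known autostart keys; assumed list, extend as needed
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: raw_data}}; keys with no
    values are kept and the default value is stored under "@"."""
    snapshot, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            snapshot.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            snapshot[current]["@" if m.group("default") else m.group("name")] = m.group("data")
    return snapshot


def under_paths(key, paths):
    """True if key equals one of paths or lies beneath it: a higher-level
    node covers its subkeys. Registry paths are case-insensitive."""
    k = key.lower()
    return any(k == p.lower() or k.startswith(p.lower() + "\\") for p in paths)


def compare(old, new, excludes=()):
    """Return (deleted, added, distinct). deleted/added hold the keys missing
    from the other copy, the value names missing under surviving keys, and
    the xx count; distinct lists (key, name, old_data, new_data) pairs."""
    old_keys = {k for k in old if not under_paths(k, excludes)}
    new_keys = {k for k in new if not under_paths(k, excludes)}

    def one_way(src_keys, dst_keys, src, dst):
        keys = sorted(src_keys - dst_keys)
        values = {k: sorted(set(src[k]) - set(dst[k])) for k in sorted(src_keys & dst_keys)
                  if set(src[k]) - set(dst[k])}
        return {"keys": keys, "values": values,
                "count": len(keys) + sum(map(len, values.values()))}

    changes = [(k, n, old[k][n], new[k][n]) for k in sorted(old_keys & new_keys)
               for n in sorted(set(old[k]) & set(new[k])) if old[k][n] != new[k][n]]
    return (one_way(old_keys, new_keys, old, new),
            one_way(new_keys, old_keys, new, old),
            {"changes": changes, "count": len(changes)})


def autostart_additions(added, new):
    """(key, name, data) for each value the new copy added under an autostart
    key, whether only the value is new or the whole key is."""
    hits = [(k, n, new[k][n]) for k, names in added["values"].items()
            if under_paths(k, AUTOSTART_PATHS) for n in names]
    hits += [(k, n, d) for k in added["keys"] if under_paths(k, AUTOSTART_PATHS)
             for n, d in sorted(new[k].items())]
    return hits
```

Running compare on the two samples with HKEY_CURRENT_USER\Volatile on the exclude list gives Deleted - 1 (the Legacy key), Added - 2 (the Plugins key and the Updater value under Run) and Distinct in data - 2 (Flags and Version); without the exclusion the changed Session value makes the third count 3. autostart_additions then reports the Updater entry, a new Run value pointing at an executable in a user-writable directory, which is exactly the kind of line the Added tree is meant to surface.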

Choosing Locate in Old or Locate in New (depending on the active tree) in the context menu of the selected Key takes you to the corresponding source Key in the main window.
Double-clicking a data string opens the Copy String window, from which you can copy the Value Name and the Value Data.

