Auditing Registry Writes Before Deployment with pkgprobe

01 Where the Real Footprint Lives

When an installer runs, the files it copies to Program Files are only half the story. The registry writes are where the installer establishes persistence — startup behavior, service definitions, protocol handlers, file associations, and the upgrade detection logic that determines whether future versions deploy correctly.

These are the hives that matter most for pre-deployment review:

common installer write targets high-value audit paths

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall uninstall entry

HKLM\Software\Classes\ProgID / COM registration review

HKLM\System\CurrentControlSet\Services\ServiceName review

HKLM\Software\Vendor\AppName expected

HKCU\Software\Microsoft\Windows\CurrentVersion\Run flag

HKCR\ProtocolName\shell\open\command review

If you don't know which of these paths an installer writes to before deployment, you're gambling — especially in regulated environments where unexpected persistence or service creation triggers immediate EDR and compliance scrutiny.

02 What pkgprobe Extracts

For MSI installers, pkgprobe directly inspects the installer's Registry table, ServiceInstall table, and Class table — producing a complete pre-execution map of every key that will be written. No sandbox. No execution. The footprint, before the installer runs.

The output gives you exactly what you need for a pre-deployment review:

          pkgprobe registry extract — Python API
          Python
        

from pkgprobe import analyze_msi

plan = analyze_msi("VendorApp.msi")

# Full registry footprint before execution
for reg in plan.registry_writes:
    print(reg.hive, reg.path, reg.value_name)

# Service definitions
for svc in plan.service_installs:
    print(svc.name, svc.start_type, svc.account)

# COM registrations
for com in plan.com_registrations:
    print(com.clsid, com.prog_id)

Now you can ask the right questions before deployment: Why is this app creating a Run key? Does this service need to auto-start? Is this overwriting an existing COM registration that another app depends on?

03 Red Flags to Watch For

Not all registry writes are equal. These four categories warrant direct review before any installer goes to production:

RF-01

User-Level Startup Persistence

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AppUpdater

Line-of-business software rarely needs per-user startup persistence. When you see this from an enterprise app, ask why. Run key writes are common in consumer updaters, telemetry agents, and potentially unwanted software — and they're easy to miss because they target HKCU, not HKLM.

RF-02

Service Installation

HKLM\System\CurrentControlSet\Services\AppBackgroundSvc

Any installer creating a Windows service expands your attack surface. Before approving, confirm: what account does it run under? Is it auto-start or demand-start? Does it expose network ports? Is the service binary signed?

LocalSystem privilege is rarely justified for vendor background services
AUTO_START services survive reboots and persist indefinitely
Unsigned service binaries are an immediate flag

RF-03

Shell or Protocol Handlers

HKCR\VendorProtocol\shell\open\command

Modifications to file associations, URL protocol handlers, or Explorer context menus can silently override existing behavior. A new protocol handler that launches an EXE introduces an execution path that bypasses normal application launch controls — and affects every user on the endpoint.

RF-04

Upgrade Detection Keys

HKLM\Software\Vendor\App\Version = "3.1.0"

Some MSIs use custom registry keys to detect whether a previous version is installed before proceeding with an upgrade. If those keys are misconfigured — or conflict with keys written by another vendor's installer — upgrades fail silently with exit code 0. You won't know until rollout.

04 Pre-Deployment Registry Review Workflow

The goal is to move registry discovery from post-deployment troubleshooting to pre-deployment review. The shift is simple:

✗ reactive — today

Package installer

Deploy to pilot group

Hope nothing breaks

Troubleshoot at 9:30 PM

✓ proactive — with pkgprobe

Analyze MSI — extract registry writes

Compare against policy baseline

Flag unexpected persistence or services

Approve and deploy with confidence

05 Enforcing Policy in CI/CD

Registry auditing doesn't have to be a manual step. You can encode your org's policy directly into your pipeline and block installers that violate it automatically — before they ever reach a staging environment.

          registry policy gate — Python
          Python
        

from pkgprobe import analyze_msi

plan = analyze_msi("app.msi")

for reg in plan.registry_writes:

    # Block any user-level startup persistence
    if "CurrentVersion\\Run" in reg.path:
        raise Exception(
            f"Blocked: user-level persistence at {reg.path}"
        )

    # Flag unexpected protocol handlers
    if reg.hive == "HKCR" and "shell\\open\\command" in reg.path:
        raise Exception(
            f"Blocked: unexpected shell handler at {reg.path}"
        )

for svc in plan.service_installs:

    # Block services running as LocalSystem
    if svc.account == "LocalSystem":
        raise Exception(
            f"Blocked: service '{svc.name}' runs as LocalSystem"
        )

print("Registry policy checks passed.")

✅

Exit code 0 doesn't mean safe

A successful installation just means the installer completed without error. It says nothing about what was written to the registry, what services were created, or what persistence mechanisms were established. Registry auditing is about intent — what is this installer trying to establish long-term?

06 Real-World Scenario: The Silent Vendor Update

This scenario plays out regularly in enterprise IT. A vendor releases a routine MSI update — same product, incremented version. The packaging team tests installation. Exit code 0. Moves to production.

📋 timeline — unaudited vendor update

Deploy day MSI pushed to 2,000 endpoints via SCCM. Exit code 0. Deployment marked successful.

+3 days SOC flags unexpected outbound traffic from endpoints on port 443 to unknown telemetry domain.

+5 days Helpdesk reports elevated CPU usage complaints from multiple departments. Background service identified.

+7 days Change board asks why a new background service and auto-start updater appeared post-deployment. No documentation exists.

Root cause Vendor silently added an auto-start updater (HKCU Run key) and telemetry service (HKLM Services) in the new MSI version. Neither appeared in the changelog.

With pkgprobe Registry diff against previous version surfaces both additions at analysis time. Deployment blocked pending vendor review. No incident.

// final thought

Installers don't just copy files. They modify state. The registry is where that state lives.

If you audit the registry footprint before deployment, you stop reacting to surprises at 9:30 PM and start predicting them at 9:30 AM — when there's still time to ask the vendor a question, adjust the deployment scope, or block the release entirely. That's the difference between reactive IT and operational discipline.

Know the footprint before it lands

pkgprobe extracts the full registry write map from any MSI before execution — no sandbox, no pilot deployment, no surprises.

Try pkgprobe →