SystemSherlock – snapshot using GUI or CMD

Recently I wrote about SystemSherlock Lite – really nice snapshoting tool that supports command line… I also posted small utility for parsing log files.

After that I started to heavily use SystemSherlock – and I must say that it is really really great utility. Problem is that usually you want to have command line AND GUI interface – and SystemSherlock is cmd only :(

So I decided to create wrapper around it – and for me combination of GUI and SystemSherlock is much better snapshoting tool than RegShot or InstallRite…

SystemSherlock GUI consists of 3 different tabs – one for creating snapshots, second for comparing snapshots and third for displaying log files in friendly structure.

Create snapshot

Below is GUI used for taking snapshots:


It allows you to create snapshot configuration, specify output file and also to include exclusion list if you want to ignore particular entries. This is configured snapshot for detecting HKCU and C:\Temp folder:


I tried to implement quite logical interface, so there are feature like auto-suggest or auto-repair of entries (for example HKLM is automatically translated HKEY_LOCAL_MACHINE)… Another feature is that entry type is automatically detected (you can see it in video – I don’t select whether entry is registry or filesystem, it is automatically filled):

Update: Embedded video from Jing doesn’t work :( So click on following link instead).

Once you specified what you want to monitor, just click on create button – dump is automatically created. Then do whatever you want – and just click on Create button again. One of SystemSherlock advantages is that it allows you to create as many dumps as you want – you can even compare current dump with one created months ago…

When finished, move to Compare snapshots tab.

Compare snapshots

Below is screenshot of Compare snapshots tab:


It is divided to two parts – on left you can see source dumps and on right target dumps. Source dumps are the ones that were taken first –  this is VERY important to understand that source must be always older.

System Sherlock Lite can report unexpected results if you are not aware of this behavior – if you will swap source and target (so target will be older file and source will be newer file), results will be opposite (for example if you deleted folder between snapshots, it will report that this folder was created etc.).

For this reason I implemented some logic to processing. When you select any file on left, ONLY newer files then selected are displayed on right.


Parse logs

When you compare two dumps, differences between these two entries are automatically displayed in GUI.

Current version should be already functional, but I am sure that there will be some issues – after all, this is really first version I just finished. If you encounter any problems or you have some features requests, feel free to post them in comments – if nothing, I will at least respond (but probably also implement such changes).

Advantages compared to RegShot:

  • Fully supports command line – can be scripted
  • Imho better GUI
  • Supports multiple dumps – not only comparison of 2 snapshots (easily review historical changes)
  • Exclusion list based on RegExes
  • GUI for reading log files


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>