I use regshot (freeware) it allows to create snapshots before and after the change (for example an installation)
Afterwards you can compare the snapshots and find all changes.
Process Monitor also allows a myriad of filters to be set - so you could, for example, filter by process and only see the effects from the Symantec process you mentioned.
And if you're not sure which process to monitor, Process Explorer (another SysInternals tool) lets you drag a bullseye over an application to identify the process in the Process Explorer window.
Microsoft's Attack Surface Analyzer is a free (beta at the moment) tool that takes snapshots and compares not only registry keys but also lots of other important information like services, ACLs, open/listening ports, etc., and reports any differences between the snapshots.
Downside is that it's only compatible with Win7/2008.
if exporting the registry before the change and comparing with DIFF after didn't find the change, it's possible that the change you are making is not stored in the registry, which is where procmon comes in. Trace the activity of the proccess making the changes and you will see either the file or registry activity that is happening when the settings change is saved. Symantec Antivirus uses HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\ to store many of it's settings if that helps
Process Monitor will let you track Registry activity in realtime.
I use regshot (freeware) it allows to create snapshots before and after the change (for example an installation) Afterwards you can compare the snapshots and find all changes.
Process Monitor also allows a myriad of filters to be set - so you could, for example, filter by process and only see the effects from the Symantec process you mentioned.
And if you're not sure which process to monitor, Process Explorer (another SysInternals tool) lets you drag a bullseye over an application to identify the process in the Process Explorer window.
Microsoft's Attack Surface Analyzer is a free (beta at the moment) tool that takes snapshots and compares not only registry keys but also lots of other important information like services, ACLs, open/listening ports, etc., and reports any differences between the snapshots.
Downside is that it's only compatible with Win7/2008.
if exporting the registry before the change and comparing with DIFF after didn't find the change, it's possible that the change you are making is not stored in the registry, which is where procmon comes in. Trace the activity of the proccess making the changes and you will see either the file or registry activity that is happening when the settings change is saved. Symantec Antivirus uses HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\ to store many of it's settings if that helps