What does the path '\REGISTRY\A\...' in Sysinternals Procmon log mean?

It is an application hive, which can be seen in volatility by no name! Application hives are registry hives loaded by user-mode applications to store application-specific state data. An application calls the RegLoadAppKey function to load an application hive.

More info at https://msdn.microsoft.com/en-us/library/windows/hardware/jj673019%28v=vs.85%29.aspx

To edit a private hive it should be loaded beforehand.

For Visual Studio it can be done this way:

[To] increase the isolation and resilience of VS 2017, it uses now a private registry hive. Internally VS uses a redirection and while for VS extensions (which are dlls) this is transparent, for external processes (that are exes), this causes them not to work.

To change values in the private registry hive by hand, you can use regedit.exe to load a private hive. You need to select the HKEY_USERS node, and click the File > Load Hive… menu. You select the privateregistry.bin file, give a name to the hive (I entered “VS2017PrivateRegistry”) and now you can see the 15.0_Config key populated as usual (note: use File > Unload Hive when done):

To change values in the private registry hive programmatically you need either to build an extension for VS or if you want to use an external exe you need to use the RegLoadAppKey function or avoid using the registry directly and use the External Settings Manager. See the section “Change: Reduce registry impact” in Breaking Changes in Visual Studio 2017 extensibility.

https://web.archive.org/web/20210506232809/https://social.msdn.microsoft.com/Forums/vstudio/en-US/f636ee47-1eb7-45ed-ae2a-674cbabb8b2c/clear-mru-list-in-visual-studio-2017

Do not forget to unload the hive in regedit before starting an application using it.

What does the path '\REGISTRY\A\…' in Sysinternals Procmon log mean? Could you please explain what part of the registry it is? Can I see it using Regedit or some other utility? Can I access it programmatically?

I can’t reproduce what you are seeing on my system, but I can tell you how you can find out what it is on yours. You can see a list of all registry hives that are currently mounted under any name (including system-wide hives, user hives for users that are currently logged on, and any hives loaded manually or by software) at the following registry key. It will show both the internal registry path and the path to the hive file (figure 1).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

You can use this command to see which services are being hosted by the specific instance of svchost.exe. I’ve used the pid (1240) that it was using at the time of your screenshot; replace it with the current PID.

tasklist /svc /fi "pid eq 1240"

Figure 1: Screenshot of registry-editor with hivelist key highlighted, showing mounted registry hives

\REGISTRY\A is a hidden registry hive for use by Windows Store apps (aka Metro-style apps).