What does the path '\REGISTRY\A\...' in Sysinternals Procmon log mean?

It is an application hive, which can be seen in Volatility with no name! Application hives are registry hives loaded by user-mode applications to store application-specific state data. An application calls the RegLoadAppKey function to load an application hive.

More info at:

http://msdn.microsoft.com/en-us/library/windows/hardware/jj673019%28v=vs.85%29.aspx


\REGISTRY\A is a hidden registry hive for use by Windows Store apps (aka Metro-style apps).


I need to answer my own question in the comments.

To edit a private hive, it must be loaded first.

For Visual Studio it can be made this way:

https://social.msdn.microsoft.com/Forums/vstudio/en-US/f636ee47-1eb7-45ed-ae2a-674cbabb8b2c/clear-mru-list-in-visual-studio-2017?forum=visualstudiogeneral

To increase the isolation and resilience of VS 2017, it now uses a private registry hive. Internally VS uses a redirection, and while for VS extensions (which are DLLs) this is transparent, for external processes (which are EXEs) this causes them not to work.

To change values in the private registry hive by hand, you can use regedit.exe to load a private hive. You need to select the HKEY_USERS node, and click the File > Load Hive… menu. You select the privateregistry.bin file, give a name to the hive (I entered “VS2017PrivateRegistry”) and now you can see the 15.0_Config key populated as usual (note: use File > Unload Hive when done):


To change values in the private registry hive programmatically you need either to build an extension for VS or if you want to use an external exe you need to use the RegLoadAppKey function or avoid using the registry directly and use the External Settings Manager. See the section “Change: Reduce registry impact” in Breaking Changes in Visual Studio 2017 extensibility.

Do not forget to unload the hive in regedit before starting the application that uses it.
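As an added example (not from the question, the answers or the linked forum post): a PowerShell script that opens a private hive read-only through the RegLoadAppKey call mentioned above and lists its top-level keys. Loading a hive this way is what makes Procmon show its paths under \REGISTRY\A\ rather than under HKEY_USERS as regedit's File > Load Hive does. The hive path, the Win32.AppHive wrapper name and the KEY_READ constant are assumptions; the hive must not be in use by another process (close Visual Studio first).

```powershell
# Added example: inspect an application hive via RegLoadAppKey (read-only).
# Assumption: $HivePath points at a privateregistry.bin that no other process has loaded.
param(
    [string]$HivePath = "$env:LOCALAPPDATA\Microsoft\VisualStudio\<instance-id>\privateregistry.bin"  # placeholder path
)

# P/Invoke declaration for RegLoadAppKeyW (advapi32). The wrapper type name is our own choice.
Add-Type -Namespace Win32 -Name AppHive -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegLoadAppKeyW(string lpFile, out IntPtr phkResult,
                                        uint samDesired, uint dwOptions, uint Reserved);
'@

$KEY_READ = 0x20019   # STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
$hKey = [IntPtr]::Zero

# dwOptions = 0: default app-hive load; the file is held exclusively while any handle is open.
$rc = [Win32.AppHive]::RegLoadAppKeyW($HivePath, [ref]$hKey, $KEY_READ, 0, 0)
if ($rc -ne 0) {
    throw "RegLoadAppKeyW failed with Win32 error $rc (hive missing, or still in use by another process?)"
}

# Wrap the raw HKEY so .NET closes it for us; closing the last handle unloads the app hive,
# which is the equivalent of 'File > Unload Hive' in regedit.
$safeHandle = New-Object Microsoft.Win32.SafeHandles.SafeRegistryHandle($hKey, $true)
$root = [Microsoft.Win32.RegistryKey]::FromHandle($safeHandle)
try {
    "Top-level keys in ${HivePath}:"
    foreach ($sub in $root.GetSubKeyNames()) {
        "  $sub"
    }
} finally {
    $root.Dispose()
}
```

Run Procmon alongside it and the RegOpenKey/RegEnumKey events from this script appear with \REGISTRY\A\<GUID>\... paths, matching what the question observed.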