www.sysinternals.com
look for filemon and regmon, real-time logging of what reg keys get opened, closed, accessed, and enumerated, filemon also shows the files being used
use filtering options to make it a bit clearer, these things log access very heavily so you might get confused...turning off ur AV while monitoring the traces would help too