How to find out what an .exe file changes on the computer
I try to find out what exactly an .exe is changing on my windows computer before i really execute it, e.g. see the registry changes which will take action, which files are going to get changed, which new files are going to be added etc.
Is this possible?
How do I know what will change on my Windows computer before I run a program?
I want to see the registry changes which will take action, which files are going to get changed, which new files are going to be added, etc
That's not possible:
If you analysed the .exe program and knew what system calls it can make you would have to give it all possible inputs to predict what would happen when it was run.
There is an infinite number of possible inputs (consider just the simple case of typing random characters into a text file, there are millions of possible combinations).
In the particular case of "which new files are going to be added" nothing can know in advance the filename you are going to give the program to save a file.
The best you can do is run the program (maybe in a sandbox) and monitor the changes as they happen.
There are a number of possibilities for this monitoring. The most useful is probably Process Monitor as it provides lots of information that can be logged.
From Nirsoft:
- FolderChangesView
FolderChangesView is a simple tool that monitors the folder or disk drive that you choose and lists every filename that is being modified, created, or deleted while the folder is being monitored.
You can use FolderChangesView with any local disk drive or with a remote network share, as long as you have read permission to the selected folder.
- ProcessActivityView
ProcessActivityView creates a summary of all files and folders that the selected process tries to access. For each file that the process access, the following information is displayed: Number of times that the file was opened and closed, number of read/write calls, total number of read/write bytes, the dll that made the last open-file call, and more...
From SystemInternals:
- Process Monitor
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more.
- ProcessExplorer
Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.
Disclaimer
I am not affiliated with Nirsoft or SystemInternals in any way, I am just an end user of their software.
I found a possible way.
- Setup a Virtual Windows Machine.
- Install "Process Monitor" on it.
- Execute the exe
- Lookup the PID of the process from the exe
- Filter for the PID of this process in "Process Monitor"
- See changes live
It's not the best solution, but a start.