Installing an application in a sandbox to detect windows registry manipulation

I would like to know if there is a way to detect which registry settings an installer affects. Are there other options than running a full-size VM and then somehow comparing snapshots of the registry hives? If this is the best approach, please share your experiences.

The objective here is to figure out where in the registry a certain program stores settings, during installation and otherwise. It might seem like a good idea to just ask the developers, but I've faced this situation before (not knowing where in the registry a program stores settings) and would like to find a general approach to this problem.


I had good experiences with these small portable applications.
RegFromApp only shows changes made by your targeted application

RegFromApp v1.30 (NirSoft)

RegFromApp monitors the Registry changes made by the application that you selected, and creates a standard RegEdit registration file (.reg) that contains all the Registry changes made by the application. You can use the generated .reg file to import these changes with RegEdit when it's needed.


RegShot v1.90

Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product.


Other experiences on my own:

  • WhatChanged: Too slow, even on a SSD
  • MJRegWatcher: Hard to determine what registry change was important and which not

A second approach is using Sandboxie together with SandboxDiff.
This gives you the chance to see what will be changed before touching your live system.

Sandboxie

Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. You can also access all the changes that were made during the program execution.

SandboxDiff

SandboxDiff allows tracking changes in the registry and file system when using Sandboxie (an amazing application created by Ronen Tzur). All registry entries and file system objects created or modified by a sandboxed program (or any sandboxed action) are monitored and listed by SandboxDiff. Very useful when users want to know, before installing an application, all the changes the installer makes in the registry and file system.
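The snapshot-and-compare approach that RegShot automates can also be scripted, which is handy on a throw-away VM where you would rather not install extra tools. The script below is an added example and is not code from the original answers, from NirSoft, or from the Regshot or SandboxDiff projects. It assumes a -InstallerPath you are willing to execute on that machine (a setup.exe, or msiexec with its arguments passed via -InstallerArgs), read access to the hives under -Roots, and a writable -OutDir; those parameter names are the example's own. Beyond a plain two-snapshot diff it first takes two idle snapshots to learn which keys Windows changes on its own (MRU lists, counters, timestamps), so that background churn is not blamed on the installer.

```powershell
<#
  Added example, not part of the original answers: snapshot registry subtrees,
  run an installer, snapshot again, and report only the keys and values it changed.
  Assumptions: -InstallerPath is something you are prepared to run on this machine
  (ideally a throw-away VM or sandbox); the script can read the hives under -Roots
  and write to -OutDir. All parameter names below are this example's own.
#>
param(
    [Parameter(Mandatory)] [string]$InstallerPath,
    [string[]]$InstallerArgs = @(),
    [string[]]$Roots  = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'),
    [string]$OutDir   = "$env:TEMP\regdiff"
)

function Get-RegistrySnapshot {
    # Returns a hashtable: 'K|<key>' -> '' for every key, 'V|<key>|<valuename>' -> data for every value.
    param([string[]]$Roots)
    $snap = @{}
    foreach ($root in $Roots) {
        # Include the root key itself; Get-ChildItem -Recurse only yields its descendants.
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if ($null -eq $key) { continue }
            $snap["K|$($key.Name)"] = ''
            foreach ($name in $key.GetValueNames()) {
                # Keep REG_EXPAND_SZ unexpanded so %ProgramFiles% does not diff as its expansion.
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                if ($data -is [byte[]]) { $data = [System.BitConverter]::ToString($data) }
                # REG_MULTI_SZ arrives as string[]; flatten it so the comparison is string vs string.
                $snap["V|$($key.Name)|$name"] = [string]($data -join ',')
            }
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    # Emits one object per added, modified or deleted key/value between two snapshots.
    param([hashtable]$Before, [hashtable]$After)
    $changes = foreach ($entry in $After.Keys) {
        if (-not $Before.ContainsKey($entry)) {
            [pscustomobject]@{ Change = 'Added';    Entry = $entry; Old = $null;           New = $After[$entry] }
        } elseif ($Before[$entry] -ne $After[$entry]) {
            [pscustomobject]@{ Change = 'Modified'; Entry = $entry; Old = $Before[$entry]; New = $After[$entry] }
        }
    }
    $changes += foreach ($entry in $Before.Keys) {
        if (-not $After.ContainsKey($entry)) {
            [pscustomobject]@{ Change = 'Deleted';  Entry = $entry; Old = $Before[$entry]; New = $null }
        }
    }
    return @($changes)
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Learn the background churn: two snapshots with nothing installed in between.
#    Whatever changes by itself is noise and must not be attributed to the installer.
$idle1 = Get-RegistrySnapshot -Roots $Roots
Start-Sleep -Seconds 10
$idle2 = Get-RegistrySnapshot -Roots $Roots
$noise = @{}
foreach ($c in Compare-RegistrySnapshot -Before $idle1 -After $idle2) { $noise[$c.Entry] = $true }

# 2. The real run: snapshot, install (waiting for the installer to exit), snapshot again.
$before = Get-RegistrySnapshot -Roots $Roots
$startArgs = @{ FilePath = $InstallerPath; Wait = $true; PassThru = $true }
if ($InstallerArgs.Count -gt 0) { $startArgs.ArgumentList = $InstallerArgs }
$p = Start-Process @startArgs
Write-Host "Installer exited with code $($p.ExitCode)"
$after = Get-RegistrySnapshot -Roots $Roots

# 3. Diff, drop the entries that also changed while idle, and save the rest.
$diff = @(Compare-RegistrySnapshot -Before $before -After $after |
          Where-Object { -not $noise.ContainsKey($_.Entry) } |
          Sort-Object Change, Entry)
$diff | Export-Csv -Path (Join-Path $OutDir 'registry-diff.csv') -NoTypeInformation
$diff | Format-Table -AutoSize -Wrap
Write-Host "$($diff.Count) installer-attributable registry changes written to $OutDir\registry-diff.csv"
```

Two caveats apply to any snapshot diff, scripted or not: a full walk of HKLM:\SOFTWARE takes a while, so narrow -Roots once you know roughly where the program lives (HKLM:\SOFTWARE\Classes already covers the HKCR view), and a diff only sees the end state, so a value the installer writes and then deletes, or writes under a per-user hive of an account it impersonates, never shows up. For those transient writes the live-monitoring tools above (RegFromApp, or a sandbox) are the better fit.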


You could try running Process Explorer (a free tool from Microsoft), which shows you all the files and keys being accessed during the installation.

There will be a lot of information presented, but you can filter by application (you'll need to know the application being run during install, which might be something like setup.exe or msiexec).