Is there a way to see all files and registry entries that an application installs?
I am trying to figure out if there is a way to basically install an application into a sandbox, so that I can easily see all files it created and all registry entries it added without searching the computer looking for files.
It doesn't need to be a sandbox, as long as it will tell me everything the installer has done. Surely there has to be something out there that does this. I know my A/v tells me when it accesses certain files and folders, but I am looking for a more precise approach that logs everything so I can analyze it after.
Download, unpack and run Process Monitor.
-
Run your installer. I'm using FileZilla for this example.
-
While the installer runs, you can use the crosshair and drag it onto the installer window. This will create a filter which results in Process Monitor only showing events relating to that process.
You can also wait for the installer to finish and pick it out of the recorded events yourself. You can right-click the Process Name and create an Include filter easily.
-
You will now have a log of every file system or registry access of the installer. You can now create additional filters to further analyse the data or use the functions available from the Tools menu.
Especially File Summary and Registry Summary might be of interest in this context.
However, note that when filtering events for a specific process only, you might miss operations that aren't directly caused by the installer process itself. The installer could call some Windows API that indirectly causes registry values to change.
Likewise, the installer could just spawn a child process that makes file and/or registry modifications. This child process also wouldn't be seen when you only filter on the parent process.
When a process spawns a child process, this will be indicated by the Process Create operation in Process Monitor.
I think you might be looking for something like Total Uninstall
This software needs to be installed prior to the application you would like to monitor.
It maintains a log of all the registry entries and files created and changed.
It provides a GUI for navigating the freshly installed and monitored programs.
- Export the entire registry before the install
- Export the entire registry after the install
Use a file diff to get the differences between the two registries.
http://support.microsoft.com/kb/171780
You can download software to do it for you (see below)
http://www.aplusfreeware.com/categories/util/registry.html
Another thing you can do is to download "Sysinternals Process Monitor". Then you can filter the operations done by the installer are shown. You can even filter down to whatever operations you want to see (RegWrite, RegQueryValue, etc) and save the capture for later viewing.
A more user-friendly way than ProcessMonitor is to use an actual install-monitoring program. The one that I have always used and preferred is PCMagazine’s InCtrl5. It used to be free and while they started charging for their utilities several years ago, you may still be able to find a copy from someone who downloaded it while it was free and had the free license. They have also updated it to InCtrlX which is presumably better, but not free.
Another one that I like is ZSoft Uninstaller. Of the dozens of such programs that I have tested, this was the next best to InCtrl5. It’s also free.
These programs work by taking a snapshot of the registry and file system before and after the installation, then doing a comparison to find out what has changed (added, removed, modified). Unlike a program like ProcessMonitor which simply monitors system accesses, these filter for actual changes to the system and the better ones even filter out false positives like temporary files and OS-initiated changes.