Is there a way to see all files and registry entries that an application installs?


Solution 1

  1. Download, unpack and run Process Monitor.

  2. Run your installer. I'm using FileZilla for this example.


  3. While the installer runs, you can use the crosshair and drag it onto the installer window. This will create a filter which results in Process Monitor only showing events relating to that process.


    You can also wait for the installer to finish and pick it out of the recorded events yourself. You can right-click the Process Name and create an Include filter easily.

  4. You will now have a log of every file system or registry access of the installer. You can now create additional filters to further analyse the data or use the functions available from the Tools menu.

    Especially File Summary and Registry Summary might be of interest in this context.


However, note that when filtering events for a specific process only, you might miss operations that aren't directly caused by the installer process itself. The installer could call some Windows API that indirectly causes registry values to change.

Likewise, the installer could just spawn a child process that makes file and/or registry modifications. This child process also wouldn't be seen when you only filter on the parent process.

When a process spawns a child process, this will be indicated by the Process Create operation in Process Monitor.
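The child-process caveat above can be handled offline on a saved capture. The following is an added example, not part of the original answer: it reads a Process Monitor CSV export, follows every Process Create event from the installer to its descendants, and keeps only the operations that changed something. The sample rows are constructed, `installer_changes` is a hypothetical helper name, and the column layout and Detail wording are assumed to match the default export.

```python
import csv
import io
import re

# Process Monitor operation names that always modify state.
WRITE_OPS = {"WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile",
             "RegSetValue", "RegDeleteKey", "RegDeleteValue"}
# Operations that also fire for plain opens; count them only when the Detail
# column reports that something new was created (assumed Detail wording).
CREATE_MARKERS = {"CreateFile": "OpenResult: Created",
                  "RegCreateKey": "REG_CREATED_NEW_KEY"}
CHILD_PID = re.compile(r"PID: (\d+)")

# Constructed sample rows in the default column layout of a CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01","setup.exe","4100","RegQueryValue","HKLM\SOFTWARE\Example\Version","NAME NOT FOUND","Length: 16"
"10:00:02","setup.exe","4100","Process Create","C:\Temp\helper.exe","SUCCESS","PID: 4200, Command line: helper.exe /S"
"10:00:03","helper.exe","4200","CreateFile","C:\Program Files\Example","SUCCESS","Disposition: Open, OpenResult: Opened"
"10:00:04","helper.exe","4200","CreateFile","C:\Program Files\Example\app.exe","SUCCESS","Disposition: Create, OpenResult: Created"
"10:00:05","helper.exe","4200","RegSetValue","HKLM\SOFTWARE\Example\InstallDir","SUCCESS","Type: REG_SZ, Length: 50"
"10:00:06","explorer.exe","900","RegSetValue","HKCU\Software\Other\Recent","SUCCESS","Type: REG_DWORD, Length: 4"
'''


def installer_changes(csv_text, root_name):
    """Return (tracked PIDs, changes) for root_name and every process it spawned."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    tracked = {r["PID"] for r in rows if r["Process Name"].lower() == root_name.lower()}
    changes = []
    for r in rows:  # rows are in time order, so a child appears after its Process Create
        if r["PID"] not in tracked or r["Result"] != "SUCCESS":
            continue
        op, detail = r["Operation"], r["Detail"]
        if op == "Process Create":
            match = CHILD_PID.search(detail)
            if match:
                tracked.add(match.group(1))  # follow the child from here on
        elif op in WRITE_OPS or (op in CREATE_MARKERS and CREATE_MARKERS[op] in detail):
            changes.append((r["Process Name"], op, r["Path"]))
    return tracked, changes


if __name__ == "__main__":
    # For a real capture: open(path, encoding="utf-8-sig", newline="").read()
    pids, changes = installer_changes(SAMPLE_CSV, "setup.exe")
    print("tracked PIDs:", sorted(pids))
    for name, op, path in changes:
        print(f"{name:12} {op:14} {path}")
```

In the sample, every change comes from the spawned `helper.exe`, which a filter on the parent process alone would not show.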

Solution 2

I think you might be looking for something like Total Uninstall.

This software needs to be installed prior to the application you would like to monitor.

It maintains a log of all the registry entries and files created and changed.

It provides a GUI for navigating the freshly installed and monitored programs.

Solution 3

  1. Export the entire registry before the install
  2. Export the entire registry after the install

Use a file diff to get the differences between the two registries.

http://support.microsoft.com/kb/171780

You can download software to do it for you (see below)

http://www.aplusfreeware.com/categories/util/registry.html

Another thing you can do is to download "Sysinternals Process Monitor". Then you can filter so that only the operations done by the installer are shown. You can even filter down to whatever operations you want to see (RegWrite, RegQueryValue, etc.) and save the capture for later viewing.

Solution 4

A more user-friendly way than ProcessMonitor is to use an actual install-monitoring program. The one that I have always used and preferred is PCMagazine’s InCtrl5. It used to be free and while they started charging for their utilities several years ago, you may still be able to find a copy from someone who downloaded it while it was free and had the free license. They have also updated it to InCtrlX which is presumably better, but not free.

Another one that I like is ZSoft Uninstaller. Of the dozens of such programs that I have tested, this was the next best to InCtrl5. It’s also free.

These programs work by taking a snapshot of the registry and file system before and after the installation, then doing a comparison to find out what has changed (added, removed, modified). Unlike a program like ProcessMonitor which simply monitors system accesses, these filter for actual changes to the system and the better ones even filter out false positives like temporary files and OS-initiated changes.
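The export-and-diff procedure from Solution 3, which is also the registry half of the snapshot comparison described in Solution 4, can be done key by key instead of with a line-based file diff. This is an added example, not code from either answer or from any of the tools named: `parse_reg` and `diff_reg` are hypothetical helpers, and the two exports are constructed samples in the "Windows Registry Editor Version 5.00" text format.

```python
import re

# A value line is @=data (the key's default value) or "name"=data.
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed exports taken before and after a hypothetical install.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Vendor]
"Channel"="stable"
"Flags"=dword:00000001
'''
AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Vendor]
"Channel"="stable"
"Flags"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\App]
"InstallDir"="C:\\Program Files\\App"
"Blob"=hex:01,02,\
  03,04
'''


def parse_reg(text):
    """Map (key, value_name) -> raw data; the key itself is stored as (key, '')."""
    entries, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith(",\\"):          # hex data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[(key, "")] = ""
        elif key and (m := VALUE.match(line)):
            entries[(key, m.group(1))] = m.group(2)
    return entries


def diff_reg(before, after):
    """Compare two exports and list added, removed and changed entries."""
    b, a = parse_reg(before), parse_reg(after)
    return {"added": sorted(a.keys() - b.keys()),
            "removed": sorted(b.keys() - a.keys()),
            "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k])}
```

Files written by regedit's export are UTF-16 with a byte-order mark, so read them with `open(path, encoding="utf-16")` before passing the text to `diff_reg`.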

Author: user1632018

Updated on September 18, 2022

Comments

  • user1632018 over 1 year

    I am trying to figure out if there is a way to basically install an application into a sandbox, so that I can easily see all files it created and all registry entries it added without searching the computer looking for files.

    It doesn't need to be a sandbox, as long as it will tell me everything the installer has done. Surely there has to be something out there that does this. I know my A/v tells me when it accesses certain files and folders, but I am looking for a more precise approach that logs everything so I can analyze it after.

    • Admin over 10 years
      You can audit registry changes in Windows 7, but that depends on the specific version used.
  • Doktoro Reichard over 10 years
    Link-only answers are a bad fit for SU. Please provide a somewhat detailed explanation on how the program works and how it solves the OP's problem.
  • user1632018 over 10 years
    It looks like a nice piece of software, but I was leaning towards a free approach. It seems promising as an uninstaller though. A while back I was looking for an uninstaller that took this approach. I ended up with Revo Uninstaller though because I couldn't find one. Revo just searches for keys and files that contain the name in them, which isn't always accurate and can delete important registry keys if the user isn't careful. So thank you for that. If I get fed up with Revo I will probably purchase this uninstaller. For this use though I am going with the Process Monitor approach.
  • user1632018 over 10 years
    I am trying the process monitor approach as we speak. I'll let you know if it works well for me.
  • user1632018 over 10 years
    Hi Oliver, thanks for the detailed tutorial. I really appreciate it. I am just uninstalling the software and will try it right after when I reinstall. I will keep you posted on how well it works for me.
  • MonkeyZeus over 10 years
    Wow, this answer puts mine to shame. +1 for you!
  • MonkeyZeus over 10 years
    Good luck! Certainly let us know how it goes.
  • user1632018 over 10 years
    I ended up taking this approach. It worked great once I got the hang of it. I realized it is best to set the filters beforehand or else it takes very long to filter the objects in the listview.
  • Oliver Salzburg over 10 years
    @user1632018: If you have a set of filters that is working for you, you might also want to enable the Drop filtered events option from the Filter menu. Then the filtered events don't even get stored.
  • developerbmw over 8 years
    The likelihood of another program modifying the registry in that time is too high for this approach to be reasonable.