I've a base image of a windows10 machine.
[win10_base image].qcow2 -- [overlay_with_bug].qcow2
I have a bug of a app which I can reproduce. This bug does alter something on the system.
I want to reproduce the bug on a innocent windows VM. All changes should be tracked in the overlay of this image. How can I retrieve the changes stored in the overlay? Which format would be best? Is there something like a compare/Analyse tool for VM-Images?
virt-diff can list the different files between raw or qcow2 images. It claims to allow diff between overlays, in which case try creating an empty qcow2 for the -a argument. Or, compare guests with and without the overlay using the -d option.
Although the RHEL builds appear to patch out NTFS from libguestfs so you may need other tools.
Also valuable is visibility into what the guest is doing. Use procmon or maybe a debugger to watch what the problem program is doing in detail.
Qcow2 tracking works on a block-by-block base; this means there are no easy ways to discover which files changed. I suggest you to mount both disk files, calculate the md5 sum of all the interesting files and comparing the results.
In doing that, be sure to not alter the disk files and/or double-mount them.
EDIT: I was unaware of virt-diff (+1 for John's answer), which seems to do what I suggested above - to mount the two disk images and compare the single files inside them, but in a much easier way. Anyway in RHEL world, where guestfs do not support NTFS (expect for win-virt-reg), you may need to do the comparison the hard (manual) way.
