Is there an Installer Analyser tool that can list what Registry Keys will be created?

1

1

I can think of 3 ways to achieve my goal:

  1. Create a clean VPC, install a given piece of software, and compare the before and after states.
  2. Somehow reverse-engineer the installer.
  3. Somehow redirect the output of the installer in question so that all registry calls and copy/move file commands are recorded, but not executed.

The first option can be done manually, or potentially automated, but I feel it's rather OTT for my needs. The second could cause all sorts of licensing issues, not to mention it may not always return a correct result. Also, without delving into hex editing, I can't think of a way that it would be possible to do manually (some installers - e.g. Anti-Virus software - may react unfavourably to automated attempts to investigate the installer).

The third option shows the most promise, although if the first could be stripped down into a lightweight throwaway environment, it would work pretty much the same way. However, I'm not sure how to do it. So my question is:

What tools are available (if any) and/or how could I find out this information manually?

I'm not looking to reverse-engineer anything (if I can help it), but I just want to know exactly what changes are being made to my PC by a given piece of software.

EvoGamer

Posted 2011-01-04T01:31:06.920

Reputation: 21

The Norton Utilities (I'm not going to recommend it or not; I don't know enough about it) has a Registry Monitor tool that tells you when your registry changes and how many changes there were. It doesn't, however, tell you what changed. Link: http://antivirus.norton.com/norton/ps/us_en_nu.html?om_sem_cid=hho_sem_sy:us:ggl:en:e%7Ckw0000012287%7C6426191236&om_sem_site=

– Nathan G. – 2011-01-04T01:43:51.753

Answers

2

Process Monitor can monitor all file accesses during the install and create a log for later review. Unfortunately, it logs everything that is happening during the install, not just the install, but you can filter the results. It is a very powerful tool if you want to learn how to use it.

I have used it before to see what files/keys were altered during a software install.

It shows everything that is accessed and/or whether it was changed.

http://technet.microsoft.com/en-us/sysinternals/bb896645

It's interesting to just let it run when you are doing nothing on the PC; it's amazing what is going on in the background in Windows, especially Vista or W7.


Moab

Posted 2011-01-04T01:31:06.920

Reputation: 54 203

I've used ProcMon before, and I've found it to be a VERY good tool (a lot of the SysInternals stuff is good), but it does require that you run it during the install... What happens when I want to analyse an installer WITHOUT actually installing anything? – EvoGamer – 2011-01-04T03:54:59.973

Seems to me there was a program that did a simulation of install, but darned if I can remember it right now; don't know if it logged anything or not. I found this, but it probably is not what you want... http://lifehacker.com/162910/hack-attack-safely-install-software-in-a-virtual-layer

– Moab – 2011-01-04T04:15:16.090
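Added example (not part of the original answer or comments): one way to do the filtering the answer mentions, reducing a Process Monitor CSV export to the successful registry and file writes made by the installer's own processes. The sample rows, `setup.exe` and the `ExampleApp` paths are constructed, and the column names and `Disposition` text assume Process Monitor's default CSV export.

```python
import csv
import io

# State-changing operations; reads such as RegQueryValue or ReadFile are ignored.
WRITE_OPS = {"RegCreateKey", "RegSetValue", "RegDeleteKey", "RegDeleteValue", "WriteFile"}

# Constructed sample (not a real capture), assuming Process Monitor's default CSV columns.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:00:01","setup.exe","4120","RegCreateKey","HKLM\SOFTWARE\ExampleApp","SUCCESS","Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY"
"1:00:01","setup.exe","4120","RegCreateKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Write, Disposition: REG_OPENED_EXISTING_KEY"
"1:00:02","setup.exe","4120","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleApp","SUCCESS","Type: REG_SZ, Length: 72, Data: C:\Program Files\ExampleApp\app.exe"
"1:00:02","svchost.exe","1044","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\Example\Start","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"1:00:03","setup.exe","4120","RegQueryValue","HKLM\SOFTWARE\ExampleApp\Version","NAME NOT FOUND","Length: 16"
"1:00:03","setup.exe","4120","RegSetValue","HKLM\SOFTWARE\Policies\ExampleApp\Lock","ACCESS DENIED","Type: REG_DWORD, Length: 4, Data: 1"
"1:00:04","msiexec.exe","5208","WriteFile","C:\Program Files\ExampleApp\app.exe","SUCCESS","Offset: 0, Length: 4,096"
"1:00:04","msiexec.exe","5208","WriteFile","C:\Program Files\ExampleApp\app.exe","SUCCESS","Offset: 4,096, Length: 4,096"
'''


def installer_changes(csv_text, process_names):
    """Return sorted, de-duplicated (operation, path) pairs for successful
    writes made by the named processes."""
    wanted = {name.lower() for name in process_names}
    changes = set()
    # Exported files may start with a UTF-8 byte order mark; strip it if present.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if row["Process Name"].lower() not in wanted:
            continue  # background noise from other processes
        if row["Operation"] not in WRITE_OPS or row["Result"] != "SUCCESS":
            continue  # reads and failed attempts changed nothing
        # RegCreateKey also succeeds when it only opens a key that already exists.
        if row["Operation"] == "RegCreateKey" and "REG_CREATED_NEW_KEY" not in row["Detail"]:
            continue
        changes.add((row["Operation"], row["Path"]))
    return sorted(changes)


if __name__ == "__main__":
    # An installer often hands work to child processes such as msiexec.exe.
    for operation, path in installer_changes(SAMPLE_CSV, ["setup.exe", "msiexec.exe"]):
        print(f"{operation:15} {path}")
```
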

1

An easy-to-use program to monitor the keys and files that an installation creates is Cameyo, which is actually a program to create portable programs from normal installers. But then you still need to install and uninstall if you are only testing the program.

The easiest way to circumvent this is creating a virtual machine with VirtualBox, taking a snapshot before the installation, and simply restoring the snapshot. Restoring snapshots is a matter of seconds for me. Creating a machine just needs to be done once, but it does take some time, because you need to install Windows on the machine.

Cerberus

Posted 2011-01-04T01:31:06.920

Reputation: 593

0

lessmsi can do it. Just open your MSI, navigate to Table View and look through the available tables. You can then Ctrl+A, Ctrl+C and paste the values into Notepad.

Konstantin Spirin

Posted 2011-01-04T01:31:06.920

Reputation: 121