How can I see what an executable file is writing to disk and to the registry?

7

4

Possible Duplicate:
Looking for a program installer monitor or recorder

What software can be used in order to "record" all the files written to the disk and registry entries being modified by an .exe or other installers?

JohnnyFromBF

Posted 2012-05-29T15:01:59.940

Reputation: 4 298

Question was closed 2012-05-29T17:12:38.230

Answers

14

Process Monitor (Windows Sysinternals) from Microsoft TechNet does what you're asking for.

From the Introduction:

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Screenshot: (image of the Process Monitor window, not reproduced here)

Dennis

Posted 2012-05-29T15:01:59.940

Reputation: 42 934

Thanks for the hint, but this could get quite difficult when my setup.exe starts some abc.exe in order to do some other stuff; it's hard to trace. I thought of some sort of sandbox, but Sandboxie, which I tried, doesn't seem to have such a trace feature. – JohnnyFromBF – 2012-05-29T15:13:55.693

(1) You can filter processes by Parent PID. Still not a sandbox, but it's a start. – Dennis – 2012-05-29T15:16:22.867

Okay, hadn't thought about that Parent PID filter. That could be useful. Thanks! – JohnnyFromBF – 2012-05-29T15:20:45.730

6

You could try ProcMon from Sysinternals. This way you can see exactly what a file is doing. However, you have to filter on the specific file, otherwise the list will be bloated with everything else.

Devator

Posted 2012-05-29T15:01:59.940

Reputation: 962

Thanks for the hint, but this could get quite difficult when my setup.exe starts some abc.exe in order to do some other stuff; it's hard to trace. I thought of some sort of sandbox, but Sandboxie, which I tried, doesn't seem to have such a trace feature. – JohnnyFromBF – 2012-05-29T15:13:41.310

(1) @Ian It will list the child processes started by it. Then you can filter on them. – Devator – 2012-05-29T15:19:32.680
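Both answers come down to the same workflow: capture with Process Monitor, then narrow the log to the installer and the child processes it spawns (the Parent PID trick from the first thread, "it will list the child processes" from the second). Doing that by hand in the GUI gets tedious once setup.exe launches helpers, so the following script, an added example that is not from either answer or from Sysinternals, reads a Process Monitor CSV export, walks the Parent PID column to find every descendant of the installer, and lists only the successful file and registry writes made by that process tree. It assumes the "Parent PID" column was enabled in Process Monitor before exporting; the sample rows are constructed for illustration.

```python
"""Summarise the disk and registry writes of an installer and every process it
spawned, from a Process Monitor CSV export (File > Save, CSV format).

Assumption: the "Parent PID" column was added (Options > Select Columns) before
the export, so each row carries the PID of the process that created it."""
import csv
import io

# Constructed sample export. Row 4 shows setup.exe (PID 4100) launching
# abc.exe (PID 4120); the explorer.exe and svchost.exe rows are the kind of
# unrelated noise a real capture is full of.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Parent PID","Operation","Path","Result","Detail"
"3:01:10.0000000 PM","setup.exe","4100","2200","Process Start","","SUCCESS","Parent PID: 2200, Command line: setup.exe"
"3:01:10.1000000 PM","setup.exe","4100","2200","CreateFile","C:\\Program Files\\Demo\\demo.exe","SUCCESS","Desired Access: Generic Write"
"3:01:10.2000000 PM","setup.exe","4100","2200","WriteFile","C:\\Program Files\\Demo\\demo.exe","SUCCESS","Offset: 0, Length: 65,536"
"3:01:10.3000000 PM","setup.exe","4100","2200","Process Create","C:\\Windows\\Temp\\abc.exe","SUCCESS","PID: 4120, Command line: abc.exe /install"
"3:01:10.4000000 PM","abc.exe","4120","4100","RegCreateKey","HKLM\\SOFTWARE\\Demo","SUCCESS","Desired Access: Write"
"3:01:10.5000000 PM","abc.exe","4120","4100","RegSetValue","HKLM\\SOFTWARE\\Demo\\InstallDir","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\\Program Files\\Demo"
"3:01:10.6000000 PM","abc.exe","4120","4100","WriteFile","C:\\Users\\Public\\demo.log","SUCCESS","Offset: 0, Length: 120"
"3:01:10.7000000 PM","explorer.exe","2200","900","WriteFile","C:\\Users\\Me\\AppData\\Local\\IconCache.db","SUCCESS","Offset: 0, Length: 4,096"
"3:01:10.8000000 PM","svchost.exe","1300","700","RegSetValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo\\Start","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"""

# Operations that change disk or registry contents. Reads (ReadFile,
# RegQueryValue, ...) are deliberately left out of the report.
FILE_WRITE_OPS = {"WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile"}
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}


def load_rows(csv_text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def process_tree(rows, root_pids):
    """Return root_pids plus every descendant PID, found through the Parent
    PID column. Iterates to a fixpoint so the result does not depend on the
    order in which events were logged (grandchildren included)."""
    tree = set(root_pids)
    grew = True
    while grew:
        grew = False
        for row in rows:
            if row["Parent PID"] in tree and row["PID"] not in tree:
                tree.add(row["PID"])
                grew = True
    return tree


def summarize_changes(csv_text, root_name):
    """Collect successful file and registry writes made by every process
    named root_name and by all processes descended from it."""
    rows = load_rows(csv_text)
    roots = {r["PID"] for r in rows if r["Process Name"].lower() == root_name.lower()}
    tree = process_tree(rows, roots)
    files, keys = set(), set()
    for row in rows:
        # Skip other processes' activity and failed operations.
        if row["PID"] not in tree or row["Result"] != "SUCCESS":
            continue
        if row["Operation"] in FILE_WRITE_OPS:
            files.add(row["Path"])
        elif row["Operation"] in REG_WRITE_OPS:
            keys.add(row["Path"])
    return {
        "pids": sorted(tree, key=int),
        "files": sorted(files),
        "registry": sorted(keys),
    }


if __name__ == "__main__":
    report = summarize_changes(SAMPLE_CSV, "setup.exe")
    print("processes:", ", ".join(report["pids"]))
    for path in report["files"]:
        print("file    :", path)
    for key in report["registry"]:
        print("registry:", key)
```

Run it against a real export by replacing SAMPLE_CSV with the file contents (open the CSV with the csv module the same way). The fixpoint loop in process_tree is what makes the child-process case from the comments work: abc.exe is attributed to the installer because its Parent PID is setup.exe's PID, and a helper spawned by abc.exe would be picked up on the next pass. Filtering on Result == SUCCESS matters too; Process Monitor logs attempted writes that failed (for example ACCESS DENIED), which are useful for troubleshooting but are not changes to the system.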