tracking registry and file changes?

ozportable
Joined: 2009-11-16 18:50
tracking registry and file changes?

I'd like to be able to track, and if possible revert, changes made to a system by an application.

In this way, I can test portable apps that I'm unsure are fully portable.

What application can I use for this?

Thanks.

Simeon
Developer, Translator
Joined: 2006-09-25 15:15
Regshot

I (and a lot of others here) use Regshot. It makes 2 shots of the system, tracking file and registry changes. There even is a portable version here in the forums. Just search for it.

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devil's Advocate

dboki89
Joined: 2009-11-30 20:44
RegShot + Sandboxie

Option I:
Use RegShot to scan for registry changes made by the application, or for edited files on the system (this is not on by default; you'll have to specify the folders to be scanned as well).

Option II:
But if testing on your own PC, where you have admin rights, it's best to do it inside Sandboxie. It is something very similar to having a virtual machine, only a lot faster and easier to use, and you can easily see what has been accessed and modified. The best part about Sandboxie is that whatever you run inside it doesn't actually write stuff to the (real) system, even though it thinks it does... And if you want to get the files from Sandboxie into the real system, just hit the "Recover to..." button!

I don't want to get technical, as you can search the forums for the answer, but there is even a way to see which registry entries of the app run in Sandboxie have been changed, by:

1. (temporarily) mounting the RegHive hive from Sandboxie... I don't recommend it for beginners; try option 2!
2. Running NirSoft's RegFromApp (it is portable, but there is also a PA version here in the forums) inside a Sandbox, and then running the desired application with RegFromApp. That's the solution I would recommend, as it's the easiest, and cleanest for your system.

Take care :)

My posts are old and likely no longer relevant.

crux
Joined: 2008-06-13 18:10
How about changes that are changed back?

What I mean is, does one of those solutions track EVERY change to the registry, even changes that are reverted?

For example, say a program starts, changes a registry value, then changes that registry value back to what it was originally, and then exits. If you check the registry before and after the program executes, will you see no change, or that the registry changed and then changed back again?

dboki89
Joined: 2009-11-30 20:44
Sandboxie + RegFromApp + run testing software

... does one of those solutions track EVERY change to the registry, even changes that are reverted?

No, technically no single solution offers everything, but read below...

... say a program starts, changes a registry value, then changes that registry value back to what it was originally, and then exits.

Yes, you can see those changes if you follow Option II, 2.

Baby steps in detail, so everyone can do this even if they don't quite get it:

1) install Sandboxie if you haven't already
2) get Nirsoft's RegFromApp
3) run Sandboxie
4) right click on "Sandbox Default" and select "Run Sandboxed" > "Run Any Program"
4a) wait for 5 seconds because it is a free version
5) navigate to RegFromApp and select/run it
6) (select "Cancel" if a window with processes shows at startup); in RegFromApp, select "File" > "Start New Process"
7) browse to the beta-testing software with the "Browse" button, and tick the option "Start tracing immediately"
8) "Ok"

By following these steps, you'll see what changes have actively happened, but not whether they have been reverted. For that, you'll have to check the size of 2 files Sandboxie created:

a) open Sandboxie Control (just open Sandboxie)
b) expand "Sandbox Default", then expand "All Files and Folders"
c) if RegHive is 256 kB and RegHive.log is 1 kB, then the changes were reverted.
NOTE: most of the time, for some reason Sandboxie doesn't update the sizes of those files if they were reverted, so you have to exit Sandboxie from the system tray, and start it up again.

If the sizes are what I said, it left no changes in the registry when it finished. If RegHive is bigger, there is a way to see what has changed, but I will not explain it in detail here because by mounting and dismounting something into the Registry (that's how you see it), you can cause a lot of mess... If you want details, try catching me on chat, or ask computerfreaker :)

I hope this helped... Take care :)

[EDIT]: And yeah, you are right about scanning the registry. That's how RegShot works: you'll only see the changes that were left after the execution, not the modified ones that were reverted.

My posts are old and likely no longer relevant.
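The blind spot described above (a two-snapshot comparison only shows what is still different once the program exits) can be demonstrated on a directory tree. This is an added example, not code from the thread or from Regshot; the files and the "program" that edits them are constructed, and a registry snapshot (value name mapped to data) would be diffed the same way.

```python
"""Regshot-style before/after comparison of a directory tree (added example,
not the thread's or Regshot's code). It shows why a two-snapshot method, as in
Option I above, reports only changes still present when the program exits:
a file edited and then restored produces no difference. A registry snapshot
(key/value name -> data) would be compared the same way."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path relative to root to the SHA-256 of its content."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def diff(before, after):
    """Return (added, modified, deleted) relative paths, each list sorted."""
    added = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, modified, deleted


def write(root, name, text, mode="w"):
    with open(os.path.join(root, name), mode) as fh:
        fh.write(text)


def demo():
    """Constructed scenario: one file edited then reverted, one edited, one created."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "config.ini", "original\n")
        write(root, "data.txt", "original\n")
        before = snapshot(root)
        # The tested program changes config.ini and puts it back exactly as it was...
        write(root, "config.ini", "temporary\n")
        write(root, "config.ini", "original\n")
        # ...but leaves an edit in data.txt and a new file behind.
        write(root, "data.txt", "appended\n", mode="a")
        write(root, "leftover.log", "log\n")
        after = snapshot(root)
        return diff(before, after)  # config.ini is invisible to the comparison
```

Only a live trace of the process (RegFromApp or Process Monitor, as discussed in this thread) records the intermediate write to config.ini.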

crux
Joined: 2008-06-13 18:10
Wow, that's great.

Thanks. A portable tool to do all this would be excellent.

dboki89
Joined: 2009-11-30 20:44
.

crux, SCRATCH WHAT I SAID!
Forget about the whole RegFromApp idea! I just re-read this post of mine and realized that I stopped using that method around the time I posted this! There's an incredibly easier way of doing it, and I've been happier with the new way than with any other!

Use Sandboxie, as I recommended before. There is a link for a portable version further down in the post. But, this time, you'll use an "add-on" for Sandboxie (it is a standalone executable, place it wherever you like). It's called SandDiff. Just read through the very simple usage tips from that thread, and start using it. Much like RegShot, it lists only added/edited/deleted registry entries and files. But it works incredibly much quicker than RegShot, since it compares only that small sandboxed part of the Registry, not the entire, non-modified parts of it. Also, you can't damage your system using a test program inside Sandboxie (with or without SandDiff), whereas you can damage your system by testing some software directly and using RegShot only to see the changes...

I apologize for not editing this post sooner, as it became outdated probably the next day from when I posted...

Old message, slightly edited, follows:

Thanks.

You are welcome.

A portable tool to do all this would be excellent.

Sandboxie Portable! :) wraithdu made one, but it requires Admin rights...

If you're a regular beta-tester, you'll simply fall in love with this piece of software, as it makes erasing all the changes made by the tested software a snap, as well as recovering them to the real system, if you want to do so.

Cheers :)

My posts are old and likely no longer relevant.

dboki89
Joined: 2009-11-30 20:44
.

I am sorry. A small bump of this thread (this is my first one!), in order for crux to read through the edited parts. I reckoned the benefits of new knowledge are greater than the repercussions of a single bump. Thank you.

My posts are old and likely no longer relevant.

crux
Joined: 2008-06-13 18:10
Thanks again.

Those tips, plus the info about Process Monitor from Bahamut, are very helpful.

I read that a tester for a computer magazine intentionally installed something infected with malware to see if Sandboxie could contain it. Unfortunately, some kinds of malware still persisted, so they did not recommend using that method to test if something seems clean.

Bahamut
Joined: 2006-04-07 08:44
Process Monitor

You can track everything (and I mean everything) a process does with Process Monitor. It has a nifty filter, so you can track what you want without reading through tens of thousands of operations. It won't tell you exactly what a program writes out of course (it will log that a process wrote something to disk, but not what it wrote), but it will tell you where. It requires admin rights and it won't revert any changes, but it's definitely useful.

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Vintage!

computerfreaker
Developer
Joined: 2009-08-11 11:24
Just FYI

Process Monitor is really great for tracking what a process does, but even filtering frequently leaves a long, long list to sift through. For example, opening a file to read calls the CreateFile API; since opening a file to write calls that same API, you can't really filter that out.
ProcMon is good when you want to be thorough, but if you're in a hurry it can be very troublesome.

I prefer Sandboxie; it does have one annoying trait (showing Registry entries & files even after they're deleted), but it's a small price to pay for knowing that my results are accurate. Plus, Sandboxie has a portable build, which is a very nice thing to have.

"The question I would like to know, is the Ultimate Question of Life, the Universe and Everything. All we know about it is that the Answer is Forty-two, which is a little aggravating."
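One way to thin out a Process Monitor log after the fact, since the Operation column alone lumps read-only and write CreateFile calls together while the Detail column's "Desired Access" field separates them. This is an added example, not code from the thread or from Sysinternals; the column names are assumed to match ProcMon's default CSV export, and the sample log lines are constructed.

```python
"""Post-filter a Process Monitor CSV export down to operations that change
the file system or registry (added example, not code from the thread or
from Sysinternals). Column names are assumed to match ProcMon's default
CSV export; the log lines are constructed. CreateFile serves reads and
writes alike, so the Operation column alone cannot tell them apart, but the
"Desired Access" field in the Detail column can."""
import csv
import io
import re

# Operations that always modify state when they succeed.
WRITE_OPS = {
    "WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile",
    "RegSetValue", "RegCreateKey", "RegDeleteKey", "RegDeleteValue",
}

# Constructed sample in ProcMon's export layout (paths use single backslashes).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0","app.exe","1234","CreateFile","C:\Users\me\settings.ini","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"10:00:01.1","app.exe","1234","CreateFile","C:\Users\me\settings.ini","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"10:00:01.2","app.exe","1234","WriteFile","C:\Users\me\settings.ini","SUCCESS","Offset: 0, Length: 42"
"10:00:01.3","app.exe","1234","RegQueryValue","HKCU\Software\App\Path","NAME NOT FOUND","Length: 144"
"10:00:01.4","app.exe","1234","RegSetValue","HKCU\Software\App\Path","SUCCESS","Type: REG_SZ, Length: 48, Data: C:\Users\me"
"10:00:01.5","app.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
'''


def is_write(row):
    """True if the row records a successful state change, not a read or probe."""
    if row["Result"] != "SUCCESS":
        return False
    op = row["Operation"]
    if op in WRITE_OPS:
        return True
    if op == "CreateFile":
        # Everything between "Desired Access:" and the "Disposition" field.
        m = re.search(r"Desired Access: (.*?)(?:, Disposition:|$)", row["Detail"])
        access = m.group(1) if m else ""
        return "Write" in access or "Delete" in access
    return False


def modifying_paths(csv_text):
    """Sorted, de-duplicated paths that some successful write operation touched."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted({row["Path"] for row in rows if is_write(row)})
```

Running `modifying_paths(SAMPLE_CSV)` leaves two paths (the settings file and the registry value) and drops the read-only open of the same file, the failed registry probe and the DLL load.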
