Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Comparing the Whole System Before a Software Install to After a Software Install

  • Please log in to reply
2 replies to this topic

#1 Guest_Aaron_Warrior_*


  • Guests

Posted 24 February 2017 - 06:16 PM

I've been reading computer-related threads for years and every once in a while you read a reference to some sort of method where someone is able to "record" their system before they install a software and then compare that to what it looks like after.  I assume a virtual machine is involved and they aren't actually doing anything to their "real" data.


The purpose in general is to learn what data is added, what data is deleted or moved (if any), what registry entries are made, etc... either for the purpose of learning exact what changes the software is making in order to determine if it's installing malware, or I've read reports that it's a method for cracking the software (example learning if it is making secret, undocumented registry entries to prevent people from reinstalling after a trial period has expired).


I've always wondered how people do this. Maybe there is a special software that does this, and presents all the changes neatly in a easy-to-read interface.  Just wondering if anyone knows the technical details on this kind of thing and how difficult it would be to do you myself.

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,047 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 February 2017 - 10:12 PM

There are several types of programs available which can monitor the installation of files, folders, modifications to the registry, file changes, deletions, etc. Some are more specific than others...some provide additional security protection so it depends on what you are looking for and how comprehensive you want the monitoring to be.File & Directory Monitor ToolsUserAssist by Didier Stevens displays all the data from the UserAssist registry keys which registers programs launched via Windows Explorer. This utility displays a table of programs executed with a running count and last execution date and time.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,750 posts
  • Gender:Male
  • Local time:05:42 PM

Posted 25 February 2017 - 12:24 PM

It's easy to do. Have you used regedit?

Didier Stevens

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019


If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.


Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users