How to find out what an .exe file changes on the computer
I am trying to find out what exactly an .exe is changing on my Windows computer before I really execute it, e.g. to see the registry changes which will take place, which files are going to get changed, which new files are going to be added, etc.
Is this possible?
windows
asked Nov 29 '15 at 8:52
Black
1
Probably not in general. Read about the halting problem.
– Basile Starynkevitch
Nov 29 '15 at 8:55
1
Hmm, I see. If a condition in the program is only true on e.g. 01.01.2020, then it wouldn't be detectable that easily.
– Black
Nov 29 '15 at 9:00
2 Answers
How do I know what will change on my Windows computer before I run a program?
I want to see the registry changes which will take place, which files are going to get changed, which new files are going to be added, etc.
That's not possible:
If you analysed the .exe program and knew what system calls it can make, you would have to give it all possible inputs to predict what would happen when it was run.
There is an infinite number of possible inputs (consider just the simple case of typing random characters into a text file, there are millions of possible combinations).
In the particular case of "which new files are going to be added" nothing can know in advance the filename you are going to give the program to save a file.
The best you can do is run the program (maybe in a sandbox) and monitor the changes as they happen.
There are a number of possibilities for this monitoring. The most useful is probably Process Monitor as it provides lots of information that can be logged.
From Nirsoft:
- FolderChangesView
FolderChangesView is a simple tool that monitors the folder or disk
drive that you choose and lists every filename that is being modified,
created, or deleted while the folder is being monitored.
You can use FolderChangesView with any local disk drive or with a
remote network share, as long as you have read permission to the
selected folder.

- ProcessActivityView
ProcessActivityView creates a summary of all files and folders that
the selected process tries to access. For each file that the process
accesses, the following information is displayed: Number of times that
the file was opened and closed, number of read/write calls, total
number of read/write bytes, the dll that made the last open-file call,
and more...

From Sysinternals:
- Process Monitor
Process Monitor is an advanced monitoring tool for Windows that shows
real-time file system, Registry and process/thread activity.
It combines the features of two legacy Sysinternals utilities,
Filemon and Regmon, and adds an extensive list of enhancements
including rich and non-destructive filtering, comprehensive event
properties such as session IDs and user names, reliable process
information, full thread stacks with integrated symbol support for
each operation, simultaneous logging to a file, and much more.

- ProcessExplorer
Process Explorer shows you information about which handles and DLLs
processes have opened or loaded.
The Process Explorer display consists of two sub-windows. The top
window always shows a list of the currently active processes,
including the names of their owning accounts, whereas the information
displayed in the bottom window depends on the mode that Process
Explorer is in: if it is in handle mode you'll see the handles that
the process selected in the top window has opened; if Process Explorer
is in DLL mode you'll see the DLLs and memory-mapped files that the
process has loaded.

Disclaimer
I am not affiliated with Nirsoft or Sysinternals in any way, I am just an end user of their software.
edited Nov 19 '17 at 19:58
answered Nov 29 '15 at 9:46
DavidPostill♦
I found a possible way.
- Set up a virtual Windows machine.
- Install "Process Monitor" on it.
- Execute the exe
- Look up the PID of the process from the exe
- Filter for the PID of this process in "Process Monitor"
- See changes live
It's not the best solution, but a start.
answered Nov 29 '15 at 9:10
Black
1
That's not /really/ 'finding out what exactly an .exe is changing on your windows computer before you really execute it' though, is it? It is executing the exe and finding out what it has changed afterwards, you just happen to be doing it in a disposable environment.
– RyanfaeScotland
Jan 22 '16 at 15:24
Yes true, I mean this way you can find out what the exe does before executing it in your real environment.
– Black
Apr 7 '18 at 8:24
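An added example, not part of the original thread: both answers come down to running the program in a sandbox or VM and reading the Process Monitor log, and that log can be saved as CSV and reduced to the operations that actually changed something. The Python sketch below assumes Process Monitor's default CSV columns; the sample rows, paths, PIDs and the `summarize` helper are constructed for illustration. It also follows child processes, which a filter on a single PID would miss.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows in Process Monitor's default CSV column layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.10","setup.exe","4120","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read Data, Disposition: Open, OpenResult: Opened"
"10:00:01.20","setup.exe","4120","RegOpenKey","HKLM\SOFTWARE\Microsoft","SUCCESS","Desired Access: Read"
"10:00:01.30","setup.exe","4120","CreateFile","C:\Users\lab\AppData\Local\Temp\helper.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:00:01.40","setup.exe","4120","WriteFile","C:\Users\lab\AppData\Local\Temp\helper.exe","SUCCESS","Offset: 0, Length: 4096"
"10:00:01.50","setup.exe","4120","Process Create","C:\Users\lab\AppData\Local\Temp\helper.exe","SUCCESS","PID: 5232, Command line: helper.exe /quiet"
"10:00:01.60","helper.exe","5232","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Users\lab\AppData\Local\Temp\helper.exe"
"10:00:01.70","helper.exe","5232","CreateFile","C:\ProgramData\app\config.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:00:01.80","helper.exe","5232","SetDispositionInformationFile","C:\Users\lab\AppData\Local\Temp\setup.log","SUCCESS","Delete: True"
"10:00:01.90","explorer.exe","1888","WriteFile","C:\Users\lab\Desktop\notes.txt","SUCCESS","Offset: 0, Length: 12"
'''

# Operations that always modify state when they succeed.
ALWAYS = {
    "WriteFile": "file_written",
    "SetRenameInformationFile": "file_renamed",
    "RegSetValue": "reg_value_set",
    "RegDeleteValue": "reg_value_deleted",
    "RegDeleteKey": "reg_key_deleted",
}
# Operations that only modify state when Detail carries a given marker;
# a plain open of an existing file or key is not a change.
CONDITIONAL = {
    "CreateFile": ("OpenResult: Created", "file_created"),
    "RegCreateKey": ("REG_CREATED_NEW_KEY", "reg_key_created"),
    "SetDispositionInformationFile": ("Delete: True", "file_deleted"),
}


def summarize(csv_text, root_pid):
    """Return {category: sorted paths} for root_pid and every process it spawns."""
    tracked = {str(root_pid)}
    changes = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Skip other processes and attempts that failed (e.g. ACCESS DENIED).
        if row["PID"] not in tracked or row["Result"] != "SUCCESS":
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "Process Create":
            # Detail names the child PID; track it from here on.
            child = re.search(r"PID: (\d+)", detail)
            if child:
                tracked.add(child.group(1))
            changes["process_started"].add(path)
        elif op in ALWAYS:
            changes[ALWAYS[op]].add(path)
        elif op in CONDITIONAL and CONDITIONAL[op][0] in detail:
            changes[CONDITIONAL[op][1]].add(path)
    return {cat: sorted(paths) for cat, paths in changes.items()}


if __name__ == "__main__":
    # For a real export, read the file with newline="" and encoding="utf-8-sig"
    # (tolerates a byte-order mark if one is present).
    for category, paths in sorted(summarize(SAMPLE_CSV, 4120).items()):
        for p in paths:
            print(f"{category:18} {p}")
```

The summary only covers what the program did during this one run in the VM; behaviour gated on a date, input or environment, as raised in the comments on the question, will not appear in it.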