When I install a program I need to know what files were added/modified, which registry was modified. Can someone suggest a program that does this or maybe a code?
I think, this tool makes exactly what you need: http://technet.microsoft.com/en-us/sysinternals/bb896645
Process Monitor is an advanced monitoring tool for Windows that shows
real-time file system, Registry and process/thread activity. It
combines the features of two legacy Sysinternals utilities, Filemon
and Regmon, and adds an extensive list of enhancements including rich
and non-destructive filtering, comprehensive event properties such
session IDs and user names, reliable process information, full thread
stacks with integrated symbol support for each operation, simultaneous
logging to a file, and much more. Its uniquely powerful features will
make Process Monitor a core utility in your system troubleshooting and
malware hunting toolkit.
Systracer perfectly do what you want:
SysTracer is a system utility tool that can scan and analyze your
computer to find changed (added, modified or deleted) data into
registry and files.
There is both a free and a paid versions.
http://www.blueproject.ro/systracer
Related
I am running Windows 7 on which I want to do kernel debugging and I do not want to mess with boot loader. So I've downloaded LiveKd as suggested here and make it run and seems it is working. If I understand correct it is some kind of read only debugging. Here is mentioned that it is very limited and even breakpoint cannot be used. I would like to ask if is possible in this mode to periodically dump all the instructions that are being executed or basically all events which are happening on current OS? I would like to have some system wide strace (Linux users know) and to do some statistical analysis on this. I suppose it depends on more factors like installed debug symbols to begin able resolve addresses etc.
I'm not sure if debugger is the best tool you can use for tracing live system calls. As you've mentioned LiveKd session is quite limited and you are not allowed to place breakpoints in it (otherwise you would hang your own system). However, you still can create memory dumps using the .dump command (check windbg help: .hh .dump). Keep in mind though that getting a full dump (/f) of a running system might take a lot of time.
Moving back to the subject of your question, by using the "dump approach" you will miss many system calls as you will have only snapshots of a system at given points in time. So if you are looking for something similar to Linux strace I would recommend checking those tools:
Process Monitor (procmon) - it's a tool which will show you all I/O requests in the system, as well as operations performed on the registry or process activity events
Windows Performance Toolkit - it contains tools for collecting (WPR) and analysing (WPA) system and application tracing events. It might be a lot of events and it's really important to filter them accordingly to your needs. ETW (Event Tracing for Windows) is a huge subject and you probably will need to read some tutorials or books before you will be able to use it effectively (but it's really worth it!).
API Monitor - it's one of many (I consider it as one of the best) tracing applications - this tool will allow you to trace method calls in any of the running processes. It has a nice interface and even allows you to place breakpoints on methods you'd like to intercept.
There are many other tools which might be used for tracing on Windows, but I would start with the ones I listed above. You may also check a great book on this subject: Inside Windows Debugging. Good luck! :)
There's no shortage of traditional version control software, but I'm looking for something that doesn't require me to constantly commit. In other words, I am searching for background software that automatically keeps a history of all files in a directory. If possible, I would also like to be able to add commit notes myself for benchmarks later on.
I have no preference on whether or not the solution is a web service or a local service that I host myself, as long as it is free or has a reasonable one-time fee (no subscriptions please). Performance and Hard Drive Usage are not issues.
I hope that I'm not being too specific with my request. I searched the web for solutions, but I could not find any software that does what I want. For compatibility, I have Windows 7 64-bit and an AMD processor.
You should consider Dropbox. It's not strictly version control software, but it runs in the background and syncs your files to the cloud.
They give you 2GB of storage for free (more if you pay a subscription), and from their website, you can view the different versions of the files in your Dropbox folder.
I don't know of any software or services that do this.
I did come up with a quick idea though
This idea seems like a bit of a hack and it is right off the top of my head (so issues may come up in implementing).
Create an app/service that uses the FileSystemWatcher to detect changes/creation/deletion to the location(s) that you want to version.
When a detection is made, do [bat/cmd/powershell/code/ect] that uses the command line (or other) interface of [insert version control software here] to do a commit.
I think it's fairly straight forward. I think it's easy to implement, but that's the danger of 'top of the head' ideas. A direction to look for rolling your if nothing else. :)
I don't know of any stock solutions, but depending on your IDE/Make system, you should be able to create a postbuild event that commits the files to your "regular" version control system after a successful build (the version control system will need an external API or CLI for this to work). You can then add commit notes, etc. in the version control system at your leisure.
I have a .net application which I don't have source too. I'm interested in determining what files this application is accessing. I thought that a debugger would be a good way to do this. I work only in the linux world and know nothing about windows debuggers. I feel like there should be a way to do this with windbg, I know how I would go about it with gdb but not with windbg. Any help or advice is much appreciated.
If you just want to monitor file system activity for a given process then you won't find anything better than Process Monitor. It does lots more too and it's free from Sysinternals (now Microsoft).
Process Monitor is an advanced
monitoring tool for Windows that shows
real-time file system, Registry and
process/thread activity. It combines
the features of two legacy
Sysinternals utilities, Filemon and
Regmon, and adds an extensive list of
enhancements including rich and
non-destructive filtering,
comprehensive event properties such
session IDs and user names, reliable
process information, full thread
stacks with integrated symbol support
for each operation, simultaneous
logging to a file, and much more. Its
uniquely powerful features will make
Process Monitor a core utility in your
system troubleshooting and malware
hunting toolkit.
Stu is right if you just want to know what files are being accessed.
But if you want to know more about debugging .net apps, you can place break points on .net code when you have SOS.dll loaded into windbg. It's more involved than I can describe here, but you can Google windbg and SOS.DLL to find more info. Tess Ferrandez has a great blog that you may find useful, too: http://blogs.msdn.com/b/tess/
I want to use performance monitors to determine when a file is being accessed (read/write). Is this possible? If not, is there any other way?
My OS is Windows Server 2008 R2, and I am writing the code in C#.
For what its worth, you can use FileSystemWatcher to monitor writes to a specific file.
Unfortunately I don't think there is an API available for doing this using managed code. If you need to hook a file system read or write event, you should look into writing a filter driver. Filter drivers are pretty low-level constructs and if it's only to do performance monitoring then it's probably not worth it. This API is often utilized by anti-virus or backup/replication software developers.
I would like to create events for certain resources that are used across various processes and access these events by name. The problem seems to be that the names of the events must be known to all applications referring to them.
Is there maybe a way to get a list of names events in the system?
I am aware that I might use some standard names, but it seems rather inflexible with regard to future extensibility (all application would require a recompile).
I'm afraid, I can't even consider ZwOpenDirectoryObject, because it is described as needing Windows XP or higher, so it is out of question. Thanks for the suggestion though.
I am a little unsure about shared memory, because I haven't tried it so far. Might do some reading in that area I guess. Configuration files and registry are a slight problem, because they do tend to fail with Vista due to access problems. I am a bit afraid, that shared memory will have the same problem.
The idea with ProcessExplorer sounds promising. Does anyone know an API that could be used for listing events for a process? And, does it work without administrative rights?
Thank you for the clarification.
There is not really a master process. It is more of a driver dll that is used from different processes and the events would be used to "lock" resources used by these processes.
I am thinking about setting up a central service that has sufficient access rights even under Vista. It will certainly complicate things, but it might be the only thing left facing the problems with security.
No, there is not any facility to enumerate named events. You could enumerate all objects in the respective object manager directory using ZwOpenDirectoryObject and then filter for events. But this routine is undocumented and therefore should not be used without good reason.
Why not use a separate mechanism to share the event names? You could list them in a configuration file, a registry key or maybe even in shared memory.
Do not mix up the user mode ZwOpenDirectoryObject with the kernel mode ZwOpenDirectoryObject -- the kernel mode API (http://msdn.microsoft.com/en-us/library/ms800966.aspx) indeed seems to available as of XP only, but the user mode version should be available at least since NT 4. Anyway, I would not recommend using ZwOpenDirectoryObject.
Why should configuration files and registry keys fail on Vista? Of course, you have to get the security settings right -- but you would have to do that for your named events as well -- so there should not be a big difference here. Maybe you should tell us some more details about the nature of your processes -- do they all run within the same logon session or do they run as different users even? And is there some master process or who creates the events in the first place?
Frankly, I tend to find the Process Explorer idea to be not a very good one. Despite the fact that you probably will not be able to accomplish that without using undocumented APIs and/or a device driver, I do not think that a process should be spelunking around in the handle table of another process just to find out the names of some kernel objects. And, of course, the same security issues apply again.
ProcessExplorer is able to enumerate all the named events held by some specific process. You could go over the entire process list and do something similar although I have now clue as to what API is used to get the list...