Free file system and registry snapshot comparison programs for 64-bit (x64) Windows
MrBrian
August 17th, 2011, 11:26 PM
Recently I spent a fair amount of time researching free programs for 64-bit Windows that show file and/or registry changes between two points in time. Many of the free programs out there that fit this description unfortunately are 32-bit programs that don't see the full 64-bit system. Here are the free programs I found that see the full 64-bit system:
1. RegShot Unicode x64
Can show both file and registry changes. Comparisons can be done between any two snapshots. File snapshots can optionally include file hashes. Unfortunately, when run with admin privileges (which you need to do to see everything), scanning the file system always results in RegShot Unicode crashing on my computer. Thus I use only the registry snapshot functionality.
2. RegShot (http://code.google.com/p/regshot/) x64
Crashed during registry scan when run as admin (which you need to do to see everything), so not evaluated further.
3. OSForensics
Can show both file and registry changes (http://www.betanews.com/article/OSForensics-keeps-watch-on-pesky-Windows-Registry-changes/1310746211). Comparisons can be done between any two snapshots. File snapshots (they're actually called "signatures" in the program) can optionally include file hashes. Unfortunately, a registry snapshot doesn't include registry values as far as I can tell; registry keys are included however. Thus I use only the file comparison functionality of OSForensics.
4. TrackWinstall x64
Can show both file and registry changes. Comparisons can be done only between a snapshot and the present time. File snapshots can optionally include file hashes. File snapshot comparison results list only which files have been added, created, and deleted; OSForensics shows more file details than TrackWinstall. The registry comparison results give an inadequate amount of details in some cases IMHO, and thus I recommend not using the registry snapshot functionality of TrackWinstall.
5. Microsoft Windows System State Monitor x64 (found in Software Certification Toolkit x64)
Can show both file and registry changes. Additionally, can show changes in services and drivers. Comparisons can be done only between two points in time within the current session. Cannot monitor across a reboot. File snapshots cannot include file hashes.
6. Microsoft Windows System State Analyzer (http://www.wilderssecurity.com/showthread.php?t=263494) x64 (found in Software Certification Toolkit x64)
Can show both file and registry changes. Additionally, can show changes in services and drivers. Comparisons can be done between any two snapshots. File snapshots cannot include file hashes. Snapshot creation is very slow. I couldn't assess the comparison results because the program crashed when I tried.
7. Advanced Uninstaller Free (http://www.innovative-sol.com/uninstaller-free/)
Can show both file and registry changes - use the installation monitor. Comparisons can be done only between two points in time within the current session, or across a reboot. File snapshots cannot include file hashes. I noticed that file changes and deletions are not listed; this might not be a bug because file changes or deletions cannot be undone by Advanced Uninstaller Free during uninstallation of a program that was monitored during installation. Not recommended as a file snapshot comparison program because of this issue, although it might be fine for the purpose of uninstalling programs. Off topic remark: Advanced Uninstaller Free can optionally scan for leftover file and registry items during uninstallation, similar to Revo Uninstaller.
My recommendations:
For file system snapshots, use either OSForensics or TrackWinstall; OSForensics is better IMHO but it's also a larger download. For registry snapshots, use RegShot Unicode x64 run with admin privileges.
If you know of other similar programs, please do tell :).
MrBrian
August 18th, 2011, 01:41 AM
My description of the registry snapshot feature in OSForensics was somewhat incorrect. OSForensics stores both registry keys and value names in a registry snapshot. However, OSForensics doesn't store a value's data in a registry snapshot, although it does store a value's data size. As a result, OSForensics won't be able to show if a given value's data changed if its size in bytes didn't change. Regshot Unicode doesn't have this issue.
My recommendations from the last post are unchanged.
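The limitation described above (a snapshot that records a value's data size but not its data) can be modelled directly. This is an added example, not code from OSForensics, Regshot or the thread: it compares two snapshots at two fidelity levels, size-only and size plus a SHA-256 of the data, over constructed registry content, and shows that a same-size in-place edit is invisible in the size-only mode.

```python
"""Snapshot comparison with two fidelity levels for registry value data.

Added example (not code from OSForensics, Regshot or the thread): models
the difference between a snapshot that stores only a value's data *size*
and one that also stores a hash of the data itself.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    path: str      # "KEY\\value" for registry items, full path for files
    kind: str      # "added", "deleted" or "modified"


def fingerprint(data: bytes, store_data: bool) -> tuple:
    """What a snapshot records per item.

    store_data=False mimics a size-only snapshot: two values whose data
    differs but has the same byte length look identical.
    store_data=True records a SHA-256 of the data, so any change shows.
    """
    if store_data:
        return (len(data), hashlib.sha256(data).hexdigest())
    return (len(data),)


def take_snapshot(items: dict, store_data: bool) -> dict:
    return {path: fingerprint(data, store_data) for path, data in items.items()}


def compare(before: dict, after: dict) -> list:
    """Diff two snapshots: deleted, added, then modified items, each sorted."""
    changes = [Change(p, "deleted") for p in sorted(before.keys() - after.keys())]
    changes += [Change(p, "added") for p in sorted(after.keys() - before.keys())]
    changes += [Change(p, "modified") for p in sorted(before.keys() & after.keys())
                if before[p] != after[p]]
    return changes


# Constructed sample registry content (key\value -> data), not from a real system.
BEFORE = {
    r"HKLM\SOFTWARE\Example\Run\updater": b"C:\\Program Files\\Example\\upd.exe",
    r"HKLM\SOFTWARE\Example\Settings\enabled": b"\x01\x00\x00\x00",
    r"HKLM\SOFTWARE\Example\Settings\old": b"x",
}
AFTER = {
    # same byte length, different content: an in-place edit of the run entry
    r"HKLM\SOFTWARE\Example\Run\updater": b"C:\\Program Files\\Example\\evl.exe",
    r"HKLM\SOFTWARE\Example\Settings\enabled": b"\x01\x00\x00\x00",
    r"HKLM\SOFTWARE\Example\Settings\new": b"y",
}


def changes_seen(store_data: bool) -> list:
    """Run the comparison at the given fidelity and return the changes found."""
    return compare(take_snapshot(BEFORE, store_data),
                   take_snapshot(AFTER, store_data))


if __name__ == "__main__":
    for mode in (False, True):
        print("store_data =", mode)
        for c in changes_seen(mode):
            print("  ", c.kind, c.path)
```

The same function works for file snapshots: feed it path to file-content mappings and the size-only mode corresponds to a snapshot taken without file hashes.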
majoMo
August 18th, 2011, 09:33 AM
@MrBrian, I appreciate the time you found to analyze this kind of app for 64-bit systems.
1- Since I'm using System Explorer's snapshot feature, but on a 32-bit system, can you try it and see if it works well on 64-bit also?
2- BTW, does Advanced Uninstaller Free have an Ignore/Excluded List in its installation analysis?
Thanks.
MrBrian
August 18th, 2011, 01:34 PM
-{ Quote: "@MrBrian, I appreciate the time you found to analyze this kind of app for 64-bit systems.
1- Since I'm using System Explorer's snapshot feature, but on a 32-bit system, can you try it and see if it works well on 64-bit also?
2- BTW, does Advanced Uninstaller Free have an Ignore/Excluded List in its installation analysis?
Thanks." }-
You're welcome :).
System Explorer v3.06 run with admin privileges doesn't see the whole 64-bit system.
You can test whether a given snapshot program sees the whole 64-bit system by creating a new file with Windows Explorer between snapshots in \windows\system32 (to test file system snapshot) and creating a new registry key with Regedit between snapshots directly under HKEY_LOCAL_MACHINE\SOFTWARE (to test registry snapshot). If a given snapshot program doesn't list these newly created items in a snapshot comparison, then it can't see the whole 64-bit system.
Advanced Uninstaller Free's Installation monitor settings are described here (http://www.innovative-sol.com/uninstaller/manual/installation_monitor_settings.htm). When uninstalling, the user is given the option of which items to undo - see here (http://www.innovative-sol.com/uninstaller/manual/installation_monitor_uninstall.htm).
majoMo
August 18th, 2011, 04:17 PM
I didn't test it since I don't have a 64-bit system. ;D Thanks for the tip on how to be sure about 64-bit snapshot compatibility. Useful. ;)
Tried Advanced Uninstaller Free now, and it indeed doesn't have an Ignore/Excluded List; unchecking items a posteriori isn't the best solution.
MrBrian
August 27th, 2011, 02:09 PM
Another program that might be helpful to some is System Change Log (http://www.greyware.com/software/systemchangelog/3x/index.asp) (free for personal use, not free for business use). System Change Log isn't technically a file snapshot comparison program. Instead, it monitors the operating system's USN Journal (http://en.wikipedia.org/wiki/USN_Journal) for file events. System Change Log can write its log to either a text file and/or Windows Event Viewer. You can specify which folders to monitor, and also which files to include or exclude.
-{ Quote: "System Change Log works with or without Window's auditing enabled to record file and folder creation, deletion, modification, renaming, and security descriptor changes. If standard auditing is enabled, System Change Log can also report the user account of the person making the change." }-
The website states that this is a 30-day trial, but it's on the honor system and there is no nagging.
When I tried to run the program's Control Panel applet, nothing happened. However, you can access the applet by running file \windows\system32\scl.cpl with admin privileges. The text log, if this option is enabled, is found at \windows\system32\scl.log.
To give you an idea of what the text log file looks like, here is a snippet from my computer:
Sat Aug 27 2011 12:12:23 Info: C:\Temp\System Change Log v3.1 hehe\x86\setup.exe file deleted
Sat Aug 27 2011 12:12:23 Info: C:\Temp\System Change Log v3.1 hehe\x86 folder deleted
Sat Aug 27 2011 12:12:23 Info: C:\Temp\System Change Log v3.1 hehe folder deleted
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
Sat Aug 27 2011 12:13:03 Info: C:\Temp\New folder folder created
Sat Aug 27 2011 12:13:05 Info: C:\Temp\New folder folder renamed to hehe
Sat Aug 27 2011 12:13:15 Info: C:\Temp\System Change Log v3.1\Setup.exe file renamed to C:\Temp\hehe\Setup.exe
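The text log above is easy to work with once parsed. The following is an added example, not part of System Change Log or the post: it parses lines in the format shown (the format is inferred from the sample only), normalises renames, and collapses bursts of identical events, so the fourteen "csidb.csi file modified" lines become one row with a count and do not bury the creations, deletions and renames around them. The sample input is the snippet quoted in the post.

```python
"""Parser for the System Change Log text log format shown above.

Added example, not code from System Change Log or the post. The line
format is inferred from the quoted scl.log snippet only.
"""
import re
from collections import Counter

# "<Day Mon DD YYYY HH:MM:SS> <Level>: <path> <file|folder> <action>"
# The path may contain spaces, so it is matched non-greedily and the
# object type plus action anchor the end of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>\w+): (?P<path>.+?) (?P<obj>file|folder) "
    r"(?P<action>created|deleted|modified|renamed to (?P<target>.+))$"
)


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    if ev["target"] is not None:
        ev["action"] = "renamed"   # keep the rename target separately
    return ev


def parse_log(text: str) -> list:
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def summarize(events: list) -> list:
    """Collapse repeated (path, obj, action, target) events into counts,
    keeping first-seen order: rows of (path, obj, action, target, count)."""
    counts = Counter()
    order = []
    for ev in events:
        key = (ev["path"], ev["obj"], ev["action"], ev["target"])
        if key not in counts:
            order.append(key)
        counts[key] += 1
    return [(*key, counts[key]) for key in order]


# Lines quoted from the post above; the 14 identical csidb.csi lines are
# reproduced by repetition.
SAMPLE = "\n".join(
    [r"Sat Aug 27 2011 12:12:23 Info: C:\Temp\System Change Log v3.1 hehe\x86\setup.exe file deleted",
     r"Sat Aug 27 2011 12:12:23 Info: C:\Temp\System Change Log v3.1 hehe\x86 folder deleted",
     r"Sat Aug 27 2011 12:12:23 Info: C:\Temp\System Change Log v3.1 hehe folder deleted"]
    + [r"Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified"] * 14
    + [r"Sat Aug 27 2011 12:13:03 Info: C:\Temp\New folder folder created",
       r"Sat Aug 27 2011 12:13:05 Info: C:\Temp\New folder folder renamed to hehe",
       r"Sat Aug 27 2011 12:13:15 Info: C:\Temp\System Change Log v3.1\Setup.exe file renamed to C:\Temp\hehe\Setup.exe"]
)

if __name__ == "__main__":
    for row in summarize(parse_log(SAMPLE)):
        print(row)
```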
MrBrian
August 28th, 2011, 12:49 AM
A note about System Change Log: it doesn't log file system changes recorded in the USN Journal when System Change Log's service isn't running.
Here are free programs which let you view the contents of the USN Journal:
1. Windows Journal Parser (http://tzworks.net/prototype_page.php?proto_id=5)
2. Eyes on NTFS (http://www.codeproject.com/KB/files/Eyes_on_NTFS.aspx)
3. parser-usnjrnl (http://code.google.com/p/parser-usnjrnl/) - terminated with error when I tried it; to use, first copy the file \$Extend\Usnjrnl:$j to a new file using NTFS File Copy Utility (http://tzworks.net/prototype_page.php?proto_id=9)
4. EnScript to parse USNJRNL (http://www.forensickb.com/2008/09/enscript-to-parse-usnjrnl.html) - couldn't try because I don't have EnCase
Windows Journal Parser seems more thorough than Eyes on NTFS in my limited testing. Unlike System Change Log, Windows Journal Parser doesn't show a file's path.
Kees1958
August 28th, 2011, 04:52 AM
Thanks again for the tips :thumb:
I used the Windows System State Monitor in my sandbox-redirect setup for Chromium.
1. Start Windows System State Monitor
2. Do some browsing
- logging into Wilders Security
- Adding a bookmark
- Adding an extension
- Viewing an Internet movie
- Viewing a PDF
- Buying a music file on a store, to the point of starting the iDEAL payment service until confirmation through external calculator
- Downloading an executable
- Saving an image to the desktop
3. Add the program (in this case Chromium) to GeSWall as untrusted program
* repeat above actions
* scan for untrusted files
4. Fine tuning GeSWall (making it behave like sandboxie)
* export GeSWall logs
* export file scan of GeSWall
* compare those with the initial Windows State Monitor
* fine tune GeSWall console rules
=> Policy sandbox with SBIE application virtualisation around Chromium's sandbox 8) backed up by my UAC settings (only elevate signed programs, which Chromium is not) = triple sandbox which only uses 0.01% CPU realtime ;D
=> Under UAC the command menu of GeSWall to change a downloaded file from untrusted to trusted does not work. GeSWall has a disadvantage compared to DefenseWall (which has total untrusted file control): when you copy or move a file from one partition to another, GeSWall forgets the untrusted file marker (Windows does the same for mandatory rights assignment with icacls.exe). Funny thing, the 1806 deny-execute marker of the ADS sticks!
J_L
August 31st, 2011, 02:00 AM
Thanks for making this thread, will add new programs to the list later.
Where is the website for RegShot Unicode and Windows System State Monitor (Software Certification Toolkit)? Third-party is fine as long as there's an adequate description and valid download links.
MrBrian
August 31st, 2011, 10:55 PM
-{ Quote: "Thanks for making this thread, will add new programs to the list later.
Where is the website for RegShot Unicode and Windows System State Monitor (Software Certification Toolkit)? Third-party is fine as long as there's an adequate description and valid download links." }-
You're welcome J_L, and thank you also for the great list :).
The usual online reference for RegShot Unicode is hxxp://regshot.ru/20/, but I'm not sure if it's located there anymore. I got my copy of RegShot Unicode from hxxp://www.woodmann.com/collaborative/tools/index.php/Regshot_Unicode. By the way, RegShot Unicode apparently isn't an officially sanctioned fork of RegShot.
The Software Certification Toolkit is found at http://msdn.microsoft.com/en-us/library/dd744769%28v=vs.85%29.aspx. Note that there are separate downloads for x86 and x64.
While in beta, OSForensics has an expiration date. When the final free version is released, an expiration date shouldn't be present as far as I know.
MrBrian
August 31st, 2011, 11:17 PM
Yet Another Registry Utility (http://tzworks.net/prototype_page.php?proto_id=3) is another free program which can compare registry snapshots. Unfortunately, as of v1.14, in my limited testing any two registry snapshots are considered to have no differences, even if registry changes have been made in between the two compared snapshots. Also, the program compares individual registry hive files instead of the whole registry at once. I included mention of Yet Another Registry Utility here because the comparison feature might work properly in the future, when this thread may have already been closed due to inactivity.
J_L
September 1st, 2011, 03:38 PM
-{ Quote: "You're welcome J_L, and thank you also for the great list :).
The usual online reference for RegShot Unicode is hxxp://regshot.ru/20/, but I'm not sure if it's located there anymore. I got my copy of RegShot Unicode from hxxp://www.woodmann.com/collaborative/tools/index.php/Regshot_Unicode. By the way, RegShot Unicode apparently isn't an officially sanctioned fork of RegShot.
The Software Certification Toolkit is found at http://msdn.microsoft.com/en-us/library/dd744769%28v=vs.85%29.aspx. Note that there are separate downloads for x86 and x64.
While in beta, OSForensics has an expiration date. When the final free version is released, an expiration date shouldn't be present as far as I know." }-
You're welcome.
I'll add the second link, missed the download link before.
Doesn't provide an adequate description, and I've only found reviews for Windows System State Analyzer. Might as well add that instead then.
I see.
MrBrian
September 1st, 2011, 07:06 PM
-{ Quote: "
Doesn't provide an adequate description, and I've only found reviews for Windows System State Analyzer. Might as well add that instead then." }-
From a member of the Windows Server Logo Program (see thread http://social.msdn.microsoft.com/Forums/da-DK/winserver2008appcompatabilityandcertification/thread/cc39f0fc-a356-4f72-a3a3-4c366f4bf538):
-{ Quote: "The Windows Server Logo Program has come to accept the end of life of the Windows System State Analyzer tool.
The tool has a dependency on a component outside our control, which is no longer supported on latest updates of Windows.
Workaround #1
Use the Windows System State Monitor tool also included in the Software Certification Toolkit v3.5. This tool is much faster, and will monitor system state changes in real time, producing a report very similar to the Analyzer tool, reflecting Logo test cases." }-
J_L
September 1st, 2011, 10:12 PM
I've seen that before, but it's sort of vague and provides no download links. Also has unrelated information, being a forum thread.
MrBrian
December 26th, 2011, 01:58 PM
System Explorer (http://systemexplorer.net/)'s snapshot feature now works correctly in x64. Registry snapshot comparisons do not show added registry keys if there are no values within the added key. Registry snapshot comparisons do not show deleted registry keys if there were no values within the deleted registry key.
Thank you majoMo for your post in the System Explorer forum which led to the proper functioning of the snapshot feature in x64. :)
ruinebabine
December 26th, 2011, 02:13 PM
My preferred tool for that is Registry Workshop; I wonder if you had a chance to give it a try? Not free, but just out of curiosity to see what your findings would be.
There is also a new beta available for RegShot Unicode: 1.8.3 beta1 (updated 25/12/11)
MrBrian
December 26th, 2011, 02:29 PM
-{ Quote: "My preferred tool for that is Registry Workshop; I wonder if you had a chance to give it a try? Not free, but just out of curiosity to see what your findings would be.
There is also a new beta available for RegShot Unicode: 1.8.3 beta1 (updated 25/12/11)" }-
I haven't tried Registry Workshop because it isn't free. See post #4 if you're wondering if it works correctly in x64.
Thank you for the notice about the latest Regshot (http://code.google.com/p/regshot/). I just tried using it as admin, and it didn't crash, unlike the version that I tested in post #1. I'll test it and report my results here.
MrBrian
December 26th, 2011, 03:02 PM
There are a number of programs that can be used to show file system changes in real time. These technically aren't snapshot comparison programs but nonetheless are related. Here are some that seem to work properly in x64:
1. Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645)
Unlike the other programs mentioned in this post, shows the process responsible for the file changes. Can show registry changes also. Tip: create filter "Category is Write then Include". Also, you can check "Drop Filtered Events" so that only displayed events are kept.
2. Disk Pulse (http://www.diskpulse.com/)
Requires installation.
3. Moo0 FileMonitor (http://www.moo0.com/software/FileMonitor/)
Runs as standalone program. As of v1.07, can list more items if run with admin privileges than without; I reported this to developers because I'm not sure if it's a bug.
4. TheFolderSpy (http://venussoftcorporation.blogspot.com/2010/05/thefolderspy.html)
Runs as standalone program. If you want a realtime file change monitoring program that seems to list all file changes without requiring admin privileges, use this program.
ruinebabine
December 26th, 2011, 03:19 PM
-{ Quote: "I haven't tried Registry Workshop because it isn't free. See post #4 if you're wondering if it works correctly in x64." }-
Ok, I understand.
(btw, RW seems to truly work on x64 because it listed the key I created as instructed above, thanks for this infotip and this thread)
MrBrian
December 26th, 2011, 05:00 PM
As noted by ruinebabine, there is a new beta of Regshot which includes an x64 version. It's available at both http://code.google.com/p/regshot/ and http://sourceforge.net/projects/regshot/. The executables from these two sites are different from one another. This is a different program from Regshot Unicode.
majoMo
December 28th, 2011, 08:47 PM
-{ Quote: "Thank you majoMo for your post in the System Explorer forum which led to the proper functioning of the snapshot feature in x64. :)" }-
My thanks for your infotip that allowed me to check the x64 compatibility of System Explorer's snapshot feature; since their snapshot feature is good and quick, it was indeed a laxness for it not to work on x64 systems.
;)
ruinebabine
December 30th, 2011, 08:52 PM
-{ Quote: "As noted by ruinebabine, there is a new beta of Regshot which includes an x64 version. It's available at both http://code.google.com/p/regshot/ and http://sourceforge.net/projects/regshot/. The executables from these two sites are different from one another. This is a different program from Regshot Unicode." }-
Developer seems very active lately.
3 new builds this week...
-{ Quote: "v 1.8.3 beta1 v 4 (updated 30/12/11) Testing purpose only
Note for 1.8.3_beta1_v4.txt:
Figure out why v1-v4 diffs in compilers.:)
So in this package, all .exe are compiled with Visual Studio 2010
182to183.exe
regshot.exe
regshot_x64.exe
Fix small bugs and a little change.
ps: v1 and v2 are bad. v3 is good. v4 is unknown ;)
http://sourceforge.net/projects/regshot/files%2Fregshot%2F1.8.3%2Fv4_regshot_1.8.3_beta1_win32_x64_src_bin_v4.zip/download
https://sourceforge.net/projects/regshot/" }-
MrBrian
December 31st, 2011, 10:05 AM
Track Folder Changes: free program that shows file system changes with 3 color codes (http://www.wilderssecurity.com/showthread.php?t=315311) (real time monitoring)
MrBrian
December 31st, 2011, 11:07 AM
Watch 4 Folder: free program that performs various actions upon file system events (http://www.wilderssecurity.com/showthread.php?t=315315) (real time monitoring)
Adric
December 31st, 2011, 11:49 AM
-{ Quote: "Track Folder Changes: free program that shows file system changes with 3 color codes (http://www.wilderssecurity.com/showthread.php?t=315311) (real time monitoring)" }-
Nice find.
Al
majoMo
January 6th, 2012, 08:12 PM
"Track Folder Changes" is really tiny and useful and allows you to track file activity, e.g. to check for log/unneeded files to be deleted in a custom clean.
Thanks MrBrian for sharing this app with us.