Application Behavior Tracker

Discussion in 'other software & services' started by TechOutsider, Feb 14, 2010.

Thread Status:
Not open for further replies.
  1. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Is there some sort of HIPS that actually lets you know each specific action of a program - eg writing to the registry, etc?
     
  2. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    Partial solutions (using freeware):

    1. RegFromApp by NirSoft can track registry entries made by most simple programs. Just use it to launch the main exe file and it'll track the info. I often use it before entering registration info for a program to capture the reg changes so that I can import the license to other installations (e.g. BartPE builds) without having to re-enter it.

    2. Sandboxie: Run the program sandboxed and use a SandDiff or SandboxDiff add-on to capture the changes. You can also just open the Sandbox registry hive directly with Windows Registry Hive Reader from MicTec (or similar utility).

    Neither solution is perfect, so I'll keep an eye on this thread for other methods.
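
As an added example (not part of the thread, and not code from NirSoft or Sandboxie), here is the before/after comparison that a sandbox diff tool performs, written as a small Python script that parses two regedit exports ("Windows Registry Editor Version 5.00" text files) and reports added, removed and changed keys and values. The snapshot contents, the application name and every key and value in them are constructed for illustration.

```python
"""Diff two Windows .reg exports taken before and after a program ran.

Added example, not from the thread and not from NirSoft or Sandboxie. Input is the
text format regedit writes on File > Export; the two snapshots below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# A value name is either @ (the key's default value) or a quoted string with \" and \\ escapes.
_VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def _join_continuations(text: str) -> list[str]:
    """Rejoin hex(...) data that .reg exports wrap across lines with a trailing backslash."""
    lines: list[str] = []
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        lines.append(buf)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: raw_data}}.

    Data stays as the raw .reg token ("text", dword:..., hex:...) so the diff reports
    exactly what the export contained; [-HKEY...] deletion markers are skipped.
    """
    tree: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if (m := _KEY_RE.match(line)):
            key = m.group("key")
            current = None if key.startswith("-") else tree.setdefault(key, {})
            continue
        if current is not None and (m := _VALUE_RE.match(line)):
            name = m.group("name")
            # Strip the quotes and undo the \" and \\ escapes; @ is shown the way regedit does.
            name = "(Default)" if name == "@" else re.sub(r"\\(.)", r"\1", name[1:-1])
            current[name] = m.group("data")
    return tree


@dataclass
class RegDiff:
    added_keys: list[str] = field(default_factory=list)
    removed_keys: list[str] = field(default_factory=list)
    added_values: list[tuple[str, str, str]] = field(default_factory=list)         # (key, name, data)
    removed_values: list[tuple[str, str, str]] = field(default_factory=list)       # (key, name, data)
    changed_values: list[tuple[str, str, str, str]] = field(default_factory=list)  # (key, name, old, new)


def diff_reg(before_text: str, after_text: str) -> RegDiff:
    """Compare two exports; values under a brand-new key are also listed as added values."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    d = RegDiff()
    for key in sorted(before.keys() | after.keys()):
        old, new = before.get(key, {}), after.get(key, {})
        if key not in before:
            d.added_keys.append(key)
        elif key not in after:
            d.removed_keys.append(key)
        for name in sorted(old.keys() | new.keys()):
            if name not in old:
                d.added_values.append((key, name, new[name]))
            elif name not in new:
                d.removed_values.append((key, name, old[name]))
            elif old[name] != new[name]:
                d.changed_values.append((key, name, old[name], new[name]))
    return d


# Constructed snapshots: the second one adds licence values, flips a setting, adds a
# wrapped hex blob and creates an autostart entry, the kind of change a diff should surface.
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"Version"="1.0"
"InstallDir"="C:\\Program Files\\ExampleApp"

[HKEY_CURRENT_USER\Software\ExampleApp\Settings]
"Theme"="light"
"""

AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"Version"="1.0"
"InstallDir"="C:\\Program Files\\ExampleApp"
"LicenseKey"="EXAMPLE-0000-0000"
"Registered"=dword:00000001

[HKEY_CURRENT_USER\Software\ExampleApp\Settings]
"Theme"="dark"
"Blob"=hex:00,01,02,03,04,05,06,07,\
  08,09

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="\"C:\\Program Files\\ExampleApp\\app.exe\" /autostart"
"""

if __name__ == "__main__":
    d = diff_reg(BEFORE_REG, AFTER_REG)
    for key in d.added_keys:
        print("new key    ", key)
    for key, name, data in d.added_values:
        print("new value  ", f"{key}\\{name} = {data}")
    for key, name, old, new in d.changed_values:
        print("changed    ", f"{key}\\{name}: {old} -> {new}")
```

Keeping the data as the raw .reg token rather than decoding it means a dword or hex blob is compared byte for byte as exported, which is what you want when the goal is to carry a licence entry over to another installation unchanged.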
     
  3. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    There are HIPS products that will give you lots of alerts about what a given application is doing, but they're mostly concerned with things that appear "dangerous". They're typically not going to tell you everything the application does, that is to say, every registry key the app creates or reads and so on, since that would create an enormous amount of log data and alerts without any good reason as far as security is concerned. But, for those times when you really want to see even the harmless stuff that an application does, you could use, among others, Process Monitor from Microsoft Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx). It'll show you registry and file system activity, etc. Prepare for extremely long logs and lots of filtering to do. But it's an excellent troubleshooting tool for many occasions.
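
To make the "lots of filtering" concrete, here is an added example (not from the post and not from Sysinternals) that reads a Process Monitor CSV export and keeps only one process's write operations, collapses the successful ones into a per-operation list of touched paths, and calls out registry writes under the Run/RunOnce autostart keys. It assumes the column layout of Process Monitor's File > Save CSV export; the log lines, process names and paths are constructed to look like such an export, not captured from a real run.

```python
"""Filter a Process Monitor CSV export down to one process's write operations.

Added example, not from the thread or from Sysinternals. Assumes the column layout
of Process Monitor's File > Save CSV export; the sample lines below are constructed.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Constructed log lines in the shape of a Procmon CSV export (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567","exampleapp.exe","4120","RegOpenKey","HKCU\Software\ExampleApp","SUCCESS","Desired Access: Read"
"10:01:02.1235000","exampleapp.exe","4120","RegQueryValue","HKCU\Software\ExampleApp\Version","NAME NOT FOUND","Length: 144"
"10:01:02.1240000","exampleapp.exe","4120","RegSetValue","HKCU\Software\ExampleApp\Version","SUCCESS","Type: REG_SZ, Length: 8, Data: 1.0"
"10:01:02.1300000","exampleapp.exe","4120","CreateFile","C:\Users\alice\AppData\Roaming\ExampleApp\settings.ini","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Created"
"10:01:02.1310000","exampleapp.exe","4120","WriteFile","C:\Users\alice\AppData\Roaming\ExampleApp\settings.ini","SUCCESS","Offset: 0, Length: 212"
"10:01:02.1400000","exampleapp.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:01:02.1500000","exampleapp.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleApp","SUCCESS","Type: REG_SZ, Length: 72, Data: C:\Program Files\ExampleApp\app.exe /autostart"
"10:01:02.1600000","explorer.exe","1888","RegSetValue","HKCU\Software\Classes\Local Settings\MuiCache\ExampleApp","SUCCESS","Type: REG_SZ, Length: 20, Data: ExampleApp"
"10:01:02.1700000","exampleapp.exe","4120","RegSetValue","HKCU\Software\ExampleApp\Settings\Theme","ACCESS DENIED","Type: REG_SZ, Length: 10, Data: dark"
'''

# Operations that change registry or file state regardless of their Detail column.
MUTATING_OPS = {
    "RegSetValue", "RegCreateKey", "RegDeleteKey", "RegDeleteValue",
    "WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile",
}
# CreateFile is only a write when it asks for write access or actually creates the file.
CREATE_WRITE_MARKERS = ("Generic Write", "Write Data", "OpenResult: Created")
AUTOSTART_FRAGMENTS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def is_write(operation: str, detail: str) -> bool:
    """Classify one event as state-changing; reads, queries and opens are dropped."""
    if operation in MUTATING_OPS:
        return True
    if operation == "CreateFile":
        return any(marker in detail for marker in CREATE_WRITE_MARKERS)
    return False


def write_events(csv_text: str, process_name: str, successful_only: bool = True) -> list[dict[str, str]]:
    """Return the rows for one process that are writes, by default only those Windows allowed."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if successful_only and row["Result"] != "SUCCESS":
            continue
        if is_write(row["Operation"], row["Detail"]):
            events.append(row)
    return events


def summarize(events: list[dict[str, str]]) -> dict[str, list[str]]:
    """Collapse a long event list into {operation: sorted unique paths}."""
    paths: dict[str, set[str]] = defaultdict(set)
    for e in events:
        paths[e["Operation"]].add(e["Path"])
    return {op: sorted(p) for op, p in sorted(paths.items())}


def autostart_writes(events: list[dict[str, str]]) -> list[str]:
    """Paths of registry writes under the Run/RunOnce keys, a change worth a second look."""
    return [e["Path"] for e in events
            if e["Operation"].startswith("Reg")
            and any(frag in e["Path"].lower() for frag in AUTOSTART_FRAGMENTS)]


if __name__ == "__main__":
    events = write_events(SAMPLE_CSV, "exampleapp.exe")
    for op, paths in summarize(events).items():
        print(op)
        for p in paths:
            print("   ", p)
    for p in autostart_writes(events):
        print("autostart entry written:", p)
```

Filtering on the Result column matters in both directions: dropping the ACCESS DENIED row keeps the summary to what actually changed on disk, while running with successful_only=False shows what the program tried to do and was refused, which is often the more interesting list when you are deciding whether to trust it.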
     
  4. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Probably not - Maybe have a look at Russinovich's 'Process Monitor' - I used to use his 'Filemon' and 'Regmon' on 98 SE; they have both been superseded by the improved PM.

    "Introduction
    Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit."

    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
     