Need help seeing filesystem changes

How can I see what files are altered after a program installation (on Virtualbox)? I assume a kind of snapshot program?

 

SysTracer is a good, paid program for this. Regshot Unicode (aka Regshot 2) is a good free alternative. (Not sure if the link I included is the best one, there may be a newer version available). Even though it's called Regshot (for taking snapshots of your registry), you can also tell it to monitor files. Of course if you have lots of files and registry entries then these snapshots can take a long time, so you might want to exclude some large directories (in the sense of including numerous files and subdirectories). Normally snapshots take a few minutes, ymmv. Other methods include installing a program into Sandboxie to see what files it adds or changes, and you can also open the sandboxie registry hive with a program like MiTeC Windows Registry Recovery, but this method only works with simple programs that agree to be installed into Sandboxie.

There will always be some noise (file and registry changes unrelated to your installation), so you might want to take a few snapshots without installing anything (or just start an installer, but cancel it), to see what the noise looks like and maybe add it to entries to ignore. If you need to reboot the machine after install, then you should take the after snapshot before reboot, and third snapshot after reboot (to compare with the previous one), although a complete reboot will introduce a lot of noise into the log of changes. You should also run the program once, then exit, before you take the after snapshot, or even make a seprate (third) snapshot for the first run of the program because that's when they often add important changes to the registry. There's also a nifty little tool called RegFromApp that can capture registry changes made by an app, which is often convenient when running a program for the first time. It's not as reliable as taking snapshots, but it's quick and there no noise since it only captures changes to registry made by the specific exe you are monitoring.

 

Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) is recording changes made to filesystem in real time during installation. You can have it running when installing software and then check the log file (using filters you can reduce the log size).

 

Thank you both, I'll take a look at these

 

Free file system and registry snapshot comparison programs for 64-bit (x64) Windows