Sysinternals Forums > Process Monitor

Procmon - monitor installation program?

harshabi (Newbie, India)
Posted: 26 January 2008 at 3:48am
Hi,
I need the list of files that a program creates/modifies/deletes on the hard disk when I start installing the program. Is it possible to use Procmon to identify the files that are created/modified/deleted during the installation of a program? If "Yes", what are the filter conditions I need to set?
I have actually tried to set CreateFile in the filter, but it does not show all the files that are being created.
Thanks in advance.
molotov (Moderator Group)
Posted: 26 January 2008 at 6:11am
Hi harshabi,
 
Yes, it is possible to use Process Monitor to do what you wish, but you will need to adjust the filters to accommodate the situation.  Process Monitor  will not profile an installation program and detect all the possible programs, batch files, scripts, and the like that such a program can launch, and that the programs that it launches launch, ad nauseam.  Rather, it will show you all of the changes that are made to the system (file system, registry) along with Process Activity (process creation, image loading, thread creation / death, etc.).  It is up to the person running Process Monitor to set the filter to find / show the data they're interested in.  The exact filter likely depends on the program / installation at hand.
 
FWIW, there is a Feature Request for Process Monitor to be able to do precisely what it seems you want it to do.
Daily affirmation:
net helpmsg 4006
harshabi (Newbie, India)
Posted: 26 January 2008 at 9:44am
Thanks molotov.
Could you please tell me how to identify the files that are created or modified, i.e. what is the parameter that I should look for in Procmon's output?
Karlchen (Senior Member, Germany)
Posted: 26 January 2008 at 9:58am
Hi, harshabi.
harshabi wrote:
    I need the list of files that a program creates/modifies/deletes on the hard disk when I start installing the program.
I do not wish to keep you from using Process Monitor (for troubleshooting purposes). Yet, I assume there are at minimum half a dozen (freeware) programmes which will achieve the goal of monitoring an installation and cause less work to you.

Here is one of these: TrackWinstall by Heise c't. (The archive holds different programmes for different Windows architectures.)

HTH,
Karl


molotov (Moderator Group)
Posted: 26 January 2008 at 10:06am
To tell if a file was modified, you could consider adding filters for:
"Event Class is File System Include"
"Category is Write Include" (could also do "Operation is WriteFile Include", in "basic" mode)
"Operation is CreateFile Include"
 
Also seems you might want to consider:
"Detail contains OpenIf Include"
"Detail contains OverwriteIf Include"
to differentiate CreateFile operations that create files as opposed to opening them.  Perhaps there is a better way - I haven't had a need to work this out yet...
jboucher (Groupie)
Posted: 27 January 2008 at 2:38pm
I've used ProcMon to monitor an install.  But indeed there are programs out there that will do it out of the box so to speak.  With ProcMon you require more manual interaction (unless they incorporate my request to add this as a feature to ProcMon in a future version...).

1 - Start ProcMon, then run your install. 
2 - When the install is complete stop the capture (not necessary, but no point capturing any more).
3 - Go under Process Tree to see if the setup process called any other child processes (because you'll have to examine the output of the events for the main process and its sub-processes - filtering on their PID in case more than one instance of that process is running).
4 - create a filter to include all PIDs for the main setup process and the child sub-processes.

5 - Next you'll want to examine what files/folders were created at install.  I use Operation WriteFile, and Result is Success for that one.
6 - Use the Unique option to view unique paths.  Save that to a file.  You've now documented the files/folders involved in the installation.

7 - Now registry entries.  Set a filter for Operation is RegSetValue (remove the WriteFile filter as we've already dealt with that one now).
8 - Again use the Unique option to view unique paths.  Save that to another file.  You've now documented the registry keys involved in the installation of that application.

9 - Done!

10 - Caveat!! I've observed a P2P client that had explorer.exe process create some of its folders at install.  explorer.exe was the parent process of the setup application for the P2P client.  It was only because we knew from browsing the drive that certain folders were created but we weren't seeing them that we picked up on the fact that we weren't getting everything.

Having said all that I've been using InCtrl5 from PCMagazine to monitor installs pending ProcMon bringing in a feature to do it.  In that P2P case in #10, InCtrl5 also missed the folders that were created by the parent process of the setup.exe process.

All that to say that regardless which one you use, you may have to validate your findings.  In the case of ProcMon you could then examine events captured during the times from the beginning of the install to the end for the parent process as well to see what it was doing in the event it participated in creating files/folders/registry entries at install.

Of course I don't profess to be an expert in this field so suggestions to improve this are appreciated.


molotov (Moderator Group)
Posted: 27 January 2008 at 2:48pm
Excellent write-up, Jacques!

jboucher wrote:
    Next you'll want to examine what files/folders were created at install.  I use Operation WriteFile, and Result is Success for that one.

Does this catch 0-byte files?  Or are those of little concern?

How do you handle file deletions - both for files that were created during the installation process, and in the case where an installation program might delete a file that it did not create?


jboucher (Groupie)
Posted: 27 January 2008 at 3:16pm
molotov wrote:
    Excellent write-up, Jacques!

Thanks.

molotov wrote:
    Does this catch 0-byte files?  Or are those of little concern?

Good question.  I honestly didn't stop to consider that one.  They are certainly of concern.  I would expect that it would still result in a WriteFile operation, but I may be wrong.  Perhaps it only requires a CreateFile operation in that case.  I'll have to do some testing on that when I get a chance.

molotov wrote:
    How do you handle file deletions - both for files that were created during the installation process, and in the case where an installation program might delete a file that it did not create?
jboucher (Groupie)
Posted: 27 January 2008 at 3:20pm
molotov wrote:
    How do you handle file deletions - both for files that were created during the installation process, and in the case where an installation program might delete a file that it did not create?
 
(had to break it into two replies.  Wasn't quoting properly).

Another good question.  In the context in which I've been using it I haven't worried about temp files that get cleaned up at closing.  I can't think of how they'd be of value for my purposes. 

As for deleting files it did not create, I would hope any well written install wouldn't do that unless it was replacing an older version of something - and then only after prompting you.  In the case of potentially malicious software that would be very relevant.

My need to monitor the install of an application is more for a scenario where, upon auditing a system, I find an unknown application.  I install it and monitor the install to determine where its files get created (especially log files/application settings) as well as the registry keys it uses (again, especially as it pertains to application settings).  That way I now know where to go look (and what to look for) on the system I'm auditing to ascertain relevant information about that application (i.e. in the case of a P2P client, was sharing enabled, which folder was set for sharing, what was previously shared and with which IPs, etc.).
jboucher (Groupie)
Posted: 27 January 2008 at 3:30pm
Well, a quick test by going to a cmd window and doing
copy con test.txt
^Z
(Ctrl-Z for end of file, then Enter, so a 0-byte file) did not result in a WriteFile, only a CreateFile.  I see I'll have to amend my guide as it relates to this tip.

So perhaps filtering on operation is WriteFile and a second filter on Operation is CreateFile (so you catch the files that were created, and existing files written to with the WriteFile) is the better approach.

If file deletions are a possible concern, then also filter for operation is SetDispositionInformationFile (for which the details will be Delete: True).

Thanks for raising that issue molotov.


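The procedure jboucher lays out above (scope the capture to the setup process and its children, list unique written paths, list RegSetValue targets, then check the parent process separately), together with his follow-up amendments (0-byte files only show up as CreateFile, deletions show up as SetDispositionInformationFile with "Delete: True"), can be run mechanically over a Process Monitor CSV export instead of by hand in the GUI. The script below is an added example written for this page; it is not code from the thread or from Sysinternals. It assumes a CSV saved from Procmon with the default columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail") and relies on the Detail text Procmon writes for CreateFile ("OpenResult: Created/Opened/Overwritten/Superseded"), Process Create ("PID: n, Command line: ...") and SetDispositionInformationFile ("Delete: True"). The sample export embedded in it is constructed for the example, not a real capture; the installer is PID 2000, started by explorer.exe (1234), and it spawns helper.exe (2100).

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV format,
# default columns). These rows are invented for this example, not a real capture.
# PID 2000 is the installer, started by explorer.exe (1234); it spawns helper.exe (2100).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:48:01.0000000 AM","explorer.exe","1234","Process Create","C:\Users\u\Downloads\setup.exe","SUCCESS","PID: 2000, Command line: ""C:\Users\u\Downloads\setup.exe"""
"3:48:01.1000000 AM","setup.exe","2000","Process Create","C:\Windows\Temp\helper.exe","SUCCESS","PID: 2100, Command line: ""C:\Windows\Temp\helper.exe"" /s"
"3:48:02.0000000 AM","setup.exe","2000","CreateFile","C:\Program Files\App\app.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created"
"3:48:02.1000000 AM","setup.exe","2000","WriteFile","C:\Program Files\App\app.exe","SUCCESS","Offset: 0, Length: 4,096"
"3:48:02.2000000 AM","helper.exe","2100","CreateFile","C:\Program Files\App\empty.flag","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"3:48:02.3000000 AM","setup.exe","2000","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"3:48:02.4000000 AM","setup.exe","2000","CreateFile","C:\Program Files\App\old.dll","SUCCESS","Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"3:48:02.5000000 AM","setup.exe","2000","SetDispositionInformationFile","C:\Program Files\App\old.dll","SUCCESS","Delete: True"
"3:48:02.6000000 AM","setup.exe","2000","RegSetValue","HKLM\SOFTWARE\App\InstallDir","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\Program Files\App"
"3:48:02.7000000 AM","explorer.exe","1234","CreateFile","C:\Users\u\AppData\Roaming\App\Shared","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: D, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created"
"3:48:02.8000000 AM","svchost.exe","900","WriteFile","C:\Windows\Logs\other.log","SUCCESS","Offset: 0, Length: 12"
"3:48:03.0000000 AM","setup.exe","2000","CreateFile","C:\Program Files\App\denied.txt","ACCESS DENIED","Desired Access: Generic Write, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0"
'''

_CHILD_PID = re.compile(r"^PID: (\d+)")          # Detail of a "Process Create" event
_OPEN_RESULT = re.compile(r"OpenResult: (\w+)")  # Detail of a "CreateFile" event


def parse_events(csv_text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text.strip())))


def descendant_pids(events, root_pid):
    """root_pid plus every PID it transitively created, from 'Process Create' events.
    This is the Process Tree step: it builds the PID filter jboucher sets by hand."""
    pids = {root_pid}
    changed = True
    while changed:  # iterate until no new children are found (order-independent)
        changed = False
        for ev in events:
            if ev["Operation"] != "Process Create":
                continue
            m = _CHILD_PID.match(ev["Detail"])
            if m and int(ev["PID"]) in pids and int(m.group(1)) not in pids:
                pids.add(int(m.group(1)))
                changed = True
    return pids


def parent_pid(events, pid):
    """PID of the process that created `pid`, or None if that event is not in the log."""
    for ev in events:
        if ev["Operation"] == "Process Create":
            m = _CHILD_PID.match(ev["Detail"])
            if m and int(m.group(1)) == pid:
                return int(ev["PID"])
    return None


def summarize(events, pids):
    """Unique paths touched by the given PIDs, split the way the thread suggests.
    Sets stand in for Procmon's 'Unique' option. Only SUCCESS results count."""
    created, written, deleted, registry = set(), set(), set(), set()
    for ev in events:
        if int(ev["PID"]) not in pids or ev["Result"] != "SUCCESS":
            continue
        op, path, detail = ev["Operation"], ev["Path"], ev["Detail"]
        if op == "CreateFile":
            # A CreateFile that merely opened an existing file is not a change;
            # OpenResult tells the two apart. Catches 0-byte files (no WriteFile).
            m = _OPEN_RESULT.search(detail)
            if m and m.group(1) in ("Created", "Overwritten", "Superseded"):
                created.add(path)
        elif op == "WriteFile":
            written.add(path)
        elif op == "SetDispositionInformationFile" and "Delete: True" in detail:
            deleted.add(path)  # delete-on-close set; covers files the installer never created
        elif op == "RegSetValue":
            registry.add(path)
    return {
        "created": created,
        "written": written,
        "deleted": deleted,
        "registry": registry,
        "created_but_never_written": created - written,  # the 0-byte-file case
    }


def install_report(csv_text, installer_pid):
    """Whole procedure: scope to the installer's process tree, summarize it, then
    summarize the parent process separately (the explorer.exe caveat in step 10)."""
    events = parse_events(csv_text)
    pids = descendant_pids(events, installer_pid)
    parent = parent_pid(events, installer_pid)
    return {
        "pids": pids,
        "install": summarize(events, pids),
        "parent_pid": parent,
        "parent": summarize(events, {parent}) if parent is not None else None,
    }


if __name__ == "__main__":
    report = install_report(SAMPLE_CSV, 2000)
    for section in ("created", "created_but_never_written", "written", "deleted", "registry"):
        print(section)
        for path in sorted(report["install"][section]):
            print("   ", path)
    print("parent", report["parent_pid"], "created:", sorted(report["parent"]["created"]))
```

To get a real input, capture with Procmon and export the log as CSV (the GUI's File > Save with CSV selected, or `procmon /OpenLog capture.pml /SaveAs capture.csv` on the command line), then call `install_report` with the installer's PID from the Process Tree. The report keeps the parent's activity separate rather than folding it into the install list, because a parent such as explorer.exe does plenty of unrelated file work during the same window and those paths need a human look before they are attributed to the installer.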