These settings will help you optimize a portablized application.
By default, once registry and file system redirection is enabled, all of the possible API functions that might be used by an application for registry and file system access are hooked by the JauntePE runtime for possible portablization. These sections allow you to modify that behavior in two different ways. Both allow you to optimize a portablized application to its greatest extent possible outside of choosing not to redirect at the registry and/or file system level all together. So this is one area of optimization that you will almost always want to pursue if possible.
First, you can specify a minimum set of API functions to be hooked, based upon an application's usage (or non-usage) of the list of hookable API functions. This allows you to optimize a portablized application's overall performance.
Second, you can specify a minimum set of API functions to be hooked during application startup, deferring the hooking of the rest of the API functions to when the application goes into its initial "waiting for input" idling state. This allows you to optimize a portablized application's startup performance.
There are several ways to get a list of the API functions that an application uses. JauntePE provides 4 convenient ways which require you to only exercise the portablized application enough to ensure that all of the possible hooked API functions have been used. This is a very important point that you must not forget. If you fail to exercise the application thoroughly, and then proceed to create hook section lists based upon that run's results, your list of used API functions will most likely be incomplete. This means that any runs made with such lists in use will most likely lead to portablization "leaks," i.e., registry and/or file system redirections that used to occur will no longer occur and the system registry and non-portable file system will be compromised.
Using JPE Quickie to get an API Hooks list
The first, and easiest way to get such a list is to make use of the JPE Quickie JauntePE tool. Once an application has been portably run through this tool, you are given the option to create an optimized package. Doing so will create a JauntePE configuration ini with hook sections appropriate to the run log and discovery data output for the application runs via the tool. This feature of JPE Quickie essentially automates the steps given in a following section outlining how to use the LogFuncs and Discovery output to create your own hook sections manually.
An important point to make is that JPE Quickie easily processes log and discovery data from multiple runs during the creation of the optimized package's hook-related section's lists. While using any of the other methods mentioned below require that each log or discovery file be processed individually. So you have a better chance of capturing an application's complete set of used hooked api functions with JPE Quickie.
Using JPE Discover to get an API Hooks list
The second way to get such a list is to set Redirection Discovery to 2, along with an optional Redirection DiscoveryPath to specify the path to the discovery file. This will have the JauntePE runtime create a discovery file at the end of the application's execution. This file may then be processed using the JPE Discover utility. Using JPE Discover you will be able to get a list of the used, hooked API functions that may then be pasted into your application's JauntePE configuration ini.
Using LogFuncs to get an API Hooks list
The third way to get such a list is to set both Redirection Logging and Redirection LogFuncs to 1, along with an optional Redirection LogPath to specify the path to the log file. This will have the JauntePE runtime output a "Used API Functions" table to the end of the log file at the end of the application's execution. The contents of this table looks something like the following:
First No. of Total Percent Percent
Hooked API Call (ms) Calls Time(ms) Calls Time
=============================================================================
GetCurrentDirectoryA 120 2 0 0.06 0.00
GetModuleFileNameA 140 1 0 0.03 0.00
GetModuleFileNameW 120 42 1 1.32 0.26
GetPrivateProfileIntA 130 6 0 0.18 0.00
GetPrivateProfileStringA 140 1 0 0.03 0.00
GetProfileIntA 130 6 0 0.18 0.00
LoadLibraryA 120 23 0 0.72 0.00
LoadLibraryExW 130 4 16 0.12 4.21
LoadLibraryW 130 4 9 0.12 2.36
RegCloseKey 130 769 14 24.27 3.68
RegCreateKeyExA 130 14 0 0.44 0.00
RegOpenKeyExA 120 106 6 3.34 1.57
RegOpenKeyExW 140 886 153 27.96 40.26
RegQueryValueExA 120 103 3 3.25 0.78
RegQueryValueExW 140 570 8 17.99 2.10
------------------------------------
CreateFileA 15902 3 0 0.09 0.00
CreateFileW 1832 45 64 1.42 16.84
DuplicateHandle 2343 23 0 0.72 0.00
FindClose 2713 37 0 1.16 0.00
FindFirstFileA 15942 25 2 0.78 0.52
FindFirstFileExW 2713 12 6 0.37 1.57
FindNextFileA 15952 90 0 2.84 0.00
FindNextFileW 2804 17 0 0.53 0.00
GetCurrentDirectoryW 2413 2 0 0.06 0.00
GetFileAttributesA 1782 4 7 0.12 1.84
GetFileAttributesW 2333 21 7 0.66 1.84
GetPrivateProfileStringW 2343 6 1 0.18 0.26
RegCreateKeyExW 1892 22 30 0.69 7.89
RegCreateKeyW 1892 2 0 0.06 0.00
RegDeleteValueA 10655 4 0 0.12 0.00
RegEnumKeyExW 1762 25 3 0.78 0.78
RegEnumKeyW 1762 25 3 0.78 0.78
RegNotifyChangeKeyValue 1822 15 0 0.47 0.00
RegOpenKeyA 2763 5 0 0.15 0.00
RegOpenKeyW 1742 80 35 2.52 9.21
RegOpenUserClassesRoot 1822 1 0 0.03 0.00
RegQueryValueW 1762 17 0 0.53 0.00
RegSetValueExA 2763 18 0 0.56 0.00
RegSetValueExW 1912 10 0 0.31 0.00
SearchPathW 2333 10 0 0.31 0.00
SetCurrentDirectoryA 1652 6 0 0.18 0.00
SetCurrentDirectoryW 3114 3 0 0.09 0.00
SHGetFileInfoW 2423 4 2 0.12 0.52
SHGetFolderPathW 2343 70 0 2.20 0.00
SHGetPathFromIDListW 2763 7 0 0.22 0.00
SHGetSpecialFolderLocation 1962 22 10 0.69 2.63
=============================================================================
3168 380
For application startup optimization, what you're interested in are the function names given in the Hooked API column that are listed above the "waiting for input" time line, which is marked in that table via the "------------------------------------" line. Along with a 1=* entry for the HookInitExclude list to exclude all other hooks, these are the names that you enter into the HookInitInclude list. If there is no "waiting for input" time line, then you should not use the HookInit... sections.
As an example, the above table's entries would be entered into the hook init sections as follows. The order is unimportant:
[HookInitExclude]
1=*
[HookInitInclude]
1=GetCurrentDirectoryA
2=GetModuleFileNameA
3=GetModuleFileNameW
4=GetPrivateProfileIntA
5=GetPrivateProfileStringA
6=GetProfileIntA
7=LoadLibraryA
81LoadLibraryExW
9=LoadLibraryW
10=RegCloseKey
11=RegCreateKeyExA
12=RegOpenKeyExA
13=RegOpenKeyExW
14=RegQueryValueExA
15=RegQueryValueExW
For overall optimization, what you're interested in are all of the function names given in the Hooked API column. Along with a 1=* entry for the HookExclude list to exclude all other hooks, these are the names that you enter into the HookInclude list.
The only other thing to consider is whether there are ANSI and Unicode versions of a particular API function. You find this out by looking up each API function name in the allowable registry and allowable file system lists given below. If you wish to portablize the application across 9x as well as NT-based versions of Windows, you need to make sure to list both the ANSI (...A) as well as the Unicode (...W) versions of an API function, if both exist.
As an example, the above table's entries would be entered into the hook sections as follows. The order is unimportant:
[HookExclude]
1=*
[HookInclude]
1=GetCurrentDirectoryA
2=GetCurrentDirectoryW
3=GetModuleFileNameA
4=GetModuleFileNameW
5=GetPrivateProfileIntA
6=GetPrivateProfileIntW
7=GetPrivateProfileStringA
8=GetPrivateProfileStringW
9=GetProfileIntA
10=GetProfileIntW
11=LoadLibraryA
12=LoadLibraryW
13=LoadLibraryExA
14=LoadLibraryExW
15=RegCloseKey
16=RegCreateKeyExA
17=RegCreateKeyExW
18=RegOpenKeyExA
19=RegOpenKeyExW
20=RegQueryValueExA
21=RegQueryValueExW
22=CreateFileA
23=CreateFileW
24=DuplicateHandle
25=FindClose
26=FindFirstFileA
27=FindFirstFileW
28=FindFirstFileExA
29=FindFirstFileExW
30=FindNextFileA
31=FindNextFileW
32=GetCurrentDirectoryA
33=GetCurrentDirectoryW
34=GetFileAttributesA
35=GetFileAttributesW
36=GetPrivateProfileStringA
37=GetPrivateProfileStringW
38=RegCreateKeyExA
39=RegCreateKeyExW
40=RegCreateKeyA
41=RegCreateKeyW
42=RegDeleteValueA
43=RegDeleteValueW
44=RegEnumKeyA
45=RegEnumKeyW
46=RegEnumKeyExA
47=RegEnumKeyExW
48=RegNotifyChangeKeyValue
49=RegOpenKeyA
50=RegOpenKeyW
51=RegOpenUserClassesRoot
52=RegQueryValueA
53=RegQueryValueW
54=RegSetValueExA
55=RegSetValueExW
56=SearchPathA
57=SearchPathW
58=SetCurrentDirectoryA
59=SetCurrentDirectoryW
60=SHGetFileInfoA
61=SHGetFileInfoW
62=SHGetFolderPathA
63=SHGetFolderPathW
64=SHGetPathFromIDListA
65=SHGetPathFromIDListW
66=SHGetSpecialFolderLocation
Using Discovery to get an API Hooks list
The fourth way to get such a list is to set Redirection Discovery to 2, along with an optional Redirection DiscoveryPath to specify the path to the discovery file. This will have the JauntePE runtime create a discovery file at the end of the application's execution.
Within the discovery file will be 3 sections that may then be used to populate a HookInclude section to minimize the overall hook usage of a portablized application. The sections of interest are RegFuncs, WFSFuncs, and PrcFuncs. All may be found near the top of the discovery file before the itemized api call list's first section.
The advantage of using the discovery vs the log output is that the discovery output will contain additional information which may be used for additional types of optimizations, such as module use related, registry key use related, and file system use related optimizations.
The [HookExclude] section
In this section you specify the API functions that you don't want to be hooked. There are two ways to do this. The first is to enter an ascending, consecutively numbered list of API functions that you don't want to be hooked. The second is to enter 1=* as the only entry, which tells JauntePE to exclude all API functions from being hooked. You then optionally enter a list of API functions that you do want to have hooked via the HookInclude section.
The [HookInclude] section
In this section you specify the API functions that you want to be hooked. You do this by entering an ascending, consecutively numbered list of API functions. Since all of the API functions are hooked by default, you only make use of this section when you have 1=* as the only entry in the HookExclude section.
The [HookInitExclude] section
In this section you specify the API functions that you don't want to be hooked during application startup. There are two ways to do this. The first is to enter an ascending, consecutively numbered list of API functions that you don't want to be hooked during application startup. The second is to enter 1=* as the only entry, which tells JauntePE to exclude all API functions from being hooked during application startup. You then optionally enter a list of API functions that you do want to have hooked via the HookInitInclude section.
The [HookInitInclude] section
In this section you specify the API functions that you want to be hooked during application startup. You do this by entering an ascending, consecutively numbered list of API functions. Since all of the API functions are hooked by default, you only make use of this section when you have 1=* as the only entry in the HookInitExclude section.
Allowable registry-related hook entries
API Function | API Function |
---|---|
RegCloseKey | |
RegConnectRegistryA | RegConnectRegistryW |
RegCreateKeyA | RegCreateKeyW |
RegCreateKeyExA | RegCreateKeyExW |
RegDeleteKeyA | RegDeleteKeyW |
RegDeleteValueA | RegDeleteValueW |
RegEnumKeyA | RegEnumKeyW |
RegEnumKeyExA | RegEnumKeyExW |
RegEnumValueA | RegEnumValueW |
RegFlushKey | |
RegGetKeySecurity | |
RegLoadKeyA | RegLoadKeyW |
RegNotifyChangeKeyValue | |
RegOpenKeyA | RegOpenKeyW |
RegOpenKeyExA | RegOpenKeyExW |
RegQueryInfoKeyA | RegQueryInfoKeyW |
RegQueryMultipleValuesA | RegQueryMultipleValuesW |
RegQueryValueA | RegQueryValueW |
RegQueryValueExA | RegQueryValueExW |
RegReplaceKeyA | RegReplaceKeyW |
RegRestoreKeyA | RegRestoreKeyW |
RegSaveKeyA | RegSaveKeyW |
RegSetKeySecurity | |
RegSetValueA | RegSetValueW |
RegSetValueExA | RegSetValueExW |
RegUnLoadKeyA | RegUnLoadKeyW |
Allowable file system-related hook entries
API Function | API Function |
---|---|
_lcreat | |
_lopen | |
CopyFileA | CopyFileW |
CopyFileExA | CopyFileExW |
CreateDirectoryA | CreateDirectoryW |
CreateDirectoryExA | CreateDirectoryExW |
CreateFileA | CreateFileW |
CreateHardLinkA | CreateHardLinkW |
DecryptFileA | DecryptFileW |
DeleteFileA | DeleteFileW |
EncryptFileA | EncryptFileW |
FindFirstChangeNotificationA | FindFirstChangeNotificationW |
FindFirstFileA | FindFirstFileW |
FindFirstFileExA | FindFirstFileExW |
GetBinaryTypeA | GetBinaryTypeW |
GetCompressedFileSizeA | GetCompressedFileSizeW |
GetCurrentDirectoryA | GetCurrentDirectoryW |
GetDiskFreeSpaceExA | GetDiskFreeSpaceExW |
GetExpandedNameA | GetExpandedNameW |
GetFileAttributesA | GetFileAttributesW |
GetFileAttributesExA | GetFileAttributesExW |
GetFileSecurityA | GetFileSecurityW |
GetFileVersionInfoA | GetFileVersionInfoW |
GetFullPathNameA | GetFullPathNameW |
GetLongPathNameA | GetLongPathNameW |
GetModuleFileNameA | GetModuleFileNameW |
GetPrivateProfileIntA | GetPrivateProfileIntW |
GetPrivateProfileSectionA | GetPrivateProfileSectionW |
GetPrivateProfileSectionNamesA | GetPrivateProfileSectionNamesW |
GetPrivateProfileStringA | GetPrivateProfileStringW |
GetPrivateProfileStructA | GetPrivateProfileStructW |
GetProfileIntA | GetProfileIntW |
GetProfileSectionA | GetProfileSectionW |
GetProfileStringA | GetProfileStringW |
GetShortPathNameA | GetShortPathNameW |
LoadLibraryA | LoadLibraryW |
LoadLibraryExA | LoadLibraryExW |
LZOpenFileA | LZOpenFileW |
MoveFileA | MoveFileW |
MoveFileExA | MoveFileExW |
MoveFileWithProgressA | MoveFileWithProgressW |
OpenFile | |
RemoveDirectoryA | RemoveDirectoryW |
ReplaceFileA | ReplaceFileW |
SearchPathA | SearchPathW |
SetCurrentDirectoryA | SetCurrentDirectoryW |
SetEnvironmentVariableA | SetEnvironmentVariableW |
SetFileAttributesA | SetFileAttributesW |
SetFileSecurityA | SetFileSecurityW |
ShellExecuteA | ShellExecuteW |
ShellExecuteExA | ShellExecuteExW |
SHFileOperationA | SHFileOperationW |
SHGetFileInfoA | SHGetFileInfoW |
SHGetFolderPathA | SHGetFolderPathW |
SHGetPathFromIDListA | SHGetPathFromIDListW |
SHGetSpecialFolderPathA | SHGetSpecialFolderPathW |
WritePrivateProfileSectionA | WritePrivateProfileSectionW |
WritePrivateProfileStringA | WritePrivateProfileStringW |
WritePrivateProfileStructA | WritePrivateProfileStructW |
WriteProfileSectionA | WriteProfileSectionW |
WriteProfileStringA | WriteProfileStringW |
Allowable child process-related hook entries
API Function | API Function |
---|---|
CreateProcessA | CreateProcessW |
CreateProcessAsUserA | CreateProcessAsUserW |
CreateProcessWithLogonW | |
LoadModule | |
WinExec |
Allowable MS Installer prevention-related hook entries
API Function | API Function |
---|---|
CreateServiceA | CreateServiceW |
OpenServiceA | OpenServiceW |
StartServiceA | StartServiceW |
MsiInstallProductA | MsiInstallProductW |