31 replies to this topic

[MedEvil]

I need a tool to track an install. Mainly the registry part of the install.
And when i say track, i don't mean it figuratively, i mean it literally! The two snapshot methode isn't working. The program would really need to record what the install is doing.



edit:
NO RegMon won't do. The output is not usable as basis for a script.

[MichaelZ]

Hi MedEvil,

I use a tool called InCtrl5. It was designed for Windows XP but I also can run it on Vista in Windows XP compatibility mode (probably not processing Vista's new key types). It is a (freeware ?) tool made my PCMagazine and I downloaded it when downloads were possible free of charge. Nowadays one has to buy an abonnement.

The tool does not need to be installed and makes a scan of the file system and registry and stores md5 checksums of the files and copies of the registry. After whatever is done it does it again and compares the scanned information. It displays all added, deleted and modified files and registry keys and creates html, csv and text files with that information.

I don't know if it is legal to send you a copy

Many Greetings
MichaelZ


EDIT

I just noticed that InCtrl5 was designed for Windows 2000. Information can be found at
http://www.pcmag.com...149,9882,00.asp

[joakim]

I need a tool to track an install. Mainly the registry part of the install.
And when i say track, i don't mean it figuratively, i mean it literally! The two snapshot methode isn't working. The program would really need to record what the install is doing.

All in one solutions for capturing system changes will often do

- Installrite
- SysTracer

These cover registry and file changes and are easy to use.

Procmon may help, but produce output similar to regmon, so that's not it you, I guess.

Advanced Registry Tracer run as localsystem will capture most registry related.

If you had network communication in mind, try wireshark too.

Alternate Data Streams (ADS) is not captured by the above mentioned, and will only make sense on ntfs disks. Sometimes ads's is important to capture too.

And odcourse, attaching debuggers lets you have complete control...


Joakim

[MedEvil]

I use a tool called InCtrl5. ...

The tool does not need to be installed and makes a scan of the file system and registry and stores md5 checksums of the files and copies of the registry. After whatever is done it does it again and compares the scanned information.

Thanks MichaelZ. But unfortunately you've overlooked this:

The two snapshot methode isn't working.

The problem is, that said registry entries already exist to some extend and do not get modified and are therefore invisible to the 2 snapshot approach.

[MedEvil]

- Installrite
- SysTracer

Advanced Registry Tracer run as localsystem will capture most registry related.

ART uses the 2 snapshot methode and is useless in this case. The working of the other two apps i do not kow, but will check.

And odcourse, attaching debuggers lets you have complete control...

Good idea!
But i was kinda hoping for something that would give me an easy to use output. You know, i'm lazy!

[Nuno Brito]

I started using total uninstall after reading Shirin's tutorial.

Allows to export as .reg files all the changes considered pertinent to the registry and see in detail which files were added to where.

What I liked better is that you also get to decide when the program has finished being installed, handy for the times when you need to reboot.

[joakim]

ART uses the 2 snapshot methode and is useless in this case. The working of the other two apps i do not kow, but will check.


Good idea!
But i was kinda hoping for something that would give me an easy to use output. You know, i'm lazy!

What are you after?
Last read/written/accessed in registry? Just modified entries? Only read entries?

You want output in a report like format instead of reg?

I do not quite understand your need?

Joakim

[MedEvil]

Installrite and SysTracer also use the 2 snapshot approach.
This methode seems to be just too easy to pass up.

[MedEvil]

What are you after?
Last read/written/accessed in registry? Just modified entries? Only read entries?

You want output in a report like format instead of reg?

I do not quite understand your need?

Joakim

I'm looking for a way to track the install of a file. The problem is, that most keys are already present in the registry and therefore any of the 2 snapshot programs will not find/report all the registry entries the installer deems necessary.

Ideally the program should track all the regwrites (maybe also the just attempted) and give me an output as *.reg or something that can easily be converted to '.reg

I know that one can read the create times of registry entries, but last written?

Also if you know how to get the last accessed value of a registry entry, i would be very interested for an other problem. As far as i know that information is not stored in the registry.

[billonious]

just for the record, what do you want to record that the two - ways snapshots doesn't do?

Once, I wanted to catch the registy changes that installer of macrium reflect was doing. InstallWatch (brother-application to Installrite) was missing something. VMware thinstall succeed in finding all registry changes.

[steelbone]

Hi guys,

in this case i think u need something which is tracking it live-timed.

so for example "Process Monitor - Regmon" there's a possibillity to log into a file. but didn't tryed out deeply for such using.

so it's only a mind

Regards

Steel

[MedEvil]

just for the record, what do you want to record that the two - ways snapshots doesn't do?

Simly imagine you have a program already installed and need now all the registry entries. You could simply run the install again, but the 2-snapshot apps would claim that the install did nothing, while you know it did something, it just didn't change anything!

My specific problem is, that the installer also installs a bunch of dll and ocx which need to be registered. A big part of those are already present on an uptodate XP so they are not recorded. Since our PE are not 'uptodate' i get error messages left and right.
Installing the app in a minimal PE, also does not work because the installer has requirements that exceed a min PE.

The only solution i found so far is to puzzle the install together. From the captured files and registry entries, the dependency scan and then register all files in Pe prior to the first run.
This took alot of time to create, always takes lot of time to start and there is no gurantee that just because the app starts now, that really everything works.

I want a proper solution!

Once, I wanted to catch the registy changes that installer of macrium reflect was doing. InstallWatch (brother-application to Installrite) was missing something. VMware thinstall succeed in finding all registry changes.

Will have a look at thinstall. Thanks.

[MedEvil]

in this case i think u need something which is tracking it live-timed.

Exactly what i was hoping would exist.
RegMon would even be usable for that, if it would generate some usable output.

[dog]

No point trying to monitor a second install when it's already been installed... use a clean vm instead.
There will always be some manual tweaking to do though.
If you name the app, people might be able to help...

[joakim]

Exactly what i was hoping would exist.
RegMon would even be usable for that, if it would generate some usable output.

There once was a utility called something like regmon log2reg. But I cannot remember or confirm wether it works.

Joakim

[steelbone]

By the way thinapp is also just doing the "comparing 2 snapshots" way. i generated several Portable apps, but i did'nt recognized something live-timed. but u have then an output for changed+new registry keys like "installrite"

i also never tryed out: here is this RegmonToRegfile which Joakim was talking about

Link for RegmonToRegfile

Best Regards

Steel

[MedEvil]

joakim, steelbone many thanks for regmon to regfile!
Seems to be exactly what i was looking for!

[billonious]

joakim, steelbone many thanks for regmon to regfile!
Seems to be exactly what i was looking for!

did you make it/?

as you said sysinternals regmon is not usable because windows writes some thousands of etries per second

[steelbone]

yeah of course RegMon is a real live-timed monitoring. so it will be monitor everything happens if u capture without configure

but i know there is an Filtering-Function. this should be comfortable to configure.

so u could exactly filter out uninteresting entrys.

Regards

Steel

[MedEvil]

No point trying to monitor a second install when it's already been installed... use a clean vm instead.
There will always be some manual tweaking to do though.
If you name the app, people might be able to help...

A joke?

[MedEvil]

did you make it/?

Not yet. Will try it tomorrow.

as you said sysinternals regmon is not usable because windows writes some thousands of etries per second

'Know, i said regmon won't do and the proposed solution is also not what i was looking for.
But RegMon together with the convert to reg should give me what i need. And since neighter i nor anyone here found another tool that can do the trick, this seems to be the only solution.

[MichaelZ]

Hi MedEvil,

I'm not sure if the installer will behave on the second install as on the first one. I can imagine that there will be a lot of regwrites missing because regreads determine that entries are present. I doubt that a regmon output converter will do what you need.

For installation examinations I always use a VMware with a naked Windows XP having up to date service packs and updates. Then I can use the two pass method to find out what was done. After examining everything I revert to the previous snapshot/saved VMware.

Many Greetings
MichaelZ

[dog]

Two comedians in the thread

[pscEx]

Maybe a bit late, but what about trying
trackWBInstall.script
and
testVirtualBox.script
of nativeEx?

peter

[m4dm4Xz]

Hi,
i'm new here and it seems the sound that i should get some programs like that for write script and get all registry but was that not a good idea to make a new installed xp on VMWare an tested it on there?

And did you get your solution for now, please give some answer.

Thank you for the programs of this thread and advicing it's good for newbies like me to use TRACE TOOLS.

m4dm4Xz

Ps: sorry for my poor english