IDEA: Monitor Program's Creation of Files/Folders and Registry Entries

[AtomFury]

Hello all, I'm AtomFury and I need some help.

What I have in mind here is a little program that will monitor whatever a program (selected by .exe) creates, like any files or folders or registry entries. I know Tiny Watcher will monitor all system processes and will tell you what any of those processes might have changed but I'm looking for something that is (hopefully) more simplified and will be more specific by just monitoring one program that you have selected (before it runs) and then it creates a little .txt with a log of what folders/files/registry entries it made.

My intentions for this program are to use those results in a batch file which will delete the findings.

I apologize if this is too ambitious for a DonationCoder Coding Snack, but I appreciate any help  .

[MilesAhead]

Not exactly a monitor but if you have 32 bit win2k windows 2003 XP or Vista you can use Sandboxie

You run the application "sandboxed" and any changes made to the registry or other files will be inside the sandbox folder.  Unfortunately Sandboxie won't work in 64 bit.

[f0dder]

Sysinternals' Process Monitor can do quite comprehensive logging. In fact, it's so comprehensive you have to set up filters in order not to be completely swamped with the log

[AtomFury]

I've heard of Sandboxie before but I'm afraid it's not what I'm looking for. Thanks anyways though  .

Haven't heard of Process Monitor before but I'll try it. Thanks f0dder .

[f0dder]

If you haven't heard of ProcMon until now, you should probably take a look at the rest of the sysinternals tools - there's a lot of goodstuff there!

[AtomFury]

Thank you! The RegMon tool definitely stands out to me but I think I'll go ahead and grab the entire suite. I don't know how I missed out on all these excellent utilities. Thanks again .

EDIT: Now that I look at DiskMon, I think I'll be good to go with a combination of DiskMon and RegMon. Sorry for posting a coding snack, I should have asked about something like this in another forum.

[f0dder]

ProcMon is like a combined super version of FileMon and RegMon - afaik FM and RM were discontinued after ProcMon appeared?

[PhilB66]

RegFromApp

RegFromApp monitors the Registry changes made by the application that you selected, and creates a standard RegEdit registration file (.reg) that contains all the Registry changes made by the application.

[f0dder]

Interesting tool, Phil!

It's worth noting, though, that RegFromApp doesn't seem to use a driver (from a very cursory glance), and could thus miss some program actions.

[AtomFury]

RegFromApp is very nice! Thanks Phil . I've decided to run it in tandem with Process Monitor (thanks f0dder ) and I should be good to go. Regarding the lack of driver usage noted by f0dder, I'm pretty sure whatever RegFromApp might miss, ProcMon will catch it (hopefully), but good to know nevertheless.

Thanks everyone for replying to my topic. This could've been a simple Googlin' job and the coding snack thing wasn't necessary. DonationCoder's got a very nice community  .