Wiki‎ > ‎

Monitor Installer/Program Changes in Windows

posted Aug 26, 2016, 8:09 AM by Danny Xu   [ updated Aug 26, 2016, 12:00 PM ]

Spyme Tool (real time monitor file changes)
It does have one drawback though because there is only the facility to snapshot either files or registry, not both together, changeable in the Current Mode option on the toolbar

Old y2k app, but still work great, needs a bit change to work on 64-bit Windows

First, InCtrl5 will need to be run in compatibility mode: Windows XP SP2 compatibility mode (right click the exe and choose "troubleshoot compatibility")

Secondly, there is an issue with it’s output results for 64-bit users as it won’t display the Software\Wow6432Node registry keys as coming from there, but will instead show them as coming from simply Software, something to watch out for.

Inctrl 5 will analyze the /Wow6432 Node/ keys, the results will drop that key from the path even though showing the change.  For instance, if an application puts a new entry in the HKLM\Wow6432 Node\Software key, the results will show that addition as being in HKLM\Software instead--so you would need to check both places for the listed addition.  Have not found anything "funny" in the file listings though.

I tried the Regshot x64 build to compare, and it does correctly label the entries as being in the Wow6432 Node.  However, its file comparison mode crashes the app if you choose to include the Users or ProgramData folders, while InCtrl 5 handles those just fine.


What an installer truly does in detail cannot be known, except perhaps by reverse-engineering its binary instructions. Here are a few signs that you can check:

  1. Check for application folders in your Program Files directory. There is usually an entry inC:\Program Files\AppXYZ.
  2. Similarly check the system folders (C:\Windows\System32). Your app could have placed libraries (DLL/OCX/TLBs) here.
  3. Run CCleaner to see if it has created any registry entries. CCleaner also shows some other changes the app could have made such as registration of a MIME type, etc.
  4. Remember to check the .NET GAC (Global Assembly Cache). It contains all the .NET assemblies your app might have registered on your machine. It’s usually in the folder C:\windows\assembly
  5. The obvious (but sometimes the obvious is overlooked!):
    • Start Menu and desktop shortcuts
    • Files in C:\users\USER-NAME\Application Data (CCleaner will show these)
    • Entries in Startup menu and boot.ini (run msconfig to check these)