How-To Geek

How Can I Track the Modifications a Program’s Installer Makes?

What exactly are those installation apps doing as the progress bar whizzes by? If you want to keep a close eye on things, you’ll need the right tools.

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-drive grouping of Q&A web sites.

The Question

SuperUser reader Gregory Moussat wants to know what’s going on behind the installer’s facade :

I want to know what some installers do: mainly what files, folders, and registry entries they add, remove, or modify.

Lots of “ professional” programs are so poorly documented that it’s difficult to find the proper way to configure them, update them, etc.

InstallRite is a program which is able to take a “snapshot” before and after the installation of a program and then compare the snapshots. This allows you to know what was done and even to create a custom uninstaller. Unfortunately InstallRite seems to no longer be maintained and has not been updated since 2008.

What tool stands to replace InstallRite?

The Answer

Contributor Synetech offers an alternative tool:

There are several and I have tested at least 10-12, but the one I prefer and recommend is ZSoft Uninstaller. It is free and is good at finding difference without overwhelming you with extraneous clutter like most of these programs, even commercial ones tend to do.

I also use PC Magazine’s InCtrl 5 which is very good (enough to get Microsoft’s approval), but several years ago they stopped distributing their programs for free, but because it used to be free, there are still plenty of copies available (unfortunately not so with the newer InCtrl X.)

If you’re interested in getting the overhauled copy of InCtrl (InCtrl X) it’ll run you $8–read more about InCtrl X here.

Another contributor, Prahlad Yeri, offers a few suggestions on how to manually investigate what the application is doing:

What an installer truly does in detail cannot be known, except perhaps by reverse-engineering its binary instructions. Here are a few signs that you can check:

  1. Check for application folders in your Program Files directory. There is usually an entry inC:\Program Files\AppXYZ.
  2. Similarly check the system folders (C:\Windows\System32). Your app could have placed libraries (DLL/OCX/TLBs) here.
  3. Run CCleaner to see if it has created any registry entries. CCleaner also shows some other changes the app could have made such as registration of a MIME type, etc.
  4. Remember to check the .NET GAC (Global Assembly Cache). It contains all the .NET assemblies your app might have registered on your machine. It’s usually in the folder C:\windows\assembly
  5. The obvious (but sometimes the obvious is overlooked!):
    • Start Menu and desktop shortcuts
    • Files in C:\users\USER-NAME\Application Data (CCleaner will show these)
    • Entries in Startup menu and boot.ini (run msconfig to check these)

Between checking snapshots with an app and manually checking the files out, you’ll have all your bases covered. You can check out the full discussion at SuperUser here. Have a tool or technique to add to the list? Sound off in the comments.


Jason Fitzpatrick is a warranty-voiding DIYer who spends his days cracking opening cases and wrestling with code so you don't have to. If it can be modded, optimized, repurposed, or torn apart for fun he's interested (and probably already at the workbench taking it apart). You can follow him on if you'd like.

  • Published 11/15/12

Comments (15)

  1. markedmanner

    Its not free buy systracer is probably best at this.

  2. anonymous

    You might also want to check out the appdeploy repackager tool from Dell Kace. This is a really handy tool for not only figuring out what an installer is doing, but also the intended purpose of creating packages for that one old program that a department refuses to give up.

    Also, inctrl used to be a great tool too, but I haven’t touched it in probably 10+ years. I can’t say if it’s good now or not, but it’s at least worth giving a look!

  3. webdev

    There’s a really great tool for that called “RegShot”. Although the name suggests otherwise it doesn’t only document registry changes but also watches predefined folders. I configured it to observe changes in C:\ProgramData, C:\Program Files, C:\Program Files (x86), C:\Users and C:\Windows which covers most needs. You can take snapshots before and after installations and get a nice HTML comparison report. And the best thing: it’s even free! Check it out here:

  4. Chemical

    My Webroot Antivirus has a sandboxed program install mode. You install the program, Webroot lists the changes it makes to your computer (program files, registry keys, policy changes, anything that is affected) and you simply close your installed program and it disappears.

  5. buchno

    Yet another reason to love Linux: just check the makefile (alternatively dep/rpm-packages).

  6. Vrushank

    An advanced way to check it is to use a SandBox. That way you’d get to know EVERYTHING the program has created/modified… including registry changes.

  7. Paul

    Tracking before an install sounds good in theory, but what about all the Registry entries and files created AFTER the install, when the app is running? Therefore, there’s no point to these tracking apps, because they really don’t do anything at all except provide a false sense of security. As Vrushank said, sandboxing is the only TRUE way to keep everything in check, both before installing and during runtime.

  8. Zach

    RegShot Portable from

    Click 1st Scan, Run Installer, Click 2nd Scan, Click Compare.

    It will show all registry entries changed between scans, and there’s a configurable option for directory paths to monitor as well.

  9. Yu

    @Paul: You’re probably right. For instance I had some bad experiences with Games — be it paid, freeware, or F2P MMOs — making unwanted changes to the system such as installing nasty DRM drivers.

    Since about a year I’m using SandboxIE for keeping my game installs (including Steam and Desura) apart from the rest of my system and generally for trying untrusted software. It allows pretty detailed configuration of what a program is allowed to do, e.g. by sandboxing file, registry and other resource access. If needed though, direct access can be granted (e.g. in order to allow writing savegames to the documents folder).

    The base version is free, but the paid versions gives some nice additional features, e.g. the convenience of forcing all programs located in a subtree of the file-system to be started sandboxed by default.

    PS: I’m still looking for a way to subscribe to follow-up comments, if possible even without posting myself. Such as a comment-RSS-feed or email-notification (as provided by many blogs).


    SandboxIE also comes in a portable version so it doesn’t have to install.

  11. Someone

    I use Process Monitor from Sysinternals, which gives you a live view of every file, folder and registry being created, read, modified or deleted. It takes lots of time to get used to it, but once you get a hang of the filters, you can see everything an application touches.

  12. Paul

    @Someone: Using “Process Monitor” to see everything an app touches is not a solution, because what they touch can cause irreparable damage. That’s like saying watching a burlgar enter your house is okay because I can call the cops… in the meantime, the burglar has trashed your rooms and damaged property. Sure, the cops come and get rid of him, but the damage is done. At least sandboxing stops that from occurring.

  13. cal

    I love portable apps for this reason. However, I have still found some “portable” apps that will leave files/data or make system changes.

  14. Someone

    @Paul: You are right, I forgot to mention that I use Process Monitor within a virtual machine, which I have taken a snapshot of before installing the application. I use this process because I typically re-install the same application over and over until I can get it to deploy silently as this is a requirement where I work.

    At home I use Sandboxie though.

  15. mmg1818

    i hate see post about …

    photo, more photo, big photo.

    la ce pl. mea faceti tutoriale daca nu stiti sa explicati ? pentru reclame ? fut in ele de reclame pe net care rup procesorul.

More Articles You Might Like

Enter Your Email Here to Get Access for Free:

Go check your email!