SandboxDiff - Registry/Files changes
SandboxDiff Updated
SandboxDiff updated.
Changes:
- Added Registry changes in .reg format (Windows Registry Editor Version 5.00)
Thus the Registry and Files changes are available in text, .reg (registry) and .html (here you can see all files and registry entries created by the sandbox's process).
* Download and info in first post. *
Some antiviruses don't like the techniques you use in the subj.
Comodo, NOD32, AViRA... say something like:
TrojWare.Win32.Qhost.~AR@1639959
and possible dangerous packer-cruncher blah-blah-blah.
Take it easy, even Kaspersky says SBie is a really very dangerous thing too.
Just make a note saying the program analyzes both real and virtual registry plus both real and virtual filesystem then compares the results. It is intended for this.
Thanks for the update regarding this program.
Another program I've found useful is the Mitec Windows Registry Recovery Tool. You can mount the reghive after you run your sandboxed application and see exactly what it's added to the "registry" as far as it knows.
So if it's added policies, you will know. Any entries in the sandboxed registry can be viewed with ease using this tool.
http://www.mitec.cz/wrr.html
Everything is so different, yet I am the same...
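An added example, not part of the thread and not SandboxDiff's or Mitec's code: one way to triage a .reg-format change list like the one described above, parsing "Windows Registry Editor Version 5.00" text and picking out values written under policy and autorun keys. The sample content, the `WATCH` list and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of .reg text (Windows Registry Editor Version 5.00);
# keys and values are invented for illustration, not SandboxDiff output.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
@="Example"
"InstallDir"="C:\\Program Files\\ExampleApp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\ExampleApp\\upd.exe\" /s"
"Blob"=hex:01,02,\
  03,04

[-HKEY_CURRENT_USER\Software\OldKey]
'''

# Assumed watch list: key-path fragments worth a second look in a review.
WATCH = ("\\policies\\", "\\currentversion\\run")
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                # [key] or [-key] (deletion)
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data

def parse_reg(text):
    """Return (key, name, data, deleted) tuples; name is None for key lines."""
    # Join continuation lines (trailing backslash) used by long hex values.
    text = re.sub(r'\\\r?\n\s*', '', text)
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((';', 'Windows Registry')):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            entries.append((key, None, None, m.group(1) == '-'))
            continue
        m = VAL_RE.match(line)
        if m and key:
            raw, data = m.groups()
            name = '(Default)' if raw == '@' else re.sub(r'\\(.)', r'\1', raw[1:-1])
            entries.append((key, name, data, data == '-'))  # "name"=- deletes a value
    return entries

def flagged(entries):
    """Values written under a watched key path (policies, autoruns)."""
    return [(k, n, d) for k, n, d, _ in entries
            if n and any(w in (k + '\\').lower() for w in WATCH)]
```

Files that regedit exports in this format are UTF-16 encoded; if the file being read is, open it with `encoding="utf-16"` before passing its text to `parse_reg`.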
majoMo, I can add this utility here if you want:
http://www.sandboxie.com/index.php?ContributedUtilities
tzuk
My pleasure. Let me know if you don't want me to host the file on this server. Or if you're ok with it, let me know when I should update the copy that I host here.
http://www.sandboxie.com/index.php?ContributedUtilities
tzuk
How do I safely uninstall this?
The program after install in Vista seems to put files in different places, for example I found "wait.exe" and "regdiff.exe" in my c:\users\myname\appdata\local folder. Later they disappeared from that folder! I know they were there at one time, then they disappeared.
Can you explain where these various executables are? Where else would your program put them?
regdump.exe error
Hi,
I get an error with regdump.exe, after making an installation of MS Office 2003.
Does anybody know what can be causing it?
Hi t-max, thanks for reporting.
I was able to reproduce that error with the same app. In fact the file "regdump.exe", used by SandboxDiff, crashed when loading the hive file; there is a bug in that executable indeed (it's an unusual bug with it).
It seems that when loading some hive files "regdump.exe" crashes.
Consequences? The registry changes in the "Comp-Reg.txt" file aren't complete; it records the changes until the crash time. Tip: when "regdump.exe" crashes, the reliable and accurate registry changes are in the file "Comp-Reg.REG.txt" (in .reg format).
In the next release I'll reinforce SandboxDiff to check the reliability of the "Comp-Reg.REG.txt" record. At least we can have one trusty registry changes file if a crash occurs in that file.
SandboxDiff updated.
Changes:
- Analyzing/Comparing process far faster now.
Download in: Contributed Utilities page.
comp-reg error
In comp-reg.txt I am getting
1d0
< hive path err
\ No newline at end of file
Otherwise it seems to be functioning very easily.