Video: Using SysInternals' Process Monitor to Analyze Apps and Malware
Process Monitor is a useful tool for seeing what registry, file system, process and thread changes the processes on your Windows system are making. It should work on currently patched versions of 2k, XP and Vista. Two major uses security professionals may have for Process Monitor are:
1. Analyzing what malware is doing to a system so it can be countered and removed.
2. Figuring out what registry and file system rights a user will need to run a badly written application. Some apps assume everyone is an admin and won't run correctly unless they are. By using Process Monitor an admin can figure out the minimum rights needed for an application to work.
Also, some software pirates may use the tool to figure out how a shareware application's expiration function works, but that's not a topic I will be covering. For simplicity of demonstration, I will be using my own app called MadMACs for this demo.
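To make the minimum-rights exercise in use 2 concrete, here is an added example in Python (not code from the video or from MadMACs): it reads a Process Monitor CSV export (File > Save... as CSV), keeps only the ACCESS DENIED events for the application under test, and groups them by file or registry path together with the operation and the access that was requested, which is exactly the list an admin needs when granting rights instead of local admin. The column names and the sample rows are assumptions modelled on Procmon's default CSV export; adjust the names if your export uses different columns.

```python
import csv
import io

# Constructed sample in the layout of a Process Monitor CSV export.
# Column names are an assumption based on Procmon's default columns.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","badapp.exe","1234","CreateFile","C:\\Program Files\\BadApp\\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.2","badapp.exe","1234","RegOpenKey","HKLM\\SOFTWARE\\BadApp","SUCCESS","Desired Access: Read"
"10:01:02.3","badapp.exe","1234","RegSetValue","HKLM\\SOFTWARE\\BadApp\\LastRun","ACCESS DENIED","Type: REG_SZ"
"10:01:02.4","badapp.exe","1234","CreateFile","C:\\Program Files\\BadApp\\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.5","explorer.exe","800","CreateFile","C:\\Users\\bob\\Desktop","SUCCESS","Desired Access: Read"
"""


def denied_by_target(csv_text, process_name):
    """Group ACCESS DENIED events for one process by path.

    Returns {path: {"kind": "file" | "registry", "operations": set,
                    "details": set, "count": int}}.
    """
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "ACCESS DENIED":
            continue
        path = row["Path"]
        entry = result.setdefault(
            path, {"kind": "file", "operations": set(), "details": set(), "count": 0}
        )
        # Procmon prefixes registry paths with the hive abbreviation (HKLM, HKCU, ...).
        if path.split("\\", 1)[0].upper().startswith("HK"):
            entry["kind"] = "registry"
        entry["operations"].add(row["Operation"])
        entry["details"].add(row["Detail"])
        entry["count"] += 1
    return result


def report(csv_text, process_name):
    """One line per denied path: where it is, what was attempted, how often."""
    lines = []
    for path, info in sorted(denied_by_target(csv_text, process_name).items()):
        ops = ", ".join(sorted(info["operations"]))
        details = "; ".join(sorted(info["details"]))
        lines.append(f"{info['kind']:8} {path}  [{ops}] {details} (x{info['count']})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CSV, "badapp.exe")))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; paths that still show up as denied after you grant the listed access are the next candidates for an ACL change, and anything the app touches that it has no business touching is worth a second look.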