Is there a way to know what an executable file has done (what files it has copied, into what folder it copied those files, what registry keys it has edited, etc.)?
Procmon is a good place to start.
There are different tools for the different operating systems, for sure. For MS Windows, the SysInternals package by Mark Russinovich and Bryce Cogswell has a lot of tools for this.
It has real-time FileMonitor, DiskMonitor, ProcessMonitor, Network Monitor and Registry Monitor, showing the information in a very detailed and understandable way.
You should download the whole suite, as these are different programs inside it.
http://technet.microsoft.com/en-us/sysinternals/bb842062
I voted up the procmon answer. However, I'd like to add that procmon is pretty much just a tool to display and plot Windows' realtime registry key (HKEY_PERFORMANCE_DATA) values. If you want to monitor some of that stuff programmatically, you just have to write code to look at and process those same registry values out of HKEY_PERFORMANCE_DATA yourself.
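A practical way to answer the original question from Procmon's own output, added here as an example that is not part of any answer above: capture a trace with Procmon's command-line switches, export it to CSV, and reduce the export to the state-changing events of the process you care about (files written or created, registry keys modified, processes spawned, outbound connections, and denied attempts, which still show intent). The sample CSV rows, the process name `sample.exe` and the paths in them are constructed for this example; the column names are Procmon's default export columns.

```python
"""Summarise what one executable did, from a Process Monitor CSV export.

Capture the trace with Procmon's own command-line switches (elevated prompt):
    procmon.exe /AcceptEula /Quiet /Minimized /BackingFile trace.pml
    ... start the executable under test and let it run ...
    procmon.exe /Terminate
    procmon.exe /OpenLog trace.pml /SaveAs trace.csv
The CSV export carries the default columns "Time of Day", "Process Name",
"PID", "Operation", "Path", "Result" and "Detail"; this script reduces the
thousands of rows to the state-changing ones for a single process.
"""
import csv
import io

# Operations that change state on disk, in the registry, or spawn processes.
FILE_WRITE_OPS = {"WriteFile", "SetRenameInformationFile",
                  "SetDispositionInformationFile"}
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
PROC_OPS = {"Process Create"}
NET_OPS = {"TCP Connect", "TCP Send", "UDP Send"}

# Common autostart locations (Run/RunOnce keys, Startup folder); a write
# there is worth calling out on its own.
PERSISTENCE_HINTS = (r"\CurrentVersion\Run", r"\Start Menu\Programs\Startup")


def _is_write_open(detail):
    """CreateFile is also how files get created; the Detail column says whether
    the open asked for write access or a create/overwrite disposition."""
    return any(marker in detail for marker in
               ("Generic Write", "Write Data", "Disposition: Create",
                "Disposition: Overwrite", "Disposition: Supersede"))


def summarize(csv_text, process_name):
    """Group state-changing events by category for one process name.

    Successful operations land in their category; failed attempts at a
    modifying operation are kept in 'denied' because they still show intent."""
    summary = {k: set() for k in ("files_written", "registry_modified",
                                  "processes_spawned", "network",
                                  "persistence", "denied")}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        op, path, result, detail = (row["Operation"], row["Path"],
                                    row["Result"], row["Detail"])
        file_write = op in FILE_WRITE_OPS or (op == "CreateFile"
                                              and _is_write_open(detail))
        modifying = file_write or op in REG_WRITE_OPS or op in PROC_OPS
        if result != "SUCCESS":
            if modifying:
                summary["denied"].add(f"{op} {path} ({result})")
            continue
        if file_write:
            summary["files_written"].add(path)
        elif op in REG_WRITE_OPS:
            summary["registry_modified"].add(path)
        elif op in PROC_OPS:
            summary["processes_spawned"].add(path)
        elif op in NET_OPS:
            summary["network"].add(path)
        if modifying and any(h.lower() in path.lower() for h in PERSISTENCE_HINTS):
            summary["persistence"].add(path)
    return summary


# Constructed sample of a Procmon CSV export (not a real trace): one process
# drops a DLL, registers it in the Run key, spawns cmd.exe, connects out and
# is refused when it tries to rewrite the hosts file.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","CreateFile","C:\Users\bob\AppData\Roaming\x.dll","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, OpenResult: Created"
"10:01:02.2","sample.exe","4120","WriteFile","C:\Users\bob\AppData\Roaming\x.dll","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.3","sample.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, OpenResult: Opened"
"10:01:02.4","sample.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 22, Data: Windows 10 Pro"
"10:01:02.5","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 68, Data: C:\Users\bob\AppData\Roaming\x.dll"
"10:01:02.6","sample.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 5000, Command line: cmd.exe /c whoami"
"10:01:02.7","sample.exe","4120","TCP Connect","desktop-1:49152 -> 203.0.113.5:443","SUCCESS","Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65536"
"10:01:02.8","sample.exe","4120","WriteFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED","Offset: 0, Length: 120"
"10:01:02.9","explorer.exe","1234","WriteFile","C:\Users\bob\Desktop\notes.txt","SUCCESS","Offset: 0, Length: 10"
'''.strip()


if __name__ == "__main__":
    for category, items in summarize(SAMPLE_CSV, "sample.exe").items():
        print(f"{category}:")
        for item in sorted(items):
            print(f"  {item}")
```

On a real export, pass the file contents instead of `SAMPLE_CSV` (open it with `encoding="utf-8-sig"` so a byte-order mark, if present, does not corrupt the first column name). The filter on `Process Name` is deliberately simple; child processes the sample spawns show up under `processes_spawned` and need their own pass, and a Procmon filter on the parent PID tree is the better way to catch everything when the sample forks a lot.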
You can use utilities from Sysinternals such as ProcessMonitor. With it you can monitor registry, file system, network access and something more (sorry, I can't remember all the features).